SSL handshake failure for postgres connection over cloud in liberty - postgresql

I have been stuck with this issue longer than i want to admit. I am trying to use postgres db connection for my small spring mvc project over liberty. My server.xml looks like below.
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>jdbc-4.2</feature>
<feature>jsp-2.3</feature>
<feature>localConnector-1.0</feature>
<feature>servlet-4.0</feature>
<feature>ldapRegistry-3.0</feature>
<feature>appSecurity-3.0</feature>
<feature>transportSecurity-1.0</feature>
</featureManager>
<ssl id="defaultSSLSettings" keyStoreRef="defaultKeyStore" trustDefaultCerts="true" />
<keyStore id="defaultKeyStore"
location="/opt/ibm/wlp/usr/servers/defaultServer/resources/security/key.jks"
password="changeIt"/>
<dataSource id="DefaultDataSource" jndiName="jdbc/postgres"
transactional='true' type='javax.sql.ConnectionPoolDataSource'>
<jdbcDriver libraryRef="PostgresLib" />
<properties databaseName="clouddb"
password=""
serverName="ea957de9-2271-4d6c-999e-f2c250575850.budepemd0im5pmu4u60g.databases..cloud"
user="admin" portNumber="30352" />
</dataSource>
<library id="PostgresLib">
<fileset
dir="C:/Users/AkanchaSingh/Desktop/iit-test-app/test-app"
includes="postgresql-42.2.5.jre6.jar" />
</library>
<httpEndpoint host="*" httpPort="9080" httpsPort="9443"
id="defaultHttpEndpoint">
<tcpOptions soReuseAddr="true" />
<httpOptions maxKeepAliveRequests="-1" />
</httpEndpoint>
<applicationManager autoExpand="true"
startTimeout="600" stopTimeout="600"></applicationManager>
<applicationMonitor updateTrigger="mbean" />
<webApplication autoStart="true" contextRoot="test"
id="test" location="/opt/ibm/wlp/usr/servers/defaultServer/test.war"
name="test">
</webApplication>
</server>
I have tried connecting to postgres by all methods eg: datasource and also connection manager
Properties info = new Properties();
String url = "jdbc:postgresql://ea957de9-2271-4d6c-999e-f2c250575850.budepemd0im5pmu4u60g.databases.appdomain.cloud:30352/clouddb";
info.setProperty("user", "");
info.setProperty("password", "");
info.setProperty("ssl", "true");
info.setProperty("sslfactory", "org.postgresql.ssl.SingleCertValidatingFactory");
info.setProperty("sslfactoryarg", loadFile("/opt/ibm/wlp/usr/servers/defaultServer/resources/security/PGSSLROOTCERT.crt"));
Even after providing the root.crt from the postgres db connection page I keep getting
[err] org.postgresql.util.PSQLException: SSL error: Received fatal alert: handshake_failure
[err] at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
[err] at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
[err] at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
[err] at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
[err] at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
[err] at org.postgresql.jdbc.PgConnection.(PgConnection.java:195)
I also have tried to pass the certificate in my keystore and truststore.. Nothing seems to work in this case.. I can connect successfully to the postgres db locally via IDE and also through psql but as soon as i dockerize it and run, it throws this exception.
DockerFile:
FROM websphere-liberty:19.0.0.12-full-java8-ibmjava
ENTRYPOINT ["/opt/ibm/wlp/bin/server","run","defaultServer"]
USER root
EXPOSE 9080
COPY --chown=1001:0 server.xml /opt/ibm/wlp/usr/servers/defaultServer/
RUN mkdir -p /root/.postgresql
COPY --chown=1001:0 root.crt /root/.postgresql/
COPY --chown=1001:0 key.jks /opt/ibm/wlp/usr/servers/defaultServer/resources/security/
RUN chmod -R 777 /opt/ibm/wlp/usr/servers/defaultServer/resources/security
COPY --chown=1001:0 target/test.war /opt/ibm/wlp/usr/servers/defaultServer/
RUN installUtility install --acceptLicense defaultServer
RUN chmod -R 777 /opt/ibm/wlp/output/defaultServer/workarea
RUN chmod a+rwx /opt/ibm/wlp/output/defaultServer

OpenLiberty has an automated test bucket that runs with PostgreSQL in a docker container, where 2 of the Liberty servers use SSL successfully. Here is one of them:
https://github.com/OpenLiberty/open-liberty/blob/integration/dev/com.ibm.ws.jdbc_fat_postgresql/publish/servers/server-PostgreSQLSSLTest/server.xml
Try using the <properties.postgresql> element under your <dataSource> instead of the generic <properties>. The former has additional properties for ssl on it, as illustrated in the server.xml of the test case.

Related

DB2 driver settings in Websphere Liberty

I have application running in Websphere Liberty and uses DB2 in Z/oS. I have set the db2 driver proerties in DB2JCCConfiguration.properties .How can make sure that the server has picked up properties I have set .I am not sure how to verify the trace to see if the properties are applied to server
To configure a datasource (for any backend DB) with Liberty, you can add configuration like this to your server.xml:
<featureManager>
<feature>jdbc-4.2</feature>
</featureManager>
<library id="driver-library">
<fileset dir="/path/to/driver/dir" includes="*.jar"/>
</library>
<dataSource id="DefaultDataSource" jndiName="jdbc/myDB">
<jdbcDriver libraryRef="driver-library"/>
<properties.db2.jcc serverName="example.db.hostname.com" portNumber="50000"
databaseName="myDB"
user="exampleUser"
password="examplePassword"
currentSchema="xyz"
fullyMaterializeInputStreams="true"/>
</dataSource>
To test if your configuration is correct and that your Liberty server can connect to your DB2 database, add the following configuration:
<featureManager>
<feature>appSecurity-3.0</feature>
<feature>restConnector-2.0</feature>
<feature>jdbc-4.2</feature>
</featureManager>
<!-- Any security mechanism can be used, <quickStartSecurity> is the simplest -->
<quickStartSecurity userName="admin" userPassword="admin"/>
And then go to: https://localhost:9443/ibm/api/validation/dataSource/DefaultDataSource
(this assumes your <dataSource> id is DefaultDataSource)
For more info, see this cheat sheet: https://aguibert.github.io/openliberty-cheat-sheet/#_ibm_db2

Glassfish4 JMX Configuration using asadmin

I have Glassfish4 and want make JMX to listen only to localhost and diable TLS and Security via asaadmin.
I can do the same via Admin Web UI, but not sure how to do that via asadim.
The below command updates the jmx-connecter property under admin-config but I need a similar change under default-config.
asadmin set server.admin-service.jmx-connector.system.security-enabled=false
The above update the domain.xml under
<config name="server-config">
.....
<admin-service system-jmx-connector-name="system" type="das-and-server">
<jmx-connector address="localhost" port="8686" name="system" auth-realm-name="admin-realm" security-enabled="false">
<ssl tls-enabled="false" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" client-auth="want" cert-nickname="server"></ssl>
</jmx-connector>
<property name="adminConsoleContextRoot" value="/admin"></property>
<property name="adminConsoleDownloadLocation" value="${com.sun.aas.installRoot}/lib/install/applications/admingui.war"></property>
<property name="ipsRoot" value="${com.sun.aas.installRoot}/.."></property>
<das-config></das-config>
</admin-service>
....
</config>
I need to update values under default-config like this
<config name="default-config">
.....
<admin-service system-jmx-connector-name="system">
<jmx-connector address="localhost" port="${JMX_SYSTEM_CONNECTOR_PORT}" name="system" auth-realm-name="admin-realm" security-enabled="false">
<ssl ssl3-enabled="false" tls-enabled="false" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" client-auth="want" cert-nickname="glassfish-instance"></ssl>
</jmx-connector>
<property name="adminConsoleDownloadLocation" value="${com.sun.aas.installRoot}/lib/install/applications/admingui.war"></property>
<das-config></das-config>
</admin-service>
....
</config>
Please, guide me on how to do this via CLI using asadmin.
If this helps: Top update the same from the Admin UI --> Configurations --> default-config --> JMX Connector / SSL.
thanks
After reading a lot, found out.
asadmin set configs.config.default-config.admin-service.jmx-connector.system.address=localhost
asadmin set configs.config.default-config.admin-service.jmx-connector.system.security-enabled=false

Issue enabling jpa and jdbc in Websphere Liberty

I am following these exercises for learning Liberty.
I am having an issue in he Lab 3 - Module 2.2 Liberty and JPA (DB2) .
After setting all the JDBC and Data Source details, i restart the server and i do not see the two lines that mention the dataSource and jdbd driver.
[AUDIT] J2CA8004I : The dataSource DB2Connection is avilable as jdbc/DB2Connection.
[AUDIT] J2CA8000I : The jdbcDriver my JDBCDriver is available.
How can i know if the jpa and jdb features ae correctly set?
This is the server.xml
<!-- Enable features -->
<featureManager onError="WARN">
<feature>jsp-2.2</feature>
<feature>jpa-2.0</feature>
<feature>jdbc-4.0</feature>
</featureManager>
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
httpPort="9080"
httpsPort="9443" />
<jdbcDriver id="myJDBCDriver">
<library name="DB2Lib">
<fileset dir="C:\wlp\db2jdbc" includes="db2jcc4.jar, db2jcc_license_cu.jar"></fileset>
</library>
</jdbcDriver>
<dataSource jndiName="jdbc/DB2Connection" id="DB2Connection"
jdbcDriverRef="myJDBCDriver">
<properties.db2.jcc databaseName="SAMPLE" serverName="igacloud" password="{xor}FhgeOz1tPj08" user="db2admin"></properties.db2.jcc>
</dataSource>
Unlike Classic WebSphere, which has a "test connection" capability in its admin console (datasource panel), there is no equivalent means with WebSphere Liberty yet. Have you tried testing the connection with a simple "Hello World" JPA application?
The CWWKF0012I message is simply confirming what features have been enabled - some features depend on other features and automatically enables them, which is why you see more features than defined in your server.xml.

Jboss5.01GA RMI EJB3.0

I have a cloud instance where i have installed Jboss5.0.1GA server. Server instance contains a Public ip and a natted Ip Address. I have run Jboss server using -b with ip(natted) address and web url is working fine. Now i am creating Java external client to access EJB3 bean which is deployed in Jboss server where i am getting the exception and trying solution using google which is not helped my case. Find below code which tells what i am using in external client to access EJB3.
properties = new Properties();
properties.load(stream);
// Set the context
Hashtable ht = new Hashtable();
ht.put(Context.INITIAL_CONTEXT_FACTORY,
"org.jnp.interfaces.NamingContextFactory");
ht.put(Context.PROVIDER_URL,"public ip address");
ht.put(Context.URL_PKG_PREFIXES,
"org.jboss.naming:org.jnp.interfaces");
// Find and create a reference to the bean using JNDI
context = new InitialContext(ht);
While executing it localhost its working fine. While connecting remote throwing below exception. "javax.naming.CommunicationException [Root exception is java.rmi.ConnectException: Connection refused to host: ". Can anyone help me on the same.
`This is my connector file(ejb3-connectors-jboss-beans.xml).
EJB3 Connectors
-->
JBoss Remoting Connector
Note: Bean Name "org.jboss.ejb3.RemotingConnector" is used
as a lookup value; alter only after checking java references
to this key.
-->
<property name="invokerLocator">
<value-factory bean="ServiceBindingManager"
method="getStringBinding">
<parameter>
jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3
</parameter>
<parameter>
<null />
</parameter>
<parameter>socket://${jboss.bind.address}:${port}</parameter>
<parameter>
<null />
</parameter>
<parameter>3873</parameter>
</value-factory>
</property>
<property name="serverConfiguration">
<inject bean="ServerConfiguration" />
</property>
AOP
org.jboss.aspects.remoting.AOPRemotingInvocationHandler
`
Do a telnet to the ip and port you are trying to connect on the jboss from the remote server instance. If that's not working then you have to solve networking issues first. (Let me know, so I can guide you on how to do it)
Also check your EJB3 binding settings and check networking. Out of the box config looks looks this..
<mbean code="org.jboss.remoting.transport.Connector"
xmbean-dd="org/jboss/remoting/transport/Connector.xml"
name="jboss.remoting:type=Connector,name=DefaultEjb3Connector,handler=ejb3">
<depends>jboss.aop:service=AspectDeployer</depends>
<attribute name="InvokerLocator">socket://0.0.0.0:3873</attribute>
<attribute name="Configuration">
<handlers>
<handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
</handlers>
</attribute>
</mbean>
Thanks!
#leo.
To my case below 2 things worked for me.
1. Running Jboss server using run.bat -b **public ip(not nat ip)** -Djboss.bind.address=0.0.0.0
2. Enabling my **local** machine hosts file to point remote ip to hostname ie remoteip remotehostname.
Hope it will help to others as well.

IISExpress 8 with custom configuration file - web service won't load

When I develop a WCF service or website solution, I always use IISExpress with a custom configuration file so I can share the setup with other developers in the team. Basically, I run a batch file with the following command in it:
"C:\Program Files (x86)\IIS Express\iisexpress.exe" /config:service-hosts.config
Where service-hosts.config is the path to my custom configuration file.
This method has been working perfectly fine, and still works fine in other solutions on my PC (each with their own service-hosts.config file). However, I've just started having a problem loading a WCF service using this method. I'm getting the following error when trying to browse to the service root dir, or any of the built in help endpoints:
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Detailed Error Information:
Module IIS Web Core
Notification Unknown
Handler Not yet determined
Error Code 0x80070003
Config Error Cannot read configuration file
Config File \?\D:\Projects\MyProject\WCFSite\web.config
Requested URL http:// localhost:80/
Physical Path
Logon Method Not yet determined
Logon User Not yet determined
Request Tracing Directory C:\Users\Spikeh\Documents\IISExpress\TraceLogFiles\
Config Source:
-1:
0:
More Information:
This error occurs when there is a problem reading the configuration file for the Web server or Web application. In some cases, the event logs may contain more information about what caused this error.
If you see the text "There is a duplicate 'system.web.extensions/scripting/scriptResourceHandler' section defined", this error is because you are running a .NET Framework 3.5-based application in .NET Framework 4. If you are running WebMatrix, to resolve this problem, go to the Settings node to set the .NET Framework version to ".NET 2". You can also remove the extra sections from the web.config file.
View more information ยป
I've been debugging for hours and can't get this error to change, let alone fix it.
I've tried overwriting my service-hosts.config file with a few different versions of applicationHosts.config, running IISExspress in 64bit, replacing the web.config file with a very basic version, setting permissions on the directory (to the point where every user on my PC has access), and changing the app pool, but still no change.
The weird thing is... when I change the WCF project to use "IISExpress" in the Web section of project properties, then subsequently debug the project, everything works fine... even with all of my web.config settings in place.
This points to how I'm running IISExpress, or my service-hosts.config file... though the service-hosts.config file (with slight modifications for the sites involved) is exactly the same as it is in my other projects.
One thing to note (might be a red herring), but I did downgrade the solution from VS2012 to VS2010, and changed the framework target to .Net 4.0... not sure if something might be configured funny due to that?
Does anyone have any ideas? I'm at the point of jumping off the roof...
UPDATE:
Here's the debug information from IISExpress (running with /trace:e):
Running IIS...
Starting IIS Express ...
Initializing the W3 Server Started CTC = 5514916
PreInitSitesThread: Premature Exit Occured ( hr = 80070003 )
W3 Server initializing WinSock. CTC = 5514916
W3 Server WinSock initialized. CTC = 5514916
W3 Server ThreadPool initialized (ipm has signalled). CTC = 5514916
Start listenerChannel http:0
Successfully registered URL "http://*:80/" for site "MyWebsite" application "/"
Registration completed for site "MyWebsite"
AppPool 'MyCustomAppPool' initialized
InitComplete event signalled
IIS Express is running.
Enter 'Q' to stop IIS Express
IncrementMessages called
Request ended: http://localhost:80/ with HTTP status 500.19
And here's the important part of my service-hosts.config:
<applicationPools>
<add name="Clr4IntegratedAppPool" managedRuntimeVersion="v4.0" managedPipelineMode="Integrated" CLRConfigFile="%IIS_BIN%\config\templates\PersonalWebServer\aspnet.config" autoStart="true" />
<add name="Clr4ClassicAppPool" managedRuntimeVersion="v4.0" managedPipelineMode="Classic" CLRConfigFile="%IIS_BIN%\config\templates\PersonalWebServer\aspnet.config" autoStart="true" />
<add name="Clr2IntegratedAppPool" managedRuntimeVersion="v2.0" managedPipelineMode="Integrated" CLRConfigFile="%IIS_BIN%\config\templates\PersonalWebServer\aspnet.config" autoStart="true" />
<add name="Clr2ClassicAppPool" managedRuntimeVersion="v2.0" managedPipelineMode="Classic" CLRConfigFile="%IIS_BIN%\config\templates\PersonalWebServer\aspnet.config" autoStart="true" />
<add name="UnmanagedClassicAppPool" managedRuntimeVersion="" managedPipelineMode="Classic" autoStart="true" />
<add name="IISExpressAppPool" managedRuntimeVersion="v4.0" managedPipelineMode="Integrated" CLRConfigFile="%IIS_BIN%\config\templates\PersonalWebServer\aspnet.config" autoStart="true" />
<add name="MycustomAppPool" managedRuntimeVersion="v4.0" managedPipelineMode="Integrated" CLRConfigFile="%IIS_USER_HOME%\config\aspnet.config" autoStart="true" />
<applicationPoolDefaults managedRuntimeLoader="v4.0" >
<processModel/>
</applicationPoolDefaults>
</applicationPools>
<listenerAdapters>
<add name="http" />
</listenerAdapters>
<sites>
<site name="MyWebsite" id="1">
<application path="/" applicationPool="MyCustomAppPool">
<virtualDirectory path="/" physicalPath="D:\Projects\MyProject\WCFSite\" />
</application>
<bindings>
<binding protocol="http" bindingInformation="*:80:" />
</bindings>
</site>
<siteDefaults>
<logFile logFormat="W3C" directory="%IIS_USER_HOME%\Logs" />
<traceFailedRequestsLogging directory="%IIS_USER_HOME%\TraceLogFiles" enabled="true" maxLogFileSizeKB="1024" />
</siteDefaults>
<applicationDefaults applicationPool="Clr4IntegratedAppPool" />
<virtualDirectoryDefaults allowSubDirConfig="true" />
</sites>
<webLimits />
Seems that the service-hosts.config file was pointing to something it shouldn't have been pointing to. I replaced my service-hosts.config with an copy from an older project (and therefore an older version of IISExpress / .Net Framework) and everything works fine.
Sounds like it was to do with my 4.5 -> 4.0 downgrade after all.