users@glassfish.java.net

Re: upgrade problem

From: <thomas_at_randspringer.de>
Date: Fri, 4 Mar 2011 17:17:30 +0100 (CET)

Hi,


I reinstalledglassfish-full-profile (BTW, why do I need cluster-feature when I want a secured admin access?).
 
Now the enable-secure-admin command was available.
 
I did:
 
$>asadmin --secure=true enable-secure-admin        
Enter admin user name>  admin
Enter admin password for user "admin">
Command enable-secure-admin executed successfully.
 
$>asadmin --secure=true stop-domain domain1
It appears that server [localhost:4848] accepts secure connections only.
Retrying the command with --secure=true...
CLI306 Warning - server is not running.
Command stop-domain executed successfully.
 
A "ps -ef | grep java" told me that it is still running. I killed the java process.
 
$>asadmin --secure=true start-domain domain1
Waiting for domain1 to start ....................................................................
Successfully started the domain : domain1
...
...
Admin Port: 4848
Command start-domain executed successfully.
 
$>asadmin --secure=true stop-domain domain1
[
[
  Version: V3
  Subject: xxx
  Signature Algorithm: SHA1withRSA, OID = XXX

  Key:  Sun RSA public key, 1024 bits
  modulus:
...
...
]
Do you trust the above certificate [y|N] -->Y
Waiting for the domain to stop ....
Command stop-domain executed successfully.


Now I started the domain again and tried to access the admin-gui via https.

I got a new exception:

>snip
Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:131)
        at com.sun.jersey.api.client.Client.handle(Client.java:629)
        at com.sun.jersey.api.client.WebResource.handle(WebResource.java:601)
        at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)

>snip

The full server.log is at:

 http://www.randspringer.de/server.log

What I did with GF 3.0.1 was:
1. I enabled https in the admin-gui

After that, I observed that I have to do a
 asadmin --secure=true --user admin --passwordfile  <my_password.txt> deploy my.war
instead of the
 asadmin deploy my.war

And the start-domain, stop-domain and restart-domain command required a additionally "--secure=true" option.

Thomas



 
 
 
 
 

Snjezana Sevo-Zenzerovic <snjezana.sevozenzerovic_at_oracle.com> hat am 2. März 2011 um 20:57 geschrieben:

>
>
> Could you try getting back to the original content of 3.1 distribution by reinstalling glassfish-full-profile package (its screen name in updatetool should be "GlassFish Full Platform")? This will bring back packages such as glassfish-cluster and glassfish-ha . glassfish-cluster package contains enable-secure-admin command Anissa mentioned.
>
> I am not sure that will completely resolve your Admin GUI issue, but it will bring you closer to the distribution content that has been tested.
>
> Thanks,
>
> Snjezana
>
> ----- Original Message -----
> From: thomas_at_randspringer.de
> To: users_at_glassfish.java.net
> Sent: Wednesday, March 2, 2011 9:34:49 AM GMT -08:00 US/Canada Pacific
> Subject: Re: upgrade problem
>
>
>
>
> Hi,
>
>
>
>
> I run now
>
>
>
>
> java version "1.6.0_24"
> Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
> Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)
>
>
>
> I removed the -Dsun.security.ssl.allowUnsafeRenegotiation=true property from domain.xml
>
> stopped the server and startet it again.
>
>
>
> The server started without error messages. But when I access the admin-console via https I get a lot of exceptions.
>
>
>
> [#|2011-03-02T13:28:34.149+0100|SEVERE|glassfish3.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=24;_ThreadName=Thread-1;|service exception
> java.lang.RuntimeException: ClientAbortException: java.io.IOException: SSLOutputWriter: CLOSED
> at org.glassfish.admin.rest.LazyJerseyInit.reportError(LazyJerseyInit.java:200)
> at org.glassfish.admin.rest.adapter.RestAdapter.reportError(RestAdapter.java:453)
> at org.glassfish.admin.rest.adapter.RestAdapter.service(RestAdapter.java:209)
>
>
>
> The full jvm.log and server.log is here:
>
>
>
> http://www.randspringer.de/jvm.log
> http://www.randspringer.de/server.log
>
>
>
> I see a lot of dependency errors in jvm.log. Which packages are necessary to run GF as pure servlet container.
>
> We need it for 3 WARs:
>
> 1. our own rails-application-WAR
>
> 2. hudson WAR
>
> 3. apache-solr-WAR
>
>
>
>
>
> pkg list
>
> gives:
>
>
>
> NAME (PUBLISHER) VERSION STATE UFIX
> felix 3.0.8-0 installed ----
> glassfish-appclient 3.1-43 installed ----
> glassfish-common 3.1-43 installed ----
> glassfish-common-full 3.1-43 installed ----
> glassfish-corba 3.1.0-27 installed ----
> glassfish-corba-base 3.1.0-27 installed ----
> glassfish-ejb 3.1-43 installed ----
> glassfish-ejb-lite 3.1-43 installed ----
> glassfish-full-incorporation 3.1-43 installed ----
> glassfish-grizzly 1.9.31-1 installed ----
> glassfish-grizzly-full 1.9.31-1 installed ----
> glassfish-gui 3.1-43 installed ----
> glassfish-hk2 3.1-43 installed ----
> glassfish-jca 3.1-43 installed ----
> glassfish-jcdi 3.1-43 installed ----
> glassfish-jdbc 3.1-43 installed ----
> glassfish-jpa 3.1-43 installed ----
> glassfish-jsf 2.1.0-11 installed ----
> glassfish-jta 3.1-43 installed ----
> glassfish-jts 3.1-43 installed ----
> glassfish-management 3.1-43 installed ----
> glassfish-nucleus 3.1-43 installed ----
> glassfish-registration 3.1-43 installed ----
> glassfish-scripting 3.1-41 installed ----
> glassfish-web 3.1-43 installed ----
> glassfish-web-incorporation 3.1-43 installed ----
> javadb-client 10.6.2.1-1 installed ----
> javadb-common 10.6.2.1-1 installed ----
> javadb-core 10.6.2.1-1 installed ----
> jersey 1.5-1.0 installed ----
> metro 2.1-30 installed ----
> pkg 1.122.2-52.2817 installed ----
> pkg-java 1.122-52.2817 installed ----
> pkg-toolkit-incorporation 2.3.3-52.2817 installed ----
> python2.4-minimal 2.4.4.0-52.2817 installed ----
> shoal 1.5.29-0 installed ----
> updatetool 2.3.3-52.2817 installed ----
> wxpython2.8-minimal 2.8.10.1-52.2817 installed ----
>
>
>
> Maybe I have to do some reinstallation or uninstallation?
>
>
>
> Any help is appreciated.
>
>
>
> Thomas
>
>
>
>
> "thomas_at_randspringer.de" <thomas_at_randspringer.de> hat am 1. März 2011 um 17:19 geschrieben:
>
> > Ok. Admin is informed. Hopefully I can report success tomorrow.
> >
> >
> > Thomas
> >
> >
> >
> >
> > Tim Quinn <tim.quinn_at_oracle.com> hat am 1. März 2011 um 17:11 geschrieben:
> >
> > > Hello, Thomas.
> > >
> > > I believe that these new symptoms - as well as the ones you described
> > > earlier - are the result of the way the Java runtime has addressed the
> > > problem in the SSL protocol Tom mentioned earlier.
> > >
> > > You should run Java 1.6.0_22 or later on both the client and server
> > > side. That is the minimum version of Java which GlassFish 3.1
> > > requires, partly because of the SSL security issue in earlier releases
> > > of Java.
> > >
> > > GlassFish 3.1 and 3.0.1 are different in significant ways. One of
> > > them is improved security of admin traffic which requires Java
> > > 1.6.0_22 or later to work correctly, which 3.0.1 did not require. We
> > > do not recommend that users set the various security properties that
> > > might allow you to use earlier releases because that leaves your
> > > system more vulnerable.
> > >
> > > - Tim
> > >
> > > On Mar 1, 2011, at 9:55 AM, thomas_at_randspringer.de wrote:
> > >
> > > > Hm,
> > > >
> > > > it worked with 3.0.1.
> > > >
> > > > After I deinstalled some packagages(e.g. this cluster stuff) now GF
> > > > at least talked to me when I added the --verbose option.
> > > >
> > > > First I got this error:
> > > > http://java.net/jira/browse/GLASSFISH-12041
> > > >
> > > > I added the property:
> > > > -Dsun.security.ssl.allowUnsafeRenegotiation=true
> > > > to my domain.xml
> > > >
> > > > and now I get:
> > > >
> > > > java.lang.RuntimeException: ClientAbortException:
> > > > java.io.IOException: SSLOutputWriter: CLOSED
> > > > at
> > > > org
> > > > .glassfish.admin.rest.LazyJerseyInit.reportError(LazyJerseyInit.java:
> > > > 200)
> > > > at
> > > > org
> > > > .glassfish
> > > > .admin.rest.adapter.RestAdapter.reportError(RestAdapter.java:453)
> > > > at
> > > > org
> > > > .glassfish.admin.rest.adapter.RestAdapter.service(RestAdapter.java:
> > > > 209)
> > > >
> > > > What can I now do?
> > > > I can not simply deinstall jersey because glassfish-gui and
> > > > glassfish-management depends on it.
> > > >
> > > > Thomas
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Tom Mueller <tom.mueller_at_oracle.com> hat am 1. März 2011 um 16:13
> > > > geschrieben:
> > > >
> > > > > I'm not sure that this is the problem, but GlassFish 3.1 running
> > > > in with
> > > > > secure admin enabled requires a minimum JVM version of 1.6.0_22. I
> > > > see
> > > > > from your jvm.log file that you are running 1.6.0_20.
> > > > >
> > > > > There was an SSL vulnerability that was fixed in _22. When
> > > > running with
> > > > > an older VM, the behavior of start-domain --secure is that it
> > > > appears to
> > > > > hang even though the DAS actually started, because start-domain
> > > > cannot
> > > > > establish a connection to the DAS to verify that it is up.
> > > > >
> > > > > Tom
> > > > >
> > > > >
> > > > > On 3/1/2011 6:52 AM, thomas_at_randspringer.de wrote:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > today I tried to upgrade our GF 3.0.1 to 3.1. We use it only as an
> > > > > > servlet container for our rails-application.
> > > > > >
> > > > > > I upgraded via the "updatetool" (source=stable.glassfish.org).
> > > > > >
> > > > > > After installing the new packages I stopped the domain and I
> > > > started
> > > > > > it with the --upgrade option like suggested.
> > > > > >
> > > > > > However now
> > > > > >
> > > > > > asadmin --secure=true start-domain domain1
> > > > > >
> > > > > > does not come back.
> > > > > >
> > > > > > jvm.log and server.log are available from
> > > > > >
> > > > > > http://www.randspringer.de/jvm.log
> > > > > >
> > > > > > http://www.randspringer.de/server.log
> > > > > >
> > > > > > What is the problem and how can I get the glassfish running again?
> > > > > >
> > > > > > Thomas
> > > > > >
> > >
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.