users@glassfish.java.net

Re: upgrade problem

From: BAMOSS <bamoss_at_sceats.com>
Date: Fri, 04 Mar 2011 09:12:33 -0800

Hi Thomas,

We experienced this error message on GFv2.1.1 when the certificate
hadn't been added to cacerts.jks. This issue occurred when there were
two GF servers with self-signed certificates. We needed to add the cert
from server1 to the cacerts.jks of server2 and vice versa. When using
more than one server, it is useful to create unique keypair aliases for
each server (eg: alias-server1 for server1.example.com). Hope this helps.

Derek



On 03/04/2011 08:17 AM, thomas_at_randspringer.de wrote:
>
> Hi,
>
>
> I reinstalled glassfish-full-profile (BTW, why do I need
> cluster-feature when I want a secured admin access?).
>
> Now the enable-secure-admin command was available.
>
> I did:
>
> $>asadmin --secure=true enable-secure-admin
> Enter admin user name> admin
> Enter admin password for user "admin">
> Command enable-secure-admin executed successfully.
>
> $>asadmin --secure=true stop-domain domain1
> It appears that server [localhost:4848] accepts secure connections only.
> Retrying the command with --secure=true...
> CLI306 Warning - server is not running.
> Command stop-domain executed successfully.
>
> A "ps -ef | grep java" told me that it is still running. I killed the
> java process.
>
> $>asadmin --secure=true start-domain domain1
> Waiting for domain1 to start
> ....................................................................
> Successfully started the domain : domain1
>
> ...
>
> ...
>
> Admin Port: 4848
> Command start-domain executed successfully.
>
> $>asadmin --secure=true stop-domain domain1
> [
> [
> Version: V3
> Subject: xxx
> Signature Algorithm: SHA1withRSA, OID = XXX
>
> Key: Sun RSA public key, 1024 bits
> modulus:
> ...
>
> ...
>
> ]
> Do you trust the above certificate [y|N] -->Y
> Waiting for the domain to stop ....
> Command stop-domain executed successfully.
>
>
> Now I started the domain again and tried to access the admin-gui via
> https.
>
> I got a new exception:
>
> >snip
> Caused by: com.sun.jersey.api.client.ClientHandlerException:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:131)
> at com.sun.jersey.api.client.Client.handle(Client.java:629)
> at com.sun.jersey.api.client.WebResource.handle(WebResource.java:601)
> at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
>
> >snip
>
> The full server.log is at:
>
> http://www.randspringer.de/server.log
>
> What I did with GF 3.0.1 was:
> 1. I enabled https in the admin-gui
>
> After that, I observed that I have to do a
> asadmin --secure=true --user admin --passwordfile <my_password.txt> deploy my.war
> instead of the
> asadmin deploy my.war
>
> And the start-domain, stop-domain and restart-domain commands required
> an additional "--secure=true" option.
>
> Thomas
>
>
>
> Snjezana Sevo-Zenzerovic <snjezana.sevozenzerovic_at_oracle.com> wrote on March 2, 2011 at 20:57:
>
> >
> >
> > Could you try getting back to the original content of 3.1
> > distribution by reinstalling glassfish-full-profile package (its
> > screen name in updatetool should be "GlassFish Full Platform")? This
> > will bring back packages such as glassfish-cluster and glassfish-ha.
> > glassfish-cluster package contains enable-secure-admin command Anissa
> > mentioned.
> >
> > I am not sure that will completely resolve your Admin GUI issue, but
> > it will bring you closer to the distribution content that has been tested.
> >
> > Thanks,
> >
> > Snjezana
> >
> > ----- Original Message -----
> > From: thomas_at_randspringer.de
> > To: users_at_glassfish.java.net
> > Sent: Wednesday, March 2, 2011 9:34:49 AM GMT -08:00 US/Canada Pacific
> > Subject: Re: upgrade problem
> >
> >
> >
> >
> > Hi,
> >
> >
> >
> >
> > I run now
> >
> >
> >
> >
> > java version "1.6.0_24"
> > Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
> > Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)
> >
> >
> >
> > I removed the -Dsun.security.ssl.allowUnsafeRenegotiation=true
> > property from domain.xml
> >
> > stopped the server and started it again.
> >
> >
> >
> > The server started without error messages. But when I access the
> > admin-console via https I get a lot of exceptions.
> >
> >
> >
> >
> > [#|2011-03-02T13:28:34.149+0100|SEVERE|glassfish3.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=24;_ThreadName=Thread-1;|service exception
> > java.lang.RuntimeException: ClientAbortException: java.io.IOException: SSLOutputWriter: CLOSED
> > at org.glassfish.admin.rest.LazyJerseyInit.reportError(LazyJerseyInit.java:200)
> > at org.glassfish.admin.rest.adapter.RestAdapter.reportError(RestAdapter.java:453)
> > at org.glassfish.admin.rest.adapter.RestAdapter.service(RestAdapter.java:209)
> >
> >
> >
> > The full jvm.log and server.log is here:
> >
> >
> >
> > http://www.randspringer.de/jvm.log
> > http://www.randspringer.de/server.log
> >
> >
> >
> > I see a lot of dependency errors in jvm.log. Which packages are
> > necessary to run GF as a pure servlet container?
> >
> > We need it for 3 WARs:
> >
> > 1. our own rails-application-WAR
> >
> > 2. hudson WAR
> >
> > 3. apache-solr-WAR
> >
> >
> >
> >
> >
> > pkg list
> >
> > gives:
> >
> >
> >
> > NAME (PUBLISHER) VERSION STATE UFIX
> > felix 3.0.8-0 installed ----
> > glassfish-appclient 3.1-43 installed ----
> > glassfish-common 3.1-43 installed ----
> > glassfish-common-full 3.1-43 installed ----
> > glassfish-corba 3.1.0-27 installed ----
> > glassfish-corba-base 3.1.0-27 installed ----
> > glassfish-ejb 3.1-43 installed ----
> > glassfish-ejb-lite 3.1-43 installed ----
> > glassfish-full-incorporation 3.1-43 installed ----
> > glassfish-grizzly 1.9.31-1 installed ----
> > glassfish-grizzly-full 1.9.31-1 installed ----
> > glassfish-gui 3.1-43 installed ----
> > glassfish-hk2 3.1-43 installed ----
> > glassfish-jca 3.1-43 installed ----
> > glassfish-jcdi 3.1-43 installed ----
> > glassfish-jdbc 3.1-43 installed ----
> > glassfish-jpa 3.1-43 installed ----
> > glassfish-jsf 2.1.0-11 installed ----
> > glassfish-jta 3.1-43 installed ----
> > glassfish-jts 3.1-43 installed ----
> > glassfish-management 3.1-43 installed ----
> > glassfish-nucleus 3.1-43 installed ----
> > glassfish-registration 3.1-43 installed ----
> > glassfish-scripting 3.1-41 installed ----
> > glassfish-web 3.1-43 installed ----
> > glassfish-web-incorporation 3.1-43 installed ----
> > javadb-client 10.6.2.1-1 installed ----
> > javadb-common 10.6.2.1-1 installed ----
> > javadb-core 10.6.2.1-1 installed ----
> > jersey 1.5-1.0 installed ----
> > metro 2.1-30 installed ----
> > pkg 1.122.2-52.2817 installed ----
> > pkg-java 1.122-52.2817 installed ----
> > pkg-toolkit-incorporation 2.3.3-52.2817 installed ----
> > python2.4-minimal 2.4.4.0-52.2817 installed ----
> > shoal 1.5.29-0 installed ----
> > updatetool 2.3.3-52.2817 installed ----
> > wxpython2.8-minimal 2.8.10.1-52.2817 installed ----
> >
> >
> >
> > Maybe I have to do some reinstallation or uninstallation?
> >
> >
> >
> > Any help is appreciated.
> >
> >
> >
> > Thomas
> >
> >
> >
> >
> > "thomas_at_randspringer.de" <thomas_at_randspringer.de> wrote on March 1, 2011 at 17:19:
> >
> > > Ok. Admin is informed. Hopefully I can report success tomorrow.
> > >
> > >
> > > Thomas
> > >
> > >
> > >
> > >
> > > Tim Quinn <tim.quinn_at_oracle.com> wrote on March 1, 2011 at 17:11:
> > >
> > > > Hello, Thomas.
> > > >
> > > > I believe that these new symptoms - as well as the ones you described
> > > > earlier - are the result of the way the Java runtime has addressed the
> > > > problem in the SSL protocol Tom mentioned earlier.
> > > >
> > > > You should run Java 1.6.0_22 or later on both the client and server
> > > > side. That is the minimum version of Java which GlassFish 3.1
> > > > requires, partly because of the SSL security issue in earlier releases
> > > > of Java.
> > > >
> > > > GlassFish 3.1 and 3.0.1 are different in significant ways. One of
> > > > them is improved security of admin traffic which requires Java
> > > > 1.6.0_22 or later to work correctly, which 3.0.1 did not require. We
> > > > do not recommend that users set the various security properties that
> > > > might allow you to use earlier releases because that leaves your
> > > > system more vulnerable.
> > > >
> > > > - Tim
> > > >
> > > > On Mar 1, 2011, at 9:55 AM, thomas_at_randspringer.de wrote:
> > > >
> > > > > Hm,
> > > > >
> > > > > it worked with 3.0.1.
> > > > >
> > > > > After I deinstalled some packages (e.g. this cluster stuff) now GF
> > > > > at least talked to me when I added the --verbose option.
> > > > >
> > > > > First I got this error:
> > > > > http://java.net/jira/browse/GLASSFISH-12041
> > > > >
> > > > > I added the property:
> > > > > -Dsun.security.ssl.allowUnsafeRenegotiation=true
> > > > > to my domain.xml
> > > > >
> > > > > and now I get:
> > > > >
> > > > > java.lang.RuntimeException: ClientAbortException:
> > > > > java.io.IOException: SSLOutputWriter: CLOSED
> > > > > at org.glassfish.admin.rest.LazyJerseyInit.reportError(LazyJerseyInit.java:200)
> > > > > at org.glassfish.admin.rest.adapter.RestAdapter.reportError(RestAdapter.java:453)
> > > > > at org.glassfish.admin.rest.adapter.RestAdapter.service(RestAdapter.java:209)
> > > > >
> > > > > What can I now do?
> > > > > I can not simply deinstall jersey because glassfish-gui and
> > > > > glassfish-management depends on it.
> > > > >
> > > > > Thomas
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > Tom Mueller <tom.mueller_at_oracle.com> wrote on March 1, 2011 at 16:13:
> > > > >
> > > > > > I'm not sure that this is the problem, but GlassFish 3.1 running
> > > > > > with secure admin enabled requires a minimum JVM version of
> > > > > > 1.6.0_22. I see from your jvm.log file that you are running 1.6.0_20.
> > > > > >
> > > > > > There was an SSL vulnerability that was fixed in _22. When running with
> > > > > > an older VM, the behavior of start-domain --secure is that it appears to
> > > > > > hang even though the DAS actually started, because start-domain cannot
> > > > > > establish a connection to the DAS to verify that it is up.
> > > > > >
> > > > > > Tom
> > > > > >
> > > > > >
> > > > > > On 3/1/2011 6:52 AM, thomas_at_randspringer.de wrote:
> > > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > today I tried to upgrade our GF 3.0.1 to 3.1. We use it only as a
> > > > > > > servlet container for our rails-application.
> > > > > > >
> > > > > > > I upgraded via the "updatetool" (source=stable.glassfish.org).
> > > > > > >
> > > > > > > After installing the new packages I stopped the domain and I started
> > > > > > > it with the --upgrade option like suggested.
> > > > > > >
> > > > > > > However now
> > > > > > >
> > > > > > > asadmin --secure=true start-domain domain1
> > > > > > >
> > > > > > > does not come back.
> > > > > > >
> > > > > > > jvm.log and server.log are available from
> > > > > > >
> > > > > > > http://www.randspringer.de/jvm.log
> > > > > > >
> > > > > > > http://www.randspringer.de/server.log
> > > > > > >
> > > > > > > What is the problem and how can I get the glassfish
> > > > > > > running again?
> > > > > > >
> > > > > > > Thomas
> > > > > > >
> > > >
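
The certificate exchange Derek describes at the top of this thread, sketched with the JDK `keytool` as an added example that is not part of the original messages. The temp-directory stores, file names, the `changeit` password and the function names are assumptions made for the demo; a real setup would point at each domain's own `keystore.jks` and `cacerts.jks`.

```shell
#!/bin/sh
# Constructed demo: throwaway stores in a temp directory stand in for the
# keystore.jks / cacerts.jks of server1 and server2; no real domain is touched.
PASS=changeit   # assumption: demo password for every store created here

# Self-signed keypair under a per-server alias (alias-<name>).
make_server_keystore() {   # $1=work dir  $2=server name  $3=host name
  keytool -genkeypair -alias "alias-$2" -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=$3" -keystore "$1/$2-keystore.jks" \
    -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# Export the certificate of peer $2, import it into the truststore of $3.
trust_peer() {   # $1=work dir  $2=peer  $3=local  [$4=alias to store it under]
  keytool -exportcert -rfc -alias "alias-$2" -keystore "$1/$2-keystore.jks" \
    -storepass "$PASS" -file "$1/$2.pem" >/dev/null 2>&1 &&
  keytool -importcert -noprompt -alias "${4:-alias-$2}" -file "$1/$2.pem" \
    -keystore "$1/$3-cacerts.jks" -storepass "$PASS" >/dev/null 2>&1
}

# Succeeds only if the truststore of $3 has an entry named after peer $2.
is_trusted() {   # $1=work dir  $2=peer  $3=local
  [ -f "$1/$3-cacerts.jks" ] &&
  keytool -list -alias "alias-$2" -keystore "$1/$3-cacerts.jks" \
    -storepass "$PASS" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d) || return 1
  make_server_keystore "$dir" server1 server1.example.com
  make_server_keystore "$dir" server2 server2.example.com
  trust_peer "$dir" server1 server2        # server2 now trusts server1
  is_trusted "$dir" server1 server2 && echo "server2 trusts server1"
  is_trusted "$dir" server2 server1 || echo "server1 does not trust server2 yet"
  trust_peer "$dir" server2 server1        # the "vice versa" half
  is_trusted "$dir" server2 server1 && echo "server1 trusts server2"
  # Same alias for both peers: keytool refuses the second import.
  trust_peer "$dir" server1 third shared
  trust_peer "$dir" server2 third shared || echo "alias collision: import refused"
  rm -rf "$dir"
}
demo
```

The last two calls show why per-server aliases help: a truststore cannot hold two certificates under one alias, so the second import is rejected.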