users@glassfish.java.net

Re: upgrade problem

From: <thomas_at_randspringer.de>
Date: Mon, 7 Mar 2011 10:24:38 +0100 (CET)

Hi,


thank you for your answer.
 
I have two things to clarify.
 
First I went one step back and disabled secure admin with
 
asadmin --secure=true disable-secure-admin
 
The command was successful.
I stopped and restarted GF without the --secure=true option - no exceptions in server.log.
In the domain.xml I saw that the security-enabled="true" property is no longer active.
 
<protocol  name="admin-listener">
...
 
Then accessed the admin-gui with http://localhost:4848.
I only got an empty page and no action in the server.log.
I then called https://localhost:4848
                  ^
and I got the "SSLOutputWriter: CLOSED" exception again.
The admin-gui started to load in the browser.
 
I now have neither a secure admin-gui nor an unsecure admin-gui.
Why do I have no access via http when I successfully called "asadmin --secure=true disable-secure-admin"?
 
Second point is regarding your tip.
On this host I have only one GF installation.
Because I played with SSL access for our application, I created a self-signed certificate
and finally got GF running on port 8181 with https. However, we finally decided not to
use SSL in GF for the application but to use an Apache for this purpose.
(We can now use standard SSL-port 443 for that.)
We have: client --> apache(https) --> GF(localhost:8080)
But this has nothing to do with SSL for admin-gui.
The https for admin-gui I simply configured via the gui and I did not create any certificate manually.
 
What happens in the background when SSL is enabled for the admin-gui?
Which certificates are used?

Thomas
 

BAMOSS <bamoss_at_sceats.com> wrote on 4 March 2011 at 18:12:

> Hi Thomas,
>
> We experienced this error message on GFv2.1.1 when the certificate
> hadn't been added to cacerts.jks.  This issue occurred when there were
> two GF servers with self-signed certificates.  We needed to add the cert
> from server1 to the cacerts.jks of server2 and vice versa.  When using
> more than one server, it is useful to create unique keypair aliases for
> each server (eg: alias-server1 for server1.example.com).  Hope this helps.
>
> Derek
>
>
>
> On 03/04/2011 08:17 AM, thomas_at_randspringer.de wrote:
> >
> > Hi,
> >
> >
> > I reinstalled glassfish-full-profile (BTW, why do I need
> > cluster-feature when I want a secured admin access?).
> >
> > Now the enable-secure-admin command was available.
> >
> > I did:
> >
> > $>asadmin --secure=true enable-secure-admin
> > Enter admin user name>  admin
> > Enter admin password for user "admin">
> > Command enable-secure-admin executed successfully.
> >
> > $>asadmin --secure=true stop-domain domain1
> > It appears that server [localhost:4848] accepts secure connections only.
> > Retrying the command with --secure=true...
> > CLI306 Warning - server is not running.
> > Command stop-domain executed successfully.
> >
> > A "ps -ef | grep java" told me that it is still running. I killed the
> > java process.
> >
> > $>asadmin --secure=true start-domain domain1
> > Waiting for domain1 to start
> > ....................................................................
> > Successfully started the domain : domain1
> >
> > ...
> >
> > ...
> >
> > Admin Port: 4848
> > Command start-domain executed successfully.
> >
> > $>asadmin --secure=true stop-domain domain1
> > [
> > [
> >   Version: V3
> >   Subject: xxx
> >   Signature Algorithm: SHA1withRSA, OID = XXX
> >
> >   Key:  Sun RSA public key, 1024 bits
> >   modulus:
> > ...
> >
> > ...
> >
> > ]
> > Do you trust the above certificate [y|N] -->Y
> > Waiting for the domain to stop ....
> > Command stop-domain executed successfully.
> >
> >
> > Now I started the domain again and tried to access the admin-gui via
> > https.
> >
> > I got a new exception:
> >
> > >snip
> > Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >         at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:131)
> >         at com.sun.jersey.api.client.Client.handle(Client.java:629)
> >         at com.sun.jersey.api.client.WebResource.handle(WebResource.java:601)
> >         at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
> >
> > >snip
> >
> > The full server.log is at:
> >
> >  http://www.randspringer.de/server.log
> >
> > What I did with GF 3.0.1 was:
> > 1. I enabled https in the admin-gui
> >
> > After that, I observed that I have to do a
> >  asadmin --secure=true --user admin --passwordfile <my_password.txt> deploy my.war
> > instead of the
> >  asadmin deploy my.war
> >
> > And the start-domain, stop-domain and restart-domain commands required
> > an additional "--secure=true" option.
> >
> > Thomas
> >
> >
> >
> > Snjezana Sevo-Zenzerovic <snjezana.sevozenzerovic_at_oracle.com> wrote on
> > 2 March 2011 at 20:57:
> >
> > >
> > >
> > > Could you try getting back to the original content of 3.1
> > > distribution by reinstalling glassfish-full-profile package (its
> > > screen name in updatetool should be "GlassFish Full Platform")? This
> > > will bring back packages such as glassfish-cluster and glassfish-ha.
> > > glassfish-cluster package contains enable-secure-admin command Anissa
> > > mentioned.
> > >
> > > I am not sure that will completely resolve your Admin GUI issue, but
> > > it will bring you closer to the distribution content that has been tested.
> > >
> > > Thanks,
> > >
> > > Snjezana
> > >
> > > ----- Original Message -----
> > > From: thomas_at_randspringer.de
> > > To: users_at_glassfish.java.net
> > > Sent: Wednesday, March 2, 2011 9:34:49 AM GMT -08:00 US/Canada Pacific
> > > Subject: Re: upgrade problem
> > >
> > >
> > >
> > >
> > > Hi,
> > >
> > >
> > >
> > >
> > > I run now
> > >
> > >
> > >
> > >
> > > java version "1.6.0_24"
> > > Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
> > > Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)
> > >
> > >
> > >
> > > I removed the -Dsun.security.ssl.allowUnsafeRenegotiation=true
> > > property from domain.xml
> > >
> > > stopped the server and started it again.
> > >
> > >
> > >
> > > The server started without error messages. But when I access the
> > > admin-console via https I get a lot of exceptions.
> > >
> > >
> > >
> > >
> > > [#|2011-03-02T13:28:34.149+0100|SEVERE|glassfish3.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=24;_ThreadName=Thread-1;|service exception
> > > java.lang.RuntimeException: ClientAbortException: java.io.IOException: SSLOutputWriter: CLOSED
> > > at org.glassfish.admin.rest.LazyJerseyInit.reportError(LazyJerseyInit.java:200)
> > > at org.glassfish.admin.rest.adapter.RestAdapter.reportError(RestAdapter.java:453)
> > > at org.glassfish.admin.rest.adapter.RestAdapter.service(RestAdapter.java:209)
> > >
> > >
> > >
> > > The full jvm.log and server.log is here:
> > >
> > >
> > >
> > > http://www.randspringer.de/jvm.log
> > > http://www.randspringer.de/server.log
> > >
> > >
> > >
> > > I see a lot of dependency errors in jvm.log. Which packages are
> > > necessary to run GF as a pure servlet container?
> > >
> > > We need it for 3 WARs:
> > >
> > > 1. our own rails-application-WAR
> > >
> > > 2. hudson WAR
> > >
> > > 3. apache-solr-WAR
> > >
> > >
> > >
> > >
> > >
> > > pkg list
> > >
> > > gives:
> > >
> > >
> > >
> > > NAME (PUBLISHER) VERSION STATE UFIX
> > > felix 3.0.8-0 installed ----
> > > glassfish-appclient 3.1-43 installed ----
> > > glassfish-common 3.1-43 installed ----
> > > glassfish-common-full 3.1-43 installed ----
> > > glassfish-corba 3.1.0-27 installed ----
> > > glassfish-corba-base 3.1.0-27 installed ----
> > > glassfish-ejb 3.1-43 installed ----
> > > glassfish-ejb-lite 3.1-43 installed ----
> > > glassfish-full-incorporation 3.1-43 installed ----
> > > glassfish-grizzly 1.9.31-1 installed ----
> > > glassfish-grizzly-full 1.9.31-1 installed ----
> > > glassfish-gui 3.1-43 installed ----
> > > glassfish-hk2 3.1-43 installed ----
> > > glassfish-jca 3.1-43 installed ----
> > > glassfish-jcdi 3.1-43 installed ----
> > > glassfish-jdbc 3.1-43 installed ----
> > > glassfish-jpa 3.1-43 installed ----
> > > glassfish-jsf 2.1.0-11 installed ----
> > > glassfish-jta 3.1-43 installed ----
> > > glassfish-jts 3.1-43 installed ----
> > > glassfish-management 3.1-43 installed ----
> > > glassfish-nucleus 3.1-43 installed ----
> > > glassfish-registration 3.1-43 installed ----
> > > glassfish-scripting 3.1-41 installed ----
> > > glassfish-web 3.1-43 installed ----
> > > glassfish-web-incorporation 3.1-43 installed ----
> > > javadb-client 10.6.2.1-1 installed ----
> > > javadb-common 10.6.2.1-1 installed ----
> > > javadb-core 10.6.2.1-1 installed ----
> > > jersey 1.5-1.0 installed ----
> > > metro 2.1-30 installed ----
> > > pkg 1.122.2-52.2817 installed ----
> > > pkg-java 1.122-52.2817 installed ----
> > > pkg-toolkit-incorporation 2.3.3-52.2817 installed ----
> > > python2.4-minimal 2.4.4.0-52.2817 installed ----
> > > shoal 1.5.29-0 installed ----
> > > updatetool 2.3.3-52.2817 installed ----
> > > wxpython2.8-minimal 2.8.10.1-52.2817 installed ----
> > >
> > >
> > >
> > > Maybe I have to do some reinstallation or uninstallation?
> > >
> > >
> > >
> > > Any help is appreciated.
> > >
> > >
> > >
> > > Thomas
> > >
> > >
> > >
> > >
> > > "thomas_at_randspringer.de" <thomas_at_randspringer.de> wrote on 1 March
> > > 2011 at 17:19:
> > >
> > > > Ok. Admin is informed. Hopefully I can report success tomorrow.
> > > >
> > > >
> > > > Thomas
> > > >
> > > >
> > > >
> > > >
> > > > Tim Quinn <tim.quinn_at_oracle.com> wrote on 1 March 2011 at 17:11:
> > > >
> > > > > Hello, Thomas.
> > > > >
> > > > > I believe that these new symptoms - as well as the ones you described
> > > > > earlier - are the result of the way the Java runtime has addressed the
> > > > > problem in the SSL protocol Tom mentioned earlier.
> > > > >
> > > > > You should run Java 1.6.0_22 or later on both the client and server
> > > > > side. That is the minimum version of Java which GlassFish 3.1
> > > > > requires, partly because of the SSL security issue in earlier releases
> > > > > of Java.
> > > > >
> > > > > GlassFish 3.1 and 3.0.1 are different in significant ways. One of
> > > > > them is improved security of admin traffic which requires Java
> > > > > 1.6.0_22 or later to work correctly, which 3.0.1 did not require. We
> > > > > do not recommend that users set the various security properties that
> > > > > might allow you to use earlier releases because that leaves your
> > > > > system more vulnerable.
> > > > >
> > > > > - Tim
> > > > >
> > > > > On Mar 1, 2011, at 9:55 AM, thomas_at_randspringer.de wrote:
> > > > >
> > > > > > Hm,
> > > > > >
> > > > > > it worked with 3.0.1.
> > > > > >
> > > > > > After I deinstalled some packages (e.g. this cluster stuff) now GF
> > > > > > at least talked to me when I added the --verbose option.
> > > > > >
> > > > > > First I got this error:
> > > > > > http://java.net/jira/browse/GLASSFISH-12041
> > > > > >
> > > > > > I added the property:
> > > > > > -Dsun.security.ssl.allowUnsafeRenegotiation=true
> > > > > > to my domain.xml
> > > > > >
> > > > > > and now I get:
> > > > > >
> > > > > > java.lang.RuntimeException: ClientAbortException:
> > > > > > java.io.IOException: SSLOutputWriter: CLOSED
> > > > > > at org.glassfish.admin.rest.LazyJerseyInit.reportError(LazyJerseyInit.java:200)
> > > > > > at org.glassfish.admin.rest.adapter.RestAdapter.reportError(RestAdapter.java:453)
> > > > > > at org.glassfish.admin.rest.adapter.RestAdapter.service(RestAdapter.java:209)
> > > > > >
> > > > > > What can I now do?
> > > > > > I can not simply deinstall jersey because glassfish-gui and
> > > > > > glassfish-management depend on it.
> > > > > >
> > > > > > Thomas
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > Tom Mueller <tom.mueller_at_oracle.com> wrote on 1 March 2011 at 16:13:
> > > > > >
> > > > > > > I'm not sure that this is the problem, but GlassFish 3.1 running with
> > > > > > > secure admin enabled requires a minimum JVM version of 1.6.0_22. I see
> > > > > > > from your jvm.log file that you are running 1.6.0_20.
> > > > > > >
> > > > > > > There was an SSL vulnerability that was fixed in _22. When running with
> > > > > > > an older VM, the behavior of start-domain --secure is that it appears to
> > > > > > > hang even though the DAS actually started, because start-domain cannot
> > > > > > > establish a connection to the DAS to verify that it is up.
> > > > > > >
> > > > > > > Tom
> > > > > > >
> > > > > > >
> > > > > > > On 3/1/2011 6:52 AM, thomas_at_randspringer.de wrote:
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > today I tried to upgrade our GF 3.0.1 to 3.1. We use it only as a
> > > > > > > > servlet container for our rails-application.
> > > > > > > >
> > > > > > > > I upgraded via the "updatetool" (source=stable.glassfish.org).
> > > > > > > >
> > > > > > > > After installing the new packages I stopped the domain and I started
> > > > > > > > it with the --upgrade option like suggested.
> > > > > > > >
> > > > > > > > However now
> > > > > > > >
> > > > > > > > asadmin --secure=true start-domain domain1
> > > > > > > >
> > > > > > > > does not come back.
> > > > > > > >
> > > > > > > > jvm.log and server.log are available from
> > > > > > > >
> > > > > > > > http://www.randspringer.de/jvm.log
> > > > > > > >
> > > > > > > > http://www.randspringer.de/server.log
> > > > > > > >
> > > > > > > > What is the problem and how can I get the glassfish running again?
> > > > > > > >
> > > > > > > > Thomas
> > > > > > > >
> > > > >
>
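
The three things this thread keeps coming back to (the Java 1.6.0_22 minimum, the allowUnsafeRenegotiation JVM option, and the security-enabled attribute on the admin-listener protocol) can be checked together before a restart. The following is an added example, not code from the thread or from the GlassFish project: the sample domain.xml is constructed and reduced to the relevant elements, the function names are hypothetical, and a missing security-enabled attribute is assumed to mean plain http.

```python
import re
import xml.etree.ElementTree as ET

MIN_JAVA = (1, 6, 0, 22)  # minimum named in the thread for GlassFish 3.1 secure admin
UNSAFE_OPT = "-Dsun.security.ssl.allowUnsafeRenegotiation=true"

# Constructed sample, reduced to the elements the thread discusses.
SAMPLE_DOMAIN_XML = """<domain>
  <configs><config name="server-config">
    <java-config>
      <jvm-options>-Xmx512m</jvm-options>
      <jvm-options>-Dsun.security.ssl.allowUnsafeRenegotiation=true</jvm-options>
    </java-config>
    <network-config><protocols>
      <protocol name="http-listener-1"><http default-virtual-server="server"/></protocol>
      <protocol name="admin-listener" security-enabled="true">
        <http default-virtual-server="__asadmin"/>
      </protocol>
    </protocols></network-config>
  </config></configs>
</domain>"""

def parse_java_version(banner):
    """Turn 'java version "1.6.0_24"' into (1, 6, 0, 24); None if unparseable."""
    m = re.search(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?', banner)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def audit(domain_xml, java_banner):
    """Return a list of findings for one domain.xml and one `java -version` line."""
    root = ET.fromstring(domain_xml)
    findings = []
    version = parse_java_version(java_banner)
    if version is None:
        findings.append("java version not recognised")
    elif version < MIN_JAVA:
        findings.append("java %d.%d.%d_%02d is older than 1.6.0_22" % version)
    for opt in root.iter("jvm-options"):
        if (opt.text or "").strip() == UNSAFE_OPT:
            findings.append("unsafe renegotiation is enabled in jvm-options")
    for proto in root.iter("protocol"):
        if proto.get("name") == "admin-listener":
            # Assumption: an absent attribute means the listener speaks plain http.
            tls = proto.get("security-enabled", "false") == "true"
            findings.append("admin-listener expects " + ("https" if tls else "http"))
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_DOMAIN_XML, 'java version "1.6.0_20"'):
        print(line)
```

A real domain.xml usually carries more than one config element, so the admin-listener line can appear once per config.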