| From | Sent On | Attachments |
|---|---|---|
| tho...@randspringer.de | Mar 1, 2011 4:52 am | |
| Tom Mueller | Mar 1, 2011 7:12 am | |
| tho...@randspringer.de | Mar 1, 2011 7:54 am | |
| Tim Quinn | Mar 1, 2011 8:11 am | |
| tho...@randspringer.de | Mar 1, 2011 8:19 am | |
| Anissa Lam | Mar 1, 2011 8:34 am | |
| tho...@randspringer.de | Mar 2, 2011 5:15 am | |
| tho...@randspringer.de | Mar 2, 2011 6:27 am | |
| rjfeng | Mar 2, 2011 7:04 am | |
| Martin Gainty | Mar 2, 2011 11:12 am | |
| Snjezana Sevo-Zenzerovic | Mar 2, 2011 11:57 am | |
| rjfeng | Mar 2, 2011 7:29 pm | |
| tho...@randspringer.de | Mar 4, 2011 8:17 am | |
| BAMOSS | Mar 4, 2011 9:12 am | |
| tho...@randspringer.de | Mar 7, 2011 1:24 am | |
| bam...@sceats.com | Mar 9, 2011 10:19 am | |

| Subject: | RE: upgrade problem | |
|---|---|---|
| From: | bam...@sceats.com (bam...@sceats.com) | |
| Date: | Mar 9, 2011 10:19:34 am | |
| List: | net.java.dev.glassfish.users | |
Hi Thomas,
I am not using GF 3.1, so am unable to address your questions, as I am not familiar with the GF 3.x UI and commands.
In reference to GF 2.1.1, a self-signed cert is generated when GF is built, and this is populated in /domains/domain1/config in the keystore.jks and cacerts.jks keystores. When I have generated a new keypair and had the cert signed, I import root, intermediary and signed certs into keystore.jks; and I import root and intermediary certs into cacerts.jks.
Sorry I can't be of more assistance.
Derek
-------- Original Message --------
Subject: Re: upgrade problem
From: "tho...@randspringer.de" <tho...@randspringer.de>
Date: Mon, March 07, 2011 2:24 am
To: use...@glassfish.java.net
Hi, thank you for your answer.
I have two things to clarify.
First I went one step back and disabled-secure-admin with
asadmin --secure=true disable-secure-admin
The command was successful. I stopped and restarted GF without the --secure=true option - no exceptions in server.log. In the domain.xml I saw that the security-enabled="true" property is no longer active.
<protocol name="admin-listener"> ...
Then accessed the admin-gui with http://localhost:4848. I only got an empty page and no action in the server.log. I then called https://localhost:4848 and I got the "SSLOutputWriter: CLOSED" exception again. The admin-gui started to load in the browser.
I now have neither a secure admin-gui nor an unsecure admin-gui. Why do I have no access via http when I successfully called "asadmin --secure=true disable-secure-admin"?
Second point is regarding your tip. On this host I have only one GF installation. Because I played with SSL-access for our application I created a self-signed certificate and finally got GF running on port 8181 with https. However finally we decided not to use SSL in GF for application but to use an apache for this purpose. (We can now use standard SSL-port 443 for that.) We have:
client --> apache(https) --> GF(localhost:8080)
But this has nothing to do with SSL for admin-gui. The https for admin-gui I simply configured via the gui and I did not create any certificate manually.
What happens in the background when SSL is enabled for the admin-gui? Which certificates are used?
Thomas
BAMOSS <bam...@sceats.com> wrote on March 4, 2011 at 18:12:
> Hi Thomas,
>
> We experienced this error message on GFv2.1.1 when the certificate
> hadn't been added to cacerts.jks. This issue occurred when there were
> two GF servers with self-signed certificates. We needed to add the cert
> from server1 to the cacerts.jks of server2 and vice versa. When using
> more than one server, it is useful to create unique keypair aliases for
> each server (eg: alias-server1 for server1.example.com). Hope this helps.
>
> Derek
>
> On 03/04/2011 08:17 AM, tho...@randspringer.de wrote:
> >
> > Hi,
> >
> > I reinstalled glassfish-full-profile (BTW, why do I need
> > cluster-feature when I want a secured admin access?).
> >
> > Now the enable-secure-admin command was available.
> >
> > I did:
> >
> > $>asadmin --secure=true enable-secure-admin
> > Enter admin user name> admin
> > Enter admin password for user "admin">
> > Command enable-secure-admin executed successfully.
> >
> > $>asadmin --secure=true stop-domain domain1
> > It appears that server [localhost:4848] accepts secure connections only.
> > Retrying the command with --secure=true...
> > CLI306 Warning - server is not running.
> > Command stop-domain executed successfully.
> >
> > A "ps -ef | grep java" told me that it is still running. I killed the
> > java process.
> >
> > $>asadmin --secure=true start-domain domain1
> > Waiting for domain1 to start
> > ....................................................................
> > Successfully started the domain : domain1
> >
> > ...
> >
> > ...
> >
> > Admin Port: 4848
> > Command start-domain executed successfully.
> >
> > $>asadmin --secure=true stop-domain domain1
> > [
> > [
> > Version: V3
> > Subject: xxx
> > Signature Algorithm: SHA1withRSA, OID = XXX
> >
> > Key: Sun RSA public key, 1024 bits
> > modulus:
> > ...
> >
> > ...
> >
> > ]
> > Do you trust the above certificate [y|N] -->Y
> > Waiting for the domain to stop ....
> > Command stop-domain executed successfully.
> >
> > Now I started the domain again and tried to access the admin-gui via
> > https.
> >
> > I got a new exception:
> >
> > >snip
> > Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:131)
> > at com.sun.jersey.api.client.Client.handle(Client.java:629)
> > at com.sun.jersey.api.client.WebResource.handle(WebResource.java:601)
> > at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
> > >snip
> >
> > The full server.log is at:
> >
> > http://www.randspringer.de/server.log
> >
> > What I did with GF 3.0.1 was:
> > 1. I enabled https in the admin-gui
> >
> > After that, I observed that I have to do a
> > asadmin --secure=true --user admin --passwordfile <my_password.txt> deploy my.war
> > instead of the
> > asadmin deploy my.war
> >
> > And the start-domain, stop-domain and restart-domain command required
> > an additional "--secure=true" option.
> >
> > Thomas
> >
> > Snjezana Sevo-Zenzerovic <snje...@oracle.com> wrote on March 2, 2011 at 20:57:
> >
> > > Could you try getting back to the original content of 3.1
> > > distribution by reinstalling glassfish-full-profile package (its
> > > screen name in updatetool should be "GlassFish Full Platform")? This
> > > will bring back packages such as glassfish-cluster and glassfish-ha.
> > > glassfish-cluster package contains enable-secure-admin command Anissa
> > > mentioned.
> > >
> > > I am not sure that will completely resolve your Admin GUI issue, but
> > > it will bring you closer to the distribution content that has been tested.
> > >
> > > Thanks,
> > >
> > > Snjezana
> > >
> > > ----- Original Message -----
> > > From: tho...@randspringer.de
> > > To: use...@glassfish.java.net
> > > Sent: Wednesday, March 2, 2011 9:34:49 AM GMT -08:00 US/Canada Pacific
> > > Subject: Re: upgrade problem
> > >
> > > Hi,
> > >
> > > I run now
> > >
> > > java version "1.6.0_24"
> > > Java(TM) SE Runtime Environment (build 1.6.0_24-b07)
> > > Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)
> > >
> > > I removed the -Dsun.security.ssl.allowUnsafeRenegotiation=true
> > > property from domain.xml
> > >
> > > stopped the server and started it again.
> > >
> > > The server started without error messages. But when I access the
> > > admin-console via https I get a lot of exceptions.
> > >
> > > [#|2011-03-02T13:28:34.149+0100|SEVERE|glassfish3.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=24;_ThreadName=Thread-1;|service exception
> > > java.lang.RuntimeException: ClientAbortException: java.io.IOException: SSLOutputWriter: CLOSED
> > > at org.glassfish.admin.rest.LazyJerseyInit.reportError(LazyJerseyInit.java:200)
> > > at org.glassfish.admin.rest.adapter.RestAdapter.reportError(RestAdapter.java:453)
> > > at org.glassfish.admin.rest.adapter.RestAdapter.service(RestAdapter.java:209)
> > >
> > > The full jvm.log and server.log is here:
> > >
> > > http://www.randspringer.de/jvm.log
> > > http://www.randspringer.de/server.log
> > >
> > > I see a lot of dependency errors in jvm.log. Which packages are
> > > necessary to run GF as pure servlet container.
> > >
> > > We need it for 3 WARs:
> > >
> > > 1. our own rails-application-WAR
> > >
> > > 2. hudson WAR
> > >
> > > 3. apache-solr-WAR
> > >
> > > pkg list
> > >
> > > gives:
> > >
> > > NAME (PUBLISHER)              VERSION          STATE     UFIX
> > > felix                         3.0.8-0          installed ----
> > > glassfish-appclient           3.1-43           installed ----
> > > glassfish-common              3.1-43           installed ----
> > > glassfish-common-full         3.1-43           installed ----
> > > glassfish-corba               3.1.0-27         installed ----
> > > glassfish-corba-base          3.1.0-27         installed ----
> > > glassfish-ejb                 3.1-43           installed ----
> > > glassfish-ejb-lite            3.1-43           installed ----
> > > glassfish-full-incorporation  3.1-43           installed ----
> > > glassfish-grizzly             1.9.31-1         installed ----
> > > glassfish-grizzly-full        1.9.31-1         installed ----
> > > glassfish-gui                 3.1-43           installed ----
> > > glassfish-hk2                 3.1-43           installed ----
> > > glassfish-jca                 3.1-43           installed ----
> > > glassfish-jcdi                3.1-43           installed ----
> > > glassfish-jdbc                3.1-43           installed ----
> > > glassfish-jpa                 3.1-43           installed ----
> > > glassfish-jsf                 2.1.0-11         installed ----
> > > glassfish-jta                 3.1-43           installed ----
> > > glassfish-jts                 3.1-43           installed ----
> > > glassfish-management          3.1-43           installed ----
> > > glassfish-nucleus             3.1-43           installed ----
> > > glassfish-registration        3.1-43           installed ----
> > > glassfish-scripting           3.1-41           installed ----
> > > glassfish-web                 3.1-43           installed ----
> > > glassfish-web-incorporation   3.1-43           installed ----
> > > javadb-client                 10.6.2.1-1       installed ----
> > > javadb-common                 10.6.2.1-1       installed ----
> > > javadb-core                   10.6.2.1-1       installed ----
> > > jersey                        1.5-1.0          installed ----
> > > metro                         2.1-30           installed ----
> > > pkg                           1.122.2-52.2817  installed ----
> > > pkg-java                      1.122-52.2817    installed ----
> > > pkg-toolkit-incorporation     2.3.3-52.2817    installed ----
> > > python2.4-minimal             2.4.4.0-52.2817  installed ----
> > > shoal                         1.5.29-0         installed ----
> > > updatetool                    2.3.3-52.2817    installed ----
> > > wxpython2.8-minimal           2.8.10.1-52.2817 installed ----
> > >
> > > Maybe I have to do some reinstallation or uninstallation?
> > >
> > > Any help is appreciated.
> > >
> > > Thomas
> > >
> > > "tho...@randspringer.de" <tho...@randspringer.de> wrote on March 1, 2011 at 17:19:
> > >
> > > > Ok. Admin is informed. Hopefully I can report success tomorrow.
> > > >
> > > > Thomas
> > > >
> > > > Tim Quinn <tim....@oracle.com> wrote on March 1, 2011 at 17:11:
> > > >
> > > > > Hello, Thomas.
> > > > >
> > > > > I believe that these new symptoms - as well as the ones you described
> > > > > earlier - are the result of the way the Java runtime has addressed the
> > > > > problem in the SSL protocol Tom mentioned earlier.
> > > > >
> > > > > You should run Java 1.6.0_22 or later on both the client and server
> > > > > side. That is the minimum version of Java which GlassFish 3.1
> > > > > requires, partly because of the SSL security issue in earlier releases
> > > > > of Java.
> > > > >
> > > > > GlassFish 3.1 and 3.0.1 are different in significant ways. One of
> > > > > them is improved security of admin traffic which requires Java
> > > > > 1.6.0_22 or later to work correctly, which 3.0.1 did not require. We
> > > > > do not recommend that users set the various security properties that
> > > > > might allow you to use earlier releases because that leaves your
> > > > > system more vulnerable.
> > > > >
> > > > > - Tim
> > > > >
> > > > > On Mar 1, 2011, at 9:55 AM, tho...@randspringer.de wrote:
> > > > >
> > > > > > Hm,
> > > > > >
> > > > > > it worked with 3.0.1.
> > > > > >
> > > > > > After I deinstalled some packages (e.g. this cluster stuff) now GF
> > > > > > at least talked to me when I added the --verbose option.
> > > > > >
> > > > > > First I got this error:
> > > > > > http://java.net/jira/browse/GLASSFISH-12041
> > > > > >
> > > > > > I added the property:
> > > > > > -Dsun.security.ssl.allowUnsafeRenegotiation=true
> > > > > > to my domain.xml
> > > > > >
> > > > > > and now I get:
> > > > > >
> > > > > > java.lang.RuntimeException: ClientAbortException: java.io.IOException: SSLOutputWriter: CLOSED
> > > > > > at org.glassfish.admin.rest.LazyJerseyInit.reportError(LazyJerseyInit.java:200)
> > > > > > at org.glassfish.admin.rest.adapter.RestAdapter.reportError(RestAdapter.java:453)
> > > > > > at org.glassfish.admin.rest.adapter.RestAdapter.service(RestAdapter.java:209)
> > > > > >
> > > > > > What can I now do?
> > > > > > I can not simply deinstall jersey because glassfish-gui and
> > > > > > glassfish-management depends on it.
> > > > > >
> > > > > > Thomas
> > > > > >
> > > > > > Tom Mueller <tom....@oracle.com> wrote on March 1, 2011 at 16:13:
> > > > > >
> > > > > > > I'm not sure that this is the problem, but GlassFish 3.1 running
> > > > > > > with secure admin enabled requires a minimum JVM version of
> > > > > > > 1.6.0_22. I see from your jvm.log file that you are running 1.6.0_20.
> > > > > > >
> > > > > > > There was an SSL vulnerability that was fixed in _22. When running
> > > > > > > with an older VM, the behavior of start-domain --secure is that it
> > > > > > > appears to hang even though the DAS actually started, because
> > > > > > > start-domain cannot establish a connection to the DAS to verify
> > > > > > > that it is up.
> > > > > > >
> > > > > > > Tom
> > > > > > >
> > > > > > > On 3/1/2011 6:52 AM, tho...@randspringer.de wrote:
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > today I tried to upgrade our GF 3.0.1 to 3.1. We use it only as a
> > > > > > > > servlet container for our rails-application.
> > > > > > > >
> > > > > > > > I upgraded via the "updatetool" (source=stable.glassfish.org).
> > > > > > > >
> > > > > > > > After installing the new packages I stopped the domain and I
> > > > > > > > started it with the --upgrade option like suggested.
> > > > > > > >
> > > > > > > > However now
> > > > > > > >
> > > > > > > > asadmin --secure=true start-domain domain1
> > > > > > > >
> > > > > > > > does not come back.
> > > > > > > >
> > > > > > > > jvm.log and server.log are available from
> > > > > > > >
> > > > > > > > http://www.randspringer.de/jvm.log
> > > > > > > >
> > > > > > > > http://www.randspringer.de/server.log
> > > > > > > >
> > > > > > > > What is the problem and how can I get the glassfish running again?
> > > > > > > >
> > > > > > > > Thomas
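Added example, not part of the thread or of GlassFish: a shell check for the situation Derek describes, a key entry in keystore.jks whose certificates were never imported into cacerts.jks. The entries admin-selfsigned and example-root and the shortened fingerprints are constructed sample data, and the parsing assumes keytool's English `-list -v` output.

```sh
#!/bin/sh
# Added example: report key entries in keystore.jks whose certificates are
# missing from cacerts.jks, using SHA1 fingerprints from `keytool -list -v`.

# Verbose listing in English. $1 = keystore path, $2 = store password.
list_store() {
  keytool -J-Duser.language=en -list -v -keystore "$1" -storepass "$2"
}

# stdin: listing text; stdout: "alias entry-type sha1", one line per certificate.
# Assumption: aliases contain no spaces.
fingerprints() {
  awk '/^Alias name:/ { alias = $3 }
       /^Entry type:/ { type = $3 }
       $1 == "SHA1:"  { print alias, type, $2 }'
}

# $1 = keystore listing file, $2 = truststore listing file.
# Prints every PrivateKeyEntry alias with no chain certificate in the truststore.
untrusted_key_aliases() {
  trusted=$(fingerprints < "$2" | awk '{ print $3 }' | tr '\n' ' ')
  fingerprints < "$1" | awk -v trusted="$trusted" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    $2 == "PrivateKeyEntry" { seen[$1] = 1; if ($3 in ok) hit[$1] = 1 }
    END { for (a in seen) if (!(a in hit)) print a }' | sort
}

# Constructed sample listings (fingerprints shortened), standing in for
#   list_store keystore.jks "$PW" > keystore.txt, and likewise for cacerts.jks.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/keystore.txt" <<'EOF'
Alias name: alias-server1
Entry type: PrivateKeyEntry
Certificate[1]:
  SHA1: 11:11:11:11
Certificate[2]:
  SHA1: 22:22:22:22
Alias name: admin-selfsigned
Entry type: PrivateKeyEntry
Certificate[1]:
  SHA1: 33:33:33:33
EOF
cat > "$demo/cacerts.txt" <<'EOF'
Alias name: example-root
Entry type: trustedCertEntry
  SHA1: 22:22:22:22
EOF

untrusted_key_aliases "$demo/keystore.txt" "$demo/cacerts.txt"
```

An alias printed here is a candidate for the import into cacerts.jks that Derek describes; on a two-server setup, run the same comparison with the other server's keystore listing against this server's truststore listing.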





