Re: upgrade problem - tho...@randspringer.de - net.java.dev.glassfish.users

16 messages in net.java.dev.glassfish.usersRe: upgrade problem

From	Sent On	Attachments
tho...@randspringer.de	Mar 1, 2011 4:52 am
Tom Mueller	Mar 1, 2011 7:12 am
tho...@randspringer.de	Mar 1, 2011 7:54 am
Tim Quinn	Mar 1, 2011 8:11 am
tho...@randspringer.de	Mar 1, 2011 8:19 am
Anissa Lam	Mar 1, 2011 8:34 am
tho...@randspringer.de	Mar 2, 2011 5:15 am
tho...@randspringer.de	Mar 2, 2011 6:27 am
rjfeng	Mar 2, 2011 7:04 am
Martin Gainty	Mar 2, 2011 11:12 am
Snjezana Sevo-Zenzerovic	Mar 2, 2011 11:57 am
rjfeng	Mar 2, 2011 7:29 pm
tho...@randspringer.de	Mar 4, 2011 8:17 am
BAMOSS	Mar 4, 2011 9:12 am
tho...@randspringer.de	Mar 7, 2011 1:24 am
bam...@sceats.com	Mar 9, 2011 10:19 am

Subject:	Re: upgrade problem
From:	tho...@randspringer.de (tho...@randspringer.de)
Date:	Mar 7, 2011 1:24:15 am
List:	net.java.dev.glassfish.users

Hi,

thank you for your answer. I have two things to clarify. First I went one step back and disabled-secure-admin with asadmin --secure=true disable-secure-admin The command was successful. I stopped and restarted GF without the --secure=true option - no exceptions in
server.log. In the domain.xml I saw that the security-enabled="true" property is not longer
active. <protocol name="admin-listener"> ... Then accessed the admin-gui with http://localhost:4848. I only got an empty page and no action in the server.log. I then called https://localhost:4848 ^ and I got the "SSLOutputWriter: CLOSED" exception again. The admin-gui started to load in the browser. I have now no neither a secure admin-gui nor a unsecure admin-gui. Why do I have no access via http when I successfully called "asadmin
--secure=true disable-secure-admin"? Second point is regarding your tip. On this host I have only one GF installation. Because I played with SSL-access for our application I created a self-signed
certificate and finally got GF running on port 8181 with https. However finally we decided
not to use SSL in GF for application but to use a apache for this purpose. (We can now use standard SSL-port 443 for that.) We have: client --> apache(https) --> GF(localhost:8080) But this has nothing to do with SSL for admin-gui. The https for admin-gui I simple configured via the gui and I did not create any
certificate manually. What happens in the background when SSL is enabled for the admin-gui? Which certificates are used?

Thomas

BAMOSS <bam...@sceats.com> hat am 4. März 2011 um 18:12 geschrieben:

Hi Thomas,

We experienced this error message on GFv2.1.1 when the certificate hadn't been added to cacerts.jks. This issue occurred when there were two GF servers with self-signed certificates. We needed to add the cert from server1 to the cacerts.jks of server2 and vice versa. When using more than one server, it is useful to create unique keypair aliases for each server (eg: alias-server1 for server1.example.com). Hope this helps.

On 03/04/2011 08:17 AM, tho...@randspringer.de wrote:

Hi,

I reinstalled glassfish-full-profile (BTW, why do I need cluster-feature when I want a secured admin access?).

Now the enable-secure-admin command was available.

I did:

$>asadmin --secure=true enable-secure-admin Enter admin user name> admin Enter admin password for user "admin"> Command enable-secure-admin executed successfully.

$>asadmin --secure=true stop-domain domain1 It appears that server [localhost:4848] accepts secure connections only. Retrying the command with --secure=true... CLI306 Warning - server is not running. Command stop-domain executed successfully.

A "ps -ef | grep java" told me that it is still running. I killed the java process.

$>asadmin --secure=true start-domain domain1 Waiting for domain1 to start .................................................................... Successfully started the domain : domain1

...

Admin Port: 4848 Command start-domain executed successfully.

$>asadmin --secure=true stop-domain domain1 [ [ Version: V3 Subject: xxx Signature Algorithm: SHA1withRSA, OID = XXX

Key: Sun RSA public key, 1024 bits modulus: ...

...

] Do you trust the above certificate [y|N] -->Y Waiting for the domain to stop .... Command stop-domain executed successfully.

Now I started the domain again and tried to access the admin-gui via https.

I got a new exception:

snip

Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:131) at com.sun.jersey.api.client.Client.handle(Client.java:629) at com.sun.jersey.api.client.WebResource.handle(WebResource.java:601) at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)

snip

The full server.log is at:

http://www.randspringer.de/server.log

What I did with GF 3.0.1 was: 1. I enabled https in the admin-gui

After that, I observed that I have to do a asadmin --secure=true --user admin --passwordfile <my_password.txt> deploy my.war instead of the asadmin deploy my.war

And the start-domain, stop-domain and restart-domain command required a additionally "--secure=true" option.

Thomas

Snjezana Sevo-Zenzerovic <snje...@oracle.com> hat am 2. März 2011 um 20:57 geschrieben:

Could you try getting back to the original content of 3.1

distribution by reinstalling glassfish-full-profile package (its screen name in updatetool should be "GlassFish Full Platform")? This will bring back packages such as glassfish-cluster and glassfish-ha . glassfish-cluster package contains enable-secure-admin command Anissa mentioned.

I am not sure that will completely resolve your Admin GUI issue, but it will bring you closer to the distribution content that has been tested.

Thanks,

Snjezana

----- Original Message ----- From: tho...@randspringer.de To: use...@glassfish.java.net Sent: Wednesday, March 2, 2011 9:34:49 AM GMT -08:00 US/Canada Pacific Subject: Re: upgrade problem

Hi,

I run now

java version "1.6.0_24" Java(TM) SE Runtime Environment (build 1.6.0_24-b07) Java HotSpot(TM) 64-Bit Server VM (build 19.1-b02, mixed mode)

I removed the -Dsun.security.ssl.allowUnsafeRenegotiation=true property from domain.xml

stopped the server and startet it again.

The server started without error messages. But when I access the admin-console via https I get a lot of exceptions.

java.lang.RuntimeException: ClientAbortException: java.io.IOException: SSLOutputWriter: CLOSED at org.glassfish.admin.rest.LazyJerseyInit.reportError(LazyJerseyInit.java:200) at org.glassfish.admin.rest.adapter.RestAdapter.reportError(RestAdapter.java:453) at org.glassfish.admin.rest.adapter.RestAdapter.service(RestAdapter.java:209)

The full jvm.log and server.log is here:

http://www.randspringer.de/jvm.log http://www.randspringer.de/server.log

I see a lot of dependency errors in jvm.log. Which packages are necessary to run GF as pure servlet container.

We need it for 3 WARs:

1. our own rails-application-WAR

2. hudson WAR

3. apache-solr-WAR

pkg list

gives:

NAME (PUBLISHER) VERSION STATE UFIX felix 3.0.8-0 installed ---- glassfish-appclient 3.1-43 installed ---- glassfish-common 3.1-43 installed ---- glassfish-common-full 3.1-43 installed ---- glassfish-corba 3.1.0-27 installed ---- glassfish-corba-base 3.1.0-27 installed ---- glassfish-ejb 3.1-43 installed ---- glassfish-ejb-lite 3.1-43 installed ---- glassfish-full-incorporation 3.1-43 installed ---- glassfish-grizzly 1.9.31-1 installed ---- glassfish-grizzly-full 1.9.31-1 installed ---- glassfish-gui 3.1-43 installed ---- glassfish-hk2 3.1-43 installed ---- glassfish-jca 3.1-43 installed ---- glassfish-jcdi 3.1-43 installed ---- glassfish-jdbc 3.1-43 installed ---- glassfish-jpa 3.1-43 installed ---- glassfish-jsf 2.1.0-11 installed ---- glassfish-jta 3.1-43 installed ---- glassfish-jts 3.1-43 installed ---- glassfish-management 3.1-43 installed ---- glassfish-nucleus 3.1-43 installed ---- glassfish-registration 3.1-43 installed ---- glassfish-scripting 3.1-41 installed ---- glassfish-web 3.1-43 installed ---- glassfish-web-incorporation 3.1-43 installed ---- javadb-client 10.6.2.1-1 installed ---- javadb-common 10.6.2.1-1 installed ---- javadb-core 10.6.2.1-1 installed ---- jersey 1.5-1.0 installed ---- metro 2.1-30 installed ---- pkg 1.122.2-52.2817 installed ---- pkg-java 1.122-52.2817 installed ---- pkg-toolkit-incorporation 2.3.3-52.2817 installed ---- python2.4-minimal 2.4.4.0-52.2817 installed ---- shoal 1.5.29-0 installed ---- updatetool 2.3.3-52.2817 installed ---- wxpython2.8-minimal 2.8.10.1-52.2817 installed ----

Maybe I have to do some reinstallation or uninstallation?

Any help is appreciated.

"tho...@randspringer.de" <tho...@randspringer.de> hat am 1. März 2011 um 17:19 geschrieben:

Ok. Admin is informed. Hopefully I can report success tomorrow.

Tim Quinn <tim....@oracle.com> hat am 1. März 2011 um 17:11 geschrieben:

Hello, Thomas.

I believe that these new symptoms - as well as the ones you described earlier - are the result of the way the Java runtime has addressed the problem in the SSL protocol Tom mentioned earlier.

You should run Java 1.6.0_22 or later on both the client and server side. That is the minimum version of Java which GlassFish 3.1 requires, partly because of the SSL security issue in earlier releases of Java.

GlassFish 3.1 and 3.0.1 are different in significant ways. One of them is improved security of admin traffic which requires Java 1.6.0_22 or later to work correctly, which 3.0.1 did not require. We do not recommend that users set the various security properties that might allow you to use earlier releases because that leaves your system more vulnerable.

On Mar 1, 2011, at 9:55 AM, tho...@randspringer.de wrote:

Hm,

it worked with 3.0.1.

After I deinstalled some packagages(e.g. this cluster stuff) now GF at least talked to me when I added the --verbose option.

First I got this error: http://java.net/jira/browse/GLASSFISH-12041

I added the property: -Dsun.security.ssl.allowUnsafeRenegotiation=true to my domain.xml

and now I get:

java.lang.RuntimeException: ClientAbortException: java.io.IOException: SSLOutputWriter: CLOSED at org

.glassfish.admin.rest.LazyJerseyInit.reportError(LazyJerseyInit.java:

200) at org .glassfish .admin.rest.adapter.RestAdapter.reportError(RestAdapter.java:453) at org

.glassfish.admin.rest.adapter.RestAdapter.service(RestAdapter.java:

209)

What can I now do? I can not simply deinstall jersey because glassfish-gui and glassfish-management depends on it.

Thomas

Tom Mueller <tom....@oracle.com> hat am 1. März 2011 um 16:13 geschrieben:

I'm not sure that this is the problem, but GlassFish 3.1 running in with secure admin enabled requires a minimum JVM version of

1.6.0_22. I

see

from your jvm.log file that you are running 1.6.0_20.

There was an SSL vulnerability that was fixed in _22. When running with an older VM, the behavior of start-domain --secure is that it appears to hang even though the DAS actually started, because start-domain cannot establish a connection to the DAS to verify that it is up.

On 3/1/2011 6:52 AM, tho...@randspringer.de wrote:

Hi,

today I tried to upgrade our GF 3.0.1 to 3.1. We use it only as an servlet container for our rails-application.

I upgraded via the "updatetool" (source=stable.glassfish.org).

After installing the new packages I stopped the domain and I started it with the --upgrade option like suggested.

However now

asadmin --secure=true start-domain domain1

does not come back.

jvm.log and server.log are available from

http://www.randspringer.de/jvm.log

http://www.randspringer.de/server.log

What is the problem and how can I get the glassfish running again?

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets