Error after adding in failover DB in ServiceBus - servicebus

We were testing, in our test Service Bus, adding the failover DB instance to the Service Bus connection string. After successfully following the steps below, we encounter the error "Security token service finished processing a request with failure" in the event logs almost every minute.
I have had a case open with Microsoft for 3 weeks and they seem unable to find the root cause. Has anyone here seen a similar token service error?
Why would the connection string be going to localhost -> https://localhost:9355/ServiceBusDefaultNamespace/$STS/OAuth/ ?
Steps to add in DB failover string:
1. Execute the Get-SBFarm cmdlet to collect information about your current configuration: certificate thumbprints, connection strings, RunAsAccount, MessageBrokerPort, etc. You will need that info in step 3.
2. Remove all nodes from the Service Bus Farm
3. On one of the farm nodes, Restore the SBFarm using the new Connection string. As an example, let’s imagine that we need to modify SB connection string to add “Failover Partner” attribute. The cmdlet would be like below:
Restore-SBFarm -FarmCertificateThumbprint F91C37410FBE53B92E1B24FAC7A0D82EA4391B81 `
    -GatewayDBConnectionString "Data Source=<SQL Server>;Failover Partner=<SQL Mirroring Server>;Initial Catalog=SbGatewayDatabase;Integrated Security=True;Encrypt=False" `
    -SBFarmDBConnectionString "Data Source=<SQL Server>;Failover Partner=<SQL Mirroring Server>;Initial Catalog=SbManagementDBNew;Integrated Security=True;Encrypt=False" `
    -EncryptionCertificateThumbprint 91C37410FBE53B92E1B24FAC7A0D82EA4391B81 `
    -RunAsAccount <YourAccount> -MessageBrokerPort <MessageBrokerPort> -HttpsPort <HttpsPort> -TcpPort <TcpPort>
Note: The Restore-SBFarm cmdlet creates a new Service Bus for Windows Server farm database (SbManagementDBNew). You can delete the old Service Bus for Windows Server farm database. Once the above cmdlet is executed, the following two connection strings will have been changed: GatewayDBConnectionString and SBFarmDBConnectionString.
4. On all new farm nodes, run Add-SBHost:
$secure_string_pwd = ConvertTo-SecureString "<Your Password>" -AsPlainText -Force
Add-SBHost -SBFarmDBConnectionString "Data Source=<SQL Server>;Failover Partner=<SQL Mirroring Server>;Initial Catalog=SbManagementDBNew;Integrated Security=True;Encrypt=False" -RunAsPassword $secure_string_pwd -EnableFirewallRules $true
5. Call the Stop-SBFarm cmdlet to stop all Service Bus for Windows Server services on all hosts, that’s a prerequisite for next step.
6. Restore the message containers. This step is required to modify the connection string of the message containers. Remember that you can have more than one (for more information, see the Get-SBMessageContainer cmdlet).
Restore-SBMessageContainer -Id 1 -ContainerDBConnectionString "Data Source=<SQL Server>;Failover Partner=<SQL Mirroring Server>;Initial Catalog=SBMessageContainer01;Integrated Security=True;Encrypt=False"
7. Call the Start-SBFarm cmdlet to start all Service Bus for Windows Server services on all hosts.
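The seven steps above as one script, written here as an added example (it is not code from the original post or from Microsoft). It drives the same cmdlets the post names, but builds each connection string with System.Data.SqlClient.SqlConnectionStringBuilder instead of retyping it, so the Failover Partner keyword is added and everything else in the existing string (Data Source, Integrated Security, the Encrypt setting) is carried over unchanged, and it iterates Get-SBMessageContainer rather than assuming container Id 1. Assumed, because the post does not show them: the Get-SBFarm output properties FarmCertificate.Thumbprint, EncryptionCertificate.Thumbprint, GatewayDBConnectionString, SBFarmDBConnectionString, RunAsAccount, MessageBrokerPort, HttpsPort and TcpPort, and the Id and ConnectionString properties of Get-SBMessageContainer. The script is run twice on one farm node: the first run saves the farm settings (step 1) and stops so that Remove-SBHost can be run on every node (step 2); the second run performs steps 3 to 7.

```powershell
# Added example, not code from the original post. Assumed property names are
# listed in the lead-in. Run as the farm administrator on one farm node.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$FailoverPartner,     # the SQL mirroring server
    [Parameter(Mandatory)][string]$NewFarmDbName,       # e.g. SbManagementDBNew
    [Parameter(Mandatory)][securestring]$RunAsPassword, # password of the RunAs account
    [string]$StatePath = "$env:TEMP\sbfarm-before-restore.xml"
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Rewrite one SQL connection string. SqlConnectionStringBuilder tokenises the
# existing string, so 'Failover Partner' is added (or replaced) and every other
# keyword, including Encrypt=, is emitted again exactly as it was.
function Add-FailoverPartner {
    param([string]$ConnectionString, [string]$Partner, [string]$Database)
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder($ConnectionString)
    $b['Failover Partner'] = $Partner
    if ($Database) { $b['Initial Catalog'] = $Database }
    if (-not $b.Encrypt) {
        # The strings in the post use Encrypt=False; flag it, since the farm now
        # talks to two SQL hosts in clear text.
        Write-Warning "$($b.InitialCatalog): Encrypt=False, SQL traffic to both partners is unencrypted"
    }
    return $b.ConnectionString
}

if (-not (Test-Path -LiteralPath $StatePath)) {
    # Step 1: record everything Restore-SBFarm needs *before* any node is removed.
    $farm = Get-SBFarm
    @{
        FarmThumbprint       = $farm.FarmCertificate.Thumbprint        # assumed property
        EncryptionThumbprint = $farm.EncryptionCertificate.Thumbprint  # assumed property
        GatewayCs            = $farm.GatewayDBConnectionString
        FarmCs               = $farm.SBFarmDBConnectionString
        RunAsAccount         = $farm.RunAsAccount
        MessageBrokerPort    = $farm.MessageBrokerPort
        HttpsPort            = $farm.HttpsPort
        TcpPort              = $farm.TcpPort
    } | Export-Clixml -Path $StatePath
    Write-Host "Saved farm settings to $StatePath."
    Write-Host "Step 2: run Remove-SBHost on every farm node, then run this script again."
    return
}

$s = Import-Clixml -Path $StatePath
$gatewayCs = Add-FailoverPartner $s.GatewayCs $FailoverPartner
$farmCs    = Add-FailoverPartner $s.FarmCs    $FailoverPartner $NewFarmDbName

# Step 3: recreate the farm database under the new name with the rewritten strings.
Restore-SBFarm -FarmCertificateThumbprint $s.FarmThumbprint `
    -EncryptionCertificateThumbprint $s.EncryptionThumbprint `
    -GatewayDBConnectionString $gatewayCs -SBFarmDBConnectionString $farmCs `
    -RunAsAccount $s.RunAsAccount -MessageBrokerPort $s.MessageBrokerPort `
    -HttpsPort $s.HttpsPort -TcpPort $s.TcpPort

# Step 4: join this node. Run the same Add-SBHost line on every other node.
Add-SBHost -SBFarmDBConnectionString $farmCs -RunAsPassword $RunAsPassword -EnableFirewallRules $true

# Steps 5 to 7: the farm must be stopped while each container's string is rewritten.
Stop-SBFarm
foreach ($container in Get-SBMessageContainer) {
    $cs = Add-FailoverPartner $container.ConnectionString $FailoverPartner  # assumed property
    Restore-SBMessageContainer -Id $container.Id -ContainerDBConnectionString $cs
}
Start-SBFarm
```

Keeping the saved settings file outside the farm database matters because Restore-SBFarm is run after every node has been removed, when Get-SBFarm can no longer be queried for the ports and thumbprints; the warning on Encrypt=False is informational only and the script does not change that setting.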
Error after updating the connection string for the failover DB:
Security token service finished processing a request with failure. TrackingId: dff19ba2-f023-42fc-9cdd-150cd2d21f47_GCE-MAS-0021, Absolute Uri: https://localhost:9355/ServiceBusDefaultNamespace/$STS/OAuth/, Message: System.FormatException: Cannot resolve a namespace for scope: https://localhost:9355/ServiceBusDefaultNamespace.
at Microsoft.Cloud.ServiceBus.Security.OAuthAuthenticationRequest.Parse(Message message, Int32 maxArrayLength)
at Microsoft.Cloud.ServiceBus.Security.SecurityTokenServiceProtocolHandler.GetTokenAsyncResult.ParseAuthenticationRequest(Message requestMessage, Int32 maxArrayLength)
at Microsoft.Cloud.ServiceBus.Security.SecurityTokenServiceProtocolHandler.GetTokenAsyncResult.<GetAsyncSteps>d__2c.MoveNext()
at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.EnumerateSteps(CurrentThreadType state)
at Microsoft.ServiceBus.Messaging.IteratorAsyncResult`1.Start()

Related

Websphere application server LDAP connection pool

We are using WebSphere Application Server 8.5.0.0. We have a requirement where we have to query an LDAP server to get the customer details. I tried to configure the connection pool as described here and here.
I passed the below JVM arguments
-Dcom.sun.jndi.ldap.connect.pool.maxsize=5
-Dcom.sun.jndi.ldap.connect.pool.timeout=60000
-Dcom.sun.jndi.ldap.connect.pool.debug=all
Below is a sample code snippet:
import java.util.Hashtable;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<String, String>();
...
...
env.put("com.sun.jndi.ldap.connect.pool", "true");    // take the connection from the JNDI LDAP pool
env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // also bounds the wait for a free pooled connection
InitialDirContext c = new InitialDirContext(env);
try {
    ...
    ...
} finally {
    c.close(); // hands the connection back to the pool
}
I have two issues here:
When I call the service for the 6th time, I get javax.naming.ConnectionException: Timeout exceeded while waiting for a connection: 5000ms. I checked the connection pool debug logs and noticed that the connections are not returned to the pool immediately, despite closing the context safely in a finally block. The connections are released after some time and expire some time after the release. Thereafter, if I call the service again, it connects to the LDAP server but new connections are created.
I tried to execute the code and I am able to see the connection pool debug logs, but the logs are being written to the System.Err log. Is this an issue? Can I ignore it?
When I run the code as a standalone application (multithreaded, with a loop of 50 iterations), the connections are returned/released immediately.
Can anyone please let me know what I am doing wrong?

Configuring SSL channel connectivity on MQ client machine

From a Linux server with the MQ client installed we are trying to set up a connection to a secured channel. I am an ETL person and our MQ admin is struggling. Anyway, I will explain what I tried (which obviously hasn't worked yet); please let me know what else needs to be done to set up the connectivity. Thanks :)
tmp/mqmutility/keyrepmodmq> ls
AMQCLCHL.TAB key.kdb key.rdb key.sth MODE_MODELTAP_DEV_keyStLst.txt
export MQSSLKEYR=/tmp/mqmutility/keyrepmodmq/key
export MQCHLLIB=/tmp/mqmutility/keyrepmodmq
export MQCHLTAB=AMQCLCHL.TAB
/opt/mqm/samp/bin> amqsputc <queue_name> <queue_manager_name>
Sample AMQSPUT0 start
MQCONN ended with reason code 2058
Note: I can connect to the same queue manager for a non-SSL channel.
Any help will be great and other approaches you follow for SSL channel connectivity from client machine will also be helpful.
When using a Client Channel Definition Table (CCDT) file - your AMQCLCHL.TAB file, a return code of 2058 usually means that the queue manager name the application tried to use - your 'queue_manager_name' - was not found in any of the channel entries in the CCDT file.
If you're using MQ V8, you can very easily display the entries in your CCDT file and the queue manager names they are configured for using the following command:
runmqsc -n
DISPLAY CHANNEL(*) QMNAME
If none of the channels in your file have the queue manager name you are using when running the amqsputc sample then this is the cause of your 2058 reason code.
Hopefully it will be clear when you see the entries in the file listed out which queue manager name you should be using, but if not, update your question with some more details (like the contents of said file and the queue manager details) and we can help further.
You must ensure that you have a CLNTCONN channel defined which has the queue manager name you want to use in the QMNAME field, and that you have a matching named SVRCONN channel defined on the queue manager. Since you are using SSL, you must also ensure that these two channels are using the same SSLCIPH.
Please read Creating server-connection and client-connection definitions on the server and its child topics.

Registering new devices to Azure IOT hub

Just simple question:
I have created a new Service Bus, Event Hub and some shared access tokens with all rights, but registering a new device with iothub-explorer fails with an 'Unauthorized' message in Azure.
[tuomas#raspberry ~]$ iothub-explorer login "HostName=mynew-iot.servicebus.windows.net;SharedAccessKeyName=mynewdevice-1;SharedAccessKey=NptRRzI9mhiXO2QKuhZq47iY24A7cbtxRpUDSQO5aSI=" --connection-string
Session started, expires Tue Apr 12 2016 20:02:13 GMT+0300 (EEST)
[tuomas#raspberry ~]$ iothub-explorer "HostName=mynew-iot.servicebus.windows.net;SharedAccessKeyName=device-1;SharedAccessKey=NptRRzI9mhiXO2QKuhZq47iY24A7cbtxRpUDSQO5aSI=" create dummydev
Error Unauthorized
Any thoughts?
With Thanks,
~T
I don't know if it's on purpose or not but the connection string in the second command doesn't match the one in the first one: the SharedAccessKeyName is different. Maybe it's just that.
If it's not just that, due to the way it's named I'm under the impression that you are using a device connection string when you should be using the service connection string (with a policy name in the SharedAccessKeyName field, such as iothubowner). Whatever the policy is, it should have the permissions to read and write to the registry. Unless you named such a policy "mynewdevice-1"? One simple way to debug this is to use the iothubowner policy and associated key since it has full permissions.
Last thing, if you're using the "login" command, you don't need to specify the connectionstring again in subsequent commands (except to receive messages sent by devices, since this is done on the event hubs endpoint).
Thanks, I have really messed up these old and new portals.
After creating a new Service Bus and Event Hub in the new portal I can register my devices. The rest .... a new question perhaps...
With thanks.

WCF and MsmqBinding to remote private queue

We have a WCF log service that uses MsmqBinding and WAS. The issue is that when I try to use it from a remote computer, the message never seems to reach the destination queue. Here are the facts:
Server config
destination machine name : logserver.domain.ext
destination queue : private$/logservice.svc (journaling enabled)
security on the queue : everyone : full control, NETWORK SERVICE : Full Control
IgnoreOSNameValidation registry key : set
Client config
client endpoint address : logserver.domain.ext/private/logservice.svc
Observed behaviour
the output queue is created correctly and has status Connected and 0 messages waiting
if I pause the output queue, I see messages appearing and then disappearing when I resume the queue
no message can be seen in the remote queue or the journal
and the worst is:
var queue = new MessageQueue(@"FormatName:DIRECT=OS:logserver.domain.ext\private$\logservice.svc");
queue.Send("hello");
works!
You do not mention permissions for the ANONYMOUS LOGON account. This is the account that remote private queue access will happen under if you are not explicitly using Windows security on the binding.
I was facing the same issue, and it turned out that the issue was with Distributed Transaction Coordinator configuration. This MSDN document helped me solve it.

can't enable net.tcp port sharing

I'm doing my dev work on a Windows 7 x64 machine, deploying to a Windows 2008 x32 server. At the moment I'm adding WCF services to some internal apps so that we can build smaller clients using net.tcp bindings that report to the user what the server is doing without running multiple instances of the server. To cut back on how much administration the apps will require, I tried enabling port sharing on my first server app. I'm using the app to self-host the WCF service so they can be easily moved from one server to another if necessary. Here's the code starting the server:
Dim _service_host As ServiceHost
Dim active_server_address As Uri = New UriBuilder("net.tcp", "localhost", CInt(My.Settings.ServerPort)).Uri
_service_host = New ServiceHost(GetType(UpdateServiceOps), active_server_address)
_service_host.AddServiceEndpoint(GetType(IUpdateService), New NetTcpBinding With {.Name = "endpoint_tcp"}, "MiddlewareEndpoint")
_service_host.Description.Behaviors.Add(New ServiceMetadataBehavior)
_service_host.AddServiceEndpoint(GetType(IMetadataExchange), MetadataExchangeBindings.CreateMexTcpBinding, "mex")
_service_host.Open()
That works great. When I change it to what's below, however, I get an error. Here's the code:
Dim _service_host As ServiceHost
Dim active_server_address As Uri = New UriBuilder("net.tcp", "localhost", CInt(My.Settings.ServerPort)).Uri
_service_host = New ServiceHost(GetType(UpdateServiceOps), active_server_address)
_service_host.AddServiceEndpoint(GetType(IUpdateService), New NetTcpBinding With {.Name = "endpoint_tcp", .PortSharingEnabled = True}, "MiddlewareEndpoint")
_service_host.Description.Behaviors.Add(New ServiceMetadataBehavior)
_service_host.AddServiceEndpoint(GetType(IMetadataExchange), MetadataExchangeBindings.CreateMexTcpBinding, "mex")
_service_host.Open()
I get the following error when I put a breakpoint at the last line: Unable to automatically step into the server. Connecting to the server machine 'nettcpportsharing' failed. The requested name is valid, but no data of the requested type was found. The Try...Catch block housing that code says the exception type is AddressAlreadyInUseException...but when I run netstat I don't see anything else listening on that address. There's no occurrence of 'nettcpportsharing' anywhere in my solution. I've checked to make sure that the Net.Tcp Port Sharing service is started. Any ideas?
I think this may be a permissions issue. Please see the associated article which explains how to configure the port sharing service to support self-hosted services.
(For production purposes I would strongly recommend using IIS Hosting with WAS anyway - it makes management of the services much cleaner and you get dynamic startup/shutdown for free.)
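The permission check the answer above refers to, as an added example that is not code from the original thread: the Net.Tcp Port Sharing Service only accepts connections from processes whose account (or one of its groups) is listed under allowAccounts in SMSvcHost.exe.config, and a self-hosted service started by an ordinary user fails at ServiceHost.Open() until it is listed. The script reads that allow list and compares it with the SIDs of the account running it. Assumptions not stated on the page: the config layout documented for WCF (/configuration/system.serviceModel/net.tcp/allowAccounts/add with a securityIdentifier attribute), the documented built-in default SIDs that apply when the section is absent or commented out, the Framework64 v4.0.30319 path used by the service on a 64-bit machine, and the service name NetTcpPortSharing.

```powershell
# Added example, not code from the original thread; see the lead-in for what is assumed.
Set-StrictMode -Version Latest

$SmSvcHostConfig = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe.config'

# SIDs that apply when SMSvcHost.exe.config has no allowAccounts section at all
# (LocalSystem, LocalService, NetworkService, Administrators, IIS_IUSRS).
$DefaultAllowedSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-32-568'

# Accounts or groups the port sharing service will accept connections from.
function Get-PortSharingAllowedSid {
    param([string]$ConfigPath = $SmSvcHostConfig)
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $nodes = $cfg.SelectNodes('/configuration/system.serviceModel/net.tcp/allowAccounts/add')
    if ($nodes.Count -eq 0) { return $DefaultAllowedSids }   # section absent or commented out
    foreach ($n in $nodes) { $n.GetAttribute('securityIdentifier') }
}

# True when the caller's own SID, or the SID of a group it belongs to, is allowed.
# Run this as the account that will self-host the service (an elevated prompt carries
# the Administrators SID; a non-elevated one for the same user effectively does not).
function Test-PortSharingAccess {
    param([string]$ConfigPath = $SmSvcHostConfig)
    $id      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mine    = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $allowed = @(Get-PortSharingAllowedSid -ConfigPath $ConfigPath)
    $hit     = @($allowed | Where-Object { $mine -contains $_ })
    [pscustomobject]@{
        Account    = $id.Name
        Allowed    = ($hit.Count -gt 0)
        MatchedSid = $hit
        # The element to add under <allowAccounts> when Allowed is $false; listing the
        # user's own SID grants the minimum, rather than adding the user to Administrators.
        AddLine    = "<add securityIdentifier=""$($id.User.Value)"" />"
    }
}

$result = Test-PortSharingAccess
$result
if (-not $result.Allowed) {
    Write-Warning "Add this element under <allowAccounts> in $SmSvcHostConfig, then run: Restart-Service NetTcpPortSharing"
    Write-Warning $result.AddLine
}
```

The service reads the file only at start-up, so the restart at the end is part of the fix; once the hosting account is allowed, the AddressAlreadyInUseException reported in the question is no longer produced for that cause, although the same exception still appears if another process genuinely holds the port without port sharing.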