We are using the JAX-RS 2.0 Client in our WebSphere Liberty Profile application to call an external service. It works fine on WLP 16.0.0.4 with Java 8.0. When I try to run the same application on 17.0.0.4, we are getting certificate errors on the truststore.
After a lot of trial and error, it seems that WLP is no longer loading the truststore from the following property (this is from my jvm.options file):
-Djavax.net.ssl.trustStore=../../shared/resources/security/trust_yourIBM_TEST.jks
The above worked in 16.0.0.4, but the javax.net.ssl.trustStore property is no longer being used to point to the truststore (if I point the property to a missing file in 16.0.0.4, I get an error that the file is not found, but in 17.0.0.4, I don't get the error). So I added the following:
-Djavax.net.ssl.trustStore=../../shared/resources/security/trust_yourIBM_TEST.jks
-Dcom.ibm.ssl.trustStore=../../shared/resources/security/trust_yourIBM_TEST.jks
This is still not working. I cannot find WLP release notes anywhere that explain that JAX-RS behaves differently in WLP 17.x.
Does anyone know how I can point to the truststore in WLP 17.0.0.4?
==========================================
UPDATE #1 - 2018/01/24
I am using the exact same JDK, server.xml, bootstrap.properties, and jvm.options files, as well as the same application files. The only difference is the WLP instance. I am also using the same entries for the default truststore, which is pointing to the same file as I am pointing to in the jvm.properties I pasted above. Here are the startup log entries:
17.0.0.4
product = WebSphere Application Server 17.0.0.4 (wlp-1.0.19.201712061531)
wlp.install.dir = C:/IBM/WLP_17.0.0.4/
java.home = C:\IBMJava80\jre
java.version = 1.8.0_151
java.runtime = Java(TM) SE Runtime Environment (8.0.5.7 - pwa6480sr5fp7-20171216_01(SR5 FP7))
16.0.0.4
product = WebSphere Application Server 16.0.0.4 (wlp-1.0.15.cl160420161113-0206)
wlp.install.dir = C:/IBM/WLP_16.0.0.4/
java.home = C:\IBMJava80\jre
java.version = 1.8.0_151
java.runtime = Java(TM) SE Runtime Environment (8.0.5.7 - pwa6480sr5fp7-20171216_01(SR5 FP7))
Here is the error I get in 16.0.0.4 when I change the truststore to a non-existent file:
[1/24/18 10:50:06:025 EST] 0000006e id= uribm.services.expensesaggregator.ejb.ExpensesEjbCommonUtils E callUnifiedProfile() Exception has occurred Exception encountered during call to UP: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://w3-services1.w3-969.ibm.com/myw3/unified-profile/v1/docs/instances/masterByEmail?email=dlwester%40us.ibm.com: java.security.cert.CertificateException: No X509TrustManager implementation available for [userId=dlwester#us.ibm.com] : javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://w3-services1.w3-969.ibm.com/myw3/unified-profile/v1/docs/instances/masterByEmail?email=dlwester%40us.ibm.com: java.security.cert.CertificateException: No X509TrustManager implementation available
And here are my keystore/truststore entries (the truststore points to the same file as the jvm.options):
<!-- default keystore -->
<keyStore id="defaultKeyStore"
location="${keystoreLocation}"
password="${keystorePassword}" />
<!-- default truststore -->
<keyStore id="defaultTrustStore"
location="${truststoreLocation}"
password="${truststorePassword}" />
<ssl id="sslConfig"
keyStoreRef="defaultKeyStore"
trustStoreRef="defaultTrustStore"
sslProtocol="SSL_TLSv2"
serverKeyAlias="${serverKeyAlias}" />
================
UPDATE #2
I added the transportSecurity-1.0 feature to WLP, and now I am getting an error in 17.0.0.4 if I point to a non-existing file. If I point to the correct truststore file, I am now getting a different error:
[1/24/18 12:03:19:905 EST] 0000003d id= com.ibm.w3.security.tai.OAuthDownStreamTAI E getSslSocketFactoryWithTrustStore() exception encountered on sslContext.init() for truststore C:/IBM/WLP_17.0.0.4/usr/shared/resources//security/trust_yourIBM_TEST.jks - java.security.KeyManagementException: Default SSLContext is initialized automatically
I need to look into this error.
Alaine steered me in the right direction, so credit for this answer goes to him!
Fortunately, the solution to this problem was not complicated. I had to use the WLP feature transportSecurity-1.0 instead of ssl-1.0.
I had to add the following to my SSL config in server.xml:
<sslDefault sslRef="sslConfig" />
I also ran into problems with our TAI for OIDC. I had to replace the following statement:
SSLContext sslContext = SSLContext.getDefault();
with:
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
The issue in a nutshell is that the default SSL config is immutable, so you have to make sure you create your own config to override it, not change it.
I try to run an embedded ActiveMQ with Jboss 7.4.3 by following the installation tips I find on several sites like:
https://developer.jboss.org/wiki/EmbedActiveMQInJBossAS7
https://developer.jboss.org/wiki/JBoss6EAPOr7xxToApacheActiveMQ56Or7
In general I put activemq-rar-5.11.1.rar in standalone/deployments and add a resource-adapter config entry in the standalone.xml.
In the extensions section I added
and in the entry
i added
<mdb>
<resource-adapter-ref resource-adapter-name="activemq-rar-5.11.1.rar" />
<bean-instance-pool-ref pool-name="mdb-strict-max-pool" />
</mdb>
to make ActiveMQ the default JMS provider.
I get no errors on startup, but in the logfile I see nothing else than
JBAS018559: "activemq-rar-5.11.1.rar" deployed (runtime-name: "activemq-rar-5.11.1.rar")
I see nothing in the jndi bindings and trying to access the connectionFactory
#Resource(mappedName = "java:jboss/activemq/QueueConnectionFactory")
private ConnectionFactory connectionFactory;
results in this error:
service jboss.naming.context.java.jboss.activemq.QueueConnectionFactory (fehlende) Dependents: ...
Have I missed anything?
I am trying to connect to RabbitMQ over SSL. I have followed the RabbitMQ SSL documentation linked [here}(https://www.rabbitmq.com/ssl.html).
As per RabbitMQ SSL documentation connecting using SSLv3 and TLSv1 is not recommeded due to known vulnerabilities. Due to this I have disabled these protocols on RabbitMQ as per instructions.
I am using Spring AMQP 1.4.3 to connect to RabbitMQ.
ApplicationContext context = new GenericXmlApplicationContext("classpath:/testConfig/testrabbit-context.xml");
RabbitTemplate template = context.getBean(RabbitTemplate.class);
MessageProperties messageProperties = new MessageProperties();
org.springframework.amqp.core.Message amqpMessage = new org.springframework.amqp.core.Message("Test".getBytes(), messageProperties);
String routingKey = "TEST.businessevent.route";
template.send(routingKey, amqpMessage);
My config:
<rabbit:connection-factory id="rabbitConnectionFactory"
connection-factory="clientConnectionFactory"
host="localhost"
port="5671"
username="username"
password="password"
virtual-host="test_host" />
<rabbit:admin connection-factory="rabbitConnectionFactory" />
<rabbit:template id="rabbitTemplate"
connection-factory="rabbitConnectionFactory" exchange="test_topic" />
<rabbit:topic-exchange name="test_topic" durable="true" />
<bean id="clientConnectionFactory" class="org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean">
<property name="useSSL" value="true" />
<property name="sslPropertiesLocation" value="/testconfig/rabbitSSL.properties"/>
</bean>
rabbitSSL.properties:
keyStore=file:/client/keycert.p12
trustStore=file:/lib/security/rabbitStore
keyStore.passPhrase=testpassword
trustStore.passPhrase=testpassword
However when I use the above code and config to connect to RabbitMQ over SSL I am getting a fatal alert: protocol_version.
When I looked at the org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean class that Spring is using to connect to RabbitMQ, I can see that the protocol appears to be hard coded to SSLv3.
SSLContext context = SSLContext.getInstance("SSLv3");
context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
this.connectionFactory.useSslProtocol(context);
This code works fine if I do not disable SSLv3 on RabbitMQ. However I need to connect to RabbitMQ using Tlsv1.2. Can I do that using Spring AMQP 1.4.3 or do I need to use another version.
Thanks for any help you can provide me with this issue.
While searching for RabbitMQ remote access I came across the below Spring application.properties configuration settings that can be done in Spring to configure the RabbitMQ connections.
https://www.oodlestechnologies.com/blogs/Connect-to-SSL-enabled-RabbitMQ-server-Springboot/
spring.rabbitmq.host=hostURL
spring.rabbitmq.port = hostPort
spring.rabbitmq.username = username
spring.rabbitmq.password = password
spring.rabbitmq.virtual-host=virtualHost
spring.rabbitmq.ssl.enabled=true
spring.rabbitmq.ssl.algorithm=TLSv1.2
https://www.baeldung.com/spring-remoting-amqp#2-configuration
I have opened a JIRA Issue for this.
In the meantime, the RabbitConnectionFactoryBean is just a convenience class to make configuring an underlying connection factory more "Spring friendly" with defaults.
Instead, you can perform this initialization in your own code (perhaps using a #Bean declaration using Java Configuration).
Okay, I was trying to connect by Spring Boot application(2.1.4.RELEASE) that uses spring-boot-starter-amqp (2.1.4.RELEASE) to an AWS Managed instance of RabbitMQ aka Amazon MQ and it would fail with a similar error. What worked for me was setting these properties.
spring.rabbitmq.ssl.enabled=true
spring.rabbitmq.ssl.algorithm=TLSv1.3
Setting these properties explicitly was not required in an application that was using Spring Boot and spring-boot-starter-amqp (2.7.8) and they worked out of the box. Here's a mention of the same in Spring AMQP Documentation.
https://docs.spring.io/spring-amqp/reference/html/#rabbitconnectionfactorybean-configuring-ssl
Is there a way to browse the content of an H2 or an HSQLDB in-memory database for viewing? For example, during a debugging session with Hibernate in order to check when the flush is executed; or to make sure the script that instantiates the DB gives the expected result.
Does it exist an addon or a library that you can embed with your code in order to allow this?
Please, mention which one you're talking about (H2 or HSQLDB) in case you have an answer specific to one of them.
You can run H2 web server within your application that will access the same in-memory database. You can also access the H2 running in server mode using any generic JDBC client like SquirrelSQL.
UPDATE:
Server webServer = Server.createWebServer("-web,-webAllowOthers,true,-webPort,8082").start();
Server server = Server.createTcpServer("-tcp,-tcpAllowOthers,true,-tcpPort,9092").start();
Now you can connect to your database via jdbc:h2:mem:foo_db URL within the same process or browse the foo_db database using localhost:8082. Remember to close both servers. See also: H2 database in memory mode cannot be accessed by Console.
You can also use Spring:
<bean id="h2Server" class="org.h2.tools.Server" factory-method="createTcpServer" init-method="start" destroy-method="stop" depends-on="h2WebServer">
<constructor-arg value="-tcp,-tcpAllowOthers,true,-tcpPort,9092"/>
</bean>
<bean id="h2WebServer" class="org.h2.tools.Server" factory-method="createWebServer" init-method="start" destroy-method="stop">
<constructor-arg value="-web,-webAllowOthers,true,-webPort,8082"/>
</bean>
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" destroy-method="close" depends-on="h2Server">
<property name="driverClass" value="org.h2.Driver"/>
<property name="jdbcUrl" value="jdbc:h2:mem:foo_db"/>
</bean>
BTW you should only depend on assertions and not on manual peeking the database contents. Use this only for troubleshooting.
N.B. if you use Spring test framework you won't see changes made by a running transaction and this transaction will be rolled back immediately after the test.
For H2, you can start a web server within your code during a debugging session if you have a database connection object. You could add this line to your code, or as a 'watch expression' (dynamically):
org.h2.tools.Server.startWebServer(conn);
The server tool will start a web browser locally that allows you to access the database.
In H2, what works for me is:
I code, starting the server like:
server = Server.createTcpServer().start();
That starts the server on localhost port 9092.
Then, in code, establish a DB connection on the following JDBC URL:
jdbc:h2:tcp://localhost:9092/mem:test;DB_CLOSE_DELAY=-1;MODE=MySQL
While debugging, as a client to inspect the DB I use the one provided by H2, which is good enough, to launch it you just need to launch the following java main separately
org.h2.tools.Console
This will start a web server with an app on 8082, launch a browser on localhost:8082
And then you can enter the previous URL to see the DB
With HSQLDB, you have several built-in options.
There are two GUI database managers and a command line interface to the database. The classes for these are:
org.hsqldb.util.DatabaseManager
org.hsqldb.util.DatabaseManagerSwing
org.hsqldb.cmdline.SqlTool
You can start one of the above from your application and access the in-memory databases.
An example with JBoss is given here:
http://docs.jboss.org/jbpm/v3.2/userguide/html/ch07s03.html
You can also start a server with your application, pointing it to an in-memory database.
org.hsqldb.Server
For HSQLDB, The following worked for me:
DatabaseManager.threadedDBM();
And this brought up the GUI with my tables and data once I pointed it to the right named in-mem database.
It is basically the equivalent of newing up a DatabaseManager (the non Swing variety), which prompts for connection details, and is set to --noexit)
I also tried the Swing version, but it only had a main, and I was unsure of the arguments to pass. If anyone knows, please post here.
Just because I searched for hours for the right database name: The name of the database is the name of your datasource. So try with URL jdbc:hsqldb:mem:dataSource if you have a data source bean with id=dataSource. If this does not work, try testdb which is the default.
You can expose it as a JMX feature, startable via JConsole:
#ManagedResource
#Named
public class DbManager {
#ManagedOperation(description = "Start HSQL DatabaseManagerSwing.")
public void dbManager() {
String[] args = {"--url", "jdbc:hsqldb:mem:embeddedDataSource", "--noexit"};
DatabaseManagerSwing.main(args);
}
}
XML context:
<context:component-scan base-package="your.package.root" scoped-proxy="targetClass"/>
<context:annotation-config />
<context:mbean-server />
<context:mbean-export />
This is a Play 2 controller to initialize the H2 TCP and Web servers:
package controllers;
import org.h2.tools.Server;
import play.mvc.Controller;
import play.mvc.Result;
import java.sql.SQLException;
/**
* Play 2 controller to initialize H2 TCP Server and H2 Web Console Server.
*
* Once it's initialized, you can connect with a JDBC client with
* the URL `jdbc:h2:tcp://127.0.1.1:9092/mem:DBNAME`,
* or can be accessed with the web console at `http://localhost:8082`,
* and the URL JDBC `jdbc:h2:mem:DBNAME`.
*
* #author Mariano Ruiz <mrsarm#gmail.com>
*/
public class H2ServerController extends Controller {
private static Server h2Server = null;
private static Server h2WebServer = null;
public static synchronized Result debugH2() throws SQLException {
if (h2Server == null) {
h2Server = Server.createTcpServer("-tcp", "-tcpAllowOthers", "-tcpPort", "9092");
h2Server.start();
h2WebServer = Server.createWebServer("-web","-webAllowOthers","-webPort","8082");
h2WebServer.start();
return ok("H2 TCP/Web servers initialized");
} else {
return ok("H2 TCP/Web servers already initialized");
}
}
}
I've a problem with H2 version 1.4.190 remote connection to inMemory (as well as in file) with Connection is broken: "unexpected status 16843008" until do not downgrade to 1.3.176. See Grails accessing H2 TCP server hangs
This is more a comment to previous Thomas Mueller's post rather than an answer, but haven't got enough reputation for it. Another way of getting the connection if you are Spring JDBC Template is using the following:
jdbcTemplate.getDataSource().getConnection();
So on debug mode if you add to the "Expressions" view in Eclipse it will open the browser showing you the H2 Console:
org.h2.tools.Server.startWebServer(jdbcTemplate.getDataSource().getConnection());
Eclipse Expressions View
H2 Console
I don't know why is it working fine at yours machines, but I had to spend a day in order to get it is working.
The server works with Intellij Idea U via url "jdbc:h2:tcp://localhost:9092/~/default".
"localhost:8082" in the browser alse works fine.
I added this into the mvc-dispatcher-servlet.xml
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close" depends-on="h2Server">
<property name="driverClassName" value="org.h2.Driver"/>
<property name="url" value="jdbc:h2:tcp://localhost:9092/~/default"/>
<property name="username" value="sa"/>
<property name="password" value=""/>
</bean>
<bean id="h2Server" class="org.h2.tools.Server" factory-method="createTcpServer" init-method="start" destroy-method="stop" depends-on="h2WebServer">
<constructor-arg>
<array>
<value>-tcp</value>
<value>-tcpAllowOthers</value>
<value>-tcpPort</value>
<value>9092</value>
</array>
</constructor-arg>
</bean>
<bean id="h2WebServer" class="org.h2.tools.Server" factory-method="createWebServer" init-method="start" destroy-method="stop">
<constructor-arg>
<array>
<value>-web</value>
<value>-webAllowOthers</value>
<value>-webPort</value>
<value>8082</value>
</array>
</constructor-arg>
</bean>
What about comfortably viewing (and also editing) the content over ODBC & MS-Access, Excel?
Softwareversions::
H2 Version:1.4.196
Win 10 Postgres ODBC Driver Version: psqlodbc_09_03_0210
For Win7 ODBC Client: win7_psqlodbc_09_00_0101-x64.msi
H2 Server:
/*
For JDBC Clients to connect:
jdbc:h2:tcp://localhost:9092/trader;CIPHER=AES;IFEXISTS=TRUE;MVCC=true;LOCK_TIMEOUT=60000;CACHE_SIZE=131072;CACHE_TYPE=TQ
*/
public class DBStarter {
public static final String BASEDIR = "/C:/Trader/db/";
public static final String DB_URL = BASEDIR + "trader;CIPHER=AES;IFEXISTS=TRUE;MVCC=true;LOCK_TIMEOUT=10000;CACHE_SIZE=131072;CACHE_TYPE=TQ";
static void startServer() throws SQLException {
Server tcpServer = Server.createTcpServer(
"-tcpPort", "9092",
"-tcpAllowOthers",
"-ifExists",
// "-trace",
"-baseDir", BASEDIR
);
tcpServer.start();
System.out.println("H2 JDBC Server started: " + tcpServer.getStatus());
Server pgServer = Server.createPgServer(
"-pgPort", "10022",
"-pgAllowOthers",
"-key", "traderdb", DB_URL
);
pgServer.start();
System.out.println("H2 ODBC PGServer started: " + pgServer.getStatus());
}
}
Windows10 ODBC Datasource Configuration which can be used by any ODBC client:
In Databse field the name given in '-key' parameter has to be used.
I'm trying to use SSL with the JMX connector that Active MQ creates, but with no success. I'm able to get SSL working with the JVM platform JMX connector, but that requires storing keystore and truststore passwords plaintext, which is a no-go for our project.
Using the instructions here, I set up managementContext in activemq.xml as follows:
<managementContext>
<managementContext createConnector="true">
<property xmlns="http://www.springframework.org/schema/beans" name="environment">
<map xmlns="http://www.springframework.org/schema/beans">
<entry xmlns="http://www.springframework.org/schema/beans"
key="javax.net.ssl.keyStore"
value="${activemq.base}/conf/keystore.jks"/>
<entry xmlns="http://www.springframework.org/schema/beans"
key="javax.net.ssl.keyStorePassword"
value="${keystore.password}"/>
<entry xmlns="http://www.springframework.org/schema/beans"
key="javax.net.ssl.trustStore"
value="${activemq.base}/conf/truststore.jks"/>
<entry xmlns="http://www.springframework.org/schema/beans"
key="javax.net.ssl.trustStorePassword"
value="${truststore.password}"/>
</map>
</property>
</managementContext>
</managementContext>
This section seems to be completely ignored when the connector starts up. I can connect without credentials. I also tried using username and password authentication instead of ssl for JMX, as seen here, and that worked fine.
Has anyone seen this before? Any ideas? Thanks!
Have you enabled jmx ssl in the activemq launch scripts? On windows in the activemq-admin or activemq batch files, uncomment and modify the SUNJMX settings.
JMX authentiation is independent of whether ssl is used. It is controlled by the authenticate attribute. By default it will use the jmx access files in your jre, so re-point them with the system properties shown below. You may get an error message stating that the files themselves must be access controlled, so set them with chmod on unix or cacls on windows. I would suggest even turning off the ssl and getting the authentication to work first. You can test with jconsole with a remote connection to confirm that it wants credentials. Then follow-up with the ssl stuff.
set SUNJMX=-Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1199 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.password.file=%ACTIVEMQ_BASE%/conf/access/jmx.password -Dcom.sun.management.jmxremote.access.file=%ACTIVEMQ_BASE%/conf/access/jmx.access
I had the same issue regarding the ActiveMQ SSL configuration (keystore & password) in the XML not working.
My requirement was to enable remote JMX monitoring of ActiveMQ with SSL and authentication through a firewall.
I resolved it using a custom JMX connector (via a Java Agent), rather than using the JMX connector that Active MQ creates.
see: JMX connectivity through a firewall for an example (JMXAgent.java)
The important entries for configuring SSL in the JMXAgent.java are:
Map<String, Object> env = new HashMap<String, Object>();
SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory();
env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);
You can also specify your authentication files in the env Map:
env.put("jmx.remote.x.password.file", System.getProperty("password.file","<default_path>"));
env.put("jmx.remote.x.access.file", System.getProperty("access.file","<default_path>"));
The Java Agent needs to be compiled and put into a jar with a valid manifest file as described here
Add the following to the activemq launch configuration (depending on activemq version/ environment and run ActiveMQ:
-javaagent:<full_path_to_agent_jar_file> \
-Dpassword.file=<full_path_to_jmx.password_file> \
-Daccess.file=<full_path_to_jmx.access_file> \
-Djavax.net.ssl.keyStore=<full_path_to_keystore_file> \
-Djavax.net.ssl.keyStorePassword=<password>
You should then be able to connect through jconsole (with correct security parameters)
The remote JMX connection URL will be something like:
service:jmx:rmi://<host>:<rmi_server_port>/jndi/rmi://<host>:<port>/jmxrmi
Note - ports can be configured in the Java Agent.