IBM Worklight 6.0 - Mixed port numbers after enabling console login authentication? - ibm-mobilefirst

Wishing to have a Worklight Console Authentication I followed the infocenter instructions from this link at infocenter. It seems to be working at first glance, as entering the console prompts the login form.
Going to the console URL at http://192.168.168.154:9080/finance/console/#catalog it brings the login page right away. So far so good.
After entering the right username/password (both defined at worklight.properties) the login page redirects to the Worklight console at port 10080 and fails to load the page
Unable to connect
Firefox can't establish a connection to the server at 192.168.168.154:10080.
As you can read it tries to connect to http://192.168.168.154:10080/finance/console. It should not happen I guess, as port 10080 was not configured.
I have no idea why it is redirecting to this port. I searched inside the config files for 10080 and could not find any reference to it. I think somehow WL is getting this 10080 as a default as it is the port used for development.
Here are the file snippets I am using to enable Login Console:
worklight.properties:
#publicWorkLightHostname=localhost
# http or https
#publicWorkLightProtocol=http
# For default port leave empty
#publicWorkLightPort=10080 <-- it is commented out
console.username=finance
console.password=finance
authenticationConfig.xml
<staticResources>
<resource id="worklightConsole" securityTest="WorklightConsole">
<urlPatterns>/console*</urlPatterns>
</resource>
....
</staticResources>
<securityTests>
<customSecurityTest name="WorklightConsole">
<test realm="WorklightConsole" isInternalUserID="true"/>
</customSecurityTest>
...
</securityTests>
server.xml
<httpEndpoint id="defaultHttpEndpoint"
host="*"
httpPort="9080"
httpsPort="9443" >
<tcpOptions soReuseAddr="true"/>
</httpEndpoint>
<!-- Declare the JNDI properties for the IBM Worklight Console. -->
<jndiEntry jndiName="worklight/publicWorkLightProtocol" value='"http"'/>
<jndiEntry jndiName="worklight/publicWorkLightPort" value='"9080"'/>
<jndiEntry jndiName="worklight/serverSessionTimeout" value='"10"'/>
Any idea on how to solve this port mismatch issue? Env is WL 6.0 on Liberty.
P.S: Later on we plan to use LDAP instead. For now, having the username/password in the properties would suffice.

In worklight.properties, uncomment the #publicWorkLightPort=10080 property and change it to 9080.
worklight.properties is part of the Worklight project's .war file that is deployed into the application server; the application server may have its own port number set in server.xml, but the .war (project) has some specific properties of its own.
During my testing I encountered the same issue, but once uncommenting and changing the port value in worklight.properties, the re-direct then worked properly after logging-in.

Related

Tomcat authentication with LDAP (against Active Directory) fails when the character EURO is used in a password

A user tries to connect to a tomcat application. Her password contains the € glyph.
On other applications, it works just fine.
On our in-house application, it fails.
We use a linux box, tomcat 8.5, jdk 1.8, with -Dfile.encoding=UTF-8, Basic auth with a JNDIrealm.
The header Basic XXXXXX is good.
<Realm
className="org.apache.catalina.realm.JNDIRealm"
debug="99"
connectionURL="ldap://someurl:389"
connectionName="someName"
connectionPassword="somePassword"
referrals="follow" userBase="DC=EXAMPLE,DC=COM"
userSearch="(sAMAccountName={0})"
userSubtree="true"
adCompat="true" />
What is wrong ?
Found it. You have to use a Valve with the encoding specified.
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
charset="UTF-8" />
See https://cwiki.apache.org/confluence/display/TOMCAT/Character+Encoding#CharacterEncoding-Q10HowtoconfiguretheBASICauthenticationschemetouseUTF-8
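Added example (not part of the original answer, and not Tomcat code): the Python sketch below shows why the € password fails. The same Basic header yields a different password string depending on whether the server decodes the credential bytes as ISO-8859-1 or as UTF-8, which is what the charset attribute on the valve switches. The helper names and sample credentials are constructed for illustration.

```python
import base64


def basic_header(user, password, charset="utf-8"):
    """Build an Authorization header value as a client using `charset` would."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header, charset):
    """Decode a Basic header as a server configured with `charset` would."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(b64.strip(), validate=True)
    user, sep, password = raw.decode(charset).partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def diagnose(header):
    """Show how the password reads under each server-side charset."""
    # ISO-8859-1 maps every byte to a character, so this decode never fails.
    _, latin1_pw = decode_basic(header, "iso-8859-1")
    try:
        _, utf8_pw = decode_basic(header, "utf-8")
    except UnicodeDecodeError:
        utf8_pw = None  # the client did not send UTF-8
    return {
        "iso-8859-1": latin1_pw,
        "utf-8": utf8_pw,
        "charset_sensitive": utf8_pw != latin1_pw,
    }


# Constructed sample credentials; \u20ac is the euro sign.
EURO_HEADER = basic_header("alice", "p\u20acss")
ASCII_HEADER = basic_header("alice", "secret")

if __name__ == "__main__":
    for label, header in (("euro", EURO_HEADER), ("ascii", ASCII_HEADER)):
        print(label, header, diagnose(header))
```

With the ISO-8859-1 decode, the three UTF-8 bytes of € become three separate characters, so the password handed to the JNDIRealm bind no longer matches the directory; ASCII-only passwords are unaffected, which is why the problem appears for only some users.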

Flex2gateway not working on https/ssl on websphere

We are upgrading our ColdFusion 9 non-ssl application to ColdFusion 11 ssl enabled setup using Websphere.
We have a few flex components that utilize Flex2Gateway to call remote services. The application/Flex2gateway calls work fine with http but not on https.
The following urls give me a blank page which as per Adobe forums mean that Flex2Gateway is setup right:
http://example.com/flex2gateway
https://example.com/flex2gateway
The app calls the non-ssl url(not sure why):
http://example.com/flex2gateway and then gets redirected to
https://example.com/flex2gateway
When I look at the browser developer tools(IE, Chrome) the redirection from
http://example.com/flex2gateway to https://example.com/flex2gateway
seems to be working fine. Can anybody provide some insights on a possible solution?
Here is my remoting-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<service id="remoting-service"
class="flex.messaging.services.RemotingService"
messageTypes="flex.messaging.messages.RemotingMessage">
<adapters>
<adapter-definition id="cf-object"
class="coldfusion.flash.messaging.ColdFusionAdapter" default="true"/>
<adapter-definition id="java-object"
class="flex.messaging.services.remoting.adapters.JavaAdapter"/>
</adapters>
<default-channels>
<channel ref="my-cfamf-secure"/>
</default-channels>
<destination id="ColdFusion">
<channels>
<channel ref="my-cfamf-secure"/>
</channels>
<properties>
<source>*</source>
</properties>
</destination>
I do see the following in services-config.xml and I did uncomment the WebsphereLoginCommand option but saw no difference.
<security>
<login-command class="flex.messaging.security.JRunLoginCommand" server="JRun"/>
<!-- Uncomment the correct app server
<login-command class="flex.messaging.security.TomcatLoginCommand" server="Tomcat"/>
<login-command class="flex.messaging.security.WeblogicLoginCommand" server="Weblogic"/>
<login-command class="flex.messaging.security.WebSphereLoginCommand" server="WebSphere"/>
-->
UPDATE: I got https disabled on our server and receive the below error now when I try to access flex component:
faultCode:Client.Error.MessageSend faultString:'Send Failed' faultDetail:'Channel.Connect.Failed error NetConection.Call.Failed: HTTP: Failed:url: 'http://example.com/flex2gateway/"

jmx doesn't seem to be working with activeMQ

I'm trying to use JMX with activeMQ for monitoring. So far I've been using this and this as a reference, but I'm unable to connect to JMX remotely, and I don't see any mention of a JMX URL in the activemq logs. I'm wondering if there is another way to make sure JMX is working? Is it supposed to be indicated in the activemq logs?
PS I'm using jdk1.7 and activeMQ 5.14.2.
Thanks in advance!
EDIT
I set useJmx="true" in my activemq.xml file:
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="primary" useJmx="true" dataDirectory="${activemq.data}">
I tried two steps:
FIRST
I tried changing management context from createConnector="false" to :
<managementContext>
<managementContext createConnector="true" connectorPort="1099"/>
</managementContext>
FOR THE FIRST TIME THE PORT IS OPEN AND ACTIVEMQ RUNS FINE AND THE JMX URL GETS REPORTED IN THE LOGS, ALTHOUGH I CAN NOT CONNECT TO IT REMOTELY, BUT I'M ASSUMING IT'S WORKING
SECOND
I reverted the changes I made for managementContext and I tried setting:
ACTIVEMQ_SUNJMX_START="-Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.password.file=${ACTIVEMQ_BASE}/jmx.password -Dcom.sun.management.jmxremote.access.file=${ACTIVEMQ_BASE}/jmx.access"
in bin/activemq script and I set a username in conf/jmx.access file as:
admin readwrite
And also have set a password in conf/jmx.password:
admin activemq
NOW ACTIVEMQ IS NOT RUNNING AT ALL BUT IT WILL RUN IF I SET
AUTHENTICATE=FALSE AND DELETE JMX.ACCESS AND JMX.PASSWORD
CONFIGURATION IN BIN/ACTIVEMQ FILE BUT I NEED USER NAME AND PASSWORD
FOR SECURITY REASONS
I found this post which has the exact same issue as mine. any ideas?
Password authentication for remote monitoring is enabled by default. To disable it, set the following system property when you start the JVM:
-Dcom.sun.management.jmxremote.authenticate=false, like you did in the second test, but you need to add the system property -Dcom.sun.management.jmxremote
Try adding these JVM params to the env file and update the host IP:
-Djava.net.preferIPv4Stack=true -Djava.rmi.server.hostname=X.X.X.X
UPDATE
So, to summarize, I think that the FIRST step you tried is the best. To make it work, these are the steps:
revert all jmx env file changes, like this :
# ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.port=1099 "
# ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.password.file=${ACTIVEMQ_CONF}/jmx.password"
# ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.access.file=${ACTIVEMQ_CONF}/jmx.access"
# ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.ssl=false"
ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote"
<broker useJmx="true" ...
<managementContext>
<managementContext createConnector="true" connectorPort="1099" />
</managementContext>
verify that in AMQ logs you have
INFO | JMX consoles can connect to
service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi |
org.apache.activemq.broker.jmx.ManagementContext | JMX connector
NOTE : Assuming that 10.10.10.16 is the IP of AMQ host.
try to connect with jconsole from another machine than AMQ host with url "service:jmx:rmi:///jndi/rmi://10.10.10.16:1099/jmxrmi" without user/pwd.
if you cannot connect, try like this :
<managementContext>
<managementContext createConnector="true" connectorPort="1099" connectorHost="10.10.10.16" />
</managementContext>
verify that in AMQ logs you have
INFO | JMX consoles can connect to
service:jmx:rmi:///jndi/rmi://10.10.10.16:1099/jmxrmi |
org.apache.activemq.broker.jmx.ManagementContext | JMX connector
retry to connect, step 4
at this step normally you can connect with jconsole.
if you want to add security and authorizations, use this :
<managementContext>
<managementContext createConnector="true" connectorPort="1099" connectorHost="10.10.10.16" >
<property xmlns="http://www.springframework.org/schema/beans" name="environment">
<map xmlns="http://www.springframework.org/schema/beans">
<entry xmlns="http://www.springframework.org/schema/beans" key="jmx.remote.x.password.file"
value="${activemq.conf}/jmx.password"/>
<entry xmlns="http://www.springframework.org/schema/beans" key="jmx.remote.x.access.file"
value="${activemq.conf}/jmx.access"/>
</map>
</property>
</managementContext>
</managementContext>
Please try these steps and let me know at which one you fail to connect, and provide the error message from jconsole.
A couple troubleshooting steps:
Start jconsole or visualvm on the same system and connect using the "pid" attach method. Browse the MBeans and confirm org.apache.activemq beans are present
Run netstat -na and confirm ports 1099 (and 44444) are in LISTEN
Look at logs and confirm you do not have any "java.net.BindException: Address already in use.." messages that indicate a port conflict with an already running Java process.
Edit bin/env to configure JMX (this disables requiring SSL, sets the port to 1099 and disables requiring username and password):
ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.port=1099 "
ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.ssl=false "
ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote "
# ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.password.file=${ACTIVEMQ_CONF}/jmx.password"
# ACTIVEMQ_SUNJMX_START="$ACTIVEMQ_SUNJMX_START -Dcom.sun.management.jmxremote.access.file=${ACTIVEMQ_CONF}/jmx.access"

Invoking Secure RESTful Web Service over HTTPS When client is in bluemix

My application is running in BlueMix and it has to make a RESTful call to another application over SSL. I am wondering where and how to add this information:
> trustStoreType, trustStore and trustStorePassword
So that the application running in Bluemix can use that? When I am testing locally I modified the server class-path; can I do something similar in the Bluemix Liberty server, where the client app is running? Or is there any easier, better way?
You should be able to edit the server.xml in eclipse and setup something like
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>websocket-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>jndi-1.0</feature>
<feature>jsp-2.2</feature>
<feature>jdbc-4.0</feature>
<feature>ejbLite-3.1</feature>
<feature>ssl-1.0</feature>
<feature>jaxb-2.2</feature>
</featureManager>
<ssl clientAuthenticationSupported="true" id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"/>
<keyStore id="defaultKeyStore" location="${server.config.dir}/resources/security/keystore.jks" password="passw0rd" type="JKS"/>
<keyStore id="defaultTrustStore" location="${server.config.dir}/resources/security/trustStore.jks" password="passw0rd" type="JKS"/>
<ssl clientAuthenticationSupported="true" id="defaultSSLConfig" keyStoreRef="serverKeyStore" trustStoreRef="serverTrustStore"/>
<keyStore id="serverKeyStore" location="${server.config.dir}/resources/security/serverKey.jks" password="passw0rd" type="JKS"/>
<keyStore id="serverTrustStore" location="${server.config.dir}/resources/security/serverTrust.jks" password="passw0rd" type="JKS"/>
<!-- customize SSL configuration -->
<ssl id="customizeSSLConfig" keyStoreRef="clientKeyStore" trustStoreRef="clientTrustStore"/>
<keyStore id="clientKeyStore" location="${server.config.dir}/resources/security/clientKey.jks" password="passw0rd" type="JKS"/>
<keyStore id="clientTrustStore" location="${server.config.dir}/resources/security/clientTrust.jks" password="passw0rd" type="JKS"/>
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint httpPort="8080" httpsPort="9443" id="defaultHttpEndpoint"/>
<applicationMonitor updateTrigger="mbean"/>
</server>
The easiest way is with the Bluemix plugin for Eclipse and using WebSphere Liberty Profile Server.
If you are depending on the Liberty server, you can customize it offline and push it to Bluemix.
https://www.ibm.com/developerworks/community/blogs/msardana/entry/developing_with_bluemix_customizing_the_liberty_build_pack_to_add_your_configurations?lang=en
Where is your web service running? If it is on-premise, then you have to use the cloud-integration agent available in Bluemix to set up secure tunneling and to get a proxy IP to your on-premise web service. Details are available at the following link:
https://www.ibm.com/developerworks/community/blogs/96960515-2ea1-4391-8170-b0515d08e4da/entry/cloud_to_on_premise_web_services_bluemix_cloud_integrators?lang=en
Though I believe all of those are valid options, I ended up doing it a little differently. This is what finally worked for me:
public static HttpClient getCustomClient() throws GeneralSecurityException, IOException {
    KeyStore trustStore = KeyStore.getInstance("jks");
    // Load the truststore from the classpath using the password
    ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
    InputStream resourceAsStream = classLoader.getResourceAsStream("/clienttruststore");
    trustStore.load(resourceAsStream, "password".toCharArray());
    SSLContext sslcontext = SSLContexts.custom().loadTrustMaterial(trustStore).build();
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext);
    CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
    resourceAsStream.close();
    return httpclient;
}
// get custom httpclient
Unirest.setHttpClient(getCustomClient());
// send request...
HttpResponse<String> response =
    Unirest.get("https://xyz.abc.com/").asString();
Basically, I packaged a custom trust store with the war and let the application use that. I will be trying the other options too, but with the previous option my custom server was crashing; not sure if that was because of resources.

Active MQ JMX SSL

I'm trying to use SSL with the JMX connector that Active MQ creates, but with no success. I'm able to get SSL working with the JVM platform JMX connector, but that requires storing keystore and truststore passwords plaintext, which is a no-go for our project.
Using the instructions here, I set up managementContext in activemq.xml as follows:
<managementContext>
<managementContext createConnector="true">
<property xmlns="http://www.springframework.org/schema/beans" name="environment">
<map xmlns="http://www.springframework.org/schema/beans">
<entry xmlns="http://www.springframework.org/schema/beans"
key="javax.net.ssl.keyStore"
value="${activemq.base}/conf/keystore.jks"/>
<entry xmlns="http://www.springframework.org/schema/beans"
key="javax.net.ssl.keyStorePassword"
value="${keystore.password}"/>
<entry xmlns="http://www.springframework.org/schema/beans"
key="javax.net.ssl.trustStore"
value="${activemq.base}/conf/truststore.jks"/>
<entry xmlns="http://www.springframework.org/schema/beans"
key="javax.net.ssl.trustStorePassword"
value="${truststore.password}"/>
</map>
</property>
</managementContext>
</managementContext>
This section seems to be completely ignored when the connector starts up. I can connect without credentials. I also tried using username and password authentication instead of ssl for JMX, as seen here, and that worked fine.
Has anyone seen this before? Any ideas? Thanks!
Have you enabled jmx ssl in the activemq launch scripts? On windows in the activemq-admin or activemq batch files, uncomment and modify the SUNJMX settings.
JMX authentication is independent of whether ssl is used. It is controlled by the authenticate attribute. By default it will use the jmx access files in your jre, so re-point them with the system properties shown below. You may get an error message stating that the files themselves must be access controlled, so set them with chmod on unix or cacls on windows. I would suggest even turning off the ssl and getting the authentication to work first. You can test with jconsole with a remote connection to confirm that it wants credentials. Then follow up with the ssl stuff.
set SUNJMX=-Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1199 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.password.file=%ACTIVEMQ_BASE%/conf/access/jmx.password -Dcom.sun.management.jmxremote.access.file=%ACTIVEMQ_BASE%/conf/access/jmx.access
I had the same issue regarding the ActiveMQ SSL configuration (keystore & password) in the XML not working.
My requirement was to enable remote JMX monitoring of ActiveMQ with SSL and authentication through a firewall.
I resolved it using a custom JMX connector (via a Java Agent), rather than using the JMX connector that Active MQ creates.
see: JMX connectivity through a firewall for an example (JMXAgent.java)
The important entries for configuring SSL in the JMXAgent.java are:
Map<String, Object> env = new HashMap<String, Object>();
SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory();
env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);
You can also specify your authentication files in the env Map:
env.put("jmx.remote.x.password.file", System.getProperty("password.file","<default_path>"));
env.put("jmx.remote.x.access.file", System.getProperty("access.file","<default_path>"));
The Java Agent needs to be compiled and put into a jar with a valid manifest file as described here
Add the following to the activemq launch configuration (depending on activemq version/environment) and run ActiveMQ:
-javaagent:<full_path_to_agent_jar_file> \
-Dpassword.file=<full_path_to_jmx.password_file> \
-Daccess.file=<full_path_to_jmx.access_file> \
-Djavax.net.ssl.keyStore=<full_path_to_keystore_file> \
-Djavax.net.ssl.keyStorePassword=<password>
You should then be able to connect through jconsole (with correct security parameters)
The remote JMX connection URL will be something like:
service:jmx:rmi://<host>:<rmi_server_port>/jndi/rmi://<host>:<port>/jmxrmi
Note - ports can be configured in the Java Agent.
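Added example (not code from either thread or from ActiveMQ): a small Python audit of the JVM platform JMX flags discussed in the two ActiveMQ JMX threads on this page, applying the JDK defaults for authenticate and ssl, plus a permission check for the jmx.password file. It covers only the com.sun.management.jmxremote flags, not a connector created through managementContext; the function names and OPEN_FLAGS are constructed for illustration.

```python
import os
import re
import stat

PREFIX = "com.sun.management.jmxremote"
DEFAULTS = {"authenticate": "true", "ssl": "true"}  # JDK defaults once a port is set

# From the page: the asker's second attempt, and the Windows SUNJMX answer.
ASKER_FLAGS = ("-Dcom.sun.management.jmxremote.port=1099 -Dcom.sun.management.jmxremote "
               "-Dcom.sun.management.jmxremote.ssl=false "
               "-Dcom.sun.management.jmxremote.password.file=${ACTIVEMQ_BASE}/jmx.password "
               "-Dcom.sun.management.jmxremote.access.file=${ACTIVEMQ_BASE}/jmx.access")
WINDOWS_FLAGS = ("-Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1199 "
                 "-Dcom.sun.management.jmxremote.authenticate=true "
                 "-Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.local.only=false "
                 "-Dcom.sun.management.jmxremote.password.file=%ACTIVEMQ_BASE%/conf/access/jmx.password "
                 "-Dcom.sun.management.jmxremote.access.file=%ACTIVEMQ_BASE%/conf/access/jmx.access")
# Constructed sample: the combination a review should flag.
OPEN_FLAGS = ("-Dcom.sun.management.jmxremote.port=1099 "
              "-Dcom.sun.management.jmxremote.authenticate=false "
              "-Dcom.sun.management.jmxremote.ssl=false")

def parse_jmx_flags(text):
    """Collect -Dcom.sun.management.jmxremote* options, skipping '#' comment lines."""
    flags = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for name, value in re.findall(r"-D([\w.]+)(?:=([^\s\"']*))?", line):
            if name == PREFIX:
                flags["enabled"] = value or "true"
            elif name.startswith(PREFIX + "."):
                flags[name[len(PREFIX) + 1:]] = value
    return flags

def audit(text):
    """Return findings for the remote connector these flags would start."""
    flags = parse_jmx_flags(text)
    if "port" not in flags:
        return []  # without a port, these flags open no remote connector
    eff = {**DEFAULTS, **flags}
    auth = eff["authenticate"].lower() == "true"
    findings = []
    if not auth:
        findings.append("port %s accepts unauthenticated JMX connections" % eff["port"])
    if eff["ssl"].lower() != "true":
        what = "credentials and MBean traffic" if auth else "MBean traffic"
        findings.append("TLS disabled: %s sent in clear text" % what)
    if auth and "password.file" not in flags:
        findings.append("no password.file set: the JRE default password file applies")
    return findings

def password_file_too_open(path):
    """True if group or other can read or write the JMX password file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o066)

if __name__ == "__main__":
    for label, sample in (("asker", ASKER_FLAGS), ("windows", WINDOWS_FLAGS), ("open", OPEN_FLAGS)):
        print(label, audit(sample) or "no findings")
```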