Friday, August 22, 2008

WebSphere : Accessing Remote EJBs

We have a distributed application in which the web tier and business tier are on remote WAS 6.1 servers. While making JNDI lookups of the EJBs in the business tier from the web tier, we were getting an SSLHandshakeException.

A communication failure occurred while attempting to obtain an initial context with the provider URL: "iiop://10.10.19.234:2812". Make sure that any bootstrap address information in the URL is correct and that the target name server is running. A bootstrap address with no port specification defaults to port 2809. Possible causes other than an incorrect bootstrap address or unavailable name server include the network environment and workstation network configuration. [Root exception is org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible:

Forwarded IOR failed with: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E: javax.net.ssl.SSLHandshakeException - The client and server could not negotiate the desired level of security. Reason: com.ibm.jsse2.util.h: No trusted certificate found

Initial IOR failed with: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E: javax.net.ssl.SSLHandshakeException - The client and server could not negotiate the desired level of security. Reason: com.ibm.jsse2.util.h: No trusted certificate found vmcid: IBM minor code: E07 completed: No]

The following blog gave very useful information on rectifying this problem.
http://primalcortex.wordpress.com/2008/06/05/ibm-websphere-interserver-authentication-ltpa-and-ssl/#respond
The steps mentioned were:

1) Log on to the WAS console.

2) Go to Security -> SSL and Key Management

3) Select the NodeDefaultTrustStore and then Signer Certificates

4) Define your parameters, where the main issue is that the host must be the server you wish to connect to and the port is 9043.

5) Just give an alias name and press the button “Retrieve Signer Certificate”

6) Press apply and OK, and you’re done.
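"Retrieve Signer Certificate" trusts whatever certificate the given host and port present, so it is worth comparing that certificate's fingerprint with one obtained from the remote server's administrator before adding it. The following is an added example, not code from this post or from the referenced blog: a small Java client (hypothetical class name SignerCheck) that prints the SHA-256 fingerprint of each certificate the remote port presents and reports whether it is already in a trust store. It assumes a Java 8 or later JDK on the workstation and a trust store readable as a PKCS12 file.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.*;
import javax.net.ssl.*;

// Usage: java SignerCheck <host> <secure-port> <truststore.p12> <password>
public class SignerCheck {
    // Colon-separated SHA-256 fingerprint of the DER-encoded certificate.
    static String sha256(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded()))
            sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    public static void main(String[] a) throws Exception {
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Recording trust manager: captures the chain, then aborts the handshake,
        // so no application data is ever sent over an unverified connection.
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) { }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;
                throw new CertificateException("inspection only");
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(a[0], Integer.parseInt(a[1]))) {
            s.startHandshake();
        } catch (SSLException expected) { /* raised by the recorder above */ }
        if (seen[0] == null) throw new IllegalStateException("no certificate received");

        // Assumption: the trust store is a PKCS12 file; change the type for JKS stores.
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(a[2])) { ts.load(in, a[3].toCharArray()); }
        for (X509Certificate c : seen[0]) {
            String alias = ts.getCertificateAlias(c);
            System.out.println(c.getSubjectX500Principal() + "\n  SHA-256 " + sha256(c) + "\n  "
                    + (alias == null ? "NOT in trust store" : "trusted as '" + alias + "'"));
        }
    }
}
```

A certificate reported as "NOT in trust store" corresponds to the "No trusted certificate found" reason in the exception above.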

In our case, the remote server's secure port was not 9043, so that was a change. Also, we had to restart both servers before we got the SSLHandshakeException resolved. However, we got a different exception now.

javax.naming.NoPermissionException: NO_PERMISSION exception caught. Root exception is org.omg.CORBA.NO_PERMISSION

We found the solution for this problem at the IBM site.
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=DB520&uid=swg21218843&loc=en_US&cs=UTF-8&lang=all

The steps were:

Server A should be configured to not send credentials to Server B. To prevent Server A from sending credentials, make the following changes. In the Administrator Console, go to Security -> Authentication -> Authentication Protocol -> CSIv2 Outbound -> Basic Authentication. On Server A it is set to Supported (default). Change it to Never.

After restarting both servers, we were able to make the EJB calls to the remote server.





Wednesday, May 21, 2008

Rich web sessions at the Great Indian Developer Summit

Today was our first session at the Great Indian Developer Summit, going on in Bangalore from May 19th. The past sessions were on .NET, so it did not make sense for us as Java folks to attend those. The summit started off with an interesting keynote address by the Father of Ajax, Jesse James Garrett. We had to choose between sessions, since they were running in parallel in different halls. It was difficult to make that choice sometimes, but it was good to know that we would get DVDs for the missed sessions. The speakers mostly exceeded expectations, especially the sessions on Ajax+JSF, Web plumbing and RIA Security. We are looking forward to many more enlightening sessions in the Java sessions tomorrow and the day after.