JMX Admin client unable to connect to secured server

--------------------------------

Hi,
I am trying to create a custom admin client for a stand alone websphere server. Security is turned on for my server.

Websphere Version -> 6.1.0
Security -> Federal Repository


Admin console is secured and it prompts for password. it accepts the windows administrator password. i am trying to use SOAP connector port available at 8882.

I am able to get the admin client when security is turned off in my server. But when security is turned on i get an error.

My code and the error i get is:

------------------------------------------------------------
CODE
------------------------------------------------------------
java.util.Properties props = new java.util.Properties();
props.setProperty(AdminClient.CONNECTOR_TYPE, /"/"SOAP/"/");
props.setProperty(AdminClient.CONNECTOR_HOST, /"/"blrkec95828d/"/");
props.setProperty(AdminClient.CONNECTOR_PORT, /"/"8882/"/");
props.setProperty(AdminClient.CONNECTOR_SECURITY_ENABLED, /"/"true/"/");
props.setProperty(AdminClient.USERNAME, /"/"user1/"/");
props.setProperty(AdminClient.PASSWORD, /"/"user24test/"/");
props.setProperty(/"/"javax.net.ssl.trustStore/"/", /"/"C:/Program Files/IBM/WebSphere/AppServer2/profiles/AppSrv02/etc/DummyClientTrustFile.jks/"/");
props.setProperty(/"/"javax.net.ssl.keyStore/"/", /"/"C:/Program Files/IBM/WebSphere/AppServer2/profiles/AppSrv02/etc/DummyClientKeyFile.jks/"/");
props.setProperty(/"/"javax.net.ssl.trustStorePassword/"/", /"/"WebAS/"/");
props.setProperty(/"/"javax.net.ssl.keyStorePassword/"/", /"/"WebAS/"/");

try{
acl = AdminClientFactory.createAdminClient(props);
}
catch(Exception ex){
new AdminException(ex).printStackTrace();
}

--------------------------------------------------------------------
ERROR
--------------------------------------------------------------------
Feb 25, 2009 2:05:20 PM com.ibm.websphere.management.AdminClientFactory
WARNING: ADMC0046W
Feb 25, 2009 2:05:20 PM com.ibm.ws.management.connector.interop.JMXClassLoader
WARNING: Could not find tmx4jTransform.jar in null/etc/tmx4jTransform.jar - Interoperability to older versions of WebSphere is disabled
Feb 25, 2009 2:05:21 PM com.ibm.ws.ssl.config.SSLConfigManager
INFO: ssl.disable.url.hostname.verification.CWPKI0027I
Feb 25, 2009 2:05:21 PM com.ibm.ws.ssl.provider.AbstractJSSEProvider
SEVERE: CWPKI0029E: SSL context provider /"/"IBMJSSE2/"/" is not valid. This provider is specified in the SSL configuration alias /"/"DefaultSystemProperties/"/" loaded from SSL configuration file /"/"System Properties/"/". The extended error message is: /"/"no such provider: IBMJSSE2/"/".
com.ibm.websphere.management.exception.AdminException: com.ibm.websphere.management.exception.ConnectorException: ADMC0053E: The system cannot create a SOAP connector to connect to host blrkec95828

I'm having a similar problem with a JMX client using RMI-IIOP (using sample code from WebSphere v7 doc /"Developing a Java Management Extensions client program using Java Management Extensions Remote application programming interface/").

All works well when global security is disabled, but when its enabled in Websphere, I get /"Access Denied/" on the client and /"role-based authorization check failed for admin-authz operation/" on the server - I get this even when credentials are supplied on the client (as the code suggests).

Has anyone had any luck getting the sample code to work with global security enabled? I'll `test`.`post` updates if I eventually get it working...

Thanks

--------------------------------

Posted By: jventura at Mar 2 2009 4:15PM

Is the stand-alone client running with the WAS JDK or another? Check to make absolutely SURE it is running with the WAS JDK. Looks like your app is running with a JDK that does not have the IBMJSSE2 SSL crypto provider (maybe a non-IBM JDK in use?)

--------------------------------

Posted By: jpapejr at Mar 3 2009 1:33PM

This is a standalone client - I had no luck with the WAS JDK. I also tried variations using both IBM's AdminClient as well as JMXConnector. I can connect to the WebSphere server, but when my client invokes getAttribute() on the AdminClient or the MBeanServerConnection, I always get the following:

Name: state Error: javax.management.JMRuntimeException:
>> SERVER (id=4773e3aa, host=xxx.xxx.com) TRACE START:
>> javax.management.JMRuntimeException: ADMN0022E: Access is denied for the getJ2EEState operation on J2EEApplication MBean because of insufficient or empty credentials.
>> at java.lang.Throwable.(Throwable.java:67)
>> at com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:2311)
>> at com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:2153)
>> at com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:2053)
>> at com.ibm.ws.management.AdminServiceImpl.preInvoke(AdminServiceImpl.java:2026)
>> at com.ibm.ws.management.AdminServiceImpl.getAttribute(AdminServiceImpl.java:844)
>> at com.ibm.ws.management.connector.AdminServiceDelegator.getAttribute(AdminServiceDelegator.java:141)
>> at com.ibm.ws.management.connector.rmi.RMIConnectorService.getAttribute(RMIConnectorService.java:193)
>> at com.ibm.ws.management.connector.rmi._RMIConnectorService_Tie.getAttribute(_RMIConnectorService_Tie.java:225)
>> at com.ibm.ws.management.connector.rmi._RMIConnectorService_Tie._invoke(_RMIConnectorService_Tie.java:100)
>> at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(ServerDelegate.java:622)
>> at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:475)
>> at com.ibm.rmi.iiop.ORB.process(ORB.java:504)
>> at com.ibm.CORBA.iiop.ORB.process(ORB.java:1571)
>> at com.ibm.rmi.iiop.Connection.respondTo(Connection.java:2771)
>> at com.ibm.rmi.iiop.Connection.doWork(Connection.java:2640)
>> at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:63)
>> at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:118)
>> at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1527)

--------------------------------

Posted By: jventura at Mar 9 2009 2:16PM