WebSphere Application Server & Liberty

 View Only
  • 1.  Unable to bring up/sync the node agent

    Posted Thu June 30, 2022 08:59 AM
    Hi,
    We are using WebSphere server 8.5.5.8 and Java version is 1.7. Actually when we try to fix a device vuln in one of the server, we changed the protocol from SSL_TLS to TLSv1.2 (which is under SSL certificate and key management -> SSL configuration -> NodeDefaultSSLSettings -> QoP ). After we applied the changes Node Agent went down. Once we realized it, we reverted the changes. Even though, it is not up. 

    dmgr and node agent is running. But when we execute syncNode.sh, exception occurred (SSLHandShake). We have checked the following files,
    1. security.xml (both dmgr and node - have values as SSL_TLS in sslprotocol)
    2. ssl.client.props (having SSL_TLS only)

    Please advise


    Few logs:
    Caused by: com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: Received fatal alert: handshake_failure; targetException=java.lang.IllegalArgumentException: Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: Received fatal alert: handshake_failure]
           at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:429)
           at com.ibm.ws.management.connector.soap.SOAPConnectorClient.<init>(SOAPConnectorClient.java:228)
           ... 39 more
    Caused by: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: Received fatal alert: handshake_failure; targetException=java.lang.IllegalArgumentException: Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: Received fatal alert: handshake_failure]
           at org.apache.soap.transport.http.SOAPHTTPConnection.send(SOAPHTTPConnection.java:475)
           at org.apache.soap.rpc.Call.WASinvoke(Call.java:510)
           at com.ibm.ws.management.connector.soap.SOAPConnectorClient$4.run(SOAPConnectorClient.java:387)
           at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
           at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:372)
           ... 40 more[6/23/22 5:46:08:077 CDT] 00000001 AdminTool    E  ADMU0111E: Program exiting with error: com.ibm.websphere.management.exception.ConnectorException: ADMC0016E: The system cannot create a SOAP connector to connect to host {server_name} at port 8878.
           at com.ibm.websphere.management.AdminClientFactory.createAdminClientPrivileged(AdminClientFactory.java:635)
           at com.ibm.websphere.management.AdminClientFactory.access$000(AdminClientFactory.java:127)
           at com.ibm.websphere.management.AdminClientFactory$1.run(AdminClientFactory.java:210)
           at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:63)
           at com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:206)
           at com.ibm.ws.management.tools.AbstractNodeConfigUtility.getAdminClient(AbstractNodeConfigUtility.java:204)
           at com.ibm.ws.management.tools.NodeSyncUtility.runTool(NodeSyncUtility.java:155)
           at com.ibm.ws.management.tools.AdminTool.executeUtility(AdminTool.java:271)
           at com.ibm.ws.management.tools.NodeSyncUtility.main(NodeSyncUtility.java:69)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
           at java.lang.reflect.Method.invoke(Method.java:620)
           at com.ibm.wsspi.bootstrap.WSLauncher.launchMain(WSLauncher.java:234)
           at com.ibm.wsspi.bootstrap.WSLauncher.main(WSLauncher.java:96)
           at com.ibm.wsspi.bootstrap.WSLauncher.run(WSLauncher.java:77)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
           at java.lang.reflect.Method.invoke(Method.java:620)
           at org.eclipse.equinox.internal.app.EclipseAppContainer.callMethodWithException(EclipseAppContainer.java:587)
           at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:198)
           at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:110)
      at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:79)
           at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:369)
           at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:179)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
           at java.lang.reflect.Method.invoke(Method.java:620)
           at org.eclipse.core.launcher.Main.invokeFramework(Main.java:340)
           at org.eclipse.core.launcher.Main.basicRun(Main.java:282)
           at org.eclipse.core.launcher.Main.run(Main.java:981)
           at com.ibm.wsspi.bootstrap.WSPreLauncher.launchEclipse(WSPreLauncher.java:401)
           at com.ibm.wsspi.bootstrap.WSPreLauncher.main(WSPreLauncher.java:164)
    Caused by: java.lang.reflect.InvocationTargetException
           at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
           at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:86)
           at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:58)
           at java.lang.reflect.Constructor.newInstance(Constructor.java:542)
           at com.ibm.websphere.management.AdminClientFactory.createAdminClientPrivileged(AdminClientFactory.java:457)
           ... 34 more
    Caused by: com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: Received fatal alert: handshake_failure; targetException=java.lang.IllegalArgumentException: Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: Received fatal alert: handshake_failure]
           at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:429)
           at com.ibm.ws.management.connector.soap.SOAPConnectorClient.<init>(SOAPConnectorClient.java:228)
           ... 39 more
    Caused by: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: Received fatal alert: handshake_failure; targetException=java.lang.IllegalArgumentException: Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: Received fatal alert: handshake_failure]
           at org.apache.soap.transport.http.SOAPHTTPConnection.send(SOAPHTTPConnection.java:475)
    , resulting from: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: Received fatal alert: handshake_failure; targetException=java.lang.IllegalArgumentException: Error opening socket: java.io.IOException: Exception during sslSocket.startHandshake: Received fatal alert: handshake_failure]
    [6/23/22 5:46:08:082 CDT] 00000001 AdminTool    A  ADMU4123E: Ensure that the Deployment Manager is running on the specified host and port. Also ensure that the security configuration in ssl.client.props on the node is compatible with the Deployment Manager.
    [6/23/22 5:46:08:082 CDT] 00000001 AdminTool    A  ADMU1211I: To obtain a full trace of the failure, use the -trace option.
    [6/23/22 5:46:08:083 CDT] 00000001 AdminTool    A  ADMU0211I: Error details may be seen in the file:

    ------------------------------
    Dhinakaran Lakshmanadoss
    ------------------------------


  • 2.  RE: Unable to bring up/sync the node agent

    Posted Fri July 01, 2022 03:05 AM
    There are two steps you could try:
    First step is to stop the node agent, then try the syncNode.sh
    Second step: If syncNode doesn't work you can try and disable security, synchronize the node, enable security again and synchronize again.

    For step 2, disable security as described in the links below, then stop the Dmgr and start it again. Then try a syncNode from the Node.
    https://www.ibm.com/support/pages/how-disable-websphere-global-security-one-application-server-secure-cell
    https://www.ibm.com/support/pages/disabling-websphere-administrative-security-when-admin-console-not-accessible

    Hope that helps.
    Lars

    BTW: Please be aware that Java 7 is out of support. You should switch to Java 8 to get back to a supported level - Java 8 also closes some security vulnerabilities.


    ------------------------------
    Lars Besselmann
    Integration Technical Specialist, IBM Technology Sales, EMEA
    IBM
    Düsseldorf
    ------------------------------



  • 3.  RE: Unable to bring up/sync the node agent

    Posted Fri July 01, 2022 05:39 AM
    I agree with Lars, and also want to add that FP 8.5.5.8 is very old, you should update it.
    And also when you go to SSL certificate and key management -> SSL configuration be sure to change the protocol in all the SSL configurations that are listed , not only in the Node.
    and after the syncNode.sh (with nodeagent stopped) , be sure to update ssl.client.props from SSL_TLS to TLSv1.2 in both DMGR profile and node profile


    ------------------------------
    JOAO PEDRO ALEXANDRE
    ------------------------------



  • 4.  RE: Unable to bring up/sync the node agent

    IBM Champion
    Posted Fri July 01, 2022 03:27 AM
    Hi Dhinakaran,

      The best procedures @Lars Besselmann suggested.

      If you are not able to disable security please check if this certificates files are the same if not take from DMGR Node and copy to Node.

    To verify:

    ./keytool -list -v -keystore <PATH>/key.p12

    f.e
    ./keytool -list -v -keystore /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/DefaultCell01/nodes/DefaultNode01/key.p12

    Copy from "DMGR Node" key.p12 and trust.p12 of the "Node" if you are using default configuration will be at
    "${CONFIG_ROOT}/cells/DefaultCell01/nodes/DefaultNode01/key.p12"
    "${CONFIG_ROOT}/cells/DefaultCell01/nodes/DefaultNode01/trust.p12"

    * Backup files previusly
    To "Node"
    PROFILE/etc/

    f.e
    /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/etc

    Hope this helps. Tell us if you need more support

    Regards ​

    ------------------------------
    Gabriel Aberasturi
    Versia tecnologias emergentes
    ------------------------------