
Multiple Users Forest SSO

09-May-13
In our lab we created three new forests, each with a single domain and its own DNS server, to simulate a complex environment.

Forest DomainA.com (domain DomainA.com)
  Domain controller: DCNL01.domainA.com
  Workstation: DSKNL01
  Test user: userA, password Pumpkin1
  SSO binding user: ssoA, password Pumpkin1App
  LDAP principal: WLSAdminA@domaina.com, password Pumpkin1

Forest DomainB.com (domain DomainB.com)
  Domain controller: DCNL02.domainB.com
  Workstation: DSKNL02
  Test user: userB, password Pumpkin1
  SSO binding user: ssoB, password Pumpkin1App
  LDAP principal: WLSAdminB@domainb.com, password Pumpkin1

Forest DomainApp.com (domain DomainApp.com)
  Domain controller: DCNL03.domainApp.com
  Workstation: DSKNL03
  Test user: userApp, password Pumpkin1
  SSO binding user: ssoApp, password Pumpkin1App
  WebLogic server: V11CON01.domainApp.com
  LDAP principal: WLSAdminApp, password Pumpkin1

The application (WebLogic) server is installed in DomainApp.com.
Application users are created in all three domains.
Service users for LDAP and SSO are created in each domain.
Important: the SSO Kerberos principals must all have the same password, key version number (kvno) and encryption type. WebLogic holds a single keytab and must decrypt service tickets issued by all three KDCs, so the key in that keytab has to be the key each KDC uses. With RC4-HMAC the key is derived from the password alone (it is the NT hash, with no realm-specific salt), so identical passwords give identical keys in every forest. The AES encryption types salt the key with the realm and principal name, so the same trick does not carry over to them without a keytab entry per realm. Bear in mind that RC4-HMAC is a weak encryption type that Microsoft has since deprecated; it is what makes this single-keytab setup possible.
sso user: ssoApp@domainapp.com, password Pumpkin1App
sso user: ssoB@domainb.com, password Pumpkin1App
sso user: ssoA@domaina.com, password Pumpkin1App
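To see why the "same password, kvno and encryption type" rule works for RC4-HMAC and not for AES, here is an added example (not code from the original post) that derives the keys the way the KDCs do. It implements MD4 in pure Python, because OpenSSL 3 no longer ships MD4 by default, to compute the RC4-HMAC key, which per RFC 4757 is the NT hash of the password; it uses hashlib's PBKDF2 for the salted first stage of the RFC 3962 AES string-to-key function. The realm names, principal and password are the lab's. The AES salt follows MIT's default of realm plus principal components, an assumption about the salt's exact shape that does not affect the comparison, since Active Directory also mixes the realm into its AES salt.

```python
"""Why the three SSO accounts must share one password, kvno and encryption type.

Added example, not code from the original post. MD4 is implemented here so the
RC4-HMAC key (the NT hash, RFC 4757) can be computed without OpenSSL's legacy
provider; hashlib supplies the PBKDF2 stage of the AES string-to-key function
(RFC 3962). Realm and principal names and the password are the lab's.
"""
import hashlib
import struct

MASK = 0xFFFFFFFF
LAB_REALMS = ("DOMAINA.COM", "DOMAINB.COM", "DOMAINAPP.COM")


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian words, three 16-step rounds."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    f = lambda x, y, z: (x & y) | (~x & MASK & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                      # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2
            a = _rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 3
            a = _rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757: K = MD4(UTF-16LE(password)). No realm, no principal, no salt."""
    return md4(password.encode("utf-16-le"))


def aes_pbkdf2_stage(password: str, realm: str, principal: str, iterations: int = 4096) -> bytes:
    """First stage of RFC 3962 string-to-key for aes256-cts-hmac-sha1-96.
    The real key is DK(this value, "kerberos"), a fixed function of it, so when
    this differs between realms the keys differ too. Salt: MIT's default of the
    realm followed by the principal's name components (assumption about the
    salt's exact shape; AD mixes the realm into its AES salt as well)."""
    salt = (realm + principal.replace("/", "")).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 32)


def keys_per_realm(password: str, principal: str = "HTTP/v11con01"):
    """{realm: {"rc4": hex, "aes_stage": hex}} for the three lab forests."""
    return {r: {"rc4": rc4_hmac_key(password).hex(),
                "aes_stage": aes_pbkdf2_stage(password, r, principal).hex()}
            for r in LAB_REALMS}


def one_keytab_fits_all(password: str, enctype: str = "rc4") -> bool:
    """True if one keytab entry of this enctype decrypts tickets from every realm."""
    return len({k[enctype] for k in keys_per_realm(password).values()}) == 1


if __name__ == "__main__":
    for realm, k in keys_per_realm("Pumpkin1App").items():
        print(f"{realm:14} rc4-hmac {k['rc4']}   aes256 stage 1 {k['aes_stage'][:16]}...")
    print("one RC4 keytab for all three forests:", one_keytab_fits_all("Pumpkin1App"))
    print("one AES keytab for all three forests:", one_keytab_fits_all("Pumpkin1App", "aes_stage"))
```

Run it and the three RC4 lines are identical while the three AES lines differ, which is why the post standardises on RC4-HMAC-NT and why moving this lab to AES would need a keytab entry per realm (or a forest trust) instead of one shared key.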

DNS resolution needs to be in place across all three forests: every workstation must resolve v11con01.domainapp.com, and the WebLogic server must resolve all three domain controllers.

LDAP

WebLogic is configured with three LDAP authentication providers, one per forest, alongside the Negotiate Identity Asserter. Provider order is important: if you put the asserter before the DomainB provider, DomainB users get only LDAP authentication instead of SSO.

SSO

SSO commands run on each DC. The same principal name, kvno and encryption type are used on all three, because a service ticket carries the kvno and encryption type it was encrypted under and the single keytab entry on the WebLogic side has to match whichever KDC issued it.

DCNL03.domainApp.com
setspn: setspn -A HTTP/v11con01.domainapp.com ssoApp
ktpass: ktpass -out SSOKeyTabFile -kvno 0 -princ HTTP/v11con01@DOMAINAPP.COM -mapuser ssoApp -pass Pumpkin1App -crypto RC4-HMAC-NT
The keytab written here (SSOKeyTabFile) is collected and used for our WebLogic.
Full output of the ktpass command:

DCNL01.domaina.com
setspn: setspn -A HTTP/v11con01.domainapp.com ssoa
ktpass: ktpass -kvno 0 -princ HTTP/v11con01@DOMAINAPP.COM -mapuser domaina\ssoa -pass Pumpkin1App -crypto RC4-HMAC-NT

DCNL02.domainb.com
setspn: setspn -A HTTP/v11con01.domainapp.com ssob
ktpass: ktpass -kvno 0 -princ HTTP/v11con01@DOMAINAPP.COM -mapuser domainb\ssob -pass Pumpkin1App -crypto RC4-HMAC-NT

The ktpass runs on DCNL01 and DCNL02 map the same principal to the local SSO account and set the same password, kvno and encryption type; no keytab is collected from them, only the one from DCNL03 is deployed.

Files for SSO created on application server

Krb5.ini (Located in C:\Winnt)

krb5login.conf

 

SSOKeyTabFile (generated on the first DC)
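Before copying SSOKeyTabFile to the WebLogic host it is worth confirming that what ktpass wrote matches the arguments it was given. The following is an added example, not part of the original post: a reader for the MIT keytab format that ktpass produces (version 0x0502, big-endian integers, one optional 32-bit kvno per entry), plus a small writer used only to build an in-memory sample carrying the lab's principal with kvno 0 and enctype 23 (RC4-HMAC). The sample's key bytes are a constructed placeholder, not a real hash.

```python
"""Check SSOKeyTabFile before deploying it.

Added example, not part of the original post: a reader for the MIT keytab
format that ktpass writes (version 0x0502, big-endian, optional 32-bit kvno
per entry) and a small writer used only to construct an in-memory sample with
the lab's principal, kvno 0 and enctype 23 (RC4-HMAC). The sample's key bytes
are a constructed placeholder, not a real hash.
"""
import struct
import time

KEYTAB_V2 = 0x0502
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix, as used for realm, components and key."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal "svc/host@REALM", kvno, enctype, key bytes)."""
    blob = struct.pack(">H", KEYTAB_V2)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                 # 32-bit kvno extension
        blob += struct.pack(">i", len(body)) + body
    return blob


def parse_keytab(blob: bytes):
    """List of dicts, one per live entry (a negative size marks a deleted slot)."""
    (version,) = struct.unpack(">H", blob[:2])
    if version != KEYTAB_V2:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        entry, pos = blob[pos:pos + size], pos + size
        p = 0

        def take():
            nonlocal p
            (n,) = struct.unpack(">H", entry[p:p + 2])
            value, p = entry[p + 2:p + 2 + n], p + 2 + n
            return value

        (ncomp,) = struct.unpack(">H", entry[:2]); p = 2
        realm = take().decode()
        components = [take().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack(">IIB", entry[p:p + 9]); p += 9
        (enctype,) = struct.unpack(">H", entry[p:p + 2]); p += 2
        key = take()
        kvno = vno8
        if p + 4 <= len(entry):                       # MIT rule: a non-zero 32-bit kvno wins
            (vno32,) = struct.unpack(">I", entry[p:p + 4])
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(components) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": len(key), "timestamp": timestamp})
    return entries


def check_against_ktpass(entries, principal="HTTP/v11con01@DOMAINAPP.COM", kvno=0, enctype=23):
    """Problems found comparing the keytab to the -princ/-kvno/-crypto given to ktpass."""
    problems = []
    matching = [e for e in entries if e["principal"] == principal]
    if not matching:
        problems.append(f"no entry for {principal}")
    for e in matching:
        if e["kvno"] != kvno:
            problems.append(f"{principal}: kvno {e['kvno']}, expected {kvno}")
        if e["enctype"] != enctype:
            problems.append(f"{principal}: enctype {e['enctype_name']}, expected {ENCTYPE_NAMES[enctype]}")
    return problems


# Constructed sample: what a correct SSOKeyTabFile for this lab looks like.
SAMPLE_KEYTAB = build_keytab([("HTTP/v11con01@DOMAINAPP.COM", 0, 23, bytes(range(16)))])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    found = parse_keytab(blob)
    for e in found:
        print(e)
    print(check_against_ktpass(found) or "keytab matches the ktpass arguments")
```

Run with the real file as the argument to print each entry and flag a kvno or enctype that differs from what the three ktpass runs were given; a kvno other than 0 or an AES enctype here means the keys no longer line up across the forests.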

After deploying our application we can test SSO:

Tickets from workstation in domaina.com

 

Tickets from workstation in domainApp.com

 

Tickets from workstation in domainB.com

Natalya (natalya.luke@gmail.com)

Troubleshooting classloader issues with WebSphere

18-Dec-12

What is a Classloader:

The class loader is a central component of the Java Virtual Machine: it is responsible for loading classes into the JVM.

The ClassLoader class uses a delegation model to search for classes and resources. Each instance of ClassLoader has an associated parent class loader. When requested to find a class or resource, a ClassLoader instance will delegate the search for the class or resource to its parent class loader before attempting to find the class or resource itself. The virtual machine’s built-in class loader, called the “bootstrap class loader”, does not itself have a parent but may serve as the parent of a ClassLoader instance.

There are a few basic class loaders:

  1. Bootstrap class loader: the JVM's built-in class loader, which loads core classes such as java.lang. It uses the boot class path (typically the classes in jre/lib) to find and load classes.
  2. System class loader: loads the classes on the Java classpath.
  3. WebSphere extensions class loader: loads classes from the ws.ext.dirs class path.
  4. Application class loaders: used by enterprise applications to load classes from the application itself, e.g. JAR files and EJB modules.
  5. Zero or more web module class loaders: these load the contents of the WEB-INF/classes and WEB-INF/lib directories.

Troubleshooting class-loading issues in any environment is invariably a tedious process.

They usually surface as a ClassNotFoundException or a NoClassDefFoundError in your application. You can use the following approaches to troubleshoot them:

1. Using the classloader viewer:

WebSphere has a very good built-in tool to view the class loaders visible to a web module (.war file) or enterprise bean (.ejb file) in an installed enterprise application. It helps you determine which class loader loaded a module's files and diagnose class-loader problems.

To access it, click on the <Server-Name> –> under Additional Properties –> click on 'Class Loader Viewer Service'.

 

 

Enable the checkbox  as below:

 

This requires a restart of the server.

Then you can view the detailed report by navigating to the Troubleshooting tab in the left panel –> Class Loader Viewer –> select the application you would like to inspect.

 

2. You can enable verbose class loading on the server:

This setting specifies whether the JVM prints verbose debug output for class loading (each class name together with the location it was loaded from). By default it is off.

Log in to the WebSphere admin console –> click on the server on which you want to enable verbose class loading –> click on Process Definition under Server Infrastructure –> Java and Process Management –> click on Java Virtual Machine –> enable the Verbose Class Loading option.
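As an added example, not from the original post, the script below turns verbose class-loading output into the answers you actually want from it: which archive supplied a given class, which classes were loaded from more than one location (by more than one class loader), and which classes of a package came from somewhere other than the archive you expected. It handles the HotSpot line form and, as an assumption about the exact wording, the IBM J9 form; the sample lines are constructed.

```python
"""Read verbose class-loading output and answer "which archive supplied this class?".

Added example, not part of the original post. Line shapes handled:
  HotSpot -verbose:class   "[Loaded a.b.C from file:/path/x.jar]"
  IBM J9  -verbose:class   "class load: a/b/C from: /path/x.jar"   (assumed wording)
The SAMPLE_OUTPUT lines are constructed for illustration.
"""
import re
from collections import defaultdict

PATTERNS = (
    re.compile(r"\[Loaded (?P<cls>[\w.$]+) from (?P<src>.+?)\]"),
    re.compile(r"class load: (?P<cls>[\w/$]+) from: (?P<src>\S+)"),
)

SAMPLE_OUTPUT = """\
[Loaded java.lang.Object from shared objects file]
[Loaded org.apache.commons.io.FileUtils from file:/opt/IBM/WebSphere/AppServer/lib/ext/commons-io-1.4.jar]
[Loaded com.example.app.Main from file:/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/cell/MyApp.ear/web.war/WEB-INF/classes/]
class load: org/apache/commons/io/IOUtils from: /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/cell/MyApp.ear/web.war/WEB-INF/lib/commons-io-2.4.jar
[Loaded org.apache.commons.io.FileUtils from file:/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/cell/Other.ear/other.war/WEB-INF/lib/commons-io-2.4.jar]
"""


def parse_verbose_classloading(text):
    """{class name in dotted form: [source, ...]} in load order."""
    loaded = defaultdict(list)
    for line in text.splitlines():
        for pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                loaded[m.group("cls").replace("/", ".")].append(m.group("src"))
                break
    return dict(loaded)


def source_of(loaded, class_name):
    """The archive that supplied the first copy of the class, or None if it never loaded."""
    sources = loaded.get(class_name)
    return sources[0] if sources else None


def duplicated_classes(loaded):
    """Classes loaded from more than one location, i.e. by more than one class loader."""
    return {c: s for c, s in loaded.items() if len(set(s)) > 1}


def loaded_outside(loaded, package_prefix, expected_fragment):
    """Classes under package_prefix whose source does not contain expected_fragment.
    With parent-first delegation a server-level copy (lib/ext) wins over the one in
    WEB-INF/lib, and this is how that shows up."""
    return {c: [s for s in sources if expected_fragment not in s]
            for c, sources in loaded.items()
            if c.startswith(package_prefix) and any(expected_fragment not in s for s in sources)}


if __name__ == "__main__":
    import sys
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_OUTPUT)
    loaded = parse_verbose_classloading(text)
    print("FileUtils came from:", source_of(loaded, "org.apache.commons.io.FileUtils"))
    for cls, srcs in duplicated_classes(loaded).items():
        print("loaded more than once:", cls, srcs)
    for cls, srcs in loaded_outside(loaded, "org.apache.commons.io.", "WEB-INF/lib").items():
        print("not from WEB-INF/lib:", cls, srcs)
```

Point it at the server's SystemOut.log (or native_stdout.log) after enabling the option; the `loaded_outside` check is the quick way to find out that the server's own copy of a library, rather than the patched one you bundled in WEB-INF/lib, is what actually runs.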

 

 

 

 

3. Another way to debug class-loader issues is to enable debug logging for "com.ibm.ws.classloader.*".

 

Click on the Server –>Click on the Change Log Detail Levels and define the class on which you would like to enable the logging level.

 

 

Further reading:

http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/index.jsp?topic=/com.ibm.iea.was_v6/was/6.0/Runtime/WASv6_ClassLoader_PD/player.html

 

Cheers,

Team Wonders.

 

socket bind failed exception on websphere

09-Oct-12

We were getting the following exception in the WebSphere logs when we tried to send messages to a queue on WAS.

[9/14/12 10:26:26:835 EDT] 00000013 TCPPort E TCPC0003E: TCP Channel SIB_TCP_JFAP initialization failed. The socket bind failed for host xxx.xxx.xxx.xxx and port 7276. The port may already be in use.
[9/14/12 10:26:26:875 EDT] 0000001c TCPPort E TCPC0003E: TCP Channel SIB_TCP_JFAP_SSL initialization failed. The socket bind failed for host xxx.xxx.xxx.xxx and port 7286. The port may already be in use.

[ERROR] Cannot create writer connection: Failed to create JMS connection: CWSIA0241E: An exception was received during the call to the method JmsManagedConnectionFactoryImpl.createConnection: com.ibm.websphere.sib.exception.SIResourceException: CWSIT0006E: It is not possible to connect to bus XXX_BUS because the following bootstrap servers could not be contacted [xxx.xxx.xxx.xxx:7286:SecureMessaging] and the following bootstrap servers returned an error condition []. See previous messages for the reason for each bootstrap server failure..Exception Stack: javax.jms.JMSException: CWSIA0241E: An exception was received during the call to the method JmsManagedConnectionFactoryImpl.createConnection: com.ibm.websphere.sib.exception.SIResourceException: CWSIT0006E: It is not possible to connect to bus XXX_BUS because the following bootstrap servers could not be contacted [xxx.xxx.xxx.xxx:7286:SecureMessaging] and the following bootstrap servers returned an error condition []. See previous messages for the reason for each bootstrap server failure..
at com.ibm.ws.sib.api.jms.impl.JmsManagedConnectionFactoryImpl.createConnection(JmsManagedConnectionFactoryImpl.java:240)
at com.ibm.ws.sib.api.jms.impl.JmsQueueConnectionFactoryImpl.createQueueConnection(JmsQueueConnectionFactoryImpl.java:152)
at com.ibm.ws.sib.api.jms.impl.JmsQueueConnectionFactoryImpl.createQueueConnection(JmsQueueConnectionFactoryImpl.java:116)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection$PlginJMSQueueConnection.createConnection(PlginJMSConnection.java:375)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection.<init>(PlginJMSConnection.java:90)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection$PlginJMSQueueConnection.<init>(PlginJMSConnection.java:352)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection.create(PlginJMSConnection.java:115)
at com.informatica.powerconnect.jms.server.writer.JMSWriterConn.init(JMSWriterConn.java:93)
Caused by: com.ibm.websphere.sib.exception.SIResourceException: CWSIT0006E: It is not possible to connect to bus XXX_BUS because the following bootstrap servers could not be contacted [xxx.xxx.xxx.xxx:7286:SecureMessaging] and the following bootstrap servers returned an error condition []. See previous messages for the reason for each bootstrap server failure.
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.bootstrapRequest(TrmSICoreConnectionFactoryImpl2.java:608)
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.remoteBootstrap(TrmSICoreConnectionFactoryImpl2.java:405)
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.createConnection(TrmSICoreConnectionFactoryImpl2.java:240)
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.createConnection(TrmSICoreConnectionFactoryImpl2.java:145)
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createCoreConnection(JmsJcaConnectionFactoryImpl.java:563)
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createCoreConnection(JmsJcaConnectionFactoryImpl.java:499)
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createConnection(JmsJcaConnectionFactoryImpl.java:312)
at com.ibm.ws.sib.api.jms.impl.JmsManagedConnectionFactoryImpl.createConnection(JmsManagedConnectionFactoryImpl.java:206)
… 7 more
Linked Exception Stack: com.ibm.websphere.sib.exception.SIResourceException: CWSIT0006E: It is not possible to connect to bus XXX_BUS because the following bootstrap servers could not be contacted [xxx.xxx.xxx.xxx:7286:SecureMessaging] and the following bootstrap servers returned an error condition []. See previous messages for the reason for each bootstrap server failure.
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.bootstrapRequest(TrmSICoreConnectionFactoryImpl2.java:608)
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.remoteBootstrap(TrmSICoreConnectionFactoryImpl2.java:405)
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.createConnection(TrmSICoreConnectionFactoryImpl2.java:240)
at com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl2.createConnection(TrmSICoreConnectionFactoryImpl2.java:145)
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createCoreConnection(JmsJcaConnectionFactoryImpl.java:563)
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createCoreConnection(JmsJcaConnectionFactoryImpl.java:499)
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createConnection(JmsJcaConnectionFactoryImpl.java:312)
at com.ibm.ws.sib.api.jms.impl.JmsManagedConnectionFactoryImpl.createConnection(JmsManagedConnectionFactoryImpl.java:206)
at com.ibm.ws.sib.api.jms.impl.JmsQueueConnectionFactoryImpl.createQueueConnection(JmsQueueConnectionFactoryImpl.java:152)
at com.ibm.ws.sib.api.jms.impl.JmsQueueConnectionFactoryImpl.createQueueConnection(JmsQueueConnectionFactoryImpl.java:116)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection$PlginJMSQueueConnection.createConnection(PlginJMSConnection.java:375)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection.<init>(PlginJMSConnection.java:90)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection$PlginJMSQueueConnection.<init>(PlginJMSConnection.java:352)
at com.informatica.powerconnect.jms.server.common.PlginJMSConnection.create(PlginJMSConnection.java:115)
at com.informatica.powerconnect.jms.server.writer.JMSWriterConn.init(JMSWriterConn.java:93)

 

This was identified as a DNS name problem. The message points at a port conflict, but a bind also fails when the configured host name resolves to an address the machine does not own, which is what a wrong DNS entry produces. Once we fixed the DNS name the channels started and the errors went away.
Wonders Team!
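TCPC0003E blames the port, but bind() fails just as readily when the configured host name resolves to an address that is not on the machine, which is what a wrong DNS entry produces. As an added example (not the original post's code), this script separates the two causes for the two SIB ports from the log; the host name, the FAKE_DNS table and the sample ports are constructed placeholders, and the resolver and local-address list are injectable so the logic can be exercised without a network.

```python
"""Separate a DNS problem from a real port conflict behind TCPC0003E.

Added example, not from the original post. WebSphere prints "the port may
already be in use" for every failed bind, but bind() fails just as readily
when the configured host name resolves to an address this machine does not
own, which is what a wrong DNS entry produces. Host names, ports and the
FAKE_DNS table are constructed placeholders; pass a real host name on the
command line to check a live box.
"""
import errno
import socket

# Constructed stand-in for a wrong DNS entry: the messaging host's name points
# at an address that belongs to some other machine.
FAKE_DNS = {"washost.example.com": "203.0.113.5"}

IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}
NOT_LOCAL = {errno.EADDRNOTAVAIL, getattr(errno, "WSAEADDRNOTAVAIL", errno.EADDRNOTAVAIL)}


def fake_resolve(host):
    """Resolver with the same contract as socket.gethostbyname, backed by FAKE_DNS."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known") from None


def local_addresses():
    """IPv4 addresses this machine can bind: loopback, the wildcard, and its own name's addresses."""
    addrs = {"127.0.0.1", "0.0.0.0"}
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass
    return addrs


def occupy_loopback_port():
    """Bind (without listening on) an ephemeral loopback port; returns (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def diagnose_bind(host, port, resolve=socket.gethostbyname, local=None):
    """Return (status, detail) with status one of
       'unresolvable': the name has no address record
       'not-local':    it resolves, but to an address this machine does not own
       'in-use':       the address is local but the port is already bound
       'ok':           a test bind succeeded (the socket is closed again)
    resolve and local are injectable so the logic runs without a network."""
    local = local_addresses() if local is None else local
    try:
        addr = resolve(host)
    except socket.gaierror as e:
        return "unresolvable", f"{host}: {e}"
    if addr not in local:
        return "not-local", f"{host} -> {addr}, but this machine owns {sorted(local)}"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        return "ok", f"{addr}:{port} can be bound"
    except OSError as e:
        if e.errno in IN_USE:
            return "in-use", f"{addr}:{port}: {e.strerror}"
        if e.errno in NOT_LOCAL:
            return "not-local", f"{addr}:{port}: {e.strerror}"
        return "error", f"{addr}:{port}: {e.strerror}"
    finally:
        s.close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "washost.example.com"
    resolver = fake_resolve if host in FAKE_DNS else socket.gethostbyname
    for port in (7276, 7286):          # SIB_TCP_JFAP and SIB_TCP_JFAP_SSL from the log
        status, detail = diagnose_bind(host, port, resolve=resolver)
        print(f"{status:12} {detail}")
```

Run it on the WebSphere node with the host name from the endpoint configuration; "not-local" is the DNS case from this post, while "in-use" is the genuine port conflict the message describes.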