Monthly Archive: November 2010

MBean Authorization and Creating JMX Policies

By default, only users with the Admin role can access and monitor WebLogic resources. Sometimes, however, it is important that users with the Monitor or Operator roles can also monitor the resources.

This feature is not available by default, but we can create JMX policies to grant monitors, operators and deployers access to the resources.

For example: if a user with the Monitor role logs into the console and tries to access the messages in the JMS queues, the attempt fails because of missing permissions. The error below is shown on the admin console:

Error weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[divya, Operators, Monitors, Deployers], on ResourceType: JMSDestinationRuntime Action: execute, Target: getMessages

This means the user divya, who has the roles Operator, Monitor and Deployer, does not have privileges to access the JMSDestinationRuntime MBean and therefore cannot view the messages in the JMS queue. We need to give privileges to the user divya by creating JMX policies as below:

–    Log into the admin console with the admin credentials.
–    Go to Security Realms
–    Select the name of the realm that you want to control access to MBeans (for example, myrealm)
–    Go to configurations -> General tab.
–    Check the box for Use Authorization Providers to Protect JMX Access. (Enable it)

–    Now go to the tab Roles and Policies -> Realm Policies
–    Click on the link JMX Policy Editor

– The next screen will give you an option of selecting policy.
– If you want a policy that applies to all instances of a WebLogic Server MBean, select the radio button next to Global Scope. Then click the Next button.

– If you want a policy that applies only to the MBean instance that is used to manage a specific deployment or system resource:
1)  In the Scope column, expand the category name that describes the type of deployment or resource you want to secure.
2)  Select the radio button next to the deployment or resource you want to secure. Then click the Next button.

–    Select global scope so that the policy applies to all instances

Click on next.
– If you want a policy that applies to all instances of all MBeans in the scope that you selected on the previous page, select the radio button next to All MBean Types. Then click the Next button.

– If you want a policy that applies only to a specific MBean instance, in the MBean Type column, expand the categories of MBeans until you find the MBean. We can expand weblogic.management.runtime and select JMSDestinationRuntimeMBean for having the privileges to access the JMS queue, or select All MBean Types.

Click next.

–    To control read access for a specific non-encrypted attribute (applicable only if you selected a specific MBean to secure), expand the Attributes: Permission to Read category and select the attribute.
–    To control write access for a specific non-encrypted attribute (applicable only if you selected a specific MBean to secure), expand the Attributes: Permission to Write category and select the attribute.
–    To control write or read access for encrypted attributes, expand the Encrypted Attributes: Permission to Read or Encrypted Attributes: Permission to Write category and select the attribute.
–    To control access to a specific operation (applicable only if you selected a specific MBean to secure), expand the Operations: Permission to Invoke category and select the operation.
–    To control access to lookup operations (which enable clients to find this MBean’s child MBeans) select the Lookup Operations: Permission to Invoke category or a specific lookup operation in the category.

For All MBean Types, select Operations: Permission to Invoke

–    Click on Create Policy.
–    Click on “Add Condition” Button under Policy Conditions.
–    Click on Next, leave the Role in Predicate List field.
–    Add the “Admin” & “Monitor” Roles in “Role Argument Name” field.

–    Click on Finish and then on Save.

Now log out of the console and log in with the credentials of the user for whom you created the policy. Check the messages in the JMS queues; they will now be accessible.
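As an added illustration (not part of the original post and not WebLogic code), the following Python example parses denial lines in the format quoted above and groups them by MBean type and operation, so the JMX Policy Editor selection can be scoped to one MBean type and operation rather than to All MBean Types. Only the first sample line comes from the post; the other log lines, the user ravi and the group-to-role mapping are assumptions made for the example.

```python
import re
from collections import defaultdict

# Message layout taken from the console error quoted in the post.
DENIAL_RE = re.compile(
    r"NoAccessRuntimeException: Access not allowed for subject: "
    r"principals=\[(?P<principals>[^\]]*)\],\s*on ResourceType: (?P<rtype>\w+)\s+"
    r"Action: (?P<action>\w+),\s*Target: (?P<target>\w+)"
)

# Assumption: the default groups map to the global roles of the same stem.
GROUP_TO_ROLE = {"Administrators": "Admin", "Operators": "Operator",
                 "Monitors": "Monitor", "Deployers": "Deployer"}

# Only the "execute" action appears in the post; anything else is left unmapped.
ACTION_TO_CATEGORY = {"execute": "Operations: Permission to Invoke"}

# Constructed sample: line 1 is the post's error, the rest are invented for the demo.
SAMPLE_LOG = """\
Error weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[divya, Operators, Monitors, Deployers], on ResourceType: JMSDestinationRuntime Action: execute, Target: getMessages
Error weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[ravi, Monitors], on ResourceType: JMSDestinationRuntime Action: execute, Target: getMessages
Error weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[ravi, Monitors], on ResourceType: ServerLifeCycleRuntime Action: execute, Target: shutdown
Info some unrelated console message
"""


def parse_denials(log_text):
    """Return one dict per NoAccessRuntimeException line; other lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if m is None:
            continue
        principals = [p.strip() for p in m.group("principals").split(",") if p.strip()]
        denials.append({
            "users": [p for p in principals if p not in GROUP_TO_ROLE],
            "roles": [GROUP_TO_ROLE[p] for p in principals if p in GROUP_TO_ROLE],
            "resource_type": m.group("rtype"),
            "action": m.group("action"),
            "target": m.group("target"),
        })
    return denials


def policy_candidates(denials):
    """Collapse denials into one entry per (MBean type, action, target)."""
    grouped = defaultdict(lambda: {"users": set(), "roles": None, "count": 0})
    for d in denials:
        g = grouped[(d["resource_type"], d["action"], d["target"])]
        g["count"] += 1
        g["users"].update(d["users"])
        # Roles held by every denied subject: granting one of these covers them all.
        held = set(d["roles"])
        g["roles"] = held if g["roles"] is None else g["roles"] & held
    result = []
    for (rtype, action, target), g in sorted(grouped.items()):
        result.append({
            "mbean_type": rtype + "MBean",  # e.g. JMSDestinationRuntimeMBean
            "category": ACTION_TO_CATEGORY.get(action, "unmapped action: " + action),
            "operation": target,
            "users": sorted(g["users"]),
            "common_roles": sorted(g["roles"]),
            "denials": g["count"],
        })
    return result


if __name__ == "__main__":
    for candidate in policy_candidates(parse_denials(SAMPLE_LOG)):
        print(candidate)
```

For the sample input, both getMessages denials collapse into one candidate with Monitor as the role common to the denied subjects. The shutdown denial is listed separately so it can be reviewed on its own instead of being covered by a grant on all MBean types.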

If you face any issues in configuring the policies, or have any doubts or issues, do let us know.

Best Regards.

Deployment Issues On Weblogic Server

When we deploy web applications on the WebLogic server, some common errors are seen on the admin console while activating changes. These errors are usually not resolved even after a restart of the server. A few of the issues are listed below:

1) <Error> <Console> <BEA-240003> <Console encountered the following error weblogic.management.DeploymentException: [Deployer:149189]Attempt to operate ‘distribute’ on null BasicDeploymentMBean for deployment portalTramitsServeisEAR. Operation can not be performed until server is restarted.

– This may be resolved by running statd() and lockd() processes on every NFS client that accesses a remote NFS volume.

– If different servers (sharing the same domain root) are started with different user IDs of the same group, set the correct “umask” for the server process so that a file created by one server can be opened for read/write by the other server without security exceptions. E.g.: “umask 002”.

Workaround for this issue:
1.  Click on Lock and Edit.
2.  Go to deployments.
3.  Click to install the web-app.
4.  After installing (any staging mode), click on Activate changes. At this time, you will see the error as mentioned above.
5.  Now click on Activate Changes again.
6.  Click on Lock and Edit.
7.  Click on Undo All Changes.
8.  Click on Lock and Edit and install the app again.
9.  This time it succeeds.

2)  javax.xml.transform.TransformerFactoryConfigurationError: Provider org.apache.xalan.processor.TransformerFactoryImpl not found
at javax.xml.transform.TransformerFactory.newInstance(TransformerFactory.java:108)
at weblogic.management.provider.internal.ConfigReader.convert(ConfigReader.java:100)
at weblogic.management.provider.internal.ConfigReader.<init>(ConfigReader.java:71)
at weblogic.management.provider.internal.ConfigReader.<init>(ConfigReader.java:65)
at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.handleConfigTreeLoad(RuntimeAccessDeploymentReceiverService.java:961)
at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.updateDeploymentContext(RuntimeAccessDeploymentReceiverService.java:581)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doUpdateDeploymentContextCallback(DeploymentReceiverCallbackDeliverer.java:133)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.updateDeploymentContext(DeploymentReceiverCallbackDeliverer.java:27)

– When the application is already deployed on the server, any change made through the console throws this error. If the application is deployed on the managed servers, the servers are running and the application is active, the changes cannot be activated. The workaround is to shut down the managed servers and then make the changes, but this is not acceptable in a production environment.

Solution :
1- Undeploy the application. Shutdown the servers.

2- Add xercesImpl.jar, xalan.jar, serializer.jar, xml-apis.jar and xsltc.jar libraries in classpath.

3- In the application, place the files xalan.jar, xercesImpl.jar and xml-apis.jar in the WEB-INF/lib directory of the WAR file, then set prefer-web-inf-classes to true in weblogic.xml as:
<container-descriptor>
    <prefer-web-inf-classes>true</prefer-web-inf-classes>
</container-descriptor>

4- Set the following start-up flags in the JAVA_OPTIONS:
-Djavax.xml.parsers.SAXParserFactory=weblogic.xml.jaxp.RegistrySAXParserFactory
-Djavax.xml.parsers.DocumentBuilderFactory=weblogic.xml.jaxp.RegistryDocumentBuilderFactory
-Djavax.xml.transform.TransformerFactory=weblogic.xml.jaxp.RegistrySAXTransformerFactory
– Restart the servers, deploy the application again, and check if the issue still persists.

 

<BEA-290071> <Deployment service servlet failed on parsing the request or uploading the file>

Use the following java option

-Dweblogic.deploy.UploadLargeFile=true

Unable to access the selected application.
Exception in AppMerge flows’ progression
Exception in AppMerge flows’ progression
VALIDATION PROBLEMS WERE FOUND problem: cvc-complex-type.2.4a:

You need to update your web.xml namespace declaration.

http://docs.oracle.com/cd/E21764_01/web.1111/e13712/web_xml.htm#i1039990

You get the following exception when jsp size is huge.

too large for try statement

Use the following JVM Option

-Dweblogic.jsp.noOptimization

Getting following error at the time of deployment.

Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Logger

Apply Patch 16038283 and exclude the classes which are not used as beans by editing the beans.xml file.
If the issue is still not resolved, please get in touch with Oracle Support.

Add the following JVM option on the server on which you are doing the deployment and restart.

-Xverify:none

Stack overflow error while invoking jspx page WLS 10.3.6

A java.lang.StackOverflowError exception occurs.
The related Java stack is:
java.lang.StackOverflowError
at weblogic.servlet.internal.ServletResponseImpl.addHeader(ServletResponseImpl.java:556)
at javax.servlet.http.HttpServletResponseWrapper.addHeader(HttpServletResponseWrapper.java:168)

You need to modify web.xml to set the following context parameter (name followed by value):

javax.faces.FACELETS_VIEW_MAPPINGS *.jspx


Exception in thread “AWT-EventQueue-0” sun.awt.X11.XException: Cannot write XdndAware property
at sun.awt.X11.XDnDDropTargetProtocol.registerDropTarget(XDnDDropTargetProtocol.java:79)

This is due to a JDK bug. Add the following JVM option in config.sh:

-DsuppressSwingDropSupport=true

java.lang.NullPointerException at com.bea.console.actions.jms.message.JMSMessageDetailAction.execute(JMSMessageDetailAction.java:143)

This issue has been addressed in defect 9889164.

weblogic.servlet.jsp.CompilationException: Failed to compile JSP /index.jsp
The type new Comparator(){} must implement the inherited abstract method Comparator.thenComparing(Function, Comparator)

The issue is present on WLS 12.1.3 with JDK 8.
You will need to download the patch for Bug 18729264.

WebLogic JMS (Point to Point) feature using a Queue

The following article shows a simple usage of the WebLogic JMS point-to-point feature using a queue.

JMS supports two messaging models: point-to-point (PTP) and publish/subscribe (pub/sub). The messaging models are very similar, except for the following differences:

  • PTP messaging model enables the delivery of a message to exactly one recipient.
  • Pub/sub messaging model enables the delivery of a message to multiple recipients.

The point-to-point (PTP) messaging model enables one application to send a message to another. PTP messaging applications send and receive messages using named Queues. A queue sender (producer) sends a message to a specific queue. A queue receiver (consumer) receives messages from a specific queue.

The following figure illustrates PTP messaging.

Steps to configure JMS Point to Point Feature (JMS  Queue)

1.  Configure JMS Server

a.  Login into the WebLogic Admin Console, navigate to Services –> Messaging –> JMS Servers.

A JMS Server acts as a management container for the queues and topics.

b. Create a JMS Server as below.

c. Target the JMS Server to any one of the WebLogic Servers.

2. Create JMS System Module to hold the Queues / Topics.

a. Navigate to Services  –> Messaging –> JMS Modules from the left panel.

b.  Target the JMS System Module to the server on which the JMS Server is targeted.

3. Create a Sub Deployment.

a. Click on the newly created JMS SystemModule and navigate to the SubDeployments tab

b. Target the Sub Deployment to the created JMS Server.

4.  Create JMS Connection Factory.

a. Under the configuration tab of the JMS SystemModule, click New to add resources like Connection Factories, Queues and Topics.

b. Create a JMS Connection Factory, specify a JNDI name.

c. Target the Connection Factory to the Sub Deployment.

5. Create a JMS Queue (Point to Point Messaging Model)

a. Create a Queue from the configuration tab of the JMS SystemModule.

b. Target the  Queue  to the Sub Deployment.

c. Navigate to the JMS Resources page and you will see the Connection Factory and the JMS Queue that were created.

6. Testing the setup

a. Open a command prompt and set the classpath.

Note: You can run the setDomainEnv script present under the <Domain>/bin folder.

b. Compile and execute the QueueSend.java program below to send a message to the queue.

********************************************************

 

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Hashtable;

import javax.jms.*;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class QueueSend
{
    // WebLogic JNDI context factory, plus the JNDI names of the
    // connection factory and queue created in steps 4 and 5.
    public final static String JNDI_FACTORY="weblogic.jndi.WLInitialContextFactory";
    public final static String JMS_FACTORY="CF1";
    public final static String QUEUE="Queue1";

    private QueueConnectionFactory qconFactory;
    private QueueConnection qcon;
    private QueueSession qsession;
    private QueueSender qsender;
    private Queue queue;
    private TextMessage msg;

    // Look up the connection factory and queue, then open a
    // non-transacted, auto-acknowledge session with a sender.
    public void init(Context ctx, String queueName)
        throws NamingException, JMSException
    {
        qconFactory = (QueueConnectionFactory) ctx.lookup(JMS_FACTORY);
        qcon = qconFactory.createQueueConnection();
        qsession = qcon.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
        queue = (Queue) ctx.lookup(queueName);
        qsender = qsession.createSender(queue);
        msg = qsession.createTextMessage();
        qcon.start();
    }

    // Send one text message to the queue.
    public void send(String message) throws JMSException {
        msg.setText(message);
        qsender.send(msg);
    }

    // Release the JMS resources in reverse order of creation.
    public void close() throws JMSException {
        qsender.close();
        qsession.close();
        qcon.close();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.out.println("Usage: java QueueSend WebLogicURL");
            return;
        }
        InitialContext ic = getInitialContext(args[0]);
        QueueSend qs = new QueueSend();
        qs.init(ic, QUEUE);
        readAndSend(qs);
        qs.close();
    }

    // Read lines from standard input and send each non-empty line
    // as a message; the "quit" line is sent too and ends the loop.
    private static void readAndSend(QueueSend qs)
        throws IOException, JMSException
    {
        BufferedReader msgStream = new BufferedReader(new InputStreamReader(System.in));
        String line=null;
        boolean quitNow = false;
        do {
            System.out.print("Enter message (\"quit\" to quit): \n");
            line = msgStream.readLine();
            if (line != null && line.trim().length() != 0) {
                qs.send(line);
                System.out.println("JMS Message Sent: "+line+"\n");
                quitNow = line.equalsIgnoreCase("quit");
            }
        } while (! quitNow);
    }

    // Build a JNDI context that points at the given WebLogic URL.
    private static InitialContext getInitialContext(String url)
        throws NamingException
    {
        Hashtable<String,String> env = new Hashtable<String,String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        return new InitialContext(env);
    }
}

 

********************************************************

java QueueSend t3://localhost:7001

c.  Compile and execute the below QueueReceive.java program to retrieve the message from the queue.

***********************************************************

 

import java.util.Hashtable;

import javax.jms.*;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class QueueReceive implements MessageListener
{
    // WebLogic JNDI context factory, plus the JNDI names of the
    // connection factory and queue created in steps 4 and 5.
    public final static String JNDI_FACTORY="weblogic.jndi.WLInitialContextFactory";
    public final static String JMS_FACTORY="CF1";
    public final static String QUEUE="Queue1";

    private QueueConnectionFactory qconFactory;
    private QueueConnection qcon;
    private QueueSession qsession;
    private QueueReceiver qreceiver;
    private Queue queue;
    private boolean quit = false;

    // Called by the JMS provider for every message that arrives on the queue.
    public void onMessage(Message msg)
    {
        try {
            String msgText;
            if (msg instanceof TextMessage) {
                msgText = ((TextMessage)msg).getText();
            } else {
                msgText = msg.toString();
            }
            System.out.println("Message Received: "+ msgText );
            if (msgText.equalsIgnoreCase("quit")) {
                synchronized(this) {
                    quit = true;
                    this.notifyAll(); // Notify main thread to quit
                }
            }
        } catch (JMSException jmse) {
            System.err.println("An exception occurred: "+jmse.getMessage());
        }
    }

    // Look up the connection factory and queue, then register this
    // object as the asynchronous listener for the queue.
    public void init(Context ctx, String queueName)
        throws NamingException, JMSException
    {
        qconFactory = (QueueConnectionFactory) ctx.lookup(JMS_FACTORY);
        qcon = qconFactory.createQueueConnection();
        qsession = qcon.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
        queue = (Queue) ctx.lookup(queueName);
        qreceiver = qsession.createReceiver(queue);
        qreceiver.setMessageListener(this);
        qcon.start();
    }

    // Release the JMS resources in reverse order of creation.
    public void close() throws JMSException
    {
        qreceiver.close();
        qsession.close();
        qcon.close();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.out.println("Usage: java QueueReceive WebLogicURL");
            return;
        }
        InitialContext ic = getInitialContext(args[0]);
        QueueReceive qr = new QueueReceive();
        qr.init(ic, QUEUE);
        System.out.println("JMS Ready To Receive Messages (To quit, send a \"quit\" message).");
        // Wait until a "quit" message arrives.
        synchronized(qr) {
            while (! qr.quit) {
                try {
                    qr.wait();
                } catch (InterruptedException ie) {}
            }
        }
        qr.close();
    }

    // Build a JNDI context that points at the given WebLogic URL.
    private static InitialContext getInitialContext(String url)
        throws NamingException
    {
        Hashtable<String,String> env = new Hashtable<String,String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        return new InitialContext(env);
    }
}

 

***********************************************************

java QueueReceive t3://localhost:7001

Further Reading :

http://download.oracle.com/docs/cd/E12840_01/wls/docs103/jms/fund.html#wp1071729

Cheers,

Wonders Team. 🙂

Windows 7: DES encryption support for kerberos authentication

By default, Windows 7 doesn’t support DES encryption, which can prevent Kerberos authentication from working.

To enable DES encryption support, apply the following configuration on the Windows 7 client machine.

Go to Local Security Policies (by typing “Local Security Policies” in the Run dialog) -> Local Policies -> Security Options -> Network security: Configure encryption types allowed for Kerberos.
Here, select the checkboxes for DES_CBC_CRC, DES_CBC_MD5 and RC4_HMAC_MD5.

Refer below snap:

After doing this configuration you should be able to successfully run kerberos authentication at your Windows 7 client.

Import/ Export users and groups from Security Realm

Exporting users and groups from WebLogic Security Realm.

Log in to the WebLogic Administration Console and navigate to Security Realm -> MyRealm.

Navigate to the Migration tab -> Export. Specify the location where the data needs to be exported.

Verify that the users and groups are exported by checking the location; you will find the set of files listed below.

  1. DefaultAuthenticator.dat
  2. DefaultCredentialMapper.dat
  3. exportIndex.dat
  4. XACMLAuthorizer.dat
  5. XACMLRoleMapper.dat

The users and groups from the realm are successfully exported now.

For importing the users and groups into an existing realm, follow the steps below.

  1. Log in to the WebLogic Administration Console and navigate to Security Realm -> MyRealm.

  2. Navigate to the Migration tab -> Import. Specify the location from where the data needs to be imported.

Note: The data to be imported should have previously been exported from a security realm. The directory (Realm-Export) should contain the files below.

  1. DefaultAuthenticator.dat
  2. DefaultCredentialMapper.dat
  3. exportIndex.dat
  4. XACMLAuthorizer.dat
  5. XACMLRoleMapper.dat

  3. Check the Users and Groups tab under Security Realms → MyRealm; you will see the users are imported. Duplicate entries are not imported.

Large Message Processing Issues In JMS Transactions

When a distributed transaction is involved in message processing, it is very important that all the resources involved in the transaction are reachable without any latency. When this is not the case and there is a problem with the communication between the resources, message processing can fail with transaction timeouts, rollbacks and other runtime errors.

Take a scenario with the architecture below:
An SLSB client/application sends a message of 2MB size to a WebLogic queue, and that message is received by the MDB deployed on the WebLogic server. The message is then processed, which retrieves some information from databases. After the processing is complete, the message is displayed by the MDB.

First of all we need to identify where the message size is causing an issue: at the queue end, at the message bridge end (if used), or in the MDB that is not able to consume the messages. Enable the debug flags as required.

When these messages are large in size and out of the size limit of the queue or the protocol by which the message is being transferred, below errors can occur:

1) weblogic.socket.MaxMessageSizeExceededException: Incoming message of size: ‘10000080’ bytes exceeds the configured maximum of: ‘10000000’ bytes for protocol : ‘t3’.
Solution: Try to increase the message size from the admin console for the protocol by:
– Queue -> Configuration -> Thresholds and Quotas -> Maximum Message Size
– Max message size in Server -> Admin/managed server -> Protocols -> General
– Setting the system property -Dweblogic.MaxMessageSize=20000000

Note : The message size would vary as per the application requirement.

2) <BEA-489003> <Caught Exception: com.bea.wli.variables.XmlObjectRuntimeException: Error Creating the XmlObject
com.bea.wli.variables.XmlObjectRuntimeException: Error Creating the XmlObject
at com.bea.wli.variables.ProcessXML.underlyingXmlObject(ProcessXML.java:759)
at com.bea.xml.FilterXmlObject.xmlText(FilterXmlObject.java:164)
at com.bea.wli.broker.Message.toString(Message.java:264)

– This is seen when the message processing includes retrieving some data from the database using SQL queries but the message size exceeds the maximum size of a document stored in the SQL Document Store.
Solution: – Increase the values of weblogic.wli.DocumentMaxInlineSize and weblogic.wli.DocumentMaxInMemorySize in wli-config.properties.
– Increase the WLI transaction timeout in wlw-config.xml.
– Set the parameters XASetTransactionTimeout="true" and XATransactionTimeout="xxx" as preferred.

3)java.io.IOException: Could not connect to SQL Document Store
at com.bea.wli.variables.ProcessXML.getLoaderStream(ProcessXML.java:302)
at com.bea.wli.variables.ProcessXML.getTokenStreamData(ProcessXML.java:338)
at com.bea.wli.variables.XmlObjectVariableFactory.getXmlObject(XmlObjectVariableFactory.java:359)
Caused by: com.bea.wli.store.DocumentStoreException: Could not connect to SQL Document Store
at com.bea.wli.store.impl.SQLStore$SQLStoreConnection.<init>(SQLStore.java:3162)

– Check if there is a network issue and the SQL store is available. Take 5-6 thread dumps at the interval of 10 seconds each to check if there are any stuck threads while connecting to the SQL store.

4) java.sql.SQLException: Unexpected exception while enlisting XAConnection java.sql.SQLException: Transaction rolled
back: Transaction timed out after 600 seconds

– If a message of 2MB is processed successfully but you face issues with a larger message, say 3MB, you might see the above transaction timeout error in the log files. This means the message processing is taking a long time.

– If the whole sending and receiving of messages from the application is one single transaction, check where the latency is. Is the communication between all the resources happening properly, or is there a network issue? Check whether all the information is being retrieved from the database on time or whether it is taking long.

If you find any other issue or reason for the JMS transaction rollbacks or delay in message processing, feel free to comment and let us know about it, we will take a look and try to resolve the issue.

Best Regards.