Problems with WebSphere Application Server V5.0 System
Management JMX administrative client
If you already contacted support, continue to the component-specific
MustGather information. Otherwise, click MustGather: Read First
for all Application Server Products.
MustGather information needed for most JMX Client problems
- Where are you running the JMX Client?
WAS_HOME/bin of the target Server
WAS_HOME/bin of different Application Server install than the
target Server
WAS_CLIENT_HOME/bin of Application Server Application Client
install
- Type of connectivity used, SOAP or RMI?
- Is security enabled on the target server? What type of security is
used on the server?
- Is the target Server using DummyServerKeyFile.jks and
DummyServerTrustFile.jks?
If not, what type of Java Key Stores is used? If the server is not using
dummy Java Key Stores provided with Application Server installation, the
client cannot use the DummyClientKeyFile.jks and DummyClientTrustFile.jks
Java Key Stores.
- Provide the output from the command prompt where the javac compiler
command ran.
- Provide client and server trace. See details in this document about
client and server traces.
- Provide the JMX java client code along with instructions to compile
and run it.
- Provide client and server side SOAP and RMI properties files.
- Provide WAS_HOME\logs and WAS_HOME\config directories of
the target server.
Problem 1
Exception while compiling JMX java client code
Example
java.lang.NoClassDefFoundError:com/ibm/ws/security/util/InvalidPasswordDecodingException
Document needed:
Provide the output from the command prompt where javac compiler command
ran.
Solution
Search for the missing class (InvalidPasswordDecodingException in this
example) in the classpath of the javac executable.
If running within Application Server, WebSphere Network Deployment or
Application Server Client environment, search inside WAS_HOME\lib,
JAVA_HOME\jre\lib or JAVA_HOME\jre\lib\ext directory. After
you find the jar file that contains the missing class, add it into the
classpath statement of the javac executable.
In this example, WAS_HOME\lib\iwsorb.jar contains the
InvalidPasswordDecodingException class file.
# Start of Sample batch file to compile AdminClientTester.java
code
@setlocal
@echo off
call "C:/WebSphere/DeploymentManager/bin/setupCmdLine.bat"
SET CONSOLE_ENCODING=-Dws.output.encoding=console
"%JAVA_HOME%\bin\javac" -classpath
.;%WAS_HOME%/lib/ras.jar;%WAS_HOME%/lib/naming.jar;%WAS_HOME%/lib/admin.jar;%WAS_HOME%/lib/wsexception.jar;%WAS_HOME%/lib/jmxc.jar
AdminClientTester.java
@endlocal
#End of Sample batch file to compile AdminClientTester.java code
Problem 2
Exception while running JMX java client
#Start of Sample batch file to execute AdminClientTester.java code
@setlocal
@echo off
call "C:/WebSphere/DeploymentManager/bin/setupCmdLine.bat"
set NAMING_FACTORY=com.ibm.websphere.naming.WsnInitialContextFactory
set LOGIN_SOURCE=-Dcom.ibm.CORBA.loginSource=stdin
"%JAVA_HOME%\bin\java" %CLIENTSAS% %LOGIN_SOURCE% \
-Dwas.install.root=%WAS_HOME% \
-Djava.naming.factory.initial=%NAMING_FACTORY% \
-Dwas.repository.root=%CONFIG_ROOT% \
-Dcom.ibm.CORBA.BootstrapHost=%COMPUTERNAME% \
-classpath
.;%WAS_CLASSPATH%;%WAS_HOME%\lib\admin.jar;%WAS_HOME%\lib\wasjmx.jar;%WAS_HOME%\lib\namingclient.jar
AdminClientTester %*
#End of Sample batch file to execute AdminClientTester.java code
Example
If you use the wrong SOAP port number for connection, the following
exception occurs because the port number given for the target host is not
listening on that port; the Operating System refuses the connection.
Failed in getting admin connection:
com.ibm.websphere.management.exception.ConnectorException: ADMC0016E:
Could not create SOAP Connector to connect to host wastest at port 8877
ADMC0016E: Could not create SOAP Connector to connect to host wastest at
port 8877
.....
Caused by:
com.ibm.websphere.management.exception.ConnectorNotAvailableException
.....
Caused by: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening
socket: java.net.ConnectException: Connection refused: connect;
targetException=java.lang.IllegalArgumentException: Error opening socket:
java.net.ConnectException: Connection refused: connect]
Document needed:
Provide the output from the command prompt where the javac compiler
command ran.
Solution
Verify that the correct hostname and port number is specified for the
given SOAP or RMI protocols.
Problem 3
Security Exception while running JMX java client
Example 1
com.ibm.websphere.management.exception.ConnectorException: ADMC0017E:
Could not create RMI Connector to connect to host wastest.raleigh.ibm.com
at port 32539
at
com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:394)
at JMX_WAS_Test.main(JMX_WAS_Test.java:54)
---- Begin backtrace for nested exception
java.lang.reflect.InvocationTargetException:
java.lang.IllegalStateException: Error getting SecurityCurrent from the
ORB
at
com.ibm.ws.security.util.LoginHelper.getSecurityCurrent(LoginHelper.java:183)
at com.ibm.ws.security.util.LoginHelper.<init>(LoginHelper.java:65)
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.setupSecurityCredentials(RMIConnectorClient.java:126)
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.<init>(RMIConnectorClient.java:105)
at java.lang.reflect.Constructor.newInstance(Native Method)
at
com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:340)
at JMX_WAS_Test.main(JMX_WAS_Test.java:54)
Example 2
com.ibm.websphere.management.exception.ConnectorException: ADMC0017E:
Could not create RMI Connector to connect to host wastest.raleigh.ibm.com
at port 32539
at
com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:394)
at JMX_WAS_Test.main(JMX_WAS_Test.java:54)
---- Begin backtrace for nested exception
java.lang.reflect.InvocationTargetException:
com.ibm.websphere.management.exception.ConnectorAuthenticationException:
RMI Connector login failed
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.setupSecurityCredentials(RMIConnectorClient.java:157)
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.<init>(RMIConnectorClient.java:105)
at java.lang.reflect.Constructor.newInstance(Native Method)
at
com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:340)
at JMX_WAS_Test.main(JMX_WAS_Test.java:54)
---- Begin backtrace for nested exception
org.omg.SecurityLevel2.LoginFailed:
IDL:omg.org/SecurityLevel2/LoginFailed:1.0
at
com.ibm.ISecurityLocalObjectBaseL13Impl.LoginHelperImpl.request_login_controlled(LoginHelperImpl.java:1212)
at
com.ibm.ISecurityLocalObjectBaseL13Impl.LoginHelperImpl.request_login_controlled(LoginHelperImpl.java:821)
at
com.ibm.ISecurityLocalObjectBaseL13Impl.LoginHelperImpl.request_login_controlled(LoginHelperImpl.java:771)
at
com.ibm.ISecurityLocalObjectBaseL13Impl.LoginHelperImpl.request_login_controlled(LoginHelperImpl.java:750)
at
com.ibm.ISecurityLocalObjectBaseL13Impl.LoginHelperImpl.request_login(LoginHelperImpl.java:730)
at com.ibm.ws.security.util.LoginHelper.login(LoginHelper.java:95)
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.setupSecurityCredentials(RMIConnectorClient.java:146)
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.<init>(RMIConnectorClient.java:105)
at java.lang.reflect.Constructor.newInstance(Native Method)
at
com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:340)
at JMX_WAS_Test.main(JMX_WAS_Test.java:54)
Example 3
CONNECTOR_TYPE = RMI
SASloginSource = properties
SASloginUserid= null
SAS client config file=file:/home/incdev/JMX/IBM/sas.client.props
Connecting to wastest:32539 using RMI security Credential not Provided on
command prompt, may use properties file.
Unable to read required resource: implfactory.properties
java.lang.NullPointerException
at java.io.Reader.<init>(Reader.java:59)
at java.io.InputStreamReader.<init>(InputStreamReader.java:84)
at java.io.InputStreamReader.<init>(InputStreamReader.java:73)
at java.util.Properties.load(Properties.java:184)
at com.ibm.ws.util.ImplFactory$1.run(ImplFactory.java:38)
at java.security.AccessController.doPrivileged(Native Method)
at com.ibm.ws.util.ImplFactory.<clinit>(ImplFactory.java:33)
at
com.ibm.ejs.jts.jts.CurrentFactory.<clinit>(CurrentFactory.java:56)
at
com.ibm.ws.naming.jndicos.CNContextImpl.suspendTransaction(CNContextImpl.java:3851)
at
com.ibm.ws.naming.jndicos.CNContextImpl.cosResolve(CNContextImpl.java:3308)
at
com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1497)
at
com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1458)
at
com.ibm.ws.naming.jndicos.CNContextImpl.lookup(CNContextImpl.java:1168)
at com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:132)
at javax.naming.InitialContext.lookup(InitialContext.java:345)
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.reconnect(RMIConnectorClient.java:207)
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.<init>(RMIConnectorClient.java:108)
at java.lang.reflect.Constructor.newInstance(Native Method)
at
com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:340)
at AdminClientTester.main(AdminClientTester.java:111)
Failed in getting admin connection:
com.ibm.websphere.management.exception.ConnectorException: ADMC0017E:
Could not create RMI Connector to connect to host wastest at port 32539
ADMC0017E: Could not create RMI Connector to connect to host wastest at
port 32539
com.ibm.websphere.management.exception.ConnectorException: ADMC0017E:
Could not create RMI Connector to connect to host wastest at port 32539
at
com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:394)
at AdminClientTester.main(AdminClientTester.java:111)
---- Begin backtrace for nested exception
java.lang.reflect.InvocationTargetException:
com.ibm.websphere.management.exception.ConnectorNotAvailableException
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.reconnect(RMIConnectorClient.java:215)
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.<init>(RMIConnectorClient.java:108)
at java.lang.reflect.Constructor.newInstance(Native Method)
at
com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:340)
at AdminClientTester.main(AdminClientTester.java:111)
---- Begin backtrace for nested exception
javax.naming.NamingException: The JNDI operation "lookup"on the context
"" with the name "RMIConnector" failed. Please get the root cause
Throwable contained in this NamingException for more information. Root
exception is java.lang.NoClassDefFoundError: Invalid Implementation Key,
com.ibm.ws.transaction.TXCurrent
at com.ibm.ws.util.ImplFactory.loadClassFromKey(ImplFactory.java:104)
at
com.ibm.ejs.jts.jts.CurrentFactory.<clinit>(CurrentFactory.java:56)
at
com.ibm.ws.naming.jndicos.CNContextImpl.suspendTransaction(CNContextImpl.java:3851)
at
com.ibm.ws.naming.jndicos.CNContextImpl.cosResolve(CNContextImpl.java:3308)
at
com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1497)
at
com.ibm.ws.naming.jndicos.CNContextImpl.doLookup(CNContextImpl.java:1458)
at
com.ibm.ws.naming.jndicos.CNContextImpl.lookup(CNContextImpl.java:1168)
at com.ibm.ws.naming.util.WsnInitCtx.lookup(WsnInitCtx.java:132)
at javax.naming.InitialContext.lookup(InitialContext.java:345)
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.reconnect(RMIConnectorClient.java:207)
at
com.ibm.ws.management.connector.rmi.RMIConnectorClient.<init>(RMIConnectorClient.java:108)
at java.lang.reflect.Constructor.newInstance(Native Method)
at
com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:340)
at AdminClientTester.main(AdminClientTester.java:111)
Reason for security failure:
Typically, this is caused by incorrect credentials passed to the admin
client using the sas.client.props or soap.client.props file.
Example of soap.client.props
#------------------------------------------------------------------------------
# SOAP Client Security Enablement
#
# - security enabled status ( false[default], true )
#------------------------------------------------------------------------------
com.ibm.SOAP.securityEnabled=true
# JMX SOAP connector identity
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword=waspassword
#------------------------------------------------------------------------------
# SOAP Request Timeout
#
# - timeout (specified in seconds [default 180], 0 implies no timeout)
#
#------------------------------------------------------------------------------
com.ibm.SOAP.requestTimeout=180
#------------------------------------------------------------------------------
# SSL Configuration
#
# - keyStore and trustStore (fully qualified path to file)
# - keyStorePassword and trustStorePassword (string specifying password -
encoded or not)
#------------------------------------------------------------------------------
#com.ibm.ssl.keyStore=C\:/WebSphere/DeploymentManager/etc/DummyClientKeyFile.jks
com.ibm.ssl.keyStore=C\:/WebSphere/DeploymentManager/etc/WASV5ClientKeyFile.jks
#com.ibm.ssl.keyStorePassword={xor}CDo9Hgw\=
com.ibm.ssl.keyStorePassword=waspassword
#com.ibm.ssl.trustStore=C\:/WebSphere/DeploymentManager/etc/DummyClientTrustFile.jks
com.ibm.ssl.trustStore=C\:/WebSphere/DeploymentManager/etc/WASV5ClientTrustFile.jks
#com.ibm.ssl.trustStorePassword={xor}CDo9Hgw\=
com.ibm.ssl.trustStorePassword=waspassword
#--------------------------------------------------------------------------------
# URL protocol handler
#
# - stream protocol handler (implementaion of URL handler for "https" URL
protocol type)
#
# Note: For IBM JDK, it must be com.ibm.net.ssl.internal.www.protocol.
#--------------------------------------------------------------------------------
java.protocol.handler.pkgs=com.ibm.net.ssl.internal.www.protocol
Example of sas.client.props
============================
traceSettingsFile=file:/C:/WebSphere/DeploymentManager/properties/TraceSettings.properties
#------------------------------------------------------------------------------
# Client Security Enablement
#
# - security enabled status ( false, true [default] )
#------------------------------------------------------------------------------
com.ibm.CORBA.securityEnabled=true
#------------------------------------------------------------------------------
# RMI/IIOP Authentication Protocol (sas, csiv2, both [default])
#
# Specify "both" when communicating with 5.0x and previous release
servers.
# Specify "csiv2" when communicating with only 5.0x servers.
# Specify "sas" when communicating with only previous release servers.
#------------------------------------------------------------------------------
com.ibm.CSI.protocol=both
#------------------------------------------------------------------------------
# Authentication Configuration
#
# - authenticationTarget (BasicAuth [default], this is the only supported
selection
# on a pure client for this release. This is for message
# layer authentication only, SSL client certificate authentication
# is configured below under CSIv2 configuration.)
# - authenticationRetryEnabled (enables authentication retries if login
fails when
# loginSource=prompt or stdin)
# - authenticationRetryCount (the number of times to retry)
# - source (prompt [default], properties, keyfile, stdin, none)
# - timeout (prompt timeout, specified in seconds, 0 min to 600 max
[default 300])
# - validateBasicAuth (determines if immediate authentication after
uid/pw login,
# or wait for method request to send uid/pw to server,
# setting this to false gives the previous release behavior.)
# - securityServerHost (when validateBasicAuth=true, this property might
need to be set
# in order for security code to lookup SecurityServer. Needs to be set to
# any running WebSphere server host in the cell you are authenticating
to.
# - securityServerPort (when validateBasicAuth=true, this property might
need to be set
# in order for security code to lookup SecurityServer. Needs to be set to
# the bootstrap port of the host chosen above.
# - loginUserid (must be set if login source is "properties" )
# - loginPassword (must be set if login source is "properties" )
# - principalName (format: "realm/userid", only needed in cases where
realm
# is required. Typically the realm is already provided by the
# server via the IOR and this property is not necessary).
#
#------------------------------------------------------------------------------
com.ibm.CORBA.authenticationTarget=BasicAuth
com.ibm.CORBA.authenticationRetryEnabled=true
com.ibm.CORBA.authenticationRetryCount=3
com.ibm.CORBA.validateBasicAuth=true
com.ibm.CORBA.securityServerHost=wastest
com.ibm.CORBA.securityServerPort=9917
com.ibm.CORBA.loginTimeout=300
#com.ibm.CORBA.loginSource=prompt
com.ibm.CORBA.loginSource=properties
#com.ibm.CORBA.loginSource=stdin
#com.ibm.CORBA.loginSource=key file
#com.ibm.CORBA.loginSource=none
# RMI/IIOP user identity
com.ibm.CORBA.loginUserid=wasadmin
com.ibm.CORBA.loginPassword=waspassword
com.ibm.CORBA.principalName=
#------------------------------------------------------------------------------
# CSIv2 Configuration (see InfoCenter for more information on these
properties).
#
# This is where you enable SSL client certificate authentication. Must
also
# specify a valid SSL keyStore below with a personal certificate in it.
#------------------------------------------------------------------------------
# Does this client support stateful sessions?
com.ibm.CSI.performStateful=true
# Does this client support/require BasicAuth (userid/password) client
authentication?
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=true
# Does this client support/require SSL client authentication?
com.ibm.CSI.performTLClientAuthenticationRequired=false
com.ibm.CSI.performTLClientAuthenticationSupported=false
# Note: You can perform BasicAuth (uid/pw) and SSL client authentication
(certificate)
# simultaneously, however, the BasicAuth identity will always take
precedence at the server.
# Does this client support/require SSL connections?
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
# Does this client support/require 40-bit cipher suites when using SSL?
com.ibm.CSI.performMessageIntegrityRequired=true
com.ibm.CSI.performMessageIntegritySupported=true
# Note: This property is only valid when SSL connections are supported or
required.
# Does this client support/require 128-bit cipher suites when using SSL?
com.ibm.CSI.performMessageConfidentialityRequired=false
com.ibm.CSI.performMessageConfidentialitySupported=true
# Note: This property is only valid when SSL connections are supported or
required.
#------------------------------------------------------------------------------
# SSL Configuration
#
# - protocol (SSL [default], SSLv2, SSLv3, TLS, TLSv1)
# - keyStoreType (JKS [default], JCEK, PKCS12)
# - trustStoreType (JKS [default], JCEK, PKCS12)
# - keyStore and trustStore (fully qualified path to file)
# - keyStoreClientAlias (string specifying ssl certificate alias to use
from keyStore)
# - keyStorePassword and trustStorePassword (string specifying password -
encoded or not)
# - cipher suites (refer to InfoCenter for valid ciphers)
#
# com.ibm.ssl.enabledCipherSuites=enabled_cipher_suites
#
# Note: The com.ibm.ssl.enabledCipherSuites property defines the cipher
# suites used for the SSL session. If this property is defined, it
# overrides the default cipher suites defined for the specified QOP.
#
#------------------------------------------------------------------------------
com.ibm.ssl.protocol=SSL
com.ibm.ssl.keyStoreType=JKS
#com.ibm.ssl.keyStore=C\:/WebSphere/DeploymentManager/etc/DummyClientKeyFile.jks
com.ibm.ssl.keyStore=C\:/WebSphere/DeploymentManager/etc/WASV5ClientKeyFile.jks
#com.ibm.ssl.keyStorePassword={xor}CDo9Hgw\=
com.ibm.ssl.keyStorePassword=waspassword
com.ibm.ssl.trustStoreType=JKS
#com.ibm.ssl.trustStore=C\:/WebSphere/DeploymentManager/etc/DummyClientTrustFile.jks
com.ibm.ssl.trustStore=C\:/WebSphere/DeploymentManager/etc/WASV5ClientKeyFile.jks
#com.ibm.ssl.trustStorePassword={xor}CDo9Hgw\=
com.ibm.ssl.trustStorePassword=waspassword
#------------------------------------------------------------------------------
# Quality of Protection for the IBM protocol
#
# - perform ( high [default], medium, low )
#------------------------------------------------------------------------------
com.ibm.CORBA.standardPerformQOPModels=high
#------------------------------------------------------------------------------
# CORBA Request Timeout (used when getting NO_RESPONSE exceptions,
typically
# during high-stress loads. Specify on all processes
# involved in the communications.)
#
# - timeout (specified in seconds [default 180], 0 implies no timeout)
#
# com.ibm.CORBA.requestTimeout=180
#------------------------------------------------------------------------------
com.ibm.CORBA.requestTimeout=180
SSL Certificates:
If the server is not using the DummyServerKeyFile.jks and
DummyServerTrustFile.jks, the certificates must be extracted from those
jks files and added to DummyClientKeyFile.jks and DummyClientTrustFile.jks
for SSL negotiation to work.
Tracing the server side:
Use the following trace specification on the server side:
management=all=enabled:Admin=all=enabled:SSL=all=enabled
Tracing the Client side:
For RMI protocols, use the following property
traceSettingsFile=TraceSettings.properties
Example of TraceSettings.properties file
# A property to specify where the output messages and trace (if enabled)
# should be routed. Valid values include stdout or a fully qualified
# file name. If a file is specified but cannot be opened, stdout is used.
#
# Sample invocations
# To specify stdout - traceFileName=stdout
# To specify a file on NT - traceFileName=c:\\MyTraceFile.log or
# traceFileName=c:/MyTraceFile.log
# To specify a file on Unix - traceFileName=/usr/MyTraceFile.log
############
#traceFileName=C:\\WebSphere\\DeploymentManager\\logs\\SASTraceFile.log
traceFileName=SASTraceFile.log
#traceFileName=stdout
############
# Specify trace strings here. Trace strings take the form of:
# logger={level}={type} where:
# level = entryexit || debug || event || all
# type = enabled || disabled
# examples:
# com.ibm.ejs.ras.SharedLogBase=all=enabled enables all tracing for the
# single logger created in class com.ibm.ejs.ras.SharedLogBase.
# com.ibm.ejs.*=debug=enabled enables debug tracing for all loggers with
# names starting with com.ibm.ejs.
#
# Multiple trace strings can be specified, one per line.
############
*=all=enabled
10. Follow instructions to send
diagnostic information to IBM support.
For a listing of all technotes, downloads, and educational materials
specific to the component, search the WebSphere
Application Server support site.
|