Friday, June 15, 2012

WAS 8 has SSL turned on for RMI by default

WAS 8 appears to ship with SSL turned on for RMI/IIOP connections. That subtle configuration difference can cause a lot of headaches, especially if you, like one of our clients, are trying to connect as a JMS thin client. The client-side exception you may encounter will be similar to this one:
javax.naming.ServiceUnavailableException: A communication failure occurred while attempting to obtain an initial context with the provider URL: "iiop://localhost:2812".  Make sure that any bootstrap address information in the URL is correct and that the target name server is running.  A bootstrap address with no port specification defaults to port 2809.  Possible causes other than an incorrect bootstrap address or unavailable name server include the network environment and workstation network configuration. [Root exception is org.omg.CORBA.TRANSIENT: initial and forwarded IOR inaccessible:
Forwarded IOR failed with: java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine:host=mresetar-t510,port=0
.
.
.
Caused by: java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine
 at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:391)
 at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:252)
Since the stack trace has nothing to point you in the right direction, you may wander around trying to change the version of the JMS client and who knows what else. If you want to change the JMS client (you're on Java 6) and really want to use SSL, you can follow the notes found here to enable security and here to set up the JMS client.
You can test this by sending a JMS message to the server: put com.ibm.ws.ejb.thinclient_8.0.0.jar and com.ibm.ws.sib.client.thin.jms_8.0.0.jar on the classpath and run the class with the following VM arguments:
-Dcom.ibm.CORBA.Debug=true 
-Dcom.ibm.CORBA.CommTrace=true
-Dcom.ibm.CORBA.Debug.Output=client.log
-Dcom.ibm.SSL.ConfigURL=file:/d:/IBM/WebSphere/Was8Nd/profiles/AppSrv01/properties/ssl.client.props
-Dcom.ibm.CORBA.ConfigURL=file:/d:/IBM/WebSphere/Was8Nd/profiles/AppSrv01/properties/sas.client.props 
-Dcom.ibm.CORBA.loginUserid=admin 
-Dcom.ibm.CORBA.loginPassword=admin 
-Dcom.ibm.CORBA.loginSource=properties
A Java class to test the JNDI connection and send a JMS message is available here.
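A minimal test client along those lines, as an added example (it is not the class linked from this post). The JNDI names jms/TestCF and jms/TestQueue are hypothetical placeholders for resources defined on your server, and the port=0 check is a heuristic based only on the trace shown above. Run it with the two thin-client jars on the classpath and the VM arguments listed above.

```java
import java.util.Hashtable;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class ThinClientJmsTest {
    // Provider URL taken from the trace in this post; JNDI names are hypothetical.
    static final String PROVIDER_URL = "iiop://localhost:2812";
    static final String CF_JNDI = "jms/TestCF";
    static final String QUEUE_JNDI = "jms/TestQueue";

    // Walks the cause chain looking for the "port=0" connect failure from the trace above.
    static boolean looksLikeSslRequired(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            String m = c.getMessage();
            if (m != null && m.contains("port=0")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.ibm.websphere.naming.WsnInitialContextFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        Connection conn = null;
        try {
            Context ctx = new InitialContext(env);
            ConnectionFactory cf = (ConnectionFactory) ctx.lookup(CF_JNDI);
            Queue queue = (Queue) ctx.lookup(QUEUE_JNDI);
            conn = cf.createConnection();
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageProducer producer = session.createProducer(queue);
            producer.send(session.createTextMessage("thin client test"));
            System.out.println("Message sent to " + QUEUE_JNDI);
        } catch (NamingException e) {
            if (looksLikeSslRequired(e)) {
                System.err.println("Bootstrap failed with port=0: check that "
                        + "com.ibm.SSL.ConfigURL and com.ibm.CORBA.ConfigURL are set");
            }
            throw e;
        } finally {
            if (conn != null) conn.close(); // closing the connection also closes its session
        }
    }
}
```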
On the other hand, if you just want WAS to behave as it did in version 6.1 or 7.0, you can disable RMI SSL. This can be done in the admin console through the "CSIv2 inbound & outbound communications" options found in the Global security menu. Change the Transport property from "SSL-required" to "SSL-supported", so that the server accepts both SSL and non-SSL connections. After a restart you should be good to go and able to send JMS messages without SSL.