I'm working on a SpringBoot application running on z/OS natively (not in a zCX container).
The idea is to maintain a session to a PROTECTED RACF service id using ssh key private/public key pair.
I've set the user, the USS directory and the keys are in the right places.
Here is the interesting bit - I've written the application for easy of testing that runs locally on my corporate laptop. I've targeted in it the inbound address of the z/OS and the same exact private key as when running on z/OS natively(therefore I'm sure the key format is correct). Everything works as expected and I'm able to connect using this key.
However when I package the application to a jar file and run it on z/OS I get
java.lang.RuntimeException: com.jcraft.jsch.JSchException: invalid privatekey
The service ID that is running the SpringBoot application on z/OS has access to the private key used when using jSch.addIdentity() - I know this because I changed the owner of the key and tested it out. Got a ICH408I message stating the user doesn't have access to the private key(reverted back after testing).
After few days of scratching my head and testing out lots of access setups I've decided to test out if I'm even able to establish a SSH session to this ID from within z/OS - no problems here.
I've also set a password to service ID that is used to run the SpringBoot application. Logged to it and ran ssh XXXXXX#localhost -i private_key without any problems. Therefore I'm pretty sure that this is somehow related to a JSch library problem.
Anyone ever came a cross something like that ?
Related
So i have my site on hosting company, and this company support let encrypt certificate, so i generated it and now the site is running with https protocol.My server side(spring boot application web service oriented started on VPS) for this site is on another company. My questions are:
How can i use this generated certificate on my server side part,
is it possible, what should i do?
What i need to provide to the server, and all things that are needed the server to work?
When i was without the certificate everything worked perfect, but right now on the server side i get
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
and in the browser i get
net::ERR_SSL_PROTOCOL_ERROR,
when I`m trying the get resources from server.
From the hosting company i can get everything connected to the certificate
It seems that you are passing HTTPs traffic to web server which "talks" in plain HTTP.
Normally SSL termination is done on software like Apache HTTPD or Nginx.
Then you configure it to act as reverse proxy to your actual Spring boot application running in JVM.
You can also configure your JVM webserver (Jetty,Tomcat .. whatever you have) to use your Let's encrypt certificate, but I have doubt that certbot will be able to easily renew them.
I have created an (AWS) Amazon web service server to run some Application created in Java, this app takes some port for example 8888 and runs locally in localhost:8888/index.html.
I can check that localhost:8888/index.html is working perfectly with the command:
curl localhost:8888/index.html
The thing is I don't know how to access to this app from my domain name, I know there is a way to do this using nginx, but unfortunately, all tutorials are about Node.js.
Following this article I managed to run a Node.JS app (simple app that prints hello world) running on localhost:8080, and when I access my domain name I could get the Hello world message printed!, my question is, can I do the same with a Java Application?
One best bet is to get the host ip and use it; instead of using localhost which sometimes mapped to 127.0.0.1, in such situation you can connect to the app within the host but not from outside.
Can you share the VM details?
I have a liberty app that connects Bluemix Message Hub. It works fine locally, however it never works when I run the liberty app from Bluemix Liberty. I'm following the example in https://github.com/ibm-messaging/message-hub-samples/tree/master/kafka-java-liberty-sample where you change username/pw in server.xml during runtime.
After some trial and error I realized that when I hardcode my kafka username/pw in server.xml, then BluemixLiberty connects to MsgHub fine. When I "hotswap" the kafka username/pw like in the example, it doesn't work and never connects to kafka (even when I restart the service it doesn't reconnect). I've checked by logging into my service using CF and the sever.xml does have the username/pw correctly swapped.
Is this feature supported in Bluemix Liberty? If not, how am I supposed to properly use vcap-services so I don't hardcode my production user/pw?
I have just redeployed MessageHub's kafka-java-liberty-sample to Bluemix and checked it works ok.
One reason your own application may not work could be if it reads server.xml's before the credentials replacement takes place. In the sample, the textual replacement occurs before any JAAS configuration is set.
However, you may follow another, better, approach.
Using Kafka's 0.10.2 client, you do not have to use a global JAAS configuration (a jaas.conf file in a plain Java app, or a <jaasLoginContextEntry> in Liberty's server.xml).
You can instead remove both <jaasLoginContextEntry> and </jaasLoginModule> sections from server.xml and avoid doing any replacement there.
Add to your consumer and producer's Properties a sasl.jaas.config property that contains the username and password obtained from VCAP_SERVICES.
see http://kafka.apache.org/documentation/#security_sasl_plain_clientconfig
e.g. a property like the following with real USERNAME and PASSWORD.
Note that " and ; are expected to be there verbatim.
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="USERNAME" password="PASSWORD";
see https://github.com/ibm-messaging/message-hub-samples/pull/17
(we will merge this PR shortly, for now the branch is
https://github.com/edoardocomar/message-hub-samples/tree/liberty-fixed-serverxml)
Has anyone experienced an issue where WAS does not use the Windows username when connecting to a Websphere MQ resource? None of our developer boxes have ever experienced this problem in the past, they've been able to send the username through for MQ to do authorization. But we have a new developer machine that does not appear to be sending the username, and thus the connection to MQ can't be made.
We tried specifying a J2C authentication alias to the QCF with a DefaultPrincipalMapping, but that didn't work.
SOLUTION: Found out that the problem was that the server was installed and running as a Windows service. When we created a new server profile which was run by the user and not as a service, it used the Windows username when connecting to MQ.
I suspect the problem might actually be the opposite of what you are describing. In older versions of WAS if the User ID field of the Connection Factory panel was left blank, WAS would send a blank ID. WebSphere MQ would have no value to pass along to the Object Authority Manager and so the channel would run under authority of the Message Channel Agent's process - which is always administrative. Thus, older versions of WAS commonly ran with administrative rights, although this was not widely recognized as such. You can verify this by looking at the status of the running channel and see if the MCAUSER field is blank.
Newer versions of WAS now try a bit harder to find an ID to send to WMQ if the configuration panel is blank. Because of this new installations and upgrades of existing installations often fail to authorize to WMQ using the same channel that previously worked.
The interesting part of all this is that the only way this is an issue is if the QMgr has a blank value on the MCAUSER channel attribute. If the QMgr has a blank MCAUSER and no exit is setting MCAUSER at CONNECT time, then the channel allows administrative access. If the channel does not have SSL with SSLPEER set or an exit to authenticate the connection then that administrative access is available to anonymous users. Why is this an issue? Because WebSphere MQ comes with the ability to initiate OS commands based on arrival of a message. This means that any user with WMQ admin rights can remotely execute arbitrary OS commands as a feature of the software. It follows that this capability MUST be locked down, even from legitimate applications if there is to be any accountability of the messages flowing through the network.
The fact that your app is able to present an ID that succeeds and another ID that fails would seem to indicate that the QMgr is allowing administrative access and, I would wager, doing so for anonymous connections. D'oh! MUCH better to fix the QMgr's security than to fix the connection problem by setting the "right" ID in WAS. For more on this, see the Hardening WebSphere MQ presentation from the IMPACT conference.
I am getting the error: "The Network Adapter could not establish the connection" from a web application deployed in Oracle Application Server 10g. The database is local, so there shouldn't be any connection issues.
First test: I can connect to the DB no problem from SQL plus, run queries, etc.
Second test: I can connect to the database no problem from a locally installed JDeveloper on the server, and run queries, etc. no problem. This works with the short JDBC scring, and the long one (shown below).
jdbc:oracle:thin:#(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=abcd)(SERVER=DEDICATED)))
Yet when I run the web app, it gives the above error. It seems too generic for me to do anything about.
Any suggestions on how to solve this? I assume that Oracle logs failed connection attempts somewhere, but I couldn't find anything relevant in the databases alert.log file.
It is possible that the problem is that the application is using an old jsdk, but I would assume that then some version mismatch error would be given instead of a "network connection" message.
Edit: I don't know whether this is an OAS problem or a problem with the specific Web Application, I would like to figure this out first, as it seems it should be easy. In WebSphere, there is a "test connection" button to dest data-sources you have added, but it seems there is no such functionality in OAS10? Somehow I think there must be, and I am just missing it because I am not an OAS expert.
Edit 2: I installed JDevelop on a remote machine and connected to the database with no problems, so I know for sure it isn't an issue with the database connectivity itself - it seems like it must be a problem within OAS?
I faced similar problem(able to connect through client but not web application) with Oracle XE when running with default configuration. Increasing number of sessions and processes solved my problem. Check this http://www.markcallen.com/oracle/oracle-xe-tuning.
I assume that Oracle logs failed connection attempts somewhere
It would show up in listener.log, but with the error you get, it seems doubtful that JDBC could even contact the listener.
jdbc:oracle:thin:#(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=abcd)(SERVER=DEDICATED)))
Is that the same string you use for the web app?
I've had issues with localhost and 127.0.0.1 which go away when using a more definitive host name or address [IE a name that other machines would know the host as.]. I think it was to do with how the name was resolved (eg locally or off to a name server or similar).
Not a java person, but is there any way to simply ping localhost/127.0.0.1 from the java and see whether there's a response.
One of the ways to fix the issueis to update Hosts file at WAS Server with entries for DB servers as shown below:
111.222.333.444 serverab.abc.com serverab