Since it can sometimes be tricky, I thought I would write about how to establish an EJB connection to a P8 platform. I tried a lot of things, only to see that it was actually quite easy.
First, forget about a non-SSL connection with WebSphere 8. I tried a lot of things, including modifying the RMI/IIOP configuration in the WebSphere console to allow non-SSL connections, but nothing worked. But using SSL for EJB doesn’t mean you have to have your CE exposed via HTTPS. This is something different and doesn’t require any settings, so why not use it?
First the connection code
To make it work, you have to slightly change the code you use to establish the connection. There may be other solutions, of course, but this one worked for me.
Warning: You have to use the fully qualified name of the server; using the IP address in the URI and the configuration file didn’t work for me. Here the hostname is basil.

    // Imports needed by this snippet
    import com.filenet.api.core.*;           // Connection, Domain, Factory, ObjectStore
    import com.filenet.api.util.UserContext;
    import javax.security.auth.Subject;

    // EJB transport: iiop:// URI with the server host name and the bootstrap port
    Connection conn = Factory.Connection.getConnection("iiop://basil:2809/FileNet/Engine");
    Subject subject = UserContext.createSubject(conn, "P8Admin", "*********", "FileNetP8");
    UserContext.get().pushSubject(subject);
    Domain domain = Factory.Domain.getInstance(conn, null);
    ObjectStore os = Factory.ObjectStore.fetchInstance(domain, "TARGETOS", null);
    System.out.println("Object store name: " + os.get_Name());

Of course, if you do only this, it won’t work, since we didn’t give any information about CORBA and the CE server. You will get the following exception:

    JSAS1480I: Security is not enabled because the ConfigURL property file is not set.
    Exception in thread "P=48700:O=0:CT" com.filenet.api.exception.EngineRuntimeException: FNRCS0001E: SECURITY_ANONYMOUS_DISALLOWED: Access to Content Engine was not allowed because the request was made anonymously instead of by an authenticated user.
Edit the build path
Using EJB is server-dependent, so you will have to add the jar of your application server, in our case WebSphere. The jar is called com.ibm.ws.ejb.thinclient_8.5.0.jar and is located in the folder WAS_HOME/runtimes, which, if you kept every default value, should be /opt/IBM/WebSphere/AppServer/runtimes. Copy this file somewhere on your developer workstation and add it to your project build path.
You might also have to use the IBM implementation of the ORB. I didn’t have to do that, which is strange since I am using a Sun JRE, but you can find the jar com.ibm.ws.orb_8.5.0.jar in the same directory as the thinclient jar. Then either add it to your path like the thinclient, or put it alone in a folder and add the following option to your JVM:
-Djava.endorsed.dirs=file:C:\Applis\libs\endorsed
But again, for me it worked without this jar so maybe you won’t need it.
The CORBA configuration
You need to get two files from the WebSphere server in order to make it work. They are:
- sas.client.props
- ssl.client.props
You can find them in the folder WAS_HOME/profiles/profile_name/properties. If you did a CPIT installation or used the default values, it should be:
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/properties
Copy these files into your project, then open sas.client.props and modify the following lines:

    com.ibm.CORBA.securityServerHost=basil
    com.ibm.CORBA.securityServerPort=2809
    com.ibm.CORBA.loginSource=none

For me it’s working without changing the loginUserid and loginPassword lines.

    # RMI/IIOP user identity
    com.ibm.CORBA.loginUserid=
    com.ibm.CORBA.loginPassword=

Then open the ssl.client.props file and edit the following 2 lines:

    com.ibm.ssl.keyStore=./key.p12
    com.ibm.ssl.trustStore=./trust.p12

At this point you have two options: you can get these 2 files from your WebSphere server, in the etc folder of your profile, or let the application create the keystore and truststore. If you let it create them for you, it will just pop up a window asking if you trust the certificate. If you want to avoid user interaction, copy the 2 files from the server to your project folder.
Add the JVM option
You also need to tell CORBA that you want to use these 2 files as configuration. To do this, add these 2 options when launching the application:

    -Dcom.ibm.CORBA.ConfigURL=file:C:\workspace\testEJB\sas.client.props
    -Dcom.ibm.SSL.ConfigURL=file:C:\workspace\testEJB\ssl.client.props

You can also use relative paths like this:

    -Dcom.ibm.CORBA.ConfigURL=file:sas.client.props
    -Dcom.ibm.SSL.ConfigURL=file:ssl.client.props

But the file: prefix is really important!
Also, if you want to be more flexible across several platforms, you can set these properties in your code before the connection; it works the same:

    System.setProperty("com.ibm.CORBA.ConfigURL", "file:sas.client.props");
    System.setProperty("com.ibm.SSL.ConfigURL", "file:ssl.client.props");

You can sometimes read that you also have to set the property java.naming.factory.initial to com.ibm.websphere.naming.WsnInitialContextFactory, but this is not necessary with the WAS8 EJB thin client jar because it contains a jndi.properties file defining this property for you.
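The client-side settings from the last two sections can be checked before the first connection attempt. This is an added example, not code from the original post or from FileNet or WebSphere; the class name EjbClientPreflight and the sample values in main are assumptions made for illustration.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added example: EjbClientPreflight is a hypothetical helper, not FileNet or WebSphere code.
public class EjbClientPreflight {

    // Returns the problems found; an empty list means the settings from this post are in place.
    static List<String> check(Properties sas, Properties ssl, String corbaUrl, String sslUrl) {
        List<String> problems = new ArrayList<>();
        String host = sas.getProperty("com.ibm.CORBA.securityServerHost", "").trim();
        if (host.isEmpty() || host.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
            problems.add("securityServerHost must be the server host name, got '" + host + "'");
        }
        if (!sas.getProperty("com.ibm.CORBA.securityServerPort", "").trim().matches("\\d+")) {
            problems.add("securityServerPort is not set to a port number");
        }
        if (!"none".equals(sas.getProperty("com.ibm.CORBA.loginSource", "").trim())) {
            problems.add("loginSource is not 'none'");
        }
        // Store paths are resolved against the working directory, like ./key.p12 in the post.
        for (String key : new String[] {"com.ibm.ssl.keyStore", "com.ibm.ssl.trustStore"}) {
            String file = ssl.getProperty(key, "").trim();
            if (file.isEmpty() || !Files.isRegularFile(Paths.get(file))) {
                problems.add(key + " file not found ('" + file + "'): expect the interactive trust prompt");
            }
        }
        for (String url : new String[] {corbaUrl, sslUrl}) {
            if (url == null || !url.startsWith("file:")) {
                problems.add("ConfigURL value must start with file: but is " + url);
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an IP address as host and a ConfigURL without the file: prefix.
        Properties sas = new Properties();
        sas.load(new StringReader("com.ibm.CORBA.securityServerHost=192.0.2.10\n"
                + "com.ibm.CORBA.securityServerPort=2809\ncom.ibm.CORBA.loginSource=none\n"));
        Properties ssl = new Properties();
        ssl.load(new StringReader("com.ibm.ssl.keyStore=./key.p12\ncom.ibm.ssl.trustStore=./trust.p12\n"));
        check(sas, ssl, "sas.client.props", "file:ssl.client.props").forEach(System.out::println);
    }
}
```

In a real project, load the two Properties objects from the copied sas.client.props and ssl.client.props files and pass in the values of the com.ibm.CORBA.ConfigURL and com.ibm.SSL.ConfigURL system properties.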
Modify the WebSphere configuration
In order to make the EJB connection work, WebSphere needs to know its own name properly. The hostname for the BOOTSTRAP_ADDRESS and ORB_LISTENER_ADDRESS must be updated to use the real hostname (fully qualified) and not localhost.
- Open the WebSphere administration console (https://host:9043/ibm/console).
- Go to Servers > Server Types > WebSphere application servers > server_name > Communication > Ports
- Edit BOOTSTRAP_ADDRESS and ORB_LISTENER_ADDRESS to use your hostname and not localhost.
- Don’t forget to save and restart the server.
Open the EJB Ports
Of course, don’t forget to modify your firewall configuration and, if you have one, the port redirection to your server. To make an SSL EJB connection to a WebSphere server, you will have to open the following ports (check the port values in the Ports configuration in the WebSphere administration console):
- BOOTSTRAP_ADDRESS: default is 2809
- CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS: default is 9403
- ORB_LISTENER_ADDRESS: default is 9100
With iptables, this gives:

    iptables -I INPUT 4 -i eth0 -p tcp --dport 2809 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I INPUT 4 -i eth0 -p tcp --dport 9100 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I INPUT 4 -i eth0 -p tcp --dport 9403 -m state --state NEW,ESTABLISHED -j ACCEPT

If you don’t, you will get the following error in the console:
SECJ0395E: Could not locate the SecurityServer at host/port: notonlyanecmplace.com/2809 to validate the userid and password entered. You might need to specify valid securityServerHost/Port in WAS_INSTALL_ROOT/profiles/profile_name/properties/sas.client.props file.
With an orbtrc file saying:

    com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl createSSLSocket P=555290:O=0:CT ORBRas[default] JSSL0130E: java.io.IOException: Signals that an I/O exception of some sort has occurred. Reason: connect timed out
    com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl createSSLSocket P=555290:O=0:CT ORBRas[default] CONNECT_FAILURE_ON_SSL_CLIENT_SOCKET - JSSL0130E: java.io.IOException: Signals that an I/O exception of some sort has occurred. Reason: connect timed out
    com.ibm.CORBA.transport.TransportConnectionBase connect:386 P=555290:O=0:CT ORBRas[default] org.omg.CORBA.COMM_FAILURE: CONNECT_FAILURE_ON_SSL_CLIENT_SOCKET - JSSL0130E: java.io.IOException: Signals that an I/O exception of some sort has occurred. Reason: connect timed out vmcid: 0x49421000 minor code: 80 completed: No

Launch the application
Finally, you can launch your application and hopefully everything will work as expected. You should see an output like this:

    log4j:WARN No appenders could be found for logger (filenet_error.api.com.filenet.apiimpl.util.ConfigValueLookup).
    log4j:WARN Please initialize the log4j system properly.
    Object store name: TARGETOS

And if you didn’t copy the keystore and truststore, you should get this window first:
Very Good Post. Thanks for all the details given in here.