How to connect via EJB to P8 5.2 and WebSphere V8.5

Since it can sometimes be tricky, I thought I would write about how to establish an EJB connection to a P8 platform. I tried a lot of things, only to find that it was actually quite easy.

First, forget about a non-SSL connection with WebSphere 8. I tried a lot of things, including modifying the RMI/IIOP configuration in the WebSphere console to allow non-SSL connections, but nothing worked. But using SSL for EJB doesn’t mean you have to have your CE exposed via https; this is something different and doesn’t require any settings, so why not use it.

First the connection code

To make it work, you have to slightly change the code you are using to establish the connection. There may be other solutions to make it work, of course, but this one worked for me.

Warning: You have to use the fully qualified name of the server; using the IP address in the URI and the configuration file didn’t work for me. Here the hostname is basil.

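// iiop:// selects the EJB transport; use the server's hostname, not its IP address
Connection conn = Factory.Connection.getConnection("iiop://basil:2809/FileNet/Engine");
Subject subject = UserContext.createSubject(conn, "P8Admin", "*********", "FileNetP8");
UserContext.get().pushSubject(subject);
try {
    Domain domain = Factory.Domain.getInstance(conn, null);
    ObjectStore os = Factory.ObjectStore.fetchInstance(domain, "TARGETOS", null);
    System.out.println("Object store name: " + os.get_Name());
} finally {
    // Always pop the subject so the credentials do not stay attached to this thread
    UserContext.get().popSubject();
}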

Of course, if you do only this, it won’t work, since we didn’t give any information about CORBA and the CE server. You will get the following exception:

JSAS1480I: Security is not enabled because the ConfigURL property file is not set.
Exception in thread "P=48700:O=0:CT" com.filenet.api.exception.EngineRuntimeException: FNRCS0001E: SECURITY_ANONYMOUS_DISALLOWED: Access to Content Engine was not allowed because the request was made anonymously instead of by an authenticated user.

Edit the build path

Using EJB is server dependent, so you will have to add the jar of your application server, in our case WebSphere. The jar is called com.ibm.ws.ejb.thinclient_8.5.0.jar and is located in the folder WAS_HOME/runtimes, which, if you kept every default value, should be /opt/IBM/WebSphere/AppServer/runtimes. Copy this file somewhere on your developer workstation and add it to your project build path:

[Screenshot: Eclipse project build path]

You might also have to use the IBM implementation of the ORB. I didn’t have to do that, which is strange since I am using a Sun JRE, but you can find the jar com.ibm.ws.orb_8.5.0.jar in the same directory as the thinclient jar. Then either add it to your path like the thinclient, or put it alone in a folder and add the following option to your JVM:

-Djava.endorsed.dirs=file:C:\Applis\libs\endorsed

But again, for me it worked without this jar so maybe you won’t need it.

The Corba configuration

You need to get two files from the WebSphere server in order to make it work. They are:

  • sas.client.props
  • ssl.client.props

You can find them in the folder WAS_HOME/profiles/profile_name/properties. If you did a CPIT installation or used the default values, it should be:

/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/properties

Copy these files into your project, then open sas.client.props and modify the following lines:

com.ibm.CORBA.securityServerHost=basil
com.ibm.CORBA.securityServerPort=2809
com.ibm.CORBA.loginSource=none

For me it’s working without changing the loginUserid and loginPassword lines.

# RMI/IIOP user identity
com.ibm.CORBA.loginUserid=
com.ibm.CORBA.loginPassword=

Then open the ssl.client.props file and edit the 2 following lines:

com.ibm.ssl.keyStore=./key.p12
com.ibm.ssl.trustStore=./trust.p12

At this point you have two options: you can get these 2 files from your WebSphere server, in the etc folder of your profile, or let the application create the keystore and truststore. If you let it create them for you, it will just pop up a window asking if you trust the certificate. If you want to avoid user interaction, copy the 2 files from the server to your project folder.

Add the JVM option

You also need to tell CORBA that you want to use these 2 files as configuration. To do this, add these 2 options when launching the application:

-Dcom.ibm.CORBA.ConfigURL=file:C:\workspace\testEJB\sas.client.props
-Dcom.ibm.SSL.ConfigURL=file:C:\workspace\testEJB\ssl.client.props

You can also use relative paths like this:

-Dcom.ibm.CORBA.ConfigURL=file:sas.client.props
-Dcom.ibm.SSL.ConfigURL=file:ssl.client.props

But the file: prefix is really important!

Also, if you want to be more portable across several platforms, you can set these properties in your code before opening the connection; it works the same:

System.setProperty("com.ibm.CORBA.ConfigURL", "file:sas.client.props");
System.setProperty("com.ibm.SSL.ConfigURL", "file:ssl.client.props");

 

You may sometimes read that you also have to set the property java.naming.factory.initial to com.ibm.websphere.naming.WsnInitialContextFactory, but this is not necessary with the WAS8 EJB thin client jar because it contains a jndi.properties file defining this property for you.
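A preflight check for the two client files, as an added example that is not part of the original post: it flags the problems described above (a securityServerHost that is not a hostname, a loginSource other than none, a missing keystore or truststore) and builds the file: URLs with Path.toUri(). The class name EjbClientPreflight and the directory argument are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import java.util.*;

public class EjbClientPreflight { // hypothetical name, not from the post

    static Properties load(Path file, List<String> problems) {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        } catch (IOException e) {
            problems.add("cannot read " + file + " (" + e + ")");
        }
        return props;
    }

    static List<String> check(Path dir) {
        List<String> problems = new ArrayList<>();
        Properties sas = load(dir.resolve("sas.client.props"), problems);
        Properties ssl = load(dir.resolve("ssl.client.props"), problems);
        // The post needed the server's hostname here; an IP address did not work.
        String host = sas.getProperty("com.ibm.CORBA.securityServerHost", "").trim();
        if (host.isEmpty() || host.equals("localhost") || host.matches("[0-9.]+") || host.contains(":")) {
            problems.add("securityServerHost should be the server's hostname, found '" + host + "'");
        }
        if (!"none".equals(sas.getProperty("com.ibm.CORBA.loginSource", "").trim())) {
            problems.add("com.ibm.CORBA.loginSource is not 'none'");
        }
        // This check resolves relative store paths against the working directory.
        for (String key : new String[] {"com.ibm.ssl.keyStore", "com.ibm.ssl.trustStore"}) {
            String store = ssl.getProperty(key, "").trim();
            if (store.isEmpty() || !Files.isReadable(Paths.get(store))) {
                problems.add(key + " '" + store + "' is missing: expect the certificate trust window");
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        Path dir = Paths.get(args.length > 0 ? args[0] : ".").toAbsolutePath().normalize();
        check(dir).forEach(p -> System.err.println("WARN: " + p));
        // Path.toUri() yields the file: URL form that both ConfigURL properties need.
        System.setProperty("com.ibm.CORBA.ConfigURL", dir.resolve("sas.client.props").toUri().toString());
        System.setProperty("com.ibm.SSL.ConfigURL", dir.resolve("ssl.client.props").toUri().toString());
    }
}
```

In a real client, run the same steps before the call to Factory.Connection.getConnection.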

Modify the WebSphere configuration

In order to make the EJB connection work, WebSphere needs to know its own name properly. The hostname for the BOOTSTRAP_ADDRESS and ORB_LISTENER_ADDRESS must be updated to use the real hostname (fully qualified) and not localhost.

  • Open the WebSphere administration console (https://host:9043/ibm/console).
  • Go to Servers > Server Types > WebSphere application servers > server_name > Communication > Ports
  • Edit BOOTSTRAP_ADDRESS and ORB_LISTENER_ADDRESS to use your hostname and not localhost.
  • Don’t forget to save and restart the server.


Open the EJB Ports

Of course, don’t forget to modify your firewall configuration and, if you have one, the port redirection to your server. To make an SSL EJB connection to a WebSphere server, you will have to open the following ports (check the port values in the Ports configuration in the WebSphere administration console):

  • BOOTSTRAP_ADDRESS: default is 2809
  • CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS: default is 9403
  • ORB_LISTENER_ADDRESS: default is 9100

With iptables, this gives:

iptables -I INPUT 4 -i eth0 -p tcp --dport 2809 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 4 -i eth0 -p tcp --dport 9100 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 4 -i eth0 -p tcp --dport 9403 -m state --state NEW,ESTABLISHED -j ACCEPT

If you don’t, you will get the following error in the console:

SECJ0395E: Could not locate the SecurityServer at host/port: notonlyanecmplace.com/2809 to validate the userid and password entered. You might need to specify valid securityServerHost/Port in WAS_INSTALL_ROOT/profiles/profile_name/properties/sas.client.props file.

With an orbtrc file saying:

com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl createSSLSocket P=555290:O=0:CT ORBRas[default] JSSL0130E: java.io.IOException: Signals that an I/O exception of some sort has occurred. Reason: connect timed out
com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl createSSLSocket P=555290:O=0:CT ORBRas[default] CONNECT_FAILURE_ON_SSL_CLIENT_SOCKET - JSSL0130E: java.io.IOException: Signals that an I/O exception of some sort has occurred. Reason: connect timed out
com.ibm.CORBA.transport.TransportConnectionBase connect:386 P=555290:O=0:CT ORBRas[default] org.omg.CORBA.COMM_FAILURE: CONNECT_FAILURE_ON_SSL_CLIENT_SOCKET - JSSL0130E: java.io.IOException: Signals that an I/O exception of some sort has occurred. Reason: connect timed out vmcid: 0x49421000 minor code: 80 completed: No
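To tell a blocked port from a listener that is not there, this added example (not from the original post) probes the three ports with a timeout and separates a timeout, as in the orbtrc trace above, from a refused connection. The class name EjbPortProbe is an assumption, and the ports are the defaults listed above.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;

public class EjbPortProbe { // hypothetical name, not from the post

    // Default values listed in the post; check the real ones in the console.
    static final int[] PORTS = {2809, 9403, 9100};
    static final String[] NAMES = {"BOOTSTRAP_ADDRESS",
        "CSIV2_SSL_SERVERAUTH_LISTENER_ADDRESS", "ORB_LISTENER_ADDRESS"};

    static String probe(String host, int port, int timeoutMs) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            return "open";
        } catch (SocketTimeoutException e) {
            // Same symptom as "connect timed out" in the orbtrc file
            return "timed out (packets dropped: check firewall or port redirection)";
        } catch (ConnectException e) {
            return "refused (nothing is listening on this address and port)";
        } catch (UnknownHostException e) {
            return "hostname does not resolve";
        } catch (IOException e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "basil"; // hostname used in the post
        for (int i = 0; i < PORTS.length; i++) {
            System.out.printf("%-40s %5d  %s%n", NAMES[i], PORTS[i], probe(host, PORTS[i], 3000));
        }
    }
}
```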

Launch the application

Finally, you can launch your application and hopefully everything will work as expected. You should see an output like this:

log4j:WARN No appenders could be found for logger (filenet_error.api.com.filenet.apiimpl.util.ConfigValueLookup).
log4j:WARN Please initialize the log4j system properly.
Object store name: TARGETOS

And if you didn’t copy the keystore and truststore, you should get this window first:

[Screenshot: certificate trust prompt window]
