What a sizzling day - sun is drenching my office and I yearn for a cold beer. Dream on doctor, the next customer brings me back to the reality.
The patient is complaining about problems when trying to login to Process Designer. To be more specific his pain lies at the connection between Process Designer and Process Center. After some time waiting at authentication he can see an error message as popup and in the logs:
!MESSAGE [com.ibm.bpm.ejbproxy.rest.EJBProxyRestHelper callEJB] Unrecognized SSL message, plaintext connection?
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
Before that I can see many retries on the requests:
!MESSAGE [org.apache.commons.httpclient.HttpMethodDirector executeWithRetry] Retrying request
Ok, let's take a cup of coffee instead of a beer and try to analyze that problem.
Hmm, such an exception usually occurs when a HTTPS endpoint is entered via a HTTP connection or the other way around.
However, the patient mentioned that he downloaded Process Designer from his working Process Center Console (login is possible) and argued that certificates were included in the etc folder of Process Designer (which contains the certificates for the connection). So, we should collect some further information like logs, traces and specific config files, Dr. Debug thinks.
In specific Process Designer traces I find the following hint:
!MESSAGE [com.ibm.bpm.ejbproxy.rest.EJBProxyDelegateFactory useHttpTunneling][FINEST]
This entry shows that a EJBProxy is used and is trying to establish a connection from a full qualified name to a short name. That is a good hint and we should check how this happened.
At first, I check the Process Designer side and in the eclipse.ini I can see the following:
On the other side I also check the Process Center server config:
Looking into the serverindex.xml or into the WAS Admin Console I can see that the patient has configured the SHORTNAME for his Process Center server.
After that findings, the patient tried to use the short name in the eclipse.ini and set the URL into the etc/hosts file (Windows). However, that did not help.
Then, I suggested to use Fiddler for further analysis. This led to a strange behavior. Having the shortname set in the etc/hosts file plus having Fiddler enabled, the scenario worked!
The login was successful and the connection to Process Center was established. That is strange.. Fiddler should be used to diagnose a HTTP communication problem and not to solve the problem. That is like using a fever thermometer to heal the fever.
So, what is happening here?
My idea is to check how Fiddler is working, first.
I figured out that Fiddler is using a proxy which registers Fiddler as the system proxy for WinInet, used by Internet Explorer (for more information see: http://docs.telerik.com/fiddler/KnowledgeBase/Proxy ). Hmm, Fiddler is registering itself as system proxy... Aha! Maybe the patient is using custom system proxy settings.
Furthermore, I got the information that Fiddler captures HTTPS traffic by generating a temporary certificate and applying the MITM technique when HTTPS decryption is enabled (see: http://stackoverflow.com/questions/15245718/why-make-use-of-https-when-fiddler-can-decrypt-it ).
That's it! Fiddler bypasses the custom system proxy settings and the SSL connection problem is resolved because Fiddler is generating its own temporary certificates based on the established connection (the patient has HTTPS decryption enabled).
Ok, after that diagnose let's try to heal patient's disease.
I know, the default embedded browser in Process Designer uses Internet Explorer. Therefore, any proxy settings made in Internet Explorer (WinInet) will be used by Process Designer and hence, may affect the connection to Process Center.
Let's see if the patient has any custom proxy settings using IE under
Tools menu -> Internet Options -> Connections tab (Fiddler should not run).
Bingo! There are custom settings.
According to that, I suggest two approaches which should heal the disease:
- Disable the system proxy settings in IE
- Try to apply the guidance from the following resources on how to work with custom system proxy settings:
The patient decided to apply the mentioned guidance (2.) so that he is ignoring the system proxy settings according to:
To be more specific, the following steps were applied:
1) go to ProcessDesignerRoot/configuration
2) create .settings directory there
3) create file org.eclipse.core.net.prefs in this folder (../configuration/.settings/org.eclipse.core.net.prefs)
4) add following 4 lines to the created file:
After applying that the connection problem was resolved and the patient was happy.
After this stiff piece of work lets have a cold beer now.
And if this does not help, take two of these and call me in the morning.
Your Dr. Debug