What is the cause of the following error message?

tzhao
2011-04-04T15:49:34Z
During startup of the application server, the systemout.log has the following error message:
JSAS1477W: SECURITY CLIENT/SERVER CONFIG MISMATCH: The client security configuration (sas.client.props or outbound settings in GUI) does not support the server security configuration for the following reasons:
ERROR 1: JSAS0809E: The current OID is RSA but this is not an Admin request.
ERROR 2: JSAS0603E: The server does not support SSL/TLS, but the client is configured to require it.

I don't understand the first error message.

For the second error message, the SSL for IIOP is disabled since the security.xml has the following:
<serverAuthentication xmi:id="IIOPTransport_1" sslConfig=""/>
But where is the client configuration? Since it is during WebSphere startup, there is no client application running, so the "client" here should be from WebSphere. If so, what is it and where is the configuration?

Thanks!
  • tzhao
    2011-04-04T15:50:43Z in response to tzhao
    I should mention that the same configuration and code works fine in WebSphere 7.
    • kark
      2011-04-05T00:37:18Z in response to tzhao
      Are you seeing these messages in an unmanaged server startup and no other processes are trying to communicate with this server? We tried it on our local builds and could not reproduce these messages. What version of Beta are you using?

      Both these messages indicate that there is some remote process trying to communicate with this server.

      The first message indicates that the RSA auth mechanism type is used for non-admin operations. By default only the admin operations (MBean, e.g.) use RSA (as indicated by the adminPreferredAuthMech in security.xml) and non-admin use LTPA. The error message indicates that a non-admin call has RSA auth mech type in the IOR.

      --Ajay
      • tzhao
        2011-04-05T01:17:01Z in response to kark
        Hi Ajay,

        It is a managed server, which is the only server in the cluster.

        The WebSphere build is
        Build Number: hh1108.14
        Build Date: 2/25/11

        Do you have a suggestion for how to investigate it?

        Thanks,
  • SystemAdmin
    2011-04-05T01:35:39Z in response to tzhao
    Hi,

    This looks like it's related to the new security hardening setting in version 8 for RMI. By default on both the server side and the client side sas.client.props file RMI has SSL "required". The old default was SSL "supported". I am confused by your statement that you see this during server startup. That kind of error happens when a client attempts to talk to the server, most likely an admin client. Are you sure this error does not occur when doing an admin operation like maybe starting wsadmin or running stopserver?

    The error suggests that you disabled the RMI SSL setting on the server, or set the transport layer of CSIv2 to TCPIP. Is your CSIv2 transport layer set to use TCPIP in your environment? If you send your security.xml file I can confirm.

    I can actually recreate the same error when starting wsadmin if my server has CSIv2 set to TCPIP and my sas.client.props file is set to SSL required.

    Please try setting your sas.client.props file to SSL supported by setting the following properties to see if the error goes away.

    # Does this client support/require SSL connections?
    com.ibm.CSI.performTransportAssocSSLTLSRequired=false
    com.ibm.CSI.performTransportAssocSSLTLSSupported=true
    Alaine DeMyers
    • tzhao
      2011-04-05T23:47:49Z in response to SystemAdmin
      Hi Alaine,

      Thanks for looking at it. I think you are correct.

      Looks like the error message was caused by either nodeagent or the "startserver" command.

      We intended to set CSIv2 inbound communications Transport to be TCP/IP, and it doesn't cause a problem in WebSphere 7 since the sas.client.props from the default WebSphere v7 profile has
      com.ibm.CSI.performTransportAssocSSLTLSRequired=false
      com.ibm.CSI.performTransportAssocSSLTLSSupported=true

      But the sas.client.props from the default WebSphere v8 profile has
      com.ibm.CSI.performTransportAssocSSLTLSRequired=true
      com.ibm.CSI.performTransportAssocSSLTLSSupported=false

      Looks like either nodeagent or the startserver command needs to connect to the application server through CSIv2. Since it loads sas.client.props with SSL required in WAS v8, but the server CSIv2 inbound configuration is TCP/IP, it causes the error message:
      ERROR 1: JSAS0809E: The current OID is RSA but this is not an Admin request.

      Since we have to set CSIv2 inbound communications Transport to be TCP/IP, is there a way to fix the problem?
      Is this error message only informational or does it cause the system to malfunction?

      Thanks for your help!
      • SystemAdmin
        2011-04-08T02:40:37Z in response to tzhao
        Hi,

        Sorry for taking so long to get back to you. I now see more clearly what you are doing. You must be in an ND environment. The inbound CSIv2 was changed to TCPIP. When the server starts it attempts to talk to the nodeagent, and the nodeagent's inbound connection is TCPIP and the server outbound connection is SSL required. Like I said before, the default settings for CSIv2 for both inbound and outbound are SSL required. If you change the CSIv2 setting for outbound from SSL required to SSL supported the errors should go away. The supported setting will accept both TCPIP and SSL connections.

        To change the setting on the server go to:

        Security > Global security > CSIv2 outbound communications

        In the box labeled Transport select SSL-supported.

        Hope this helps.

        Alaine DeMyers
        • tzhao
          2011-04-08T17:48:50Z in response to SystemAdmin
          Hi Alaine,

          Thanks for your help! Please help me to understand the issue better.

          When the application server connects to the nodeagent, does it read configuration based on global security or the sas.client.props file under its profile directory? In other words, if we set global security as CSIv2 inbound to be TCP/IP and outbound to be SSL required, and we also set the sas.client.props file with
          com.ibm.CSI.performTransportAssocSSLTLSRequired=true
          com.ibm.CSI.performTransportAssocSSLTLSSupported=false
          would the application server connect to the nodeagent with TCP/IP or SSL?

          Could you explain more about the SSL setting from the sas.client.props file and the CSIv2 setting in global security with regard to this issue? What causes the conflict?

          Thanks!
          • SystemAdmin
            2011-04-09T03:10:39Z in response to tzhao
            Hi,

            The app server is using the settings from security.xml. The sas.client.props file is used for the client programs, for example wsadmin or stopserver.

            The message says "sas.client.props or outbound settings in GUI". I was focusing on the sas.client.props part of that statement initially. Your problem did not have to do with the sas.client.props file, sorry for the confusion.

            The new security hardening settings changed the defaults to SSL required on both security.xml and sas.client.props files.

            Because you set inbound to TCPIP your connections between the servers will be over TCPIP. I suggested you change your outbound setting to SSL supported, the old default. It will handle either an SSL connection or a TCPIP connection. The connection will end up being TCPIP because inbound is only accepting TCPIP.

            If you were to make an RMI connection to the server from an admin client like wsadmin then your sas.client.props file will need to be updated to either SSL supported or TCPIP for the connection to work.

            Alaine DeMyers
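
The transport matching discussed in this thread, as an added example that is not part of the original posts and is not WebSphere code: it reads the two `sas.client.props` flags quoted above and checks the resulting outbound mode against an inbound mode. The function names and mode labels are hypothetical; treating a missing flag as false and choosing SSL when both sides allow it are assumptions.

```python
# Added illustration; not WebSphere code. Function names and mode labels are hypothetical.
REQUIRED = "com.ibm.CSI.performTransportAssocSSLTLSRequired"
SUPPORTED = "com.ibm.CSI.performTransportAssocSSLTLSSupported"

# Constructed samples using the default values quoted in the thread.
V7_PROPS = """\
# Does this client support/require SSL connections?
com.ibm.CSI.performTransportAssocSSLTLSRequired=false
com.ibm.CSI.performTransportAssocSSLTLSSupported=true
"""
V8_PROPS = """\
# Does this client support/require SSL connections?
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=false
"""

def parse_props(text):
    """Parse key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def client_mode(props):
    """Map the two flags to a transport mode (missing flag treated as false: assumption)."""
    if props.get(REQUIRED, "false").lower() == "true":
        return "SSL-required"
    if props.get(SUPPORTED, "false").lower() == "true":
        return "SSL-supported"
    return "TCP/IP"

def negotiate(outbound, inbound):
    """Return (transport, None) on a match or (None, reason) on a mismatch."""
    if outbound == "SSL-required" and inbound == "TCP/IP":
        return None, "server does not support SSL/TLS, but the client requires it"
    if outbound == "TCP/IP" and inbound == "SSL-required":
        return None, "server requires SSL/TLS, but the client does not support it"
    if "TCP/IP" in (outbound, inbound):
        return "TCP/IP", None  # unencrypted: one side only speaks TCP/IP
    return "SSL", None  # assumption: SSL is chosen when both sides allow it

if __name__ == "__main__":
    for name, text in (("v7 default", V7_PROPS), ("v8 default", V8_PROPS)):
        mode = client_mode(parse_props(text))
        print(name, mode, "-> inbound TCP/IP:", negotiate(mode, "TCP/IP"))
```

With inbound set to TCP/IP, an SSL-supported outbound side connects but the traffic is unencrypted, which is the outcome the last reply describes.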