Topic
  • 8 replies
  • Latest Post - ‏2011-04-09T03:10:39Z by SystemAdmin
tzhao
15 Posts

Pinned topic What is the cause of the following error message?

2011-04-04T15:49:34Z
During startup of the application server, the systemout.log has the following error message:
JSAS1477W: SECURITY CLIENT/SERVER CONFIG MISMATCH: The client security configuration (sas.client.props or outbound settings in GUI) does not support the server security configuration for the following reasons:
ERROR 1: JSAS0809E: The current OID is RSA but this is not an Admin request.
ERROR 2: JSAS0603E: The server does not support SSL/TLS, but the client is configured to require it.

I don't understand the first error message.

For the second error message, the SSL for IIOP is disabled since the security.xml has the following:
<serverAuthentication xmi:id="IIOPTransport_1" sslConfig=""/>
But where is the client configuration? Since it is during WebSphere startup, there is no client application running, so the "client" here should be from WebSphere; if so, what is it and where is the configuration?

Thanks!
Updated on 2011-04-09T03:10:39Z at 2011-04-09T03:10:39Z by SystemAdmin
  • tzhao
    15 Posts

    Re: What is the cause of the following error message?

    ‏2011-04-04T15:50:43Z  
    I should mention that the same configuration and code works fine in WebSphere 7.
  • kark
    18 Posts

    Re: What is the cause of the following error message?

    ‏2011-04-05T00:37:18Z  
    Are you seeing these messages in an unmanaged server startup and no other processes are trying to communicate with this server? We tried it on our local builds and could not reproduce these messages. What version of Beta are you using?

    Both these messages indicate that there is some remote process trying to communicate with this server.

    The first message indicates that the RSA auth mechanism type is used for non-admin operations. By default only the admin operations (MBean for eg) use RSA (as indicated by the adminPreferredAuthMech in security.xml) and non-admin use LTPA. The error message indicates that a non-admin call has RSA auth mech type in the IOR.

    --Ajay
  • tzhao
    15 Posts

    Re: What is the cause of the following error message?

    ‏2011-04-05T01:17:01Z  
    Hi Ajay,

    It is a managed server, which is the only server in the cluster.

    The WebSphere build is
    Build Number: hh1108.14
    Build Date: 2/25/11

    Do you have a suggestion for how to investigate it?

    Thanks,
  • SystemAdmin
    462 Posts

    Re: What is the cause of the following error message?

    ‏2011-04-05T01:35:39Z  
    Hi,

    This looks like it's related to the new security hardening setting in version 8 for RMI. By default on both the server side and the client side sas.client.props file RMI has SSL "required". The old default was SSL "supported". I am confused by your statement that you see this during server startup. That kind of error happens when a client attempts to talk to the server, most likely an admin client. Are you sure this error does not occur when doing an admin operation like maybe starting wsadmin or running stopserver?

    The error suggests that you disabled the RMI SSL setting on the server, or set the transport layer of CSIv2 to TCPIP. Is your CSIv2 transport layer set to use TCPIP in your environment? If you send your security.xml file I can confirm.

    I can actually recreate the same error when starting wsadmin if my server has CSIv2 set to TCPIP and my sas.client.props file is set to SSL required.

    Please try setting your sas.client.props file to SSL supported by setting the following properties to see if the error goes away.

    # Does this client support/require SSL connections?
    com.ibm.CSI.performTransportAssocSSLTLSRequired=false
    com.ibm.CSI.performTransportAssocSSLTLSSupported=true

    Alaine DeMyers
  • tzhao
    15 Posts

    Re: What is the cause of the following error message?

    ‏2011-04-05T23:47:49Z  
    Hi Alaine,

    Thanks for looking at it. I think you are correct.

    Looks like the error message was caused by either nodeagent or the "startserver" command.

    We intended to set CSIv2 inbound communications Transport to be TCP/IP, and it doesn't cause a problem in WebSphere 7 since the sas.client.props from the default WebSphere v7 profile has
    com.ibm.CSI.performTransportAssocSSLTLSRequired=false
    com.ibm.CSI.performTransportAssocSSLTLSSupported=true

    But the sas.client.props from the default WebSphere v8 profile has
    com.ibm.CSI.performTransportAssocSSLTLSRequired=true
    com.ibm.CSI.performTransportAssocSSLTLSSupported=false

    Looks like either nodeagent or the startserver command needs to connect to the application server through CSIv2. Since it loads sas.client.props with SSL required in WAS v8, but the server CSIv2 inbound configuration is TCP/IP, it causes the error message:
    ERROR 1: JSAS0809E: The current OID is RSA but this is not an Admin request.

    Since we have to set CSIv2 inbound communications Transport to be TCP/IP, is there a way to fix the problem?
    Is this error message only informational or does it cause the system to malfunction?

    Thanks for your help!
  • SystemAdmin
    462 Posts

    Re: What is the cause of the following error message?

    ‏2011-04-08T02:40:37Z  
    Hi,

    Sorry for taking so long to get back to you. I now see more clearly what you are doing. You must be in an ND environment. You changed the inbound CSIv2 to TCPIP. When the server starts it attempts to talk to the nodeagent, and the nodeagent's inbound connection is TCPIP and the server outbound connection is SSL required. Like I said before, the default settings for CSIv2 for both inbound and outbound are SSL required. If you change the CSIv2 setting for outbound from SSL required to SSL supported the errors should go away. The supported setting will accept both TCPIP and SSL connections.

    To change the setting on the server go to:

    Security > Global security > CSIv2 outbound communications

    In the box labeled Transport select SSL-supported.

    Hope this helps.

    Alaine DeMyers
  • tzhao
    15 Posts

    Re: What is the cause of the following error message?

    ‏2011-04-08T17:48:50Z  
    Hi Alaine,

    Thanks for your help! Please help me to understand the issue better.

    When the application server connects to the nodeagent, does it read configuration based on global security or the sas.client.props file under its profile directory? In other words, if we set global security as CSIv2 inbound to be TCP/IP and outbound to be SSL required, and we also set the sas.client.props file with
    com.ibm.CSI.performTransportAssocSSLTLSRequired=true
    com.ibm.CSI.performTransportAssocSSLTLSSupported=false
    would the application server connect to the nodeagent with TCP/IP or SSL?

    Could you explain more about the SSL setting from the sas.client.props file and the CSIv2 setting in global security with regard to this issue? What causes the conflict?

    Thanks!
  • SystemAdmin
    462 Posts

    Re: What is the cause of the following error message?

    ‏2011-04-09T03:10:39Z  
    Hi,

    The app server is using the settings from security.xml. The sas.client.props file is used for the client programs, for example wsadmin or stopserver.

    The message says "sas.client.props or outbound settings in GUI". I was focusing on the sas.client.props part of that statement initially. Your problem did not have to do with the sas.client.props file, sorry for the confusion.

    The new security hardening settings changed the defaults to SSL required on both security.xml and sas.client.props files.

    Because you set inbound to TCPIP your connections between the servers will be over TCPIP. I suggested you change your outbound setting to SSL supported, the old default. It will handle either an SSL connection or a TCPIP connection. The connection will end up being TCPIP because inbound is only accepting TCPIP.

    If you were to make an RMI connection to the server from an admin client like wsadmin then your sas.client.props file will need to be updated to either SSL supported or TCPIP for the connection to work.

    Alaine DeMyers
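
The transport compatibility rule worked out over this thread, as an added Python sketch that is not from any poster and is not IBM code: it reads the two sas.client.props flags quoted above, compares a caller's outbound setting with a target's inbound setting, and reports which links fail and which fall back to unencrypted TCPIP. The three labels follow the thread's wording; preferring SSL when both sides allow it, treating a missing flag as false, and the link names are assumptions.

```python
# Added illustration (not IBM code): simplified model of the CSIv2 transport
# compatibility check discussed in the thread.
REQ = "com.ibm.CSI.performTransportAssocSSLTLSRequired"
SUP = "com.ibm.CSI.performTransportAssocSSLTLSSupported"
# Transports each setting can use; labels follow the thread's wording.
CAPS = {"TCPIP": {"TCPIP"}, "SSL-supported": {"TCPIP", "SSL"}, "SSL-required": {"SSL"}}
# sas.client.props defaults as quoted in the thread for the v7 and v8 profiles.
V7_PROPS = f"# v7 default profile\n{REQ}=false\n{SUP}=true\n"
V8_PROPS = f"# v8 default profile\n{REQ}=true\n{SUP}=false\n"

def parse_props(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def client_mode(props):
    """Collapse the two flags into one label (assumption: missing flag = false)."""
    if props.get(REQ, "false").lower() == "true":
        return "SSL-required"
    if props.get(SUP, "false").lower() == "true":
        return "SSL-supported"
    return "TCPIP"

def negotiate(outbound, inbound):
    """Return 'SSL', 'TCPIP', or None when the two sides share no transport."""
    common = CAPS[outbound] & CAPS[inbound]
    if not common:
        return None
    return "SSL" if "SSL" in common else "TCPIP"  # assumption: SSL preferred

def audit(links):
    """Flag each (name, outbound, inbound) link as mismatch, plaintext or ok."""
    findings = {}
    for name, outbound, inbound in links:
        transport = negotiate(outbound, inbound)
        findings[name] = {None: "mismatch", "TCPIP": "plaintext"}.get(transport, "ok")
    return findings

if __name__ == "__main__":
    v8 = client_mode(parse_props(V8_PROPS))
    # Hypothetical link names; settings mirror the scenarios in the thread.
    print(audit([("wsadmin(v8 props) -> server", v8, "TCPIP"),
                 ("server -> nodeagent", "SSL-supported", "TCPIP")]))
```

A "plaintext" finding marks a link that works only because the caller was relaxed to SSL-supported, so the traffic on it is carried over TCPIP without TLS.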