Topic
  • 4 replies
  • Latest Post - 2012-09-14T19:14:35Z by SystemAdmin
northernredneck!

Remote Cat Server connection issue

2012-09-11T10:49:00Z
Hi all.

I'm having some issues in one of our test environments where we're trying to use a remote WXS grid. Essentially the WXS grid is located on one WAS instance (WAS7 Base Edition); the connecting application code is actually deployed on a separate instance of WAS7 Base, i.e. a different Cell.

The WXS grid (single CAT server & a single grid JVM) is up and running fine. When I attempted to set up a remote CAT server on the Cell hosting the application code, the test connection failed due to certificate errors. This was resolved by importing the Cell signer certs into each opposite Cell.

However, when our application starts up and attempts to connect to the remote grid I get the following error.

Does anyone have any ideas how I can solve this please?

FYI, WXS V7.1.1 FP 1 is the client & server version we're using.

Thanks

07/09/12 15:01:53:935 BST FFDC Exception:org.omg.CORBA.NO_PERMISSION SourceId:com.ibm.ws.objectgrid.catalog.wrapper.LocationServiceWrapper.getReadOnlyCatalogServiceStub ProbeId:997 Reporter:com.ibm.ws.objectgrid.catalog.wrapper.LocationServiceWrapper@2b07e0af
org.omg.CORBA.NO_PERMISSION:
SERVER (id=4773e3aa, host=tdukwxstestz01) TRACE START:
org.omg.CORBA.NO_PERMISSION: Validation of LTPA token failed due to invalid keys or token type. vmcid: 0x49424000 minor code: 300 completed: No
at com.ibm.ISecurityLocalObjectBaseL13Impl.PrincipalAuthFailReason.map_auth_fail_to_minor_code(PrincipalAuthFailReason.java:88)
at com.ibm.ISecurityLocalObjectBaseL13Impl.CSIServerRIBase.authenticateSecurityTokens(CSIServerRIBase.java:4544)
at com.ibm.ISecurityLocalObjectBaseL13Impl.CSIServerRI.receive_request(CSIServerRI.java:584)
at com.ibm.rmi.pi.InterceptorManager.invokeInterceptor(InterceptorManager.java:624)
at com.ibm.rmi.pi.InterceptorManager.iterateServerInterceptors(InterceptorManager.java:528)
at com.ibm.rmi.pi.InterceptorManager.iterateReceiveRequest(InterceptorManager.java:770)
at com.ibm.CORBA.poa.POAServerDelegate.dispatchToServant(POAServerDelegate.java:398)
at com.ibm.CORBA.poa.POAServerDelegate.internalDispatch(POAServerDelegate.java:334)
at com.ibm.CORBA.poa.POAServerDelegate.dispatch(POAServerDelegate.java:256)
at com.ibm.rmi.iiop.ORB.process(ORB.java:513)
at com.ibm.CORBA.iiop.ORB.process(ORB.java:1574)
at com.ibm.rmi.iiop.Connection.respondTo(Connection.java:2845)
at com.ibm.rmi.iiop.Connection.doWork(Connection.java:2718)
at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:63)
at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:118)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1604)
SERVER (id=4773e3aa, host=tdukwxstestz01) TRACE END.
vmcid: 0x49424000 minor code: 300 completed: No
  • SystemAdmin

    Re: Remote Cat Server connection issue

    2012-09-13T13:54:05Z
    Hello,

    From the exception, we can see the issue is cross-cell communication using LTPA.

    When your client and server are part of two different cells, each cell has its own set of LTPA keys and its own set of keystores and truststores. When the client is sending an LTPA token to the server, the server must be able to decrypt the token in order to authenticate it. If the server does not have the same set of LTPA keys that the client does, the decryption fails. The LTPA keys have to be shared between the two cells in order for the server to authenticate an LTPA token sent from the client.

    To fix the org.omg.CORBA.NO_PERMISSION problem, please export the LTPA keys from the Server and import them into the Client.

    1. Exporting Lightweight Third Party Authentication keys

    2. Importing Lightweight Third Party Authentication keys

    I believe that will take care of your problem. If it doesn't work or you have more questions, please reply.

    As a side note, if this worked for a period of time and then the exception appeared, then check if something triggered auto-generation or manual re-generation of LTPA keys in either of the environments.
    Eric
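Eric's explanation above (the receiving server must hold the same LTPA keys the client used, and a regenerated key set breaks a setup that used to work) can be shown with a small model that also covers the export-from-server/import-into-client fix. The following is an added example, not code from this thread or from IBM: it models each cell's LTPA keys as an HMAC secret and the token as MAC-protected JSON, which is a deliberate simplification and not the real LTPA token format; Cell, issue_token, validate_token, try_connect and walk_through are names invented for the example.

```python
import base64
import hashlib
import hmac
import json
import os


class NoPermission(Exception):
    """Stands in for org.omg.CORBA.NO_PERMISSION raised by the receiving server."""


class Cell:
    """A WAS cell with its own LTPA-style shared secret (constructed model)."""

    def __init__(self, name):
        self.name = name
        self.ltpa_key = os.urandom(32)  # models the cell's generated LTPA keys

    def regenerate_ltpa_keys(self):
        # Models the auto/manual key regeneration mentioned in the side note.
        self.ltpa_key = os.urandom(32)

    def export_ltpa_keys(self):
        return self.ltpa_key

    def import_ltpa_keys(self, key):
        self.ltpa_key = key

    def issue_token(self, user, now, ttl=120):
        """Client side: build a token for `user` protected with this cell's key."""
        payload = json.dumps({"user": user, "realm": self.name, "expire": now + ttl}).encode()
        mac = hmac.new(self.ltpa_key, payload, hashlib.sha256).digest()
        return base64.b64encode(payload).decode() + "." + base64.b64encode(mac).decode()

    def validate_token(self, token, now):
        """Server side: accept the token only if it was protected with *our* key."""
        try:
            b64_payload, b64_mac = token.split(".")
            payload = base64.b64decode(b64_payload)
            mac = base64.b64decode(b64_mac)
        except ValueError as exc:
            raise NoPermission("malformed token") from exc
        expected = hmac.new(self.ltpa_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            # This is the situation behind "invalid keys or token type" in the FFDC above.
            raise NoPermission("Validation of LTPA token failed due to invalid keys or token type")
        claims = json.loads(payload)
        if claims["expire"] <= now:
            raise NoPermission("LTPA token expired")
        return claims


def try_connect(client_cell, server_cell, user, now):
    """Return 'ok' or 'NO_PERMISSION' for one client -> catalog-server call."""
    token = client_cell.issue_token(user, now)
    try:
        server_cell.validate_token(token, now)
        return "ok"
    except NoPermission:
        return "NO_PERMISSION"


def walk_through(now=1_347_000_000):
    """Replay the thread: separate cells fail, sharing keys fixes it, regeneration breaks it again."""
    app_cell = Cell("appCell")       # constructed: the cell hosting the application
    grid_cell = Cell("wxsGridCell")  # constructed: the cell hosting catalog server and grid
    results = {}
    results["separate_keys"] = try_connect(app_cell, grid_cell, "appuser", now)
    # The fix from the reply: export from the server cell, import into the client cell.
    app_cell.import_ltpa_keys(grid_cell.export_ltpa_keys())
    results["after_import"] = try_connect(app_cell, grid_cell, "appuser", now)
    # A token issued under the shared key but presented after its lifetime has passed.
    stale = app_cell.issue_token("appuser", now, ttl=60)
    try:
        grid_cell.validate_token(stale, now + 61)
        results["expired"] = "ok"
    except NoPermission:
        results["expired"] = "NO_PERMISSION"
    # The side note: key regeneration in either cell silently desynchronises them.
    grid_cell.regenerate_ltpa_keys()
    results["after_regeneration"] = try_connect(app_cell, grid_cell, "appuser", now)
    return results


if __name__ == "__main__":
    for step, outcome in walk_through().items():
        print(f"{step:20s} {outcome}")
```

Running the script prints the four outcomes in order: NO_PERMISSION with separate keys, ok after the import, NO_PERMISSION for the stale token, and NO_PERMISSION again once the grid cell regenerates its keys. The last case is why, when a previously working cross-cell connection starts failing with this error, the first thing to check is whether either cell's LTPA keys were regenerated.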
  • northernredneck!

    Re: Remote Cat Server connection issue

    2012-09-13T15:25:39Z
    Thanks for the reply, I'll give it a go and post the results.

    Are there any downsides to applying it? Just wondering, as I've not used the LTPA stuff for talking cross-cell before.

    Thanks
  • northernredneck!

    Re: Remote Cat Server connection issue

    2012-09-13T19:50:27Z
    Awesome fix Eric, works fine now, thanks.

    I guess I have a couple of questions still though.

    Firstly, on the link you sent for exporting, it makes the point around the following. There was no mention of Internal Server ID when I exported the keys from my server; it simply exported them.

    7. Specify the Internal server ID that is used for interprocess communication between servers. The server ID is protected with an LTPA token when sent remotely. You can edit the internal server ID to make it identical to server IDs across multiple application server administrative domains (cells). By default this ID is the cell name.

    Also there's the other question I asked in my last post too, i.e. are there any downsides/knock-on effects to enabling it in my client application Cell? I'm guessing not.

    Thanks
  • SystemAdmin

    Re: Remote Cat Server connection issue

    2012-09-14T19:14:35Z
    Hello,

    Downsides of using authentication: running into issues when things are not set up correctly. Sometimes it is hard to find the specific answer for a problem in this space, but we are working to improve that.

    The link I specified was for the base WAS InfoCenter. I need to ask someone on the base WAS security team about step 7.

    Eric