IBM Support

PM32220: BCI PREVENTING JBOSS ADMIN CONSOLE ACCESS DUE TO SIGNED JAR FILES.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Problem Abstract:

BCI preventing JBoss admin console access due to signed Jar
files.


---------------------------------
Users Affected:

Users trying to configure DC to JBoss using signed certificates


---------------------------------
Problem Description:

Env:
ITCAMfJ2EE v6.2 FP05
JBoss
RHEL v5

---------------------------------
Problem:

DC installed and configured sucessfully, but after DC
configuration, JBoss Admin Console application is not
accessible.
After disabling the DC (edit run.sh and comment out DC java
opts) the Admin console runs without problems.
Inside JBoss's server.log the following exceptions can be seen:

"2010-11-25 14:49:51,281 WARN
[org.jboss.detailed.classloader.ClassLoaderManager] (main)
Unexpected error during load
of:javax.servlet.http.HttpServletRequest
java.lang.SecurityException: class
"javax.servlet.http.HttpServletRequest"'s signer information
does not match signer information of other classes in the same
package

Local fix

  • The solution to this problem is to remove signatures from jars
delivered with JBoss EAP:

To fire Admin Console it will be enough to remove signatures
from:
servlet-api.jar and jboss-javaee.jar located in
{JBOSS_HOME}/jboss-as/common/lib/

-------------------------------------------
To remove signature from jar:
- go to META-INF directory inside jar
- remove *.RSA and *.SF files
- optionally remove all
 Name:
 SHA1-Digest:
entries in MANIFEST.MF file.
-------------------------------------------
Similar JBoss issue:
https://access.redhat.com/jbossnetwork/restricted/softwareDetail
.html?product=appplatform&downloadType=patches&softwareId=1012&v
ersion=5.0.
--------------------------------------------

If you find in logs similar exceptions to:
Caused by: java.lang.SecurityException: class
"javax.jms.ConnectionMetaData"'s signer information does not
match signer information of other classes in the same package
You should remove signature from jar containing class listed in
this exception

Problem summary

  • ****************************************************************
* USERS AFFECTED: All user of ITCAM v6.1 for J2EE using
* JBoss EAP on all platforms.
****************************************************************
* PROBLEM DESCRIPTION:
* DC installed and configured sucessfully, but after DC
* configuration, JBoss Admin Console application is not
* accessible. Inside JBoss's server.log a number of similar
* exceptions:
* Caused by: java.lang.SecurityException: class
"javax.jms.ConnectionMetaData"'s signer information does not
match signer information of other classes in the same package
*       at
java.lang.ClassLoader.checkCerts(ClassLoader.java:807)
*       at
java.lang.ClassLoader.preDefineClass(ClassLoader.java:488)
*       at
java.lang.ClassLoader.defineClassCond(ClassLoader.java:626)
*
* After disabling DC (edit run.sh and comment out DC java opts)
* Admin console runs without problems.
*
****************************************************************
* RECOMMENDATION: Upgrade to 6.1.0-TIV-ITCAMfJ2EE_MP-FP0006
****************************************************************

Problem conclusion

  • In Data Collector we get resource as a stream and we open it
to check if the resource exist. Then we close that stream
immediately without reading from the stream. That could cause
problems, because in the java.util.jar.JarVerifier.processEntry
is set information about certificates, and this method is
not invoked. When we close the stream, JBOSS caches informations
about jar entries in internal structure and empty certificates
are kept in it. In this way JBoss class loaders always put to
CodeSource empty array of certificates. During loading other
class from that same package checkCerts() method throws
exception because of wrong cached certificates..

The fix for this APAR is a part of maintenance package:
fix pack 6.1.0-TIV-ITCAMfJ2EE_MP-FP0006

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PM32220
    • 

  • Reported component name
    ITCAM J2EE JBOS
    • 

  • Reported component ID
    5724N95JB
    • 

  • Reported release
    610
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2011-02-09
    • 

  • Closed date
    2011-05-24
    • 

  • Last modified date
    2011-05-24
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    ITCAM J2EE JBOS
    • 

  • Fixed component ID
    5724N95JB
    • 



Applicable component levels


    

  • R610  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSCH4B","label":"Tivoli Composite Application Manager for J2EE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"610","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            27 July 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback