Download
Abstract
SSL proxy connect tunneling does not use correct target host and port.
Download Description
PK59474 resolves the following problem:
ERROR DESCRIPTION:
A Web Service calls an external service to logon. The login service returns a session ID and URL. This always works. These two parameters along with a Query are used to make a second Web Service call to the external service to get an account ID. This call works the first time and fails subsequent times at the customer location with the following exception:
----------------------------------------------------------------
[1/14/08 15:46:27:875 EST] 00000054 ExceptionUtil E CNTR0020E:
EJB threw an unexpected (non-declared) exception during
invocation of method
"transactionNotSupportedActivitySessionNotSupported" on bean
"BeanId(AccountMediationApp#AccountMediationEJB.jar#Module,
null)". Exception data:
com.ibm.websphere.sca.ServiceRuntimeException: <soapenv:Body
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Fault><faultcode
xmlns:p354="urn:fault.enterprise.soap.sforce.com">p354:UNKNOWN_E
XCEPTION</faultcode><faultstring>UNKNOWN_EXCEPTION: Destination
URL not reset. The URL returned from login must be set in the
SforceService</faultstring><detail encodingStyle=""><sf:fault
xsi:type="sf:UnexpectedErrorFault"
xmlns:sf="urn:fault.enterprise.soap.sforce.com">
<sf:exceptionCode>UNKNOWN_EXCEPTION</sf:exceptionCode>
<sf:exceptionMessage>Destination URL not reset. The URL
returned from login must be set in the
SforceService</sf:exceptionMessage>
</sf:fault></detail></soapenv:Fault>
</soapenv:Body>
at
com.ibm.wsspi.sca.webservice.jaxrpc.ServiceImportHandler.handleF
ault(ServiceImportHandler.java:313)
at
com.ibm.ws.webservices.engine.handlers.jaxrpc.HandlerProxy.handl
eFault(HandlerProxy.java:159)
at
com.ibm.ws.webservices.engine.handlers.jaxrpc.JAXRPCHandlerChain
.oneHandleFault(JAXRPCHandlerChain.java:869)
at
com.ibm.ws.webservices.engine.handlers.jaxrpc.JAXRPCHandlerChain
.handleFault(JAXRPCHandlerChain.java:846)
...
...
----------------------------------------------------------------
LOCAL FIX:
One way to make it work:
----------------------------------------------------------------
The customer is successfully running their application using the JVM™ property "com.ibm.websphere.webservices.http.connectionKeepAlive" set to false.
---------------------------------------------------------------
PROBLEM SUMMARY
USERS AFFECTED:
IBM® WebSphere® Application Server version 6.1 users of web services.
PROBLEM DESCRIPTION:
SSL proxy connect tunneling does not use correct target host and port.
RECOMMENDATION:
None
A Web Service calls an external service to logon. The login service returns a session ID and URL. This always works. These two parameters along with a Query are used to make a second Web Service call to the external service to get an account ID. This call works the first time and fails subsequent times at the customer location with the following exception:
----------------------------------------------------------------
[1/14/08 15:46:27:875 EST] 00000054 ExceptionUtil E CNTR0020E:
EJB threw an unexpected (non-declared) exception during
invocation of method
"transactionNotSupportedActivitySessionNotSupported" on bean
"BeanId(AccountMediationApp#AccountMediationEJB.jar#Module,
null)". Exception data:
com.ibm.websphere.sca.ServiceRuntimeException: <soapenv:Body
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Fault><faultcode
xmlns:p354="urn:fault.enterprise.soap.sforce.com">p354:UNKNOWN_E
XCEPTION</faultcode><faultstring>UNKNOWN_EXCEPTION: Destination
URL not reset. The URL returned from login must be set in the
SforceService</faultstring><detail encodingStyle=""><sf:fault
xsi:type="sf:UnexpectedErrorFault"
xmlns:sf="urn:fault.enterprise.soap.sforce.com">
<sf:exceptionCode>UNKNOWN_EXCEPTION</sf:exceptionCode>
<sf:exceptionMessage>Destination URL not reset. The URL
returned from login must be set in the
SforceService</sf:exceptionMessage>
</sf:fault></detail></soapenv:Fault>
</soapenv:Body>
at
com.ibm.wsspi.sca.webservice.jaxrpc.ServiceImportHandler.handleF
ault(ServiceImportHandler.java:313)
at
com.ibm.ws.webservices.engine.handlers.jaxrpc.HandlerProxy.handl
eFault(HandlerProxy.java:159)
at
com.ibm.ws.webservices.engine.handlers.jaxrpc.JAXRPCHandlerChain
.oneHandleFault(JAXRPCHandlerChain.java:869)
at
com.ibm.ws.webservices.engine.handlers.jaxrpc.JAXRPCHandlerChain
.handleFault(JAXRPCHandlerChain.java:846)
PROBLEM CONCLUSION:
The key here is how the application communicates a forward proxy versus a reverse proxy.
The reverse Proxy is the actual target of the client request, and then the proxy opens it's own socket independently to the back end server. Thus, SSL to a reverse proxy has one session between web services client and the proxy, and a separate session from proxy to backend server. The Proxy knows about each individual HTTP request from the client and routes it appropriately. The request looks like "POST /uri, Host: backend:port".
On the other hand, a forward proxy is not the target of the client request. That bounces through the Proxy and out to the target server, with the request formatted as "POST ttp://backend:port/uri, Host: proxy".
The key for us is that you cannot do regular SSL to a forward proxy. You must use a CONNECT request to do SSL tunneling through the proxy. The CONNECT tells the Proxy what back end server to contact (which is who the SSL handshake is made against) and the Proxy has no knowledge of the individual requests made. It simply tunnels data back and forth between the client and the back end server.
Now, for web services client, if it knows the target is a proxy, it will send the forward proxy style request if HTTP, but will always use the CONNECT tunneling code if SSL. The critical point is that the SSL tunnel always goes to the first target and every HTTP request over the tunnel goes to that same target. The web services engine code has been fixed to include the target endpoint host and port when using an SSL proxy CONNECT.
The fix for this APAR is currently targeted for inclusion in Fix Pack 6.1.0.17.
Please refer to the recommended updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Prerequisites
Please download the UpdateInstaller below to install this fix.
Installation Instructions
Please review the readme.txt for detailed installation instructions.
Download Package
| Download package |
| What is Fix Central (FC)? |
| What is DD? |
| Download | RELEASE DATE | LANGUAGE | SIZE(Bytes) | Download Options | ||
|---|---|---|---|---|---|---|
| 6.1.0.13-WS-WAS-IFPK59474 | 2/13/2008 | US English | 19677 | FC | FTP | DD |
| 6.1.0.15-WS-WAS-IFPK59474 | 3/18/2008 | US English | 19677 | FC | FTP | DD |
Technical Support
Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV(U.S. only).
Problems (APARS) fixed
Problems (APARS) fixed
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg24018303