JMS and loadbalanced Radius servers
I have a problem with sending JMS messages to a queue where they get picked up and implemented upon by executing cisco cmds via ssh, i seem to get varied JMS commnds sent to two different VPNs.
there are two cisco swithes and two jboss appserevers, each having a radius serever to authenticate the remote ip address and then assign some firewall rules to the cisco kits via the JMS service , which are just cisco cmd via ssh or some type of secure telnet - put problem is that instaed of the same rule-set being applied to both the cisco swithes i get varaition in the firewall rules being sent to the swithes - sometime i get half sent to one swith and rest to the other , what should i be looking at to isolate the problem the logs dont show much , i have radius server logs and server logs and firewall logs - but cant see what the problem is where could someone suggest i look to start figuring out what the problem is - is it something to do with the load balancing , the JMS stuff - if so what should i look at or the ssh type telnet session from Java - is there known unreliabilty type issues with regards to transactions when executing cmd line stuff via a secure telnet session from a java object. Or does any one know of any other firewall manager type utility that can be integrated with a radius server and java application inoder to dynamically set up a firewall congiguration of cisco kit
The service is via a topic as a destination .....
the basic idea of the functionality is as follows ...i'm hoping some one can clearly spot what the issue would be such as known issues with excuting IOS cmds via ...CiscoController object which knows how to use SSH-2 protocol to send IOS commands.
the basic idea of functionality is as follows:-
The network elements themselves are protected against intrusion by using standard Cisco firewall technologies. A PIX 515e redundant pair is employed to protect each of the Access Points and the Control and Monitoring platform.
The Dynamic Firewall works in conjunction with the RADIUS server to dynamically apply access list entries to the interface of the VPN routers in the Access Point.
Address Assignment
The RADIUS Server is responsible for assigning an IP address to a terminal, once it has requested access to the network. Session notifications, which include the assigned ip address and firewall rules, are communicated via a JMS Topic called �xxxxxSessionTopic� The firewall manager listens for these notifications and uses them to dynamically add access list entries to the vpn router. When a session is closed, i.e. when a terminal detaches from the network, another notification is broadcast as such. This is used to remove the access list entries from the router.
It is important to ensure that the correct access list entries are added and removed when updating the router. Newer versions of Cisco IOS allow serial numbers to be employed when applying access list entries, thus negating the necessity to remove and re-apply all entries to ensure that they retain the same order. The firewall manager there makes use of the value of the id field for the Address object allocated to the terminal as a basis for generating the unique serial number. This is multiplied by 20 and the rule priority number in the FirewallRule object is added to make the serial number unique, as the ip address is a unique entity on the platform. This makes management of the access list entries relatively simple.
Connectivity
In order to ensure access to the VPN routers remains secure, SSH-2 is used by the Dynamic Firewall software to connect to the VPN routers and deliver the necessary IOS commands to insert new rules into the access list. The necessary access details are started in the SAR files that package the code and are located in the JBoss hot deploy directory on the application servers.
Software Objects
The Dynamic firewall components are packaged in a file named xxxxFirewallManager.sar. This is a JBoss service archive and is started on deployment of the SAR file to the jboss hot deploy directory, or on start up of the JBoss application server. The archive contains the java objects listed below, which are responsible for the implementation of the Dynamic Firewall, along with necessary configuration files.
FirewallManagerMBean
This is a JBoss JMX Service object that is registered onto the JBoss JMX bus. Two of these objects will be configured for each Router firewall that is to be managed by the application server. The object has a number of properties that must be initialised through the jboss-service.xml file that is stored in the SAR file. These properties are listed in the following table. See the example jboss-service.xml file in the configuration section.
FirewallManager
Each MBean creates a FirewallManager. The FirewallManager is responsible for receiving session creation and deletion notification messages over the JMS Topic �xxxxxSessionTopic�. It then un-marshals a FirewallRuleSet object containing the rules (up to 20) that must be applied to the access list. A FirewallController is then used to deliver these rules to the router
FirewallController
This specialises a CiscoController object which knows how to use SSH-2 protocol to send IOS commands.
Configuration
Configuration is located in the root directory of the SAR. One jboss-service.xml file must exist and a separate properties file will exist for each of the router access lists that are managed (normally 2 per router)
the problem is that even with this sound architecure it seems that the firewall rules are not correctly and equally applied to both the routers.
it may be a transactional issue where the messages have to be set inside a transaction - but can somebody please shed some light on this issue so that i'm not blindly going down different paths. does any one know of any way to easliy set up a dynamic firewall list and apply that to cisco kit? via a java app
Similar Messages
-
Dot1x with port security and redundant radius servers
I have a strange issue with my dot1x port authentication. I have two radius servers configured in my switch for redundancy, and on my switchport I have a Cisco IP phone and a PC. Testing redundnacy with the radius servers, when I have both servers active and running, the port authentication works fine for both phone and pc. When I fail the radius servers in the configuration, by disconnecting the NIC on it, the switch goes to the surviving radius server and authenticates, (I can see it in the running log) both the phone and PC get an access-accept, but only the phone works on the network and the port light stays amber showing it's blocking for the pc. Strange, since it showed an accept on the radius server.
This only seems to happen when the first one on the list is failed. When the second one is failed, it obviously won't need to try it, so there's not an issue. Any ideas?
Here's the setup and configs:
freeradius 2.1.12-4
cisco 3560
Switch Ports Model SW Version SW Image
* 1 52 WS-C3560G-48PS 12.2(53)SE2 C3560-IPBASEK9-M
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
interface GigabitEthernet0/1
switchport access vlan 100
switchport mode access
switchport voice vlan 110
authentication event no-response action authorize vlan 901
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 1
no mdix auto
spanning-tree portfast
radius-server host 10.90.1.88 auth-port 1645 acct-port 1646 key 7 xxx
radius-server host 10.90.1.85 auth-port 1645 acct-port 1646 key 7 xxx
Here's an authentication string from the radius server:
(there are two mac address. The first one 00.13 is the PC and the second 30.37 is the phone)
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=204, length=160
User-Name = "001372b639a6"
User-Password = "001372b639a6"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "9C-AF-CA-23-D9-01"
Calling-Station-Id = "00-13-72-B6-39-A6"
Message-Authenticator = 0xfeef777a8033c24934306b3cce78c8f1
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "GigabitEthernet0/1"
NAS-IP-Address = 10.90.100.7
Wed Sep 18 10:48:06 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:06 2013 : Info: +- entering group authorize {...}
Wed Sep 18 10:48:06 2013 : Info: ++[preprocess] returns ok
Wed Sep 18 10:48:06 2013 : Info: ++[chap] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[mschap] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[digest] returns noop
Wed Sep 18 10:48:06 2013 : Info: [suffix] No '@' in User-Name = "001372b639a6", looking up realm NULL
Wed Sep 18 10:48:06 2013 : Info: [suffix] No such realm "NULL"
Wed Sep 18 10:48:06 2013 : Info: ++[suffix] returns noop
Wed Sep 18 10:48:06 2013 : Info: [eap] No EAP-Message, not doing EAP
Wed Sep 18 10:48:06 2013 : Info: ++[eap] returns noop
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: %{User-Name} -> 001372b639a6
Wed Sep 18 10:48:06 2013 : Info: [sql] sql_set_user escaped user --> '001372b639a6'
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 3
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Info: [sql] User found in radcheck table
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '001372b639a6' ORDER BY id
Wed Sep 18 10:48:06 2013 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '001372b639a6' ORDER BY priority
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '001372b639a6' ORDER BY priority
Wed Sep 18 10:48:06 2013 : Debug: rlm_sql (sql): Released sql socket id: 3
Wed Sep 18 10:48:06 2013 : Info: ++[sql] returns ok
Wed Sep 18 10:48:06 2013 : Info: ++[expiration] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[logintime] returns noop
Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns updated
Wed Sep 18 10:48:06 2013 : Info: Found Auth-Type = PAP
Wed Sep 18 10:48:06 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:06 2013 : Info: +- entering group PAP {...}
Wed Sep 18 10:48:06 2013 : Info: [pap] login attempt with password "001372b639a6"
Wed Sep 18 10:48:06 2013 : Info: [pap] Using clear text password "001372b639a6"
Wed Sep 18 10:48:06 2013 : Info: [pap] User authenticated successfully
Wed Sep 18 10:48:06 2013 : Info: ++[pap] returns ok
Wed Sep 18 10:48:06 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:06 2013 : Info: +- entering group post-auth {...}
Wed Sep 18 10:48:06 2013 : Info: ++[exec] returns noop
Sending Access-Accept of id 204 to 10.90.100.7 port 1645
Wed Sep 18 10:48:06 2013 : Info: Finished request 0.
Wed Sep 18 10:48:06 2013 : Debug: Going to the next request
Wed Sep 18 10:48:06 2013 : Debug: Waking up in 4.9 seconds.
Wed Sep 18 10:48:11 2013 : Info: Cleaning up request 0 ID 204 with timestamp +77
Wed Sep 18 10:48:11 2013 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 10.90.100.7 port 1645, id=205, length=160
User-Name = "3037a616cd49"
User-Password = "3037a616cd49"
Service-Type = Call-Check
Framed-MTU = 1500
Called-Station-Id = "9C-AF-CA-23-D9-01"
Calling-Station-Id = "30-37-A6-16-CD-49"
Message-Authenticator = 0xc9173e759dd759b9d414d192783e8a8e
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "GigabitEthernet0/1"
NAS-IP-Address = 10.90.100.7
Wed Sep 18 10:48:13 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:13 2013 : Info: +- entering group authorize {...}
Wed Sep 18 10:48:13 2013 : Info: ++[preprocess] returns ok
Wed Sep 18 10:48:13 2013 : Info: ++[chap] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[mschap] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[digest] returns noop
Wed Sep 18 10:48:13 2013 : Info: [suffix] No '@' in User-Name = "3037a616cd49", looking up realm NULL
Wed Sep 18 10:48:13 2013 : Info: [suffix] No such realm "NULL"
Wed Sep 18 10:48:13 2013 : Info: ++[suffix] returns noop
Wed Sep 18 10:48:13 2013 : Info: [eap] No EAP-Message, not doing EAP
Wed Sep 18 10:48:13 2013 : Info: ++[eap] returns noop
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: %{User-Name} -> 3037a616cd49
Wed Sep 18 10:48:13 2013 : Info: [sql] sql_set_user escaped user --> '3037a616cd49'
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Reserving sql socket id: 2
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Info: [sql] User found in radcheck table
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '3037a616cd49' ORDER BY id
Wed Sep 18 10:48:13 2013 : Info: [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '3037a616cd49' ORDER BY priority
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = '3037a616cd49' ORDER BY priority
Wed Sep 18 10:48:13 2013 : Debug: rlm_sql (sql): Released sql socket id: 2
Wed Sep 18 10:48:13 2013 : Info: ++[sql] returns ok
Wed Sep 18 10:48:13 2013 : Info: ++[expiration] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[logintime] returns noop
Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns updated
Wed Sep 18 10:48:13 2013 : Info: Found Auth-Type = PAP
Wed Sep 18 10:48:13 2013 : Info: # Executing group from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:13 2013 : Info: +- entering group PAP {...}
Wed Sep 18 10:48:13 2013 : Info: [pap] login attempt with password "3037a616cd49"
Wed Sep 18 10:48:13 2013 : Info: [pap] Using clear text password "3037a616cd49"
Wed Sep 18 10:48:13 2013 : Info: [pap] User authenticated successfully
Wed Sep 18 10:48:13 2013 : Info: ++[pap] returns ok
Wed Sep 18 10:48:13 2013 : Info: # Executing section post-auth from file /etc/raddb/sites-enabled/default
Wed Sep 18 10:48:13 2013 : Info: +- entering group post-auth {...}
Wed Sep 18 10:48:13 2013 : Info: ++[exec] returns noop
Sending Access-Accept of id 205 to 10.90.100.7 port 1645
Cisco-AVPair = "device-traffic-class=voice"
Wed Sep 18 10:48:13 2013 : Info: Finished request 1.
Wed Sep 18 10:48:13 2013 : Debug: Going to the next request
Wed Sep 18 10:48:13 2013 : Debug: Waking up in 4.9 seconds.
Wed Sep 18 10:48:18 2013 : Info: Cleaning up request 1 ID 205 with timestamp +84
Wed Sep 18 10:48:18 2013 : Info: Ready to process requests.
Thanks!802.1X support requires an authentication server that is configured for Remote Authentication Dial-In User Service (RADIUS). 802.1X authentication does not work unless the network access switch can route packets to the configured RADIUS server.
Please check the below links which can be helpful in configurations:
Link-1
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html -
Configuring JMS and loadbalancer with SSL termination? Has Anyone done it?
Hi all,
I'm having a problem getting JMS or even any JNDI lookup to work with a hardware load balancer and SSL termination. Has anyone used such a configuration? The load balancer in question is a Cisco CSS 11500 Series which has an SSL module. A client communicates with the CSS over SSL, the SSL module decrypts the packets and sends it for content switching and on to WebLogic as cleartext.
Without SSL termination everthing works fine. With SSL termination active, Web service and web content all work fine, but I can't get SSL tGetting Initial context from ms01
<29-Sep-2006 16:07:22 o'clock IST> <Debug> <TLS> <000000> <SSL/Domestic license found>
<29-Sep-2006 16:07:22 o'clock IST> <Debug> <TLS> <000000> <Not in server, Certicom SSL license found>
<29-Sep-2006 16:07:23 o'clock IST> <Debug> <TLS> <000000> <SSL Session TTL :90000>
<29-Sep-2006 16:07:23 o'clock IST> <Debug> <TLS> <000000> <Trusted CA keystore: D:/eclipse/workspace/LoadBalancerTest/ssl/keystores/cssKeyS
ore.keystore>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 886220>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <write SSL_20_RECORD>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <3941240 received HANDSHAKE>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <3941240 received HANDSHAKE>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Certificate>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <validationCallback: validateErr = 0>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> < cert[0] = [
Version: V3
Subject: EMAILADDRESS="[email protected] ", CN=10.51.0.200, OU=Web Administration, O=Revenue Commissioners, L=Dublin, ST=Dublin,
=IE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
a8f60248 b87c5860 229b9044 a666a9ae 27eb488c 424d9e67 e7b9d6d0 c292f081
cfa76c04 f3d89b28 1bf544f9 5de2b66d 576ebeca 5dc5ca8a fceead9a 52e2ce6c
2b91afef e4da5071 49b8784c 12d7f5f3 99f76482 79efe1d8 0a24f664 4c8d6e9e
b0bc63be 1faf8319 eeb23e8a 019b65b2 59dd086d 1b714d4c 01618804 66f416bb
Validity: [From: Fri Sep 08 11:44:28 BST 2006,
To: Mon Sep 05 11:44:28 BST 2016]
Issuer: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
SerialNumber: [ 0131]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 0E 6E 72 2E B1 3B B6 A3 59 79 5A C5 41 26 B7 B6 .nr..;..YyZ.A&..
0010: A2 39 4C 73 .9Ls
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
0010: AA 97 05 0D ....
[CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE]
SerialNumber: [ 00]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
Algorithm: [MD5withRSA]
Signature:
0000: 2C A0 0C 34 4E 0D CA 24 A5 C3 03 3A 71 A1 2D D3 ,..4N..$...:q.-.
0010: 65 A2 FA EF C1 5D D4 4A 28 8C 1A 70 5F 92 73 5E e....].J(..p_.s^
0020: 7B 13 D4 AE 36 A8 86 EA 60 7F A5 E3 86 6E 84 1F ....6...`....n..
0030: 5E 5F 30 06 B4 AA 2E 5C A7 65 74 32 09 0A 91 14 ^_0....\.et2....
]>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> < cert[1] = [
Version: V3
Subject: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
bc61b29f a830c97a 7a76883e 1665a241 a68b891f 8e4167eb 62e578ac 9e342c3e
53c9de8b e756634b e364010f 4d36c1c5 21a65b37 b64b4861 6f4dda29 b932191f
Validity: [From: Mon May 31 15:22:15 BST 2004,
To: Thu May 29 15:22:15 BST 2014]
Issuer: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
SerialNumber: [ 00]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
0010: AA 97 05 0D ....
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
0010: AA 97 05 0D ....
[CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE]
SerialNumber: [ 00]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
Algorithm: [MD5withRSA]
Signature:
0000: 3C 64 7C 9E 0B 90 48 9D 70 74 06 80 7F 2C AF 73 <d....H.pt...,.s
0010: 92 1C C3 39 DD C3 45 B6 A4 8E 11 27 8E 21 18 4B ...9..E....'.!.K
0020: FD AA 31 5E 35 FC DF 9E 70 42 F4 65 5C DF 56 9A ..1^5...pB.e\.V.
0030: DD 8C 6B B7 3B BE E5 A7 D5 4A 16 23 C1 91 07 CA ..k.;....J.#....
]>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <SSLTrustValidator returns: 0>
<29-Sep-2006 16:07:24 o'clock IST> <Debug> <TLS> <000000> <Trust status (0): NONE>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <Performing hostname validation checks: 10.51.0.200>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 received HANDSHAKE>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHelloDone>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 134>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 received CHANGE_CIPHER_SPEC>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3941240 received HANDSHAKE>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 272>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <3445873 read(offset=0, length=2048)>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3941240 received APPLICATION_DATA: databufferLen 0, contentLength 372>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3445873 read databufferLen 372>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3445873 read A returns 372>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 339>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3445873 read(offset=372, length=1676)>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 6771926>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 93>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 SSL3/TLS MAC>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 received HANDSHAKE>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 SSL3/TLS MAC>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 received CHANGE_CIPHER_SPEC>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 SSL3/TLS MAC>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 received HANDSHAKE>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 402>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 1707>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <23328673 read(offset=0, length=2048)>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 SSL3/TLS MAC>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <3840954 received APPLICATION_DATA: databufferLen 0, contentLength 174>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <23328673 read databufferLen 174>
<29-Sep-2006 16:07:29 o'clock IST> <Debug> <TLS> <000000> <23328673 read A returns 174>
<29-Sep-2006 16:07:44 o'clock IST> <Debug> <TLS> <000000> <NEW ALERT with Severity: WARNING, Type: 0
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
at weblogic.net.http.HttpClient.closeServer(HttpClient.java:466)
at weblogic.net.http.KeepAliveCache$1.run(KeepAliveCache.java:120)
at java.util.TimerThread.mainLoop(Unknown Source)
at java.util.TimerThread.run(Unknown Source)
>
<29-Sep-2006 16:07:44 o'clock IST> <Debug> <TLS> <000000> <avalable(): 23328673 : 0 + 0 = 0>
<29-Sep-2006 16:07:44 o'clock IST> <Debug> <TLS> <000000> <write ALERT, offset = 0, length = 2>
<29-Sep-2006 16:07:44 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.removeContext(ctx): 6771926>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <3941240 SSL3/TLS MAC>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <3941240 received APPLICATION_DATA: databufferLen 0, contentLength 98>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <3445873 read databufferLen 98>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <3445873 read A returns 98>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 8406772>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 93>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 SSL3/TLS MAC>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 received HANDSHAKE>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 SSL3/TLS MAC>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 received CHANGE_CIPHER_SPEC>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 SSL3/TLS MAC>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <21830977 received HANDSHAKE>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 339>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <5618579 read(offset=0, length=2048)>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:08:13 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
Exception in thread "main" javax.naming.CommunicationException [Root exception is java.net.ConnectException: https://10.51.0.200:8143: Boot
trap to: 10.51.0.200/10.51.0.200:8143' over: 'https' got an error or timed out]
at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:47)
at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:636)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:306)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:239)
at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:135)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at TestAllManagedServers.main(TestAllManagedServers.java:54)
Caused by: java.net.ConnectException: https://10.51.0.200:8143: Bootstrap to: 10.51.0.200/10.51.0.200:8143' over: 'https' got an error or t
med out
at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:200)
at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:125)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:296)
... 7 more
o work for a simple JNDI lookup. With SSL debugging turned on, the following output is given:
When I compare the Server HTTP logs I see that an initial context lookup involves 3 HTTP requests, e.g.
25.2.1.210 - - [29/Sep/2006:16:29:12 +0100] "GET /bea_wls_internal/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+8.1.5+dummy+%0A&r
and=3018901804201457976&AS=255&HL=19 HTTP/1.1" 200 17
25.2.1.210 - - [29/Sep/2006:16:29:12 +0100] "GET /bea_wls_internal/HTTPClntRecv/a.tun?connectionID=0&rand=7332722597180897050 HTTP/1
.1" 200 2341
25.2.1.210 - - [29/Sep/2006:16:29:12 +0100] "POST /bea_wls_internal/HTTPClntSend/a.tun?connectionID=0&rand=3415396992694182025 HTTP/
1.1" 200 17
When my request goes through the load balancer I see the following in the HTTP logs:
10.51.0.200 - - [29/Sep/2006:16:31:33 +0100] "GET /bea_wls_internal/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+8.1.5+dummy+%0A&
rand=8279752507152372405&AS=255&HL=19 HTTP/1.1" 200 17
10.51.0.200 - - [29/Sep/2006:16:31:33 +0100] "POST /bea_wls_internal/HTTPClntSend/a.tun?connectionID=0&rand=1051450669479197885 HTTP
/1.1" 200 17
10.51.0.200 - - [29/Sep/2006:16:32:28 +0100] "GET /bea_wls_internal/HTTPClntRecv/a.tun?connectionID=0&rand=6035654607615870287 HTTP/
1.1" 200 5
10.51.0.200 - - [29/Sep/2006:16:33:13 +0100] "GET /bea_wls_internal/HTTPClntRecv/a.tun?connectionID=0&rand=8245112057388607005 HTTP/
1.1" 200 5
Notice the time delay in some of the messages.
The following error appears in the WebLogic server log, however I've verified that all IP addresses referenced by the load balancer configuration match those in the WebLogic configuration:
<29-Sep-2006 16:31:43 o'clock IST> <Error> <RJVM> <BEA-000572> <The server rejected a connection attempt JVMMessage from: '266014296
868812899C:25.2.1.210R:2462711729186814398S:10.51.0.2:[8113,8113,8114,8114,8113,8114,-1,0,0]:10.51.0.1:8103,10.51.0.1:8105,10.51.0.1
:8107,10.51.0.2:8109,10.51.0.2:8111,10.51.0.2:8113:risIntCluster01:ms06' to: '0S:10.51.0.200:[-1,-1,-1,8143,-1,-1,-1,-1,-1]' cmd: 'C
MD_IDENTIFY_REQUEST', QOS: '102', responseId: '0', invokableId: '0', flags: 'JVMIDs Sent, TX Context Not Sent', abbrev offset: '228'
probably due to an incorrect firewall configuration or admin command.>
When a JNDI lookup is made directly to a WebLogic server on the https port, the client gives the following output:
Getting Initial context from ms01
<29-Sep-2006 16:29:22 o'clock IST> <Debug> <TLS> <000000> <SSL/Domestic license found>
<29-Sep-2006 16:29:22 o'clock IST> <Debug> <TLS> <000000> <Not in server, Certicom SSL license found>
<29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <SSL Session TTL :90000>
<29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <Trusted CA keystore: D:/eclipse/workspace/LoadBalancerTest/ssl/keystores/cssKeySt
ore.keystore>
<29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
<29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 7860099>
<29-Sep-2006 16:29:23 o'clock IST> <Debug> <TLS> <000000> <SSLSocket will NOT be Muxing>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <write SSL_20_RECORD>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <32915800 received HANDSHAKE>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <32915800 received HANDSHAKE>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Certificate>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <validationCallback: validateErr = 0>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> < cert[0] = [
Version: V3
Subject: CN=10.52.0.3, OU=Revenue Integration Server, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
ac47cae5 45e55fe4 8ec06362 84aab923 af35d7f1 8b7e8aaa 32772d8a d8185106
0ba91363 07162207 6eaa33b4 db8a3fbb 1e228e93 841ff322 e319242a 04ae7447
Validity: [From: Mon May 31 16:45:21 BST 2004,
To: Thu May 29 16:45:21 BST 2014]
Issuer: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
SerialNumber: [ 05]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 1F 16 1D 4F 70 65 6E 53 53 4C 20 47 65 6E 65 ....OpenSSL Gene
0010: 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 74 rated Certificat
0020: 65 e
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D7 B3 92 7B C7 4E 2F 5D F3 97 CB 3B F9 FB 0A 1E .....N/]...;....
0010: 97 C5 DD F1 ....
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
0010: AA 97 05 0D ....
[CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE]
SerialNumber: [ 00]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
Algorithm: [MD5withRSA]
Signature:
0000: 57 B6 54 4E 1A 54 91 66 5C A8 FE AF B6 50 AB 23 W.TN.T.f\....P.#
0010: 6A 32 42 77 06 44 D5 7D 40 81 E4 DD 84 E3 7B 55 [email protected]
0020: 96 A6 BC E9 E9 51 96 B9 E4 01 56 F9 41 B7 0C C3 .....Q....V.A...
0030: 0A 92 C0 17 6E 6B 9D D6 9A 87 6D 6E 15 5A 86 F4 ....nk....mn.Z..
]>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> < cert[1] = [
Version: V3
Subject: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
bc61b29f a830c97a 7a76883e 1665a241 a68b891f 8e4167eb 62e578ac 9e342c3e
53c9de8b e756634b e364010f 4d36c1c5 21a65b37 b64b4861 6f4dda29 b932191f
Validity: [From: Mon May 31 15:22:15 BST 2004,
To: Thu May 29 15:22:15 BST 2014]
Issuer: CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE
SerialNumber: [ 00]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
0010: AA 97 05 0D ....
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: D2 66 DD FC 06 C2 BC 7E 18 D5 64 38 AD 6E D0 0A .f........d8.n..
0010: AA 97 05 0D ....
[CN=Revenue CA, OU=Revenue Certificate Authority, O=Office Of The Revenue Commissioners, L=Dublin, ST=Dublin, C=IE]
SerialNumber: [ 00]
[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
Algorithm: [MD5withRSA]
Signature:
0000: 3C 64 7C 9E 0B 90 48 9D 70 74 06 80 7F 2C AF 73 <d....H.pt...,.s
0010: 92 1C C3 39 DD C3 45 B6 A4 8E 11 27 8E 21 18 4B ...9..E....'.!.K
0020: FD AA 31 5E 35 FC DF 9E 70 42 F4 65 5C DF 56 9A ..1^5...pB.e\.V.
0030: DD 8C 6B B7 3B BE E5 A7 D5 4A 16 23 C1 91 07 CA ..k.;....J.#....
]>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <SSLTrustValidator returns: 0>
<29-Sep-2006 16:29:24 o'clock IST> <Debug> <TLS> <000000> <Trust status (0): NONE>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <Performing hostname validation checks: 10.51.0.1>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 received HANDSHAKE>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHelloDone>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 70>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write HANDSHAKE, offset = 0, length = 16>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 received CHANGE_CIPHER_SPEC>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 received HANDSHAKE>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 0>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <write APPLICATION_DATA, offset = 0, length = 270>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <30340343 read(offset=0, length=2048)>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <isMuxerActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLS> <000000> <32915800 SSL3/TLS MAC>
<29-Sep-2006 16:29:28 o'clock IST> <Debug> <TLYou will need an AAM set with the internal (http) address.
http://blogs.msdn.com/b/ajithas/archive/2009/09/11/alternate-access-mapping-in-reverse-proxy-configuration.aspx
Dimitri Ayrapetov (MCSE: SharePoint) -
Hi,
I have questions about "Accounting-Start" and "Accounting-Stop".
1.If a NAS configured to have a primary and a backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the primary server goes down (Primary server won’t tell the NAS?). When sessions stop, the NAS sends the “Accounting-Stop” to the secondary. I understand the “Start-Stop” record with the same “user name” and “session-id” ideally should be recorded in the same server. If this situation happens what should both the NAS and RADIUS server do?
2.A NAS configured to have a primary and backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the administrator decided to change the primary server (as there are problems with the previous primary). sessions stop, the NAS sends the “Accounting-Stop” to the new primary. This ends up the “Accounting-Start” and “Accounting-Stop” with the same “user name” and “session Id” in two RADIUS servers.
To summarize, how to avoid the ”start-stop” pair ends up in different servers ? If it does, is it an issue for RADIUS application ?
Cheers,
1.If a NAS configured to have a primary and a backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the primary server goes down (Primary server won’t tell the NAS?). When sessions stop, the NAS sends the “Accounting-Stop” to the secondary. I understand the “Start-Stop” record with the same “user name” and “session-id” ideally should be recorded in the same server. If this situation happens what should both the NAS and RADIUS server do?
2.A NAS configured to have a primary and backup RADIUS server. To start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the administrator decided to change the primary server (as there are problems with the previous primary). sessions stop, the NAS sends the “Accounting-Stop” to the new primary. This ends up the “Accounting-Start” and “Accounting-Stop” with the same “user name” and “session Id” in two RADIUS servers.
To summarize, how to avoid the ”start-stop” pair ends up in different servers ? If it does, is it an issue for RADIUS application ?
Cheers,vignesh and BalusC,
following is the code in front controller's doFilter method. is this not thread safe?
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
HttpSession session = req.getSession();
somepackage.User user;
if(session.getAttribute("user") == null){
user = new somepackage.User();
session.setAttribute("user", user);
}else{
user = (somepackage.User) session.getAttribute("user");
}user object maintains all information about a user. if it is in session scope, everything should work fine.
another observation is after some time of usage, both people in different systems are getting same session.getId()
in my logout page i am using
session.invalidate();
thanks,
moses -
WLC 4400 and multiple authentication servers e.g. RADIUS, ACS
WLC 4400 and multiple authentication servers e.g. RADIUS, ACS
Can the WCL 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.Yes, that is correct. You can set acs to use both radius and tacacs.
For this you need to add WLC twice in acs-->network configuration. But you need to keep host name different.
eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
You need to set up tacacs commands on WLC along with radius commands.
Regards,
~JG
Please rate helpful posts -
MDB clustering and loadbalancing
Hello Everything,
I need your advise for clustering my MDB's. Below is the scenario.
I deployed 4 MDB's on four weblogic servers and listening to the same JMS queue
and created a cluster for those 4 weblogic servers for loadbalancing and failover.
I set round-robin as the loadbalancing algorithm, but weblogic is not distributing
the load based on that algorithm. First bean is receiving 4 messages before 2nd
bean receives a message.
I need to send 1st message to 1st server , 2nd message to 2nd server in that way.
Can any advise better way of creating a cluster and loadbalancing the messages
across the servers.
Any help will be appreciated.
Lucky
"Lucky" <[email protected]> wrote:
>
>Hello Everything,
>
>I need your advise for clustering my MDB's. Below is the scenario.
>
>I deployed 4 MDB's on four weblogic servers and listening to the same
>JMS queue
>and created a cluster for those 4 weblogic servers for loadbalancing
>and failover.
>
>I set round-robin as the loadbalancing algorithm, but weblogic is not
>distributing
>the load based on that algorithm. First bean is receiving 4 messages
>before 2nd
>bean receives a message.
>
>I need to send 1st message to 1st server , 2nd message to 2nd server
>in that way.
>Can any advise better way of creating a cluster and loadbalancing the
>messages
>across the servers.
>
>Any help will be appreciated.
>
>Lucky
>
>
I think your jms queue should be jms distrubited queue and the connection factory
which you use to create connection to the distributed queue should disable server
affinity and enable load balance. also your MDB should be deployed to the cluster.
-
How to set two radius servers one is window NPS another is cisco radius server
how to set two radius servers one is window NPS another is cisco radius server
when i try the following command, once window priority is first , i type cisco radius user name, it authenticated fail
i can not use both at the same time
radius-server host 192.168.1.3 is window NPS
radius-server host 192.168.1.1 is cisco radius
http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
conf t
no aaa authentication login default line
no aaa authentication login local group radius
no aaa authorization exec default group radius if-authenticated
no aaa authorization network default group radius
no aaa accounting connection default start-stop group radius
aaa new-model
aaa group server radius IAS
server 192.168.1.1 auth-port 1812 acct-port 1813
server 192.168.1.3 auth-port 1812 acct-port 1813
aaa authentication login userAuthentication local group IAS
aaa authorization exec userAuthorization local group IAS if-authenticated
aaa authorization network userAuthorization local group IAS
aaa accounting exec default start-stop group IAS
aaa accounting system default start-stop group IAS
aaa session-id common
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
privilege exec level 1 show config
ip radius source-interface Gi0/1
line vty 0 4
authorization exec userAuthorization
login authentication userAuthentication
transport input telnet
line vty 5 15
authorization exec userAuthorization
login authentication userAuthentication
transport input telnet
end
conf t
aaa group server radius IAS
server 192.168.1.3 auth-port 1812 acct-port 1813
server 192.168.1.1 auth-port 1812 acct-port 1813
endThe first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined on the list and use that one until it becomes unavailable and then move to third one, and so on.
If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (vip) will be listed in the NADs vs the individual AAA servers' IPs.
I hope this helps!
Thank you for rating helpful posts! -
Cisco ISE with both internal and External RADIUS Server
Hi
I have ISE 1.2 , I configured it as management monitor and PSN and it work fine
I would like to know if I can integrate an external radius server and work with both internal and External RADIUS Server simultanously
So some computer (groupe_A in active directory ) will continu to made radius authentication on the ISE internal radius and other computer (groupe_B in active directory) will made radius authentication on an external radius server
I will like to know if it is possible to configure it and how I can do it ?
Thanks in advance for your help
Regards
BlaiseCisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same. -
Pros and Cons of using REST over JMS (and other technologies)
Hey all,
I am working on a project where we were using JMS initially to send messages between servers. Our front end servers have a RESTful API and use JEE6, with EJB 3.1 entity beans connected to a mysql database and so forth. The back end servers are more like "agents" so to speak.. we send some work for them to do, they do it. They are deployed in GlassFish 3.1 as well, but initially I was using JMS to listen to messages. I learned that JMS onMessage() is not threaded, so in order to facilitate handling of potentially hundreds of messages at once, I had to implement my own threading framework. Basically I used the Executor class. I could have used MDBs, but they are a lot more heavyweight than I needed, as the code within the onMessage was not using any of the container services.
We ran into other issues, such as deploying our app in a distributed architecture in the cloud like EC2 was painful at best. Currently the cloud services we found don't support multi-cast so the nice "discover" feature for clustering JMS and other applications wasn't going to work. For some odd reason there seems to be little info on building out a scalable JEE application in the cloud. Even the EC2 techs, and RackSpace and two others had nobody that understood how to do it.
So in light of this, plus the data we were sending via JMS was a number of different types that had to all be together in a group to be processed.. I started looking at using REST. Java/Jersey (JAX-RS) is so easy to implement and has thus far had wide industry adoption. The fact that our API is already using it on the front end meant I could re-use some of the representations on the back end servers, while a few had to be modified as our public API was not quite needed in full on the back end. Replacing JMS took about a day or so to put the "onmessage" handler into a REST form on the back end servers. Being able to submit an object (via JAXB) from the front servers to the back servers was much nicer to work with than building up a MapMessage object full of Map objects to contain the variety of data elements we needed to send as a group to our back end servers. Since it goes as XML, I am looking at using gzip as well, which should compress it by about 90% or so, making it use much less bandwidth and thus be faster. I don't know how JMS handles large messages. We were using HornetQ server and client.
So I am curious what anyone thinks.. especially anyone that is knowledgeable with JMS and may understand REST as well. What benefits do we lose out on via JMS. Mind you, we were using a single queue and not broadcasting messages.. we wanted to make sure that one and only one end server got the message and handled it.
Thanks..look forward to anyone's thoughts on this.851827 wrote:
Thank you for the reply. One of the main reasons to switch to REST was JMS is strongly tied to Java. While I believe it can work with other message brokers that other platforms/languages can also use, we didn't want to spend more time researching all those paths. REST is very simple, works very well and is easy to implement in almost any language and platform. Our architecture is basically a front end rest API consumed by clients, and the back end servers are more like worker threads. We apply a set of rules, validations, and such on the front end, then send the work to be done to the back end. We could do it all in one server tier, but we also want to allow other 3rd parties to implement the "worker" server pieces in their own domains with their own language/platform of choice. Now, with this model, they simply provide a URL to send some REST calls to, and send some REST calls back to our servers.well, this sounds like this would be one of those requirements which might make jms not a good fit. as ejp mentioned, message brokers usually have bindings in multiple languages, so jms does not necessarily restrict you from using other languages/platforms as the worker nodes. using a REST based api certainly makes that more simple, though.
As for load balancing, I am not entirely sure how glassfish or JBoss does it. Last time I did anything with scaling, it involved load balancers in front of servers that were session/cookie aware for stateful needs, and could round robin or based on some load factor on each server send requests to appropriate servers in a cluster. If you're saying that JBoss and/or GlassFish no longer need that.. then how is it done? I read up on HornetQ where a request sent to one ip/hornetq server could "discover" other servers in a cluster and balance the load by sending requests to other hornetq servers. I assume this is how the JEE containers are now doing it? The problem with that to me is.. you have one server that is loaded with all incoming traffic and then has to resend it on to other servers in the cluster. With enough load, it seems that the glassfish or jboss server become a load balancer and not doing what they were designed to do.. be a JEE container. I don't recall now if load balancing is in the spec or not..I would think it would not be required to be part of a container though, including session replication and such? Is that part of the spec now?you are confusing many different types of scaling. different layers of the jee stack scale in different ways. you usually scale/load balance at the web layer by putting a load balancer in front of your servers. at the ejb layer, however, you don't necessarily need that. in jboss, the client-side stub for invoking remote ejbs in a cluster will actually include the addresses for all the boxes and do some sort of work distribution itself. so, no given ejb server would be receiving all the incoming load. for jms, again, there are various points of work to consider. you have the message broker itself which is scaled/load balanced in whatever fashion it supports (don't know many details on actual message broker impls). but, for the mdbs themselves, each jee server is pretty independent. each jee server in the cluster will start a pool of mdbs and setup a connection to the relevant queue. then, the incoming messages will be distributed to the various servers and mdbs accordingly. again, no single box will be more loaded than any other.
load balancing/clustering is not part of the jee "spec", but it is one of the many features that a decent jee server will handle for you. the point of jee was to specify patterns for doing work which, if followed, allow the app server to do all the "hard" parts. some of those features are required (transactions, authentication, etc), and some of those features are not (clustering, load-balancing, other robustness features).
I still would think dedicated load balancers, whether physical hardware or virtual software running in a cloud/VM setup would be a better solution for handling load to different tiers?like i said, that depends on the tier. makes sense in some situations, not others. (for one thing, load-balancers tend to be http based, so they don't work so well for non-http protocols.) -
We just implemented ISE 802.1x in couple of our Cisco 4507 switches and we are seeing the following error in the log.
%HA_EM-3-LOG: NAC-RADIUS-FAIL-OPEN-DEAD: All RADIUS servers are dead changing the nac-enforcement ACL to permit all
I paste it in the Cisco error message decoder and came back with not found.
Thanks...Jimmy,
Srory for the late reply but it turned out to be we needed to add the missing auth data vlan command on the switch. After that the error went away.
Thanks for you input I do appreciate it.
Jack. -
IPad 802.1x and Microsoft RADIUS
Is anyone running iPad 2's in the enterprise using Microsoft RADIUS server? Now I understand that you can't use device certs because iPads cannot be joined to the domain, but I can use user certs. Now I read that iOS support PKCS#1 and #12, but I do not have this option on my CA for a cert request? Can someone share some tips on how they deployed these devices on the enterprise network? I could really use some help here. Thanks.
> [email protected] wrote:
>
> > You can do 802.1x authentication in Windows XP and 2000 with service
pack
> > 3 or above withou the Odyssey client. You can see this when you right
> > click on your network card, choos properties and you should see an
> > authentication tab if you have XP or 2000 with the right service
pack.
> > This is built into Windows and will use the users login name and
password
> > for authentication.
>
> Yes, I'm quite aware of that. I just didn't understand what you meant
by
> "override" in this context. The bottom line is that yes, you can use
OK. As long as I can use the Novell Client and Windows for
authentication. The testing that we are doing is using Direct XML on the
Novell Server and Remote Loader on an AD server with IAS. The user names
and groups are synchronized to AD. THe authentication with then happend
at the AD server with IAS.
> the Windows client to authenticate against 802.1x compliant RADIUS
> servers, and NO, Novell's is not 802.1x compliant, and never will be.
> It's *possible* (but not confirmed) that Novell may be providing
> detailed and supported steps to get freeRADIUS working for such tasks,
> though. That's all I can tell you as that's all I know.
>
> --
> Jim
> NSC SYsop -
Is it a complex task to translate between JMS and MQ?
Hello!
I wonder if it is a complex task to translate a JMS message (javax.jms.Message) to a MQ message (com.xxx.MQMessage)?
xxx=I do not remember the package name for MQMessage
Right now I participate in a project where we need to do this translation.
(I must admit that I thougt there was no need for a translation. I thought that JMS was transparent to MQ and vice versa. But I guess I was wrong)
I would love to hear some experiance and perhaps if there is some "best practice", please let me know!
Best regards
Fredrikantsbull wrote:
I'm happy for you that you use WebLogic - however WebSphere MQ is the leading messaging technology in the industry. If it is configured correctly it guarantees 100% message retention. You may beg to differ, but you have nothing to back it up with so far - maybe IBM should be sued for false advertising if it is impossible (as you say)?Not really. IBM isn't a very important software company, IMO. They're huge in global services, but they passed leadership in hardware and software off to others decades ago. Or maybe you're one of those people who still lives in the 80s and thinks of IBM as a "leader".
There's a lot of IBM legacy out there. Banks are still running DB2, but nobody thinks it's a leader in the relational database space. There's a lot of Cobol code with CICS running on mainframes, but surely you're not going to cite that as cutting edge, are you?
Just curious - do you work for IBM?
All I know is that MQ is the industry standard, as you can easily discover on google or wikipedia or whatever you want. Wikipedia? Is that your best source? LOL!
Let's look at Wikipedia, shall we? Your own source tells me that WebSphere is ~40% of the market:
http://en.wikipedia.org/wiki/MQSeries
I'm even suspicious of these numbers, because I think they leave out the open source parts of the market. How do you quantify that? # downloads? # of systems in production? I'll bet that survey doesn't exist. And it looks different depending on whether we're talking about large or small companies.
Why don't you find some links to support your claim? You've done nothing but say "industry leading" and "guarantees 100%". Your "because I said so" isn't convincing, either.
Come back in a month - I have time.
Maybe if you are such a messaging expert you would have some reasons why the majority of the industry use MQ and not WebLogic even though WebLogic is supposedly better? Because the entire world isn't IBM anymore.
I worked on a Ministry of Justice project that used WebLogic application server and its JMS queues for a critical messaging component - and at least once every two weeks the queues would go down and there would be a mad rush to get them back up - this was probably a poorly configured installation of WebLogic, and is only one example, but it left me with a pretty poor opinion of the product.That's fair. I don't know anything about the version or the admins or the servers or even you. But if that's what your experience has been, I can't question it. Maybe I can question the competence of a Ministry of Justice (which country?) that doesn't seem to train their WebLogic and server admins properly. Maybe it's an organizational problem.
I can say that we have farms of WebLogic running on Solaris servers that are very reliable. I developed one app that faces out to the Internet that uses JMS, and that app hasn't had to come down in almost three years. Reliable enough?
WebSphere and WebLogic have been neck and neck in the Java EE app server space for a long time, each controlling 35-40% of the market. I think JBOSS and Glassfish are making some inroads there. Spring is making it possible to write enterprise apps that can be deployed on servlet/JSP engines.
And all of this discussion leaves out Microsoft, .NET, and MSMQ.
I would believe that MQ series has the lion's share of the middleware/messaging market, but I'd bet that it has less to do with the clear superiority of the product and more to do with the large legacy base that IBM has out there. It's a very old mainframe/COBOL/CICS kind of technology, and the organizations that brought it in tend to be large and conservative.
You didn't ask any questions about the OP's organization. I think that ought to factor into the discussion.
Oh, and by the way more than 80% of the companies on the Fortune 100 use WebSphere MQ - maybe you should inform them how rubbish it is?And 76.273% of all statistics are made up on the spot.
I'm not interested in convincing anybody of anything. It's my opinion that if I had a Java EE app server with JMS on it that I wouldn't bring in IBM's MQ Series just for the sake of having it. If there was a legacy system that I needed to integrate with that demanded I use MQ Series there'd be no question.
But why does it seem sensible to bring in yet another moving part, another expense, another separate piece to be configured and maintained and upgraded? Applications are hard enough to develop. I wouldn't use MQ Series for its own sake, and I'd challenge anybody who brought it in because "they said so".
% -
JMS on different physical servers
I have about 4 different weblogic instances running same application and running on different physical machines. One server has a topic defined and a deployed messaging bean is to listen to the messages comes to this topic. I have a foreign server and local jndi names defined on each of these servers which point to the server that has Topic defined. Server with topic defined comes up fine and runs just fine. But when I try to bring the other servers up, it fails on MDB deployment complaining no remote server found (connection not found). Basically throws JMSException: connection not found.
Pls post your MDB's DD and relevant part (i.e. JMS and Managed Server details) of your config.xml.
Cheers!
Dips -
Difference Between JMS and RMI
Difference Between JMS and RMI in J2EE Technologies
STFW
JMS - http://www.google.co.za/search?hl=en&q=what+is+jms&meta=
RMI - http://www.google.co.za/search?hl=en&q=what+is+rmi&meta= -
my question is regarding SharePoint 2013 Farm topology. if i want go with Streamlined topology and having (2 distribute cache and Rm servers+ 2 front-end servers+ 2 batch-processing servers+ cluster sql server) then how distributed servers will
be connecting to front end servers? Can i use windows 2012 NLB feature? if i use NLB and then do i need to install NLB to all distributed servers and front-end servers and split-out services? What will be the configuration regarding my scenario.
Thanks in Advanced!For the Distributed Cache servers, you simply make them farm members (like any other SharePoint servers) and turn on the Distributed Cache service (while making sure it is disabled on all other farm members). Then, validate no other services (except for
the Foundation Web service due to ease of solution management) is enabled on the DC servers and no end user requests or crawl requests are being routed to the DC servers. You do not need/use NLB for DC.
Trevor Seward
Follow or contact me at...
  
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
Maybe you are looking for
-
TS3899 All of a sudden, I can't open links in my emails. Not just yahoo, but others as well.
For the last 2 or 3 weeks, I haven't been able to open links in my emails. This includes personal & business accounts. One is Yahoo & the other is Outlook Exchange. I've never had any problem before. It's only on the IPad. I have 2 other tablets
-
ORA-01031: insufficient privileges in oracle 10.2 in windows 2008r2
Dear All, We have install SAP ecc6 EHP4 on oracle 10.2.0.5 on windows 2008R2 whenever we schedule any activity in db13 we are getting below error . ================================= Job started Step 001 started (program RSDBAJOB, variant &00000000000
-
HT4818 Can you use both Bootcamp and Parallels with the same Windows 7 installed
I have Parallels installed with Windows 7. Can I use both Bootcamp and Parallels on the same machine depending on whether I just want to work in Windows all day (Bootcamp) or alternate during the same session (Parallels)?
-
How to Access DB2 MQT (Materialized Query Table) in Crystal 10
DB2 V8 has a new construct called a Materialized Query Table (MQT) that is essentially a table containing the data represented by a view. This MQT does not appear in the Database List in Crystal under Table, View or Synonym. I assume it is due to the
-
Hi, Does anyone know if there is a service that allows with administration user to login to UCM but with the permissions of another user? I want to simulate the use of a particular user, but only have the admin user and pass. The idea was to have a s