[GLASSFISH-19207] after running asadmin enable-secure-admin , encounter problem stop/start glassfish Created: 22/Oct/12  Updated: 20/Dec/16  Resolved: 02/Mar/13

Status: Closed
Project: glassfish
Component/s: grizzly-kernel
Affects Version/s: 4.0_dev
Fix Version/s: None

Type: Bug Priority: Major
Reporter: teelucksingh Assignee: Ryan Lubke
Resolution: Cannot Reproduce Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

running Glassfish-4.0-b59 on window XP platform with jdk1.7.0_07


Attachments: XML File after-change-domain.xml     XML File after-startup-domain.xml     File server.log-b59    
Issue Links:
Cloners
is cloned by GLASSFISH-21529 after running asadmin enable-secure-a... Closed
Related
is related to JAVASERVERFACES-2557 Failure with client side state saving... Closed

 Description   

This started on glassfish-4.0-b59 and b58, did not have this issue on glassfish-4.0-b57.

after running asadmin enable-secure-admin, and re-cycling glassfish
you cannot stop/start glassfish anymore.

error from the command line is this:
Z:\glassfish3\glassfish\bin>asadmin stop-domain
NCLS-ADMIN-0010
CLI306: Warning - The server located at Z:\glassfish3\glassfish\domains\domain
is not running.
Command stop-domain executed successfully.

When the process is checked glassfish is running.
Also, this was confirmed multiple times on b58 and 59 with same results.

The server.log is attached.



 Comments   
Comment by Tim Quinn [ 22/Oct/12 ]

I could not reproduce this on Mac OS X with Java 1.7.0_7 and promoted GlassFish build 59.

The error from the server log (thanks for that) shows that there is something going wrong in the SSL handshake. The secure admin logic has not changed in the recent builds, so it's not yet clear why the errors are happening in your environment.

I'm now trying to get a Windows XP system set up to try to reproduce the error there.

Comment by Tim Quinn [ 22/Oct/12 ]

I was able to reproduce the problem on Windows XP with Java 1.7.0_7 and GlassFish build 59.

I also saw the problem using Java 1.6.0 instead.

There was a Grizzly integration just prior to build 58, so I am transferring this to the Grizzly component.

Comment by oleksiys [ 23/Oct/12 ]

I see nothing wrong w/ Grizzly, the exception is thrown from SSL layer.
Reassigning to security team, may be this is caused by recent JDK updates.

Thanks.

Comment by Tim Quinn [ 23/Oct/12 ]

I have reproduced the problem on a Windows XP system.

Using GlassFish build 57 things work with both Java 1.6.0-37 and 1.7.0_09.

Using build 58 the sequence of steps fails with both versions of Java.

Here are the steps I used:

Install GlassFish.

asadmin start-domain
asadmin change-admin-password # answer prompts to give a non-empty admin password
asadmin enable-secure-admin # you should be prompted for the user and pw; press enter for the user and enter the new pw you set for the pw
asadmin stop-domain
asadmin start-domain
asadmin uptime

Both b57 and b58 will display the server's SSL cert information and prompt the user whether to trust it. (This is normal.)

b57 then prompts for the password and, if you provide it, the uptime command completes normally as expected.
b58 does not prompt for the password but instead reports the error.

Comment by larry.mccay [ 31/Oct/12 ]

After careful review, I am reassigning this to the grizzly team. There was a change made for SPDY which you can view here: http://java.net/projects/grizzly/sources/git/revision/f51d0801c29505b1c74768b73b15207c4b0ac418

SSLUtils and SSLFilter were both modified in this change and appear in the stacktrace in windows environments.
There have been issues with SPDY on windows due to a lack of support for NPN - perhaps there is some assumption of SPDY support leaking into SSL here?

Comment by Ryan Lubke [ 05/Dec/12 ]

The code referenced in the Oct 31 comment isn't currently what is integrated in v4 so it's not relevant.. For what it's worth, the correct code is in the 2.3.x branch.

That said, I've looked at the stacktrace and I'm in agreement with Alexey - this isn't a Grizzly issue.

See:

Caused by: java.security.NoSuchAlgorithmException: SunTlsRsaPremasterSecret KeyGenerator not available
	at javax.crypto.KeyGenerator.<init>(KeyGenerator.java:158)
	at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:207)
	at sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:267)
	at sun.security.ssl.RSAClientKeyExchange.generateDummySecret(RSAClientKeyExchange.java:249)

This implies something isn't installed correctly or a configuration option is messing things up.
One possible problem that the searches pointed to was java.ext.dirs property causing issues.

I don't currently have a Windows VM available for testing. Tim or Tee, could either of you provide the domain.xml from your win32 environment once you start getting the error?

Note: I'm still of the opinion that this isn't a Grizzly issue, but will spend a few cycles to see if we can narrow down the issue.

Comment by Tim Quinn [ 05/Dec/12 ]

Attaching two domain.xml files:

after-startup-domain.xml - the file just after creating a new domain and starting it
after-change-domain.xml - the file just after enabling secure admin and restarting the domain

Both are from b58 (the first GlassFish build where this problem first appeared)

Comment by Tim Quinn [ 05/Dec/12 ]

At Ryan's request, here's some more information.

The GlassFish server.log shows java.ext.dirs defined as

C:\Program Files\Java\jre7/lib/ext:C:\Program Files\Java\jre7/jre/lib/ext:C:\tim\asgroup\b58\glassfish3\glassfish\domains\domain1/lib/ext

There is no lib directory under the jre directory on my system, so I ran

dir "C:\Program Files\Java\jre7\lib\ext" "C:\tim\asgroup\b58\glassfish3\glassfish\domains\domain1\lib\ext"

and here's the result:

Volume in drive C has no label.
Volume Serial Number is 8C50-8553

Directory of C:\Program Files\Java\jre7\lib\ext

10/23/2012 06:45 AM <DIR> .
10/23/2012 06:45 AM <DIR> ..
09/24/2012 09:28 PM 84,196 access-bridge.jar
09/24/2012 09:17 PM 8,934 dnsns.jar
09/24/2012 09:27 PM 43,593 jaccess.jar
09/24/2012 10:00 PM 1,013,521 localedata.jar
10/22/2012 05:05 PM 829 meta-index
09/24/2012 09:16 PM 15,943 sunec.jar
09/24/2012 09:26 PM 198,176 sunjce_provider.jar
09/24/2012 09:17 PM 30,695 sunmscapi.jar
09/24/2012 09:17 PM 238,226 sunpkcs11.jar
09/24/2012 09:29 PM 68,654 zipfs.jar
10 File(s) 1,702,767 bytes

Directory of C:\tim\asgroup\b58\glassfish3\glassfish\domains\domain1\lib\ext

12/05/2012 01:34 PM <DIR> .
12/05/2012 01:34 PM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 8,502,603,776 bytes free

Comment by Ryan Lubke [ 22/Feb/13 ]

Sorry for the delay in coming back to this.

I've just tested this with b76 on Windows 7 without issue.

@Tim and/or @Tee: Are you still able to reproduce this on XP with b76 (or later)?

Comment by Ryan Lubke [ 02/Mar/13 ]

Closing as cannot reproduce. If someone is still able to reproduce this, please re-open with details.

Generated at Thu Apr 27 09:26:20 UTC 2017 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.