Use this information to troubleshoot issues with your security configuration.
FFDC Exception:javax.net.ssl.SSLHandshakeException SourceId:com.ibm.ws.xs.ssl.channel.impl.SSLConnectionLink ProbeId:540 Reporter:com.ibm.ws.xs.ssl.channel.impl.SSLConnectionLink@60b2d165
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine
at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:389)
at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:250)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:237)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:385)
at java.net.Socket.connect(Socket.java:540)
at com.ibm.rmi.transport.TCPTransportConnection.createSocket(TCPTransportConnection.java:155)
at com.ibm.rmi.transport.TCPTransportConnection.createSocket(TCPTransportConnection.java:167)
The address in this exception could be a catalog server, container server, or client.
Solution: See Configuring secure transport types for a table with the valid security configurations between clients and servers.
./xscmd.sh -user <user> -password <password> <other_parameters>
If this operation works for this user, then any xscmd operation might also be performed by the same user.
Resolution: When eXtreme Scale components run with WebSphere Application Server, use the WebSphere Application Server administrative console to activate the security manager. Click Security > Global Security, and select the check boxes, Enable administrative security and Use Java 2 Security, to restrict application access to local resources.
Access to the management operations is controlled by the WebSphere Application Server security manager and is granted only to the users who belong to the WebSphere Administrator role. The xscmd command must be run from the WebSphere Application Server directory.
When eXtreme Scale components run in a stand-alone environment, additional steps are required to implement administrative security. You must run the catalog servers and container servers using the Java™ security manager, which requires a policy file.
grant codeBase "file:${objectgrid.home}/lib/*" {
    permission java.security.AllPermission;
};
grant principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
    permission javax.management.MBeanPermission "*", "getAttribute,setAttribute,invoke,queryNames,addNotificationListener,removeNotificationListener";
};
In this case, only the manager principal is authorized to do administrative operations using the xscmd command. Other lines can be added as necessary to give additional principals MBean permissions. A different type of principal is needed if you use LDAP authentication.
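The following Python sketch is an added example, not part of the product documentation. It parses a policy file like the one above, reports which principals hold MBeanPermission (and so can run xscmd administrative operations), and flags grants that are broader than intended. The function name audit_policy and the WEAK_POLICY sample are constructed for illustration.

```python
import re

# Java policy keywords are case-insensitive; quoted strings may contain braces
# (for example "${objectgrid.home}"), so the patterns skip over them explicitly.
GRANT = re.compile(r'\bgrant\b(?P<head>(?:[^{"]|"[^"]*")*)\{'
                   r'(?P<body>(?:[^}"]|"[^"]*")*)\}\s*;', re.I)
PRINCIPAL = re.compile(r'\bprincipal\s+\S+\s+"([^"]*)"', re.I)
SCOPE = re.compile(r'\b(?:codeBase|signedBy)\s+"', re.I)
PERMISSION = re.compile(r'\bpermission\s+([\w.$]+)(?:[^;"]|"[^"]*")*;', re.I)

def audit_policy(text):
    """Return who holds MBeanPermission and any over-broad grants."""
    # Only whole-line // comments are stripped (a simplification of this example).
    text = re.sub(r'(?m)^\s*//.*$', '', text)
    admins, findings = [], []
    for grant in GRANT.finditer(text):
        head, body = grant.group('head'), grant.group('body')
        principals = PRINCIPAL.findall(head)
        scoped = bool(principals or SCOPE.search(head))
        for perm in PERMISSION.findall(body):
            if perm == 'java.security.AllPermission' and not scoped:
                findings.append('AllPermission granted to all code')
            elif perm == 'javax.management.MBeanPermission':
                if principals:
                    # Several principals in one grant must all be present.
                    admins.append(' AND '.join(principals))
                else:
                    findings.append('MBeanPermission without a principal')
    return {'mbean_admins': admins, 'findings': findings}

# The policy shown on this page.
PAGE_POLICY = '''
grant codeBase "file:${objectgrid.home}/lib/*" {
    permission java.security.AllPermission;
};
grant principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
    permission javax.management.MBeanPermission "*", "getAttribute,setAttribute,invoke,queryNames,addNotificationListener,removeNotificationListener";
};
'''
# Constructed sample of a policy that is too permissive.
WEAK_POLICY = '''
grant { permission java.security.AllPermission; };
grant codeBase "file:${objectgrid.home}/lib/*" {
    permission javax.management.MBeanPermission "*", "invoke";
};
'''
if __name__ == '__main__':
    for name, policy in (('page', PAGE_POLICY), ('weak', WEAK_POLICY)):
        print(name, audit_policy(policy))
```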
startOgServer.sh <arguments> -jvmargs -Djava.security.auth.login.config=jaas.config -Djava.security.manager -Djava.security.policy="auth.policy" -Dobjectgrid.home=$OBJECTGRID_HOME
startXsServer.sh <arguments> -jvmargs -Djava.security.auth.login.config=jaas.config -Djava.security.manager -Djava.security.policy="auth.policy" -Dobjectgrid.home=$OBJECTGRID_HOME
startOgServer.bat <arguments> -jvmargs -Djava.security.auth.login.config=jaas.config -Djava.security.manager -Djava.security.policy="auth.policy" -Dobjectgrid.home=%OBJECTGRID_HOME%
startXsServer.bat <arguments> -jvmargs -Djava.security.auth.login.config=jaas.config -Djava.security.manager -Djava.security.policy="auth.policy" -Dobjectgrid.home=%OBJECTGRID_HOME%
You specify -Djava.security.policy in this case, instead of -Djava.security.auth.policy.