
I have two WebSphere servers. The 1st (v8.5.5) hosts my local EJB bean (RunAs 'Admin' role, which is mapped to 'domain_user'). The 2nd (v7) one hosts FileNet Content Engine 5.1. It is OK when I deploy my EJB bean to the 2nd WebSphere and connect with iiop://localhost:2809/FileNet/Engine.

But I get an error when I connect remotely from the 1st WAS with iiop://second-was:2809/FileNet/Engine.

I have set these configs (backslashes escaped as Java string literals require):

    System.setProperty("java.security.auth.login.config", "c:\\eq\\config\\jaas.conf.WebSphere");
    System.setProperty("com.ibm.CORBA.ConfigURL", "file:c:\\ea\\config\\sas.client.props");

... and then do pushSubject. The server log shows:

[4/9/16 21:50:04:038 YEKT] 0000022f BusinessExcep E   CNTR0020E: EJB threw an unexpected (non-declared) exception during invocation of method "getDocumentContent" on bean "BeanId(web-services-bni#ejb-1.0.1-SNAPSHOT.jar#CeServiceImpl, null)". Exception data: com.filenet.api.exception.EngineRuntimeException: FNRCS0001E: SECURITY_ANONYMOUS_DISALLOWED: Access to Content Engine was not allowed because the request was made anonymously instead of by an authenticated user. The application server reported that the user was anonymous. errorStack={
    at com.filenet.engine.context.SecurityContext.<init>(SecurityContext.java:75)
    at com.filenet.engine.context.ServerCallContext.<init>(ServerCallContext.java:107)
    at com.filenet.engine.context.ServerCallContext.newInstance(ServerCallContext.java:1115)
    at com.filenet.engine.jca.impl.RequestBrokerImpl.executeSearch(RequestBrokerImpl.java:814)
    at com.filenet.engine.ejb.EngineCoreBean._executeSearch(EngineCoreBean.java:318)

my EJB code:

import java.util.logging.Level;
import java.util.logging.Logger;

import javax.annotation.PostConstruct;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;
import javax.security.auth.Subject;

import com.filenet.api.core.Connection;
import com.filenet.api.core.Factory;
import com.filenet.api.util.UserContext;

@DeclareRoles({"Everyone", "Admin"})
@RolesAllowed({"Everyone", "Admin"})
@RunAs("Admin")            // outbound calls run as 'Admin', mapped to 'domain_user'
@Stateless
public class CeServiceImpl implements CeServiceLocal {
    private static final Logger logger = Logger.getLogger(CeServiceImpl.class.getName());

    private CeServiceHelper serviceHelper;
    private Subject subject;

    @PostConstruct
    public void init() {
        logger.info("CeServiceImpl init started");

        String ceUri = ConfigHelper.getCeUri();
        if (ceUri == null) {
            logger.log(Level.SEVERE, "ceUri can not be null");
            throw new NullPointerException("ceUri can not be null");
        }
        logger.info("ceUri: " + ceUri);

        // JAAS login configuration and CSIv2/SAS client properties for the IIOP call
        System.setProperty("java.security.auth.login.config", "c:\\ea\\config\\jaas.conf.WebSphere");
        System.setProperty("com.ibm.CORBA.ConfigURL", "file:c:\\ea\\config\\sas.client.props");

        Connection connection = Factory.Connection.getConnection(ceUri);

        // Authenticate against the Content Engine with the "FileNetP8" JAAS stanza
        subject = UserContext.createSubject(connection, "os_user", "password", "FileNetP8");
        try {
            // UserContext is thread-local: the subject is pushed on the thread running init()
            UserContext.get().pushSubject(subject);
        } catch (Exception e) {
            logger.warning(e.getMessage());
        }

        serviceHelper = new CeServiceHelper(connection);
    }
}

By the way, my final goal is to create the remote connection transparently (without pushSubject, popSubject, ...).

ᄂ ᄀ
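Because UserContext is thread-local, a subject pushed once in @PostConstruct is not guaranteed to be on the stack of the thread that later invokes the business method, so the Content Engine can see the call as anonymous. The following is an added example, not the asker's code, that pushes and pops the subject around each call; CeRemoteService, withSubject and the helper's fetchContent method are hypothetical names, and the credentials are placeholders.

```java
import java.util.function.Supplier;

import javax.ejb.Stateless;
import javax.security.auth.Subject;

import com.filenet.api.core.Connection;
import com.filenet.api.core.Factory;
import com.filenet.api.util.UserContext;

@Stateless
public class CeRemoteService {
    // Remote Content Engine endpoint on the second WAS (value from the question)
    private static final String CE_URI = "iiop://second-was:2809/FileNet/Engine";
    // JAAS stanza name used in the question; user and password are placeholders
    private static final String JAAS_STANZA = "FileNetP8";
    private static final String CE_USER = "os_user";
    private static final String CE_PASSWORD = "password";

    private final Connection connection = Factory.Connection.getConnection(CE_URI);

    // Runs 'work' with 'subject' pushed on the *current* thread's UserContext and
    // always pops it afterwards, so the container's caller identity is restored
    // even when the Content Engine call throws.
    private static <T> T withSubject(Subject subject, Supplier<T> work) {
        UserContext uc = UserContext.get();   // thread-local context of this invocation
        uc.pushSubject(subject);
        try {
            return work.get();
        } finally {
            uc.popSubject();
        }
    }

    // Business method: the subject lives only for the duration of this call.
    public byte[] getDocumentContent(String documentId) {
        Subject subject = UserContext.createSubject(connection, CE_USER, CE_PASSWORD, JAAS_STANZA);
        CeServiceHelper helper = new CeServiceHelper(connection); // hypothetical helper from the question
        return withSubject(subject, () -> helper.fetchContent(documentId));
    }
}
```

This keeps the explicit subject per call; dropping pushSubject entirely still requires both cells to validate each other's propagated LTPA credentials, as the answers below describe.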

2 Answers


I have got the following advice:

Maybe you should sync the two WAS cells by:

  1. Generating LTPA keys at one WAS cell: http://www.ibm.com/support/knowledgecenter/was_beta/com.ibm.websphere.base.doc/ae/tsec_sslmanagelptakeys.html
  2. Importing them on the second WAS cell: http://www.ibm.com/support/knowledgecenter/was_beta/com.ibm.websphere.base.doc/ae/tsec_altpaimp.html?lang=en

Comment: Make sure that the servers can communicate with each other on port 8880; they need to be able to exchange authentication info with each other. – Robert vd S Apr 14 '16 at 14:04

You may check the date and time of the two servers: both must be synchronized to UTC time within a maximum of 5 minutes. Hope this helps.

Beerbauf