Monday Aug 30, 2010

PRLB feature in GlassFish 2.1.1

Currently SGESv2.x supports RMI-IIOP loadbalancing. But this loadbalancing is based on the InitialContext:when a new InitialContext() is created, a load balancing decision is made, binding that InitialContext to a replica, until the replica fails, at which point all requests using that InitialContext fail over to a new replica.
Refer :

The PRLB feature aims at addressing the requirement, where for the same EJB object of a stateless session bean, the method calls to the bean needs to be loadbalanced. An EJB instance is represented (in GlassFish) by a dynamic stub, which contains a reference to the endpoints. The loadbalancing of the calls happens in a round robin fashion. The list has the lifetime of the stub and anything
that clears or resets the list starts the PRLB process all over again. Hence, ideally an ejb lookup() would reset the list and restarts the
PRLB process.

In sun-ejb-jar.xml, a new optional boolean child element for the ejb element "per-request-load-balancing" is introduced.If per-request-load-balancing is set to true for a stateless session bean, per request load balancing will be enabled for invocations made through Remote EJB 2.x and 3.x client invocations on that bean. If set to false or not set, per request load balancing will not be enabled for the bean. The per-request-load-balancing element only applies to stateless session beans. Use of the element on other bean types will result in
a deployment error.

For example :

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.1.1 EJB 3.0//EN" "">

The sun-ejb-jar.xml needs to be updated as above and EJB jar needs to be redeployed.

As a verification check, you can verify that this is configured properly by looking for the following (FINE, in the CORBA logger) log message when the EJB is loaded:

"Setting per-request-load-balancing policyfor EJB <EJBNAME>"

Important requisites for PRLB feature to work :

  •  The "per-request-load-balancing" property needs to be enabled in sun-ejb-jar.xml

Client Example:

public class EJBClient {
    public static void main(String args[]) {
    try {
    // only one lookup

    Object objref = initContext.lookup("test.cluster.loadbalancing.ejb.TestSessionBeanRemote");
        myGreeterRemote = (TestSessionBeanRemote)PortableRemoteObject.narrow(objref,

    } catch (Exception e) {

    for (int i=0; i < 10; i++ ) {
    // method calls in a loop.
        String theMessage = myGreeterRemote.sayHello(Integer.toString(i));
        System.out.println("got"+": " + theMessage);

Sunday Aug 29, 2010

Admin Console very slow in OGS 3.0.1

I installed OGS 3.0.1 for a customer escalation. I accessed the admin console and found that its was terribly slow.

Goggled on the net and landed up with suggestions to reduce this slowness.. If you are experiencing slowness and seeing the following message in your server.log

"Cannot refresh Catalog : Connection timed out"

Here are the tips to help you :

 1. Add the following option in your domain.xml


2. UpdateTool functionality 

 As Admin Console moved to make use of the OSGi architecture, updatetool functionality is implemented as a plugin module. The application (console) itself shouldn't know what needs to be done in any plugin. So, all you need to do is remove the updatetool plugin module if you don't want any updatetool feature in the console. However, this plugin module is part of the "glassfish-gui" IPS package, and one cannot just remove this particular module. As a workaround for now, just remove console-updatecenter-plugin.jar. You can do this:

\* cd glassfishv3/glassfish

\* mv modules/console-updatecenter-plugin.jar modules/console-updatecenter-plugin.jar.ORIG

\* rm -r domains/domain1/osgi-cache

\* rm -r domains/domain1/generated

Restart the server.

Here you go ... the admin console is all old self :) ..

Monday May 31, 2010

Client-Auth REQUESTED in GlassFish

Client Authentication is supported in GlassFish. This is one of the most common feature available in any web container.

Client-authentication can be enabled in Glassfish, by enabling the "client-auth-enabled" attribute of the "ssl" element of the http-listener. Currently, the clientauth can either be REQUIRED or NOT-REQUIRED.

But , as per\*,  the client-auth can 3 values

  • need - REQUIRED. The client certificate is MUST to authenticate
  • want - REQUESTED. The client certificate is OPTIONAL to authenticate
  • blank - NOT REQUIRED. Do not need a client certificate to authenticate

With 2.1.1 patch 6, we plan to support the "want". This is enabled in the patch by a system property.

In domain.xml, please add the following property to http-listener element

<property name="com.sun.grizzly.ssl.auth" value="want"/>

When the browser prompts for providing the certificate, it becomes optional for the user to accept or deny passing on the certificate, to access the resource. Also, the apps written on top of Glassfish can decide on how they want to authorize such a behavior.

This feature is also available on glassfish v3

Thursday Jan 21, 2010

Goodbye Sun !

Dear Sun,

You were the best. You will last till technology lives. My last 10 years association with you had been a mixture of pride, excitement, learning, happiness, sadness, anger, confusion and uncertainity. Thanks for all you have given to me and this technological world.

As Scott rightly summarized "Kicked Butt, Had Fun, Didn't Cheat, Loved Our Customers, Changed Computing Forever"


Sunday Jan 17, 2010

SGES v2.1.1 server certificate expired

The CA server certificate bundled with Sun GlassFish Enterprise Server v2.1.1 has expired since Jan 8, 2010.

Hence you would see SEVERE messages when you restart your domains. While this is being fixed in later SGES patches, you have a workaround to avoid these messages.

All you need to do is to remove the expired certificate from the keystore.

To remove from JKS keystore, use the following command
keytool -delete -alias verisignserverca -keystore <DOMAIN_ROOT>/config/cacerts.jks

To remove from NSS keystore, use the following command,
certutil -D -n verisignserverca -d <DOMAIN_ROOT>/config

Sunday Aug 23, 2009

Update on JSR196/JSR115 Agent

Here is an update on the JSR196/JSR115 agent.

 Due to various factors, the official release of JSR196/JSR115 based agent for Glassfish is being postponed. But the code has been committed to opensso project and anyone interested would have access to the agent.

The code is present at

The targets required to build the agent is integrated to the build system. One can use the following command to build the agent :

opensso/products/j2eeagents > ant jsr196_jsr115

Thursday Aug 20, 2009

What is the confusion in the Name ??

From the time I joined the GF team, I see a lot of confusion prevailing around the product name Sun Glassfish Enterprise Server v2.1. Now with v2.1.1 release coming up, there may be a lot of additional confusions.

I am trying my hand in clearing some confusion

Let us get one thing straight,

9.1, 9.1 UR1,  9.1UR2, v2.1, v2.1.1 are all essentially the same product and follow the same code line.

Mapping of these versions are :

SGES v2.1 <===> SJSAS 9.1UR2 patch 6

SGES v2.1.1 <===> SGES v2.1 patch 6 <===> SJSAS 9.1 UR2 patch 12

The most easiest way to  find the version you are using is by executing the following command:

<AS_INSTALL>/bin/asadmin version --verbose=true

Thursday May 07, 2009

TIME-WAIT in windows

Being in the Unix, I usually find hiccups when left to work on Windows.

Recently, I had to change the TCP/IP socket time_wait settings. After some search, I found this tip and it worked. Sharing it here ..

Use the Registry Editor and edit the following property. If the property is not present already, create one.

System Key: [HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]
Value Name: TcpTimedWaitDelay
Data Type: REG_DWORD (DWORD Value)
Value Data: 30-300 seconds (decimal)

Wednesday Jan 28, 2009

JSR196/JSR115 based OpenSSO Agent

    Before I move and start blogging about my current assignment, I thought it would be a good idea to dedicate some posts to my previous assignment. Just before moving to Glassfish sustaining, I was involved in developing a new OpenSSO Agent which would be based on JSR196 and JSR115 specifications for performing authentication and authorization respectively. The experience on working on this agent was mind-blowing.

    Implementing the JSR196 provider was little straight forward with the help of this blog. But JSR115 provider posed a real challenge. When I started off, there was not much documentation about building a new JSR115 provider except for the specification. Trust me, the specification was very complicated. Now that I have crossed all the hurdles, there exists a JSR115 provider which stores all the security constraints declared in web.xml in the OpenSSO Policy Store. The policies follow the OpenSSO Policy format. The provider authorizes against the OpenSSO Enterprise.

      So what does this agent do ?. The Agent protects the application from the unauthorized intrusions. The authenication and authorization for the entry happens against the OpenSSO Enterprise Framework. The important advantage of the agent would be, this agent can work with any container as long as the container supports the specifications. (I have to add, currently some tweaking is required in the provider code to make this happen, since the agent's installer and configurator is written for Glassfish 2.1. Also, the admin apps of Glassfish uses its own default provider). It has also improvised a lot of usability from earlier Agent frameworks.

       Usecase of the agent is something like this : When an application is deployed, the J2EE policies declared in the web.xml is captured by the JSR115 provider. They are converted into OpenSSO policy format and stored in OpenSSO policy store. When a protected resource is accessed, the JSR196 provider comes into action. It redirects to the OpenSSO for performing authentication. Once authenticated by the OpenSSO, the JSR115 provider takes over to perform authorization of the access. The JSR115 provider depends on the OpenSSO policy engine to evaluate the policies and allow/deny the authenicated user for access of the protected resource.

Check-in of this code would be done in couple of days .. so all those interested can try out this agent and i'll be extremely interested to hear your feedback.

Thursday Jan 08, 2009

New Bee into Glassfish !!

After 8-9 years of working on various J2EE Applications, content management and identity management , I am moving into another domain of  sustaining application container ...I am entering with lot anxiety and eagerness .

Let me see what future holds for me :)

Monday Oct 06, 2008

Utility to download files on Solaris

For the past few months I had to work remotely quite often. My work sometimes requires me to download huge files hosted over the web. Since I work on my laptop, I used to download the files on my local machine and then transfer it back to my office machine. It was hogging the bandwidth and takes a lot of time too :(.

Thats when I got to know about this utility wget . Its very helpful in downloading files via HTTP and FTP.

These days I just  telnet to my machine and do a /usr/sfw/bin/wget URL. Saves a lot of time :) If you need more info about wget , just do wget --help

If you are behind proxy, you may need to export http_proxy=PROXYNAME:PROXYPORT to download files over the internet

Sunday Sep 07, 2008

Hello !!

I have been hesitating to get into official blogOworld, for the kind of addiction it offers :).

Finally gave up and here I am !!.

My plan is to write about work, tit-bits, and personal happenings (I have my personal blog and it needs its own share too ..)

Keep watching this space for more updates ...


Kalpana Karunamurthi


« April 2014