Sunday Aug 29, 2010

Admin Console very slow in OGS 3.0.1

I installed OGS 3.0.1 for a customer escalation. I accessed the admin console and found that its was terribly slow.

Goggled on the net and landed up with suggestions to reduce this slowness.. If you are experiencing slowness and seeing the following message in your server.log

"Cannot refresh Catalog : Connection timed out"

Here are the tips to help you :

 1. Add the following option in your domain.xml


2. UpdateTool functionality 

 As Admin Console moved to make use of the OSGi architecture, updatetool functionality is implemented as a plugin module. The application (console) itself shouldn't know what needs to be done in any plugin. So, all you need to do is remove the updatetool plugin module if you don't want any updatetool feature in the console. However, this plugin module is part of the "glassfish-gui" IPS package, and one cannot just remove this particular module. As a workaround for now, just remove console-updatecenter-plugin.jar. You can do this:

\* cd glassfishv3/glassfish

\* mv modules/console-updatecenter-plugin.jar modules/console-updatecenter-plugin.jar.ORIG

\* rm -r domains/domain1/osgi-cache

\* rm -r domains/domain1/generated

Restart the server.

Here you go ... the admin console is all old self :) ..

Monday May 31, 2010

Client-Auth REQUESTED in GlassFish

Client Authentication is supported in GlassFish. This is one of the most common feature available in any web container.

Client-authentication can be enabled in Glassfish, by enabling the "client-auth-enabled" attribute of the "ssl" element of the http-listener. Currently, the clientauth can either be REQUIRED or NOT-REQUIRED.

But , as per\*,  the client-auth can 3 values

  • need - REQUIRED. The client certificate is MUST to authenticate
  • want - REQUESTED. The client certificate is OPTIONAL to authenticate
  • blank - NOT REQUIRED. Do not need a client certificate to authenticate

With 2.1.1 patch 6, we plan to support the "want". This is enabled in the patch by a system property.

In domain.xml, please add the following property to http-listener element

<property name="com.sun.grizzly.ssl.auth" value="want"/>

When the browser prompts for providing the certificate, it becomes optional for the user to accept or deny passing on the certificate, to access the resource. Also, the apps written on top of Glassfish can decide on how they want to authorize such a behavior.

This feature is also available on glassfish v3

Sunday Jan 17, 2010

SGES v2.1.1 server certificate expired

The CA server certificate bundled with Sun GlassFish Enterprise Server v2.1.1 has expired since Jan 8, 2010.

Hence you would see SEVERE messages when you restart your domains. While this is being fixed in later SGES patches, you have a workaround to avoid these messages.

All you need to do is to remove the expired certificate from the keystore.

To remove from JKS keystore, use the following command
keytool -delete -alias verisignserverca -keystore <DOMAIN_ROOT>/config/cacerts.jks

To remove from NSS keystore, use the following command,
certutil -D -n verisignserverca -d <DOMAIN_ROOT>/config

Sunday Aug 23, 2009

Update on JSR196/JSR115 Agent

Here is an update on the JSR196/JSR115 agent.

 Due to various factors, the official release of JSR196/JSR115 based agent for Glassfish is being postponed. But the code has been committed to opensso project and anyone interested would have access to the agent.

The code is present at

The targets required to build the agent is integrated to the build system. One can use the following command to build the agent :

opensso/products/j2eeagents > ant jsr196_jsr115

Thursday Aug 20, 2009

What is the confusion in the Name ??

From the time I joined the GF team, I see a lot of confusion prevailing around the product name Sun Glassfish Enterprise Server v2.1. Now with v2.1.1 release coming up, there may be a lot of additional confusions.

I am trying my hand in clearing some confusion

Let us get one thing straight,

9.1, 9.1 UR1,  9.1UR2, v2.1, v2.1.1 are all essentially the same product and follow the same code line.

Mapping of these versions are :

SGES v2.1 <===> SJSAS 9.1UR2 patch 6

SGES v2.1.1 <===> SGES v2.1 patch 6 <===> SJSAS 9.1 UR2 patch 12

The most easiest way to  find the version you are using is by executing the following command:

<AS_INSTALL>/bin/asadmin version --verbose=true

Wednesday Jan 28, 2009

JSR196/JSR115 based OpenSSO Agent

    Before I move and start blogging about my current assignment, I thought it would be a good idea to dedicate some posts to my previous assignment. Just before moving to Glassfish sustaining, I was involved in developing a new OpenSSO Agent which would be based on JSR196 and JSR115 specifications for performing authentication and authorization respectively. The experience on working on this agent was mind-blowing.

    Implementing the JSR196 provider was little straight forward with the help of this blog. But JSR115 provider posed a real challenge. When I started off, there was not much documentation about building a new JSR115 provider except for the specification. Trust me, the specification was very complicated. Now that I have crossed all the hurdles, there exists a JSR115 provider which stores all the security constraints declared in web.xml in the OpenSSO Policy Store. The policies follow the OpenSSO Policy format. The provider authorizes against the OpenSSO Enterprise.

      So what does this agent do ?. The Agent protects the application from the unauthorized intrusions. The authenication and authorization for the entry happens against the OpenSSO Enterprise Framework. The important advantage of the agent would be, this agent can work with any container as long as the container supports the specifications. (I have to add, currently some tweaking is required in the provider code to make this happen, since the agent's installer and configurator is written for Glassfish 2.1. Also, the admin apps of Glassfish uses its own default provider). It has also improvised a lot of usability from earlier Agent frameworks.

       Usecase of the agent is something like this : When an application is deployed, the J2EE policies declared in the web.xml is captured by the JSR115 provider. They are converted into OpenSSO policy format and stored in OpenSSO policy store. When a protected resource is accessed, the JSR196 provider comes into action. It redirects to the OpenSSO for performing authentication. Once authenticated by the OpenSSO, the JSR115 provider takes over to perform authorization of the access. The JSR115 provider depends on the OpenSSO policy engine to evaluate the policies and allow/deny the authenicated user for access of the protected resource.

Check-in of this code would be done in couple of days .. so all those interested can try out this agent and i'll be extremely interested to hear your feedback.

Thursday Jan 08, 2009

New Bee into Glassfish !!

After 8-9 years of working on various J2EE Applications, content management and identity management , I am moving into another domain of  sustaining application container ...I am entering with lot anxiety and eagerness .

Let me see what future holds for me :)

Monday Oct 06, 2008

Utility to download files on Solaris

For the past few months I had to work remotely quite often. My work sometimes requires me to download huge files hosted over the web. Since I work on my laptop, I used to download the files on my local machine and then transfer it back to my office machine. It was hogging the bandwidth and takes a lot of time too :(.

Thats when I got to know about this utility wget . Its very helpful in downloading files via HTTP and FTP.

These days I just  telnet to my machine and do a /usr/sfw/bin/wget URL. Saves a lot of time :) If you need more info about wget , just do wget --help

If you are behind proxy, you may need to export http_proxy=PROXYNAME:PROXYPORT to download files over the internet


Kalpana Karunamurthi


« July 2016