This section describes known issues and associated solutions related to Enterprise Server and web application security and certificates.
During startup of an Enterprise Server instance, an expired certificate is reported in the instance's server.log log file as follows:
The "GTE CyberTrust Root 5" certificate expired on August 15th 2013
The log file shows the validity of the certificate as follows:
Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US ... Validity: [From: Fri Aug 14 15:50:00 BST 1998, To: Thu Aug 15 00:59:00 BST 2013]
The solution depends on whether the instance is configured to use a server SSL certificate that uses this certificate as part of its trust path.
If the instance is not configured this way, ignore the warning. The functionality of the instance is unaffected.
If no server certificate has been signed by the GTE CyberTrust Root 5 certificate, delete the certificate from the truststore. For instructions, see To Delete the GTE CyberTrust Root 5 Certificate From the Truststore.
Note - In the latest releases of Java SE 6 and Java SE 7, this certificate is no longer present by default. The only GTE certificate has the alias gtecybertrustglobalca and does not expire until August 2018.
Otherwise, contact the issuing certificate authority (CA) to resolve the issue.
The CA will either reissue the certificate with an up-to-date or alternate root certificate, or provide an updated certificate to install in the truststore.
To determine that the new certificate is correct, confirm that the issuer's subject is as follows:
CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc."
Note - How to perform some steps in this task depends on whether the domain uses a JKS keystore or an NSS keystore. The keystore that a domain uses depends on the profile with which the domain was created:
A domain that is created with the developer profile or the cluster profile uses a JKS keystore.
A domain that is created with the enterprise profile uses an NSS keystore.
prompt% cd as-install/domains/domain-name/config/
The files to copy depend on the type of the keystore.
cert8.db
key3.db
prompt% keytool -delete -alias gtecybertrust5ca -keystore cacerts.jks
When prompted, provide the master password of the domain.
prompt% certutil -D -d . -n gtecybertrust5ca
When prompted, provide the master password of the domain.
Deleting the expired certificate prevents the certificate from being propagated to new domains.
prompt% cd as-install/lib/install/templates
The files to copy depend on the type of the keystore.
cert8.db
key3.db
prompt% keytool -delete -alias gtecybertrust5ca -keystore cacerts.jks
prompt% keytool -delete -alias gtecybertrust5ca -keystore ee/cacerts.jks
When prompted, provide the master password of the domain.
prompt% certutil -D -d . -n gtecybertrust5ca
prompt% certutil -D -d ee -n gtecybertrust5ca
When prompted, provide the master password of the domain.
Note - To ensure that the instances are synchronized with the DAS, you must start the instances individually, even if the instances are members of a cluster. Starting a cluster does not synchronize the instances in the cluster.
If you start an instance by starting the node agent for the host where the instance resides, you must specify the --syncinstances option of the start-node-agent command. Otherwise, the instance is not synchronized.
As a result of changes to the security implementation in JDK 1.6.0_51, additional permissions are required to prevent some operations from failing. For example, an attempt by an application to perform a transaction might fail with the java.io.SerializablePermission enableSubclassImplementation exception.
For each existing domain, add the following permissions to the grant block for the basic set of permissions in the domain-dir/config/server.policy file:
permission java.io.SerializablePermission "enableSubclassImplementation";
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.org.apache.xml.internal.utils";
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.org.apache.xerces.internal.dom";
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.org.apache.xerces.internal.jaxp";
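One way to audit existing domains for the four permissions listed above, as an added example that is not part of the Enterprise Server documentation or tooling. It assumes the "basic set of permissions" is the grant block with no codeBase qualifier; the sample policy text and the function names are constructed for illustration.

```python
import re

# The four permissions listed in the release note above.
REQUIRED = [
    ("java.io.SerializablePermission", "enableSubclassImplementation"),
    ("java.lang.RuntimePermission", "accessClassInPackage.com.sun.org.apache.xml.internal.utils"),
    ("java.lang.RuntimePermission", "accessClassInPackage.com.sun.org.apache.xerces.internal.dom"),
    ("java.lang.RuntimePermission", "accessClassInPackage.com.sun.org.apache.xerces.internal.jaxp"),
]

# Constructed server.policy fragment (not copied from a real domain).
SAMPLE_POLICY = '''
grant codeBase "file:${com.sun.aas.installRoot}/lib/-" {
    permission java.security.AllPermission;
};
// Basic set of required permissions granted to all remaining code
grant {
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    // permission java.lang.RuntimePermission "accessClassInPackage.com.sun.org.apache.xerces.internal.dom";
};
'''

# Strings are matched first so that "//" inside a codeBase URL is not taken for a comment.
TOKEN_RE = re.compile(r'"[^"\n]*"|//[^\n]*|/\*.*?\*/', re.S)
GRANT_RE = re.compile(r"\bgrant\s*\{(.*?)\}\s*;", re.S)   # unqualified grant blocks only
PERM_RE = re.compile(r'permission\s+([\w.$]+)\s+"([^"]*)"')

def strip_comments(text):
    """Blank out // and /* */ comments while leaving quoted strings intact."""
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)

def missing_permissions(policy_text):
    """Return the required (class, target) pairs absent from the unqualified grant block(s).

    Exact matches only: a wildcard target or AllPermission that would imply a
    required permission is not evaluated.
    """
    granted = set()
    for body in GRANT_RE.findall(strip_comments(policy_text)):
        granted.update(PERM_RE.findall(body))
    return [p for p in REQUIRED if p not in granted]

if __name__ == "__main__":
    for cls, target in missing_permissions(SAMPLE_POLICY):
        print(f'add: permission {cls} "{target}";')
```

A commented-out permission line is reported as missing, which is the case a plain text search for the permission name would overlook.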
The CA certificate bundled with Enterprise Server v2.1.1 expired on Jan 08, 2010. As a result, some SEVERE log messages may be observed while starting the domain.
These messages are harmless but can be eliminated. Remove the expired certificate from the keystore. To remove the certificate from the JKS keystore, use the following command:
keytool -delete -alias verisignserverca -keystore domain-dir/config/cacerts.jks
To remove the certificate from the NSS keystore, use the following command:
certutil -D -n verisignserverca -d domain-dir/config
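Both expired-certificate issues above (GTE CyberTrust Root 5 and the bundled CA certificate) show up as certificate details in server.log at startup. The following added example, which is not part of the Enterprise Server documentation, scans log text for the Subject and Validity fields in the format quoted for the GTE certificate and reports the entries that have expired. The sample log text and the function names are constructed for illustration, and the second subject in the sample is invented.

```python
import re
from datetime import datetime

# Constructed sample: the first entry mirrors the excerpt quoted above, with the
# Validity field wrapped across two lines; the second subject is invented.
SAMPLE_LOG = """\
  Subject: CN=GTE CyberTrust Root 5, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  Validity: [From: Fri Aug 14 15:50:00 BST 1998,
               To: Thu Aug 15 00:59:00 BST 2013]
  Subject: CN=Example Internal Root, O=Example Corp, C=US
  Validity: [From: Mon Jan 01 00:00:00 GMT 2024, To: Sun Jan 01 00:00:00 GMT 2040]
"""

# Matches either a Subject field or a Validity field, whether on one line or wrapped.
FIELD_RE = re.compile(
    r"Subject:\s*(?P<subject>[^\n]*?)\s*(?:\.\.\.|\n|$)"
    r"|Validity:\s*\[From:\s*(?P<start>[^,\]]+),\s*To:\s*(?P<end>[^\]]+)\]"
)

def parse_java_date(text):
    # Format of java.util.Date.toString(): "Thu Aug 15 00:59:00 BST 2013".
    # Zone abbreviations are ambiguous, so the zone is dropped; the result is
    # accurate to within a day, which is enough for an expiry check.
    _dow, month, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{month} {day} {clock} {year}", "%b %d %H:%M:%S %Y")

def expired_certificates(log_text, now):
    """Return [(subject, not_after)] for certificates whose validity ended before `now`."""
    expired, subject = [], None
    for m in FIELD_RE.finditer(log_text):
        if m.group("subject") is not None:
            subject = m.group("subject")          # remember until its Validity appears
        elif subject is not None:
            not_after = parse_java_date(m.group("end"))
            if not_after < now:
                expired.append((subject, not_after))
            subject = None
    return expired

if __name__ == "__main__":
    for subject, not_after in expired_certificates(SAMPLE_LOG, datetime.now()):
        print(f"EXPIRED {not_after:%Y-%m-%d}  {subject}")
```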
A bug in the JDK 6 Sun PKCS11 provider (see https://jdk6.dev.java.net/issues/show_bug.cgi?id=23) could cause an OutOfMemoryError when running certain SSL scenarios under heavy stress.
If you run into this issue, remove sun.security.pkcs11.SunPKCS11 provider from the java.security file in your JRE installation.
On the AIX platform, dynamic encryption for the determination of an encryption key for a response is failing. The failure occurs during the validation of the certificate on the server side.
In response to the failure, the following error messages are written to the server's log file server.log:
Unable to validate certificate
Error occurred while resolving key information com.sun.xml.wss.impl.WssSoapFaultException: Certificate validation failed
Install Metro 1.1 on Enterprise Server v2.1.1
A method in an enterprise bean whose run-as, or propagated, security identity is defined by using the @RunAs annotation attempts to invoke a method in another enterprise bean. If no run-as principal is defined in the sun-ejb-jar.xml deployment descriptor file, the attempt might fail with a javax.ejb.AccessLocalException exception.
javax.ejb.AccessLocalException: Client not authorized for this invocation.
In the sun-ejb-jar.xml deployment descriptor file, define in the principal-name element the principal name for which the run-as role is specified.
SSL termination does not work: when a hardware load balancer is configured for SSL termination, Enterprise Server changes the protocol from https to http during redirection.
Add a software load balancer between the hardware load balancer and the Enterprise Server.
Because of a JVM bug, there is a leak issue with some JDK versions when security-enabled is set to true on an HTTP listener. Specifically, the steps to reproduce this bug are as follows:
Set security-enabled to true on the HTTP listener:
<http-listener acceptor-threads="1" address="0.0.0.0" blocking-enabled="false" default-virtual-server="server" enabled="true" family="inet" id="http-listener-1" port="8080" security-enabled="true" server-name="" xpowered-by="true">
Comment out stopping domain at the end of quicklook tests.
Run quicklook tests.
Check socket usage:
netstat -an | grep 8080
The following are shown to be in use:
*.8080 *.* 0 0 49152 0 LISTEN
*.8080 *.* 0 0 49152 0 BOUND
This issue is tracked on the GlassFish site at http://java.net/jira/browse/GLASSFISH-849.
Upgrade to the latest JDK version.
An unspecified vulnerability in Oracle Sun GlassFish Enterprise Server 2.1, 2.1.1, and 3.0.1, and Sun Java System Application Server 9.1, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration. See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0807.
Upgrade to Oracle GlassFish Server 3.1 or later.