How to connect an application client to secured WAS 7 environment.

The Application Client form IBM is designed for thin and fat clients. Some of this information is from the IBM Information Centre for WAS 7 (http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp) and some of it is written by me. Use it as a reference in case you ever need it.

  • IBM Thin Client for Java API for XML-based Web Services (JAX-WS)
  • IBM Thin Client for Java API for XML-based RPC (JAX-RPC)
  • IBM Thin Client for Java Messaging Service (JMS)
  • IBM Resource Adapter for JMS
  • IBM Thin Client for JPA
  • IBM Thin Client for EJB.

Choosing a type of client

A client provides the framework for client applications that run separately from your application server.

About this task

Decision factors for choosing a client include whether you want to run a client application on Java Platform, Enterprise Edition (Java EE) or Java Platform, Standard Edition (J2SE) ; whether you want ease of use with a small installation footprint or full-function with medium to large footprint; and whether you need licence to copy or redistribute the client.

A usual first decision to make is do you want a client application that runs on Java EE or J2SE?. This leads you to choose from the main types of clients, as described in this topic. Otherwise, if you want to run an ActiveX program, or a Java applet, to interact with enterprise beans on WebSphere® Application Server, your decision is only for one of those types of client.

Procedure

  • J2SE

    If you want to run a lightweight client application, without the resource and processing cost of the Java EE platform for WebSphere Application Server on the client machine, then choose either the Java thin client or the stand-alone thin clients to run on J2SE.

    • If you want a client with a small installation footprint, that you can embed into your application, and that runs under an IBM, Sun, or HP-UX JRE, choose the stand-alone clients. Each client is an embeddable single jar with small footprint; for example, the Thin Client for JMS with WebSphere Application Server, com.ibm.ws.sib.client.thin.jms_7.0.0.jar needs about 2 MB of disk space. For notable restrictions of stand-alone clients, see the client comparison table in Client applications.
    • If you want a full-function client with medium to large footprint, that runs under the IBM JRE supplied, choose the Java thin client.
      • If you run your client application to use the installed files of Application Client for WebSphere Application Server, you need about 400 MB of disk space (as part of the Application Client installation). Choose this option if you intend to copy and redistribute the Java thin client, within your licensing agreement.
      • If you run your client application to use the installed files of the WebSphere Application Server, you need about 1 GB of disk space (as part of the Application Server installation). Choose this option if you do not mind the larger footprint, and you want maintenance support for the Java thin client.

    However, the thin clients running on J2SE do not support a Java EE container that provides easy access to system services for object resolution, security, Reliability Availability and Servicability (RAS), and other services. Also, thin clients running on J2SE do not initialize any of the services that the client application might require.

  • Java EE

    If you want to run a Java client application that makes full use of the Java EE platform features of WebSphere Application Server, then choose the Java EE client.

    • If you run your client application to use the installed files of Application Client for WebSphere Application Server, you need about 400 MB of disk space (as part of the Application Client installation). Choose this option if you intend to copy and redistribute the Java EE client, within your licensing agreement.
    • If you run your client application to use the installed files of the WebSphere Application Server, you need about 1 GB of disk space (as part of the Application Server installation). Choose this option if you do not mind the larger footprint, and you want maintenance support for the Java EE client.

    The Java EE client provides a container that client applications can use to access system services. The Java EE client also initializes the runtime environment for client applications.

  • ActiveX to Enterprise JavaBeans (EJB) Bridge

    If you want ActiveX programs to access enterprise beans on WebSphere Application Server, choose this client.

  • Applet client

    If you want a browser-based Java client application program that provides a richer and more robust environment than the one offered by the Applet > Servlet > enterprise bean model, choose this client.

Extra Thin client information

Getting server objects and resources.

A stand-alone client application can get suitable server objects and resources (like connection factories, JMS queues, and data sources) programmatically without using JNDI. Alternatively, a client application can use full JNDI support provided by the Thin Client for EJB.

Compiling stand-alone thin client applications.

To compile your client application, include the JAR files needed in the CLASSPATH setting for the javac command; for example, any extra JAR files for the client application’s own classes, JAR files for IBM® Thin clients used, and JAR files for JDBC provider classes.

For the stand-alone thin clients, the following JAR files are provided in the /runtimes/ directory of either an Application Client installation or Application Server installation:

Table 1. JAR files for stand-alone thin clients. JAR files for stand-alone thin clients descriptions
JAR file

Description

com.ibm.jaxws.thinclient_7.0.0.jar IBM Thin Client for Java API for XML-based Web Services (JAX-WS). This file enables a Java SE client application to use the JAX-WS programming model to invoke Web services that are hosted by the application server.
com.ibm.ws.ejb.thinclient_7.0.0.jar Thin Client for Enterprise Java Beans (EJB) . This file enables a Java SE client application to access remote Enterprise Java Beans on a server through Java Naming and Directory Interface (JNDI) look up. If this file is running with a non-IBM product JRE on a non-IBM product platform, the IBM ORB implementation library, com.ibm.ws.orb_7.0.0.jar, is also needed.
IBM Thin Client for Java Persistence API (JPA). This file allows a Java SE client application to use the Java Persistence API (JPA) to store and retrieve persistent data through the application server.
com.ibm.ws.messagingClient.jar With the com.ibm.ws.ejb.thinclient_7.0.0.jar file, this file enables a Java SE client application to use WebSphere® MQ messaging provider JMS resources from the WebSphere Application Server JNDI namespace. WebSphere MQ client jar files are also needed, and must be obtained from the WebSphere MQ product.
com.ibm.ws.orb_7.0.0.jar The IBM ORB implementation library. This file is needed if the IBM Thin Client for EJB is running with a non-IBM product JRE on a non-IBM product platform.
com.ibm.ws.sib.client.thin.jms_7.0.0.jar IBM Thin Client for Java Messaging Service (JMS). This file enables a Java SE client application to use JMS resources of the default messaging provider. For languages other than US English, you also need the additional language files from sibc.nls.zip, which provides language-specific resource bundles.
com.ibm.ws.sib.client_ExpeditorDRE_7.0.0.jar The JMS Client packaged for Lotus® Expeditor.
com.ibm.ws.webservices.thinclient_7.0.0.jar IBM Thin Client for Java API for XML-based RPC (JAX-RPC). This file enable a Java SE client application to use the JAX-RPC programming model to invoke Web services that are hosted by the application server.

If you are running two or more of these stand-alone thin clients together, you must obtain all the clients that you are using from the same installation of Application Client for WebSphere Application Server, the same installation of the WebSphere Application Server product, or the same service refresh.

Note: You can communicate with WAS as a basic Java client using many different approaches as long as you understand that IBM has intended you to use the Application client (Not that have to, but there are nuances) and that there are specific assumptions made due to IBMs preference. Also the documentation and knowledge is always found in IBM Information Centres around the topic of Application clients, so it is good to know how IBM is thinking.

However, even when using an Application client you still need JARS from an actual WAS server for example when doing JMS from an external client you will need to reference the WMQ jar files find in the WAS installation or when connecting to MBeans you will need. some of the above JARs. So It makes me wonder why they don’t just document the simple ways? IBM does confuse this topic greatly and it is hard to find good examples in their online docs.

This document is by no means an exhaustive list of examples, but it serves as guide for when you are building our own apps using Eclipse mindset as opposed to IBM Rational Application Developer mindset.

JNDI initalContext Information

To develop a Java thin client application, you developing the application code, generate the client bindings needed for the enterprise bean and CORBA objects, and package these pieces together to install on the client machine.

With the Java thin client, the client application must code explicitly the fully-qualified location for each resource that it uses. For example, a Java thin client application that looks up an enterprise bean Home contains the following code:

java.lang.Object ejbHome =

initialContext.lookup(“the/fully/qualified/path/to/actual/home/in/namespace/MyEJBHome”);

MyEJBHome = (MyEJBHome)javax.rmi.PortableRemoteObject.narrow(ejbHome, MyEJBHome.class);

The Java thin client application must know the fully-qualified physical location of the enterprise bean Home in the namespace. If this location changes, the thin client application must also change the value placed on the lookup() statement.

To compile a Java thin client application, include the client jars file needed by the application in the CLASSPATH setting for the javac command.


Security (WAS GLobal Security = On)

The example in this document are focused around Global Security being turned on and so this reference will give you the required insights to use in any client application which wishes to connect to a secured WebSphere Application Server.

Downloading and installing the IBM Application Client

You can download the latest version of the WebSphere Application client from the following URL:

http://www14.software.ibm.com/webapp/download/preconfig.jsp?id=2009-09-15+16%3A54%3A48.621697R&S_TACT=&S_CMP=

Note: WAS Application Client also comes with the full WAS media is you have access to download from IBM.

I downloaded the Application Client for WebSphere Application Server V7.0

trial_client_7000_windows.ia32.zip (337.0MB)

Expand the downloaded file. Locate the AppClient folder and click install.

For example:

C:\Downloads\trial_client_7000_windows.ia32\AppClient\install.exe

This wizard installs Application Clients for WebSphere Application Server. This installation includes the following products:

  • Java 2 Enterprise Edition (Java EE) and Java thin application client and samples
  • Applet client and samples
  • ActiveX to Enterprise JavaBeans (EJB) bridge.

Installing on Windows 7 will present this error, ignore.

Choose an appropriate location. I chose to use c:\ibm\appclient7

Lets now try and build a sample client and also try and see if we can get some of the example working.

Important notes from IBM regarding Application Clients

This information below is quite useful when you are wanting to build a java client outside of using the IBM Application Client.

Important: The Administration Thin Client is supported for the IBM SDKs. It is also supported for the corresponding Sun Java Development Kit (JDK) with the same major version, provided that:

  • The client administration application uses only the SOAP connector.
  • The client administration application uses the com.ibm.websphere.management.AdminClientFactory API to get the JMX client.
  1. Make the Administration Thin Client JAR files available by copying com.ibm.ws.admin.clientXXX.jar from a WebSphere® Application Server environment to an environment outside of WebSphere Application Server, for example, c:\MyThinClient. The com.ibm.ws.admin.client_7.0.0.jar Administration Thin Client JAR file is located in one of the following locations:
  • The AppServer/runtimes directory.
  • The AppClient/runtimes directory, if you optionally selected the Administration Thin Client when you installed the application client.
  1. Use the Administration Thin Client JAR files to compile and test administration client programs. For Java applications, you can compile and run the JAR files within a standard Java 2 Platform, Standard Edition environment. For more information see the Compiling an administration application using the Thin Administration Client topic.
  2. Copy the messages directory from the app_server_root/properties directory to the C:\MyThinClient\properties directory.

4.If security is turned on, you also need the following files:

  • Copy the com.ibm.ws.security.crypto.jar file from either the AppServer/plugins directory or the AppClient/plugins directory and put it in the C:\MyThinClient directory.
  • If you are using the IPC connector, optionally copy the ipc.client.props file from the AppServer\profiles\profileName/properties or the AppClient\properties directory and put it in the C:\MyThinClient\properties directory. Alternatively, you can set the properties in the ipc.client.props file programmatically in your Java code.
  • If you are using the SOAP connector, optionally copy the soap.client.props file from the AppServer\profiles\profileName\properties directory and put it in the C:\MyThinClient\properties directory. Then, enable the client security by setting the com.ibm.CORBA.securityEnabled property to true.

    Alternatively, you can set the properties in the soap.client.props file programmatically in your Java code.

    Later I will try this in the code

  • If you are using RMI or JSR160RMI connectors, copy the sas.client.props file from the AppServer/profiles/profileName/properties directory and put it in the C:\MyThinClient\properties directory.
  • Copy or generate the ssl.client.props file from either the AppServer\profiles\profileName/properties directory or the AppClient/properties directory and put it in the C:\MyThinClient\properties directory.

    Note: This file contains the user.root property. You must modify the value to your thin client directory, for example, C:\MyThinClient.

  • If you are using the IBM SDK, copy the key.p12 and trust.p12 files from AppServer\profiles\profileName\etc directory and put it to C:\MyThinClient\etc directory.
  • To complete this task, copy the file to your thin client directory or run a script to generate the file. For more information, see the following topics:
  • – ssl.client.props client configuration file
  • – Interoperating with previous product versions
  • – retrieveSigners command
  • Secure installation for client signer retrieval in SSL
  • Copy the wsjaas_client.conf files from either the AppServer\profiles\profileName/properties directory or the AppClient/properties directory, and put them in the C:\MyThinClient\properties directory.
  • If you are using the Oracle JDK, change the following properties in the ssl.client.props file so that it uses JKS key and truststores and the Oracle implementation of the key and trust managers:

com.ibm.ssl.alias=DefaultSSLSettings

com.ibm.ssl.protocol=SSL

com.ibm.ssl.securityLevel=HIGH

com.ibm.ssl.trustManager=SunX509

com.ibm.ssl.keyManager=SunX509

com.ibm.ssl.contextProvider=SunJSSE

com.ibm.ssl.enableSignerExchangePrompt=gui

# Keystore information

com.ibm.ssl.keyStoreName=ClientDefaultKeyStore

com.ibm.ssl.keyStore=${user.root}/etc/keystore.jks

com.ibm.ssl.keyStorePassword=keystore_password

com.ibm.ssl.keyStoreType=JKS

com.ibm.ssl.keyStoreProvider=SUN

com.ibm.ssl.keyStoreFileBased=true

# Truststore information

com.ibm.ssl.trustStoreName=ClientDefaultTrustStore

com.ibm.ssl.trustStore=${user.root}/etc/truststore.jks

com.ibm.ssl.trustStorePassword=truststore_password

com.ibm.ssl.trustStoreType=JKS

com.ibm.ssl.trustStoreProvider=SUN

com.ibm.ssl.trustStoreFileBased=true5.

Launch the Administration Thin Client or run the wsadmin tool remotely in a Java 2 Platform, Standard Edition environment.

To launch your administration application, use the following sample launch scripts:

set WAS_HOME=c:\MyThinClient

set USER_INSTALL_ROOT=%WAS_HOME%

set JAVA_HOME=location_of_the_JRE_file

@REM C_PATH is the class path. Add to it as needed.

set C_PATH=%WAS_HOME%\com.ibm.ws.admin.client_7.0.0.jar;%WAS_HOME%\com.ibm.ws.security.crypto.jar

set SOAPURL=-Dcom.ibm.SOAP.ConfigURL=%WAS_HOME%\properties\soap.client.props

if exist %JAVA_HOME%\bin\java.exe (

set JAVA_EXE=%JAVA_HOME%\bin\java

) else (

set JAVA_EXE=%JAVA_HOME%\jre\bin\java

)

%JAVA_EXE% -classpath “%C_PATH%” -Duser.install.root=%USER_INSTALL_ROOT% -Dcom.ibm.SSL.ConfigURL=file:%WAS_HOME%/properties/ssl.client.props %SOAPURL% your_class_file

#!/bin/bash

WAS_HOME=/MyThinClient

USER_INSTALL_ROOT=${WAS_HOME}

JAVA_HOME=location of the JRE file

# C_PATH is the class path. Add to it as needed.

C_PATH=${WAS_HOME}/com.ibm.ws.admin.client_7.0.0.jar:${WAS_HOME}/com.ibm.ws.security.crypto.jar

SOAPURL=-Dcom.ibm.SOAP.ConfigURL=${WAS_HOME}/properties/soap.client.props

if [[ -f ${JAVA_HOME}/bin/java ]]; then

JAVA_EXE=”${JAVA_HOME}/bin/java”

else

JAVA_EXE=”${JAVA_HOME}/jre/bin/java”

fi

${JAVA_EXE} -classpath “${C_PATH}” -Duser.install.root=${USER_INSTALL_ROOT} -Dcom.ibm.SSL.ConfigURL=file:${WAS_HOME}/properties/ssl.client.props ${SOAPURL} your_class_file

6.Deploy the stand-alone JAR files and the administrative client applications and start the applications outside of a WebSphere Application Server environment.

=====================

Some Notes:

you can find a index.html detailing the application clients example

<was_app_cklinet_root>\samples\docs\Gallery\en\index.html

For example:

C:\ibm\appclient7\samples\docs\Gallery\en\index.html

======================

Different ways to use WAS properties in your Java applications:

There are two ways to refer to the WAS props files as required to connect to a secures WAS server ie Global security is turned on.

1. You can pass the following two commands as JVM arguments

-Dcom.ibm.SSL.ConfigURL=file:c:/mythinclient/properties/ssl.client.props

-Dcom.ibm.SOAP.ConfigURL=file:c:/mythinclient/properties/soap.client.props

These two commands provide all the required configuration for an SSL based configuration.

Note: You will need to specify the appropriate user.root=c:/mythinclient location in the ssl.client.props file.

This method is designed to be managed via a command line environment setup up script. Typically the standard IBM application client is setup via a command line bat/sh file to set appropriate JVM arguments as seen above.

2. Or you can specify all properties in the code for example:

// Set up a Properties object for the JMX connector attributes

Properties clientProps = new Properties();

clientProps.setProperty(

AdminClient.CONNECTOR_TYPE, AdminClient.CONNECTOR_TYPE_SOAP);

clientProps.setProperty(AdminClient.CONNECTOR_HOST, “localhost”);

clientProps.setProperty(AdminClient.CONNECTOR_PORT, “8880”);

clientProps.setProperty(AdminClient.CONNECTOR_SECURITY_ENABLED, “true”);

clientProps.setProperty(AdminClient.USERNAME, “wasadmin”);

clientProps.setProperty(AdminClient.PASSWORD, “wasadmin”);

clientProps.setProperty(“com.ibm.ssl.keyStoreFileBased”, “true”);

clientProps.setProperty(“com.ibm.ssl.trustStoreFileBased”, “true”);

clientProps.setProperty(“com.ibm.ssl.keyStore”, keyStoreFile);

clientProps.setProperty(“javax.net.ssl.keyStore”, keyStoreFile);

clientProps.setProperty(“com.ibm.ssl.keyStorePassword”, keyPassword);

clientProps.setProperty(“javax.net.ssl.keyStorePassword”, keyPassword);


if (keyStoreFile.endsWith(“.p12”) || keyStoreFile.endsWith(“.P12”))

        {

     clientProps.setProperty(“com.ibm.ssl.keyStoreType”, “PKCS12”);

     clientProps.setProperty(“javax.net.ssl.keyStoreType”, “PKCS12”);

        } else

        {

             clientProps.setProperty(“com.ibm.ssl.keyStoreType”, “JKS”);

             clientProps.setProperty(“javax.net.ssl.keyStoreType”, “JKS”);

        }

clientProps.setProperty(“com.ibm.ssl.trustStore”, trustStoreFile);

clientProps.setProperty(“javax.net.ssl.trustStore”, trustStoreFile);

clientProps.setProperty(“com.ibm.ssl.trustStorePassword”, trustPassword);

clientProps.setProperty(“javax.net.ssl.trustStorePassword”, trustPassword);

        if (trustStoreFile.endsWith(“.p12”) || trustStoreFile.endsWith(“.P12”))

        {

             clientProps.setProperty(“com.ibm.ssl.trustStoreType”, “PKCS12”);

             clientProps.setProperty(“javax.net.ssl.trustStoreType”, “PKCS12”);

        } else

        {

             clientProps.setProperty(“com.ibm.ssl.trustStoreType”, “JKS”);

             clientProps.setProperty(“javax.net.ssl.trustStoreType”, “JKS”);

        }

Test project – Testing an application connection

Java build path for my test projects is shown below

Notice all I am referencing is the two JARs as mentioned earlier in the documentation.

===========

You can use this code approach as you wish to use the IBM Application Client JAR files ie to get an AppClient object. However as I mentioned earlier it is possible to also connect using a Java client without expressly referring the AppClient object.. The next example shows how to do this.

References:

http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.base.iseries.doc/info/iseries/ae/rsec_sslclientpropsfile.html##

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply