-
Notifications
You must be signed in to change notification settings - Fork 587
-
Notifications
You must be signed in to change notification settings - Fork 587
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NPE in LTPAConfigurationImpl.loadConfig #7448
Comments
Discussed in #was-security: https://ibm-cloud.slack.com/archives/C324NP6H5/p1556903477018100 |
A few random thoughts, which may or may not be relevant:
|
It has to be determined why config admin provided a null value for the "expiration" attribute. |
The service is not passed the attribute values from metatype, [5/7/19 16:23:00:866 UTC] 00000020 id=26fe8f0b om.ibm.ws.security.token.ltpa.internal.LTPAConfigurationImpl > activate Entry |
Is the server configuration available to reproduce this? |
unzip the recreate.zip and run the |
Add the following to the end of your
This also has the added benefit of doing some work in your docker build to cache the configuration changes of your application so it doesn't have to happen each time you start a new container based on your image. |
An alternative work around is to not run the installUtility against your defaultServer configuration. Instead list the features you want to install, for example:
|
hey @tjwatson - I am curious as to why one of the workarounds is to install the features individually vs doing as fyi: the Docker images for OL and WL already have a docker server start / stop warmup optimization - which although don't have the application classes in the cache, do improve the startup considerably. They do add about 60-80 MB to the Docker layer though. So if you do another server warmup it would duplicate most of the cache and cause the image to be even more bloater - yes, it would then have a better cache, but probably not worth the double footprint hit. And, if would have to worry about changing the group permissions (see the last part of this command) |
When doing If instead you use
|
I tried the workaround of starting (with --clean) and stopping the server at the end of my Dockerfile (https://github.com/IBMStockTrader/trader/blob/master/Dockerfile), and it seems to be working. Thanks for the quick suggestion. I'll be happy to test the real fix whenever it's ready, and remove the workaround. Thanks again! |
So a working 19.0.0.4-based image of my Trader UI microservice is in DockerHub now, available via "docker pull ibmstocktrader/trader:latest". My colleague Greg Hintermeister is about to deploy it to IKS and try it. |
Tom will provide Docker to John to test. |
I provided John @jwalcorn with a Dockerfile in my fork of trader at https://github.com/tjwatson/trader/tree/LibertyIssue7448 This does require |
@jwalcorn - Let us know if the fix did pass verification and the issue can be closed. |
Just tested it built against the latest 19.0.0.5 GM-candidate Liberty build, without the workaround, and all is good! |
@jwalcorn - Thank you and Tom thank you too. Please close the issue since the code testing passed with the green release build. |
I've owned a simple Stock Trader application for the past couple of years. Almost all of the microservices run on Liberty in Docker containers on Kubernetes (I've run it in ICP, IKS, and OCP). All has been fine as I moved up to each new Liberty release, until the new 19.0.0.4 came out last week. First a tech sales guy reported it, then I reproduced the problem myself. All I have to do is build the Docker container for my
trader
UI microservice against 19.0.0.4, and the server will fail to start, with an NPE early on as the security service tries to initialize. If I go back to 19.0.0.3, all is fine. The log output is as follows:I'll attach the full messages.log, a trace.log with
*=info:com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all
, and my server.xml (the full code is in GitHub at https://github.com/IBMStockTrader/trader). Note my app actually uses JWT, not LTPA, but it appears Liberty loads the LTPA stuff whenever the security service starts. Please let me know if any other traces or other info are needed. I'm holding off on pushing 19.0.0.4-based images to DockerHub until this is fixed, so that at least the people just using the pre-built images are OK - but some people prefer to build it themselves, and they will be broken now.The text was updated successfully, but these errors were encountered: