Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | An unexpected exception occurred when trying to create or register an mBean. |
Action | There might be a problem with the configuration. The exception might include details. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | An unexpected error occurred during security initialization. |
Action | This is a general error. Look for previous messages that are related to SSL initialization or to a configuration problem. Enabling SSL=all=enabled debug trace might yield additional information. |
Explanation | The security object cannot be created from the repository. This is an internal error. The security.xml file might be corrupted or missing. |
Action | Contact your service representative. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: http://www.ibm.com/software/webservers/appserv/was/support/ WebSphere Application Server for z/OS Support page: http://www.ibm.com/software/webservers/appserv/zos_os390/support/ . |
Explanation | The specified resource could not be loaded due to an exception. |
Action | Check for a configuration problem related to the resource. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | When the server is running in FIPS mode, the IBMJCEFIPS provider should be listed in the java.security file, and positioned before the IBMJCE provider in the list. |
Action | To ensure FIPS algorithms usage for all WebSphere Application Server process types, uncomment the IBMJCEFIPS provider in the java.security file, check that it is positioned before the IBMJCE provider in the list, and renumber the provider list in sequential order. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | An unexpected error occurred while stopping the SSL component. |
Action | This is a general error. Look for previous messages that are related to the error or to a configuration problem. Enabling SSL=all=enabled debug trace might yield additional information. |
Explanation | A certificate is about to expire in the keystore. |
Action | Open the keystore and validate the expiration dates on all certificates in the keystore. Generate new certificates, if necessary. |
Explanation | A certificate is expired in the keystore. |
Action | Open the keystore and validate the expiration dates on all certificates in the keystore. Remove any expired certificates. |
Explanation | The type of keystore that has been configured is not valid for the specified alias. |
Action | Change the keystore type in the SSL configuration. |
Explanation | There might be a problem with the syntax of the ssl.client.props file or the location of the file might not be valid. |
Action | Review the error returned and check the syntax and location of the ssl.client.props file. |
Explanation | A class loading error occurred loading the custom trust manager that is configured. |
Action | Ensure the class can be found in the environment. |
Explanation | A class loading error occurred loading the custom key manager that is configured. |
Action | Ensure the class can be found in the environment. |
Explanation | An error occurred during the SSL handshake. It might require a signer export/import from the target host to the client TrustStore. |
Action | Review the extended error message from the TrustManager to determine what needs to change between the target SSL configuration and the client SSL configuration. |
Explanation | The certificate alias specified for this SSL configuration is not in the specified KeyStore. |
Action | Either add a certificate into the KeyStore with the specified certificate alias or change the specified certificate alias to match an alias found in the client KeyStore. |
Explanation | The certificate alias specified for this SSL configuration is not in the specified KeyStore. |
Action | Either add a certificate into the KeyStore with the specified certificate alias or change the specified certificate alias to match an alias found in the server KeyStore. |
Explanation | There was a classloading error trying to load the HTTPS URLStreamHandler class. |
Action | Check the SSL configuration to ensure the context provider is correct for the platform. |
Explanation | A change was made to the security.xml file. An error occurred when the system then tried to read the changed configuration. |
Action | Review the exception message text and verify the SSL configuration parameters are valid. |
Explanation | JSSE URL hostname verification checks that the X509 Certificate Common Name (CN) matches the hostname it is from. This hostname verification check is being set to be disabled by default for URL connections. |
Action | To enable default JSSE URL hostname verification, set the com.ibm.ssl.performURLHostNameVerification property to true. |
Explanation | The handshake protocol specified is not recognized as a valid handshake protocol. |
Action | Check the SSL configuration to ensure the correct handshake protocol is specified. |
Explanation | The SSL context provider specified is not recognized as a valid context provider. |
Action | Check the SSL configuration to ensure the correct SSL context provider is specified. |
Explanation | The DefaultKeyStores between cell and node will have exchange signers with corresponding DefaultTrustStores. An error occurred during this process. |
Action | A manual signer exchange might be required. |
Explanation | An error occurred while creating the file-based keystore or truststore during process initialization. |
Action | Check that the keystore or truststore settings in the ssl.client.props are current and valid. |
Explanation | An error occurred during process startup while creating this certificate. |
Action | Check that the default self-signed certificate property values (com.ibm.ssl.defaultCertReq*) are valid. |
Explanation | An error occurred while creating or opening the keystore. |
Action | Check the properties in the keystore configuration and ensure the keystore exists. |
Explanation | An error occurred while initializing the schedule. |
Action | Check that the properties for the scheduler are valid. Ensure the /etc directory is writable. |
Explanation | An error occurred reading the date from the schedule file in /etc. |
Action | Ensure the /etc directory is writable and the file has not been modified. |
Explanation | An error occurred sending email to the specified SMTP server. |
Action | Ensure the SMTP server specified is valid and that your company firewall policy allows sending to SMTP ports. |
Explanation | This information concerns certificate expiration. |
Action | You may need to manage certificates to resolve the reported problems. |
Explanation | A problem occurred starting the expiration monitor command task. |
Action | Try starting the expiration monitor directly to determine more information about the error. |
Explanation | The hostname must be entered in the hostlist in the same canonical format as it appears in the serverindex.xml file. |
Action | Edit the hostlist to convert it to the required canonical format. |
Explanation | The server SSL signer has to be added to the client trust store. The signers can either be downloaded autonatically from the server, or provided manually during the connection attempt. |
Action | Either run the retrieveSigners utility or enable the signer exchange prompt. |
Explanation | When the server starts for the first time as a stand-alone application server or in a Network Deployment configuration, each server creates a keystore and truststore for the default Secure Sockets Layer (SSL) configuration. When the server creates these files, by default, it uses WebAS for the password. |
Action | Do not use the default password in production. Change the default password for the keystore and the truststore by editing the ssl.client.props file. When you change the passwords in the ssl.client.props file, you must use the PropFilePasswordEncoder utility to re-encode the new passwords. |
Explanation | After creating a chained or self-signed certificate, the corresponding signer certificate could not be stored in the issued certificates key store. |
Action | Check the associated error information for the cause of the problem. |
Explanation | An error occurred while creating a chained certificate during process startup. |
Action | Check that the default chained certificate property values (com.ibm.ssl.defaultCertReq*) are valid and that a valid certificate exists in the root key store. |
Explanation | There is a configuration problem with custom encryption. |
Action | Review the exception and logs to identify and resolve the issue with custom encryption. |
Explanation | A custom encrypted password was received, but the necessary custom algorithm required to use it is not configured. |
Action | Configure the necessary custom algorithm. |
Explanation | It was not possible to get the initilization status of the specified HW crypto provider. |
Action | Ensure that the HW crypto provider is functioning and configured correctly. |
Explanation | It was not possible to get an instance of the specified HW crypto provider. |
Action | Ensure that the HW crypto provider is functioning and configured correctly. |
Explanation | It was not possible to get an instance of the specified HW crypto provider for the given reasons. |
Action | Ensure that the HW crypto provider is functioning and configured correctly. |
Explanation | Although UseFIPS has been enabled, the FIPS-approved cryptographic algorithms cannot be used because the SSL configuration is not using a FIPS-approved JSSE Provider. |
Action | To ensure the use of FIPS-approved cryptographic algorithms, modify the SSL configuration to use a FIPS-approved JSSE Provider. |
Explanation | The KeySet either does not have a keyGenerationClass defined, or it cannot find the keyGenerationClass, or a read-only KeyStore is associated with the KeySet, or the KeyStore does not allow the writing of secret keys. |
Action | Modify the configuration so that a proper keyGenerationClass is configured and a KeyStore type is configured that allows the writing of secret keys. |
Explanation | An error occurred while retrieving keys from the KeyStore for the specified KeySet. |
Action | Check that the KeySet configuration is correct. |
Explanation | Either the runtime could not find the key generation class configured for the KeySet or the class does not implement either com.ibm.websphere.crypto.KeyGenerator or com.ibm.websphere.crypto.KeyPairGenerator. |
Action | Ensure the key generation class configured is specified in a location that can be found by the application server runtime environment. Check the information center for specifying custom classes so that the runtime environment can find them. |
Explanation | The keys passed as input might not have been correctly formed or the keystore could not be accessed to store them. |
Action | Determine the cause based on the exception, then adjust the configuration accordingly. |
Explanation | A problem occurred while a new key reference was being created for the specified KeySetGroup. After the key reference was created in the configuration, the key was generated. One of these steps did not succeed. |
Action | Determine the cause based on the exception, then adjust the configuration accordingly. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | There's a problem writing to the specified log file. |
Action | Change the log file path or make sure the file specified is not in use. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | The remote keystore is not found. |
Action | Issue -listRemoteKeyStoreNames command to get the list of names. |
Explanation | The alias specified was not found in the truststore. |
Action | Issue -listRemoteKeyStoreNames command to get the list of names. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | The local keystore is not found. |
Action | Try issuing -listLocalKeyStoreNames command to get the list of names. |
Explanation | The start date of the certificate is not valid. |
Action | Ensure that the client clock matches up with the server clock. Otherwise, create a certificate with the proper start date. |
Explanation | The certificate has expired. |
Action | Replace the certificate with a valid certificate. |
Explanation | Check the command line to ensure the specified option is correct. |
Action | Check the usage help and retry after correcting the option. |
Explanation | Check the command line to ensure the specified options are correct. |
Action | Check the usage help and retry after correcting the option. |
Explanation | There are no SSL configuration properties set. The property 'com.ibm.SSL.ConfigURL' might not be set properly, or there might have been an error parsing the SSL client configuration. |
Action | Check the ssl.client.props file for errors and make sure 'com.ibm.SSL.ConfigURL' is set property. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | There is a problem writing to the specified log file. |
Action | Change the log file path to the correct log file, or make sure the file specified is not in use. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | The specified option is not correct. |
Action | Check the usage help, then retry after correcting the option. |
Explanation | A specified option is not correct. |
Action | Check the usage help, then retry after correcting the option. |
Explanation | An attempt to load the custom PKI client implementation failed because the class could not be found by the classloader. |
Action | Check that the custom class exists in the classes directory for your inatallation. |
Explanation | An attempt to load the custom PKI client implementation did not succeed because the class is not an instance of com.ibm.ws.ssl.WSPKIClient. |
Action | Check that the custom class implements com.ibm.ws.ssl.WSPKIClient. |
Explanation | The certificate specified is not a personal certificate. |
Action | Rerun the command with a personal certificate alias name. |
Explanation | The system could not receive the certificate from the Certificate Authority (CA) because the public keys do not match. |
Action | Rerun the command using a certificate retrieved from a Certificate Authority (CA) that was generated with the certificate request coming form this specified alias in this keystore. |
Explanation | The local keyStore is not found. |
Action | Check that the keyStore exists on the client and has an alias in ssl.client.props. |
Explanation | In order to receive a certificate in a keystore the public key of the certificate must match the public key of a certificate in the keystore. |
Action | Run the command with a certificate that has a public key that matches the public key of a certificate in the keystore. |
Explanation | The certificate request was not processed immediately by the Certificate Authority (CA) and must be obtained out-of-band. |
Action | Run queryCertificate to check on the status of the certificate and receive it if the request has been processed. |
Explanation | The value provided is not of the correct type. |
Action | Check the usage help and retry after correcting the type of the value. |
Explanation | A proper value was not provided on the command line. |
Action | Check the usage help, then retry after correcting the option. |
Explanation | An error occurred while initializing the Certificate Authority (CA) implementation. |
Action | Check the associated error message. |
Explanation | An error occurred while attempting to create a Certificate Authority (CA) signed certificate. |
Action | Check the associated error message. |
Explanation | An error occurred while attempting to revoke a Certificate Authority (CA)) signed certificate. |
Action | Check the associated error message. |
Explanation | An error occurred while attempting to query the certificate authority (CA) for a signed certificate. |
Action | Check the associated error message. |
Explanation | The system is trying to write a received certificate to a read-only keystore. |
Action | Specify a keystore that is writable. |
Explanation | The certificate request received from the Certificate Authority (CA) could not be stored successfully in the specified keystore. The certificate has therefore been revoked and you need to retry the request to obtain a new certificate. |
Action | Check the previous error messages related to storing the keystore, and correct the issues arising, then retry the certificate request. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | The PKCS10 certifcate request could not be created becasue of the specified error. |
Action | Check the message logs for details. |
Explanation | The system could not create the certificate request because the alias specified already exists in the keystore. |
Action | Specify another alias name. |
Explanation | The subjectDN supplied does not conform to the X500Principal standard. |
Action | Check the subjectDN and ensure that it is in the correct form. |
Explanation | One or more provided options were not recognized and will be ignored. |
Action | Check the command usage and ensure the arguments supplied are correct. |
Explanation | The custom attributes were not entered in the proper form. |
Action | Check the usage help, then retry after correcting the custom attributes. |
Explanation | The attribute passed to the implementation is null or not of the correct type. |
Action | Ensure that the required attribute is passed to the implementation. |
Explanation | The byte array of the certificate request is null. |
Action | Check that a valid certificate request byte array is passed to the implementation. |
Explanation | The byte array of the revocation password for this request is null. |
Action | Check that a valid revocation password byte array is passed to the implementation. |
Explanation | This exception is unexpected. The cause is not immediately known. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: http://www.ibm.com/software/webservers/appserv/was/support/ WebSphere Application Server for z/OS Support page: http://www.ibm.com/software/webservers/appserv/zos_os390/support/ . |
Explanation | The temporary file could not be written to the file system. |
Action | Ensure the path to the temporary file exists, is writable, and has space available. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | The specified error occurred when requesting the certificate. |
Action | Check the log file for detailed error information. |
Explanation | The specified error occurred when revoking the certificate. |
Action | Check the log file for detailed error information |
Explanation | The specified error occurred when querying the certificate. |
Action | Check the log file for detailed error information. |
Explanation | No valid certificate chain is available to the implementation. |
Action | Check that a valid certificate chain is being passed to the implementation. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | A request to revoke a Certificate Authority (CA) signed certificate has been issued. |
Action | Verify with the external Certificate Authority (CA) that the certificate has been successfully revoked. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | An error occurred adding the IBMJCEFIPS cryptographic module. Initialization of the server will continue, but SSL support may not be available. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: http://www.ibm.com/software/webservers/appserv/was/support/ WebSphere Application Server for z/OS Support page: http://www.ibm.com/software/webservers/appserv/zos_os390/support/ . |
Explanation | An error was encountered while creating the default SSL configuration. |
Action | If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: http://www.ibm.com/software/webservers/appserv/was/support/ WebSphere Application Server for z/OS Support page: http://www.ibm.com/software/webservers/appserv/zos_os390/support/ . |
Explanation | The SSL certificate does not exist and will be generated automatically. This may take a few seconds. Any services requiring SSL will not start until the SSL certificate has been generated and the configuration is ready. |
Action | No action is required. |
Explanation | The SSL certificate was generated in the amount of time specified. |
Action | No action is required. |
Explanation | The SSL certificate could not be created at the specified location. |
Action | Ensure the location is accessible by the server process. Any FFDCs may indicate a fatal error in generating or loading the keys. |
Explanation | The keystore configuration does not specify a password for the default keystore. |
Action | Modify the default keystore configuration to specify a password. |
Explanation | The keystore configuration does not contain all the information needed. |
Action | Modify the keystore configuration object to contain the keystore's location and type. |
Explanation | The keystore location references a location that does not exist. |
Action | Change the keyStore location to a file that valid path. |
Explanation | The keystore configuration requires a password of at least 6 characters in order to create the default keystore. |
Action | Modify the default keystore configuration to specify a password of at least 6 characters. |
Explanation | The keystore file does not exist or the keystore type or password is not correct so any SSL configuration that references the keystore will is not be usable. |
Action | Fix the problem with the keystore configuration. |
Explanation | This message is for informational purposes only. |
Action | No action is required. |
Explanation | The keystore file specified was modified and the runtime will start using the updated keystore file. |
Action | No action is required. |
Explanation | There was an error while trying to recover the key from the keystore file. There may be a problem with the key or the key password is not correct. |
Action | Check the keystore to make sure the key entry exists and make sure the correct password is configured to access the key entry. |
Explanation | There was an error while trying to initialize the keymanager. Unable to create an SSLContext when the private key password is not correct or when a keystore that has multiple keys with different passwords. |
Action | Ensure the private key password is correct and the keystore does not have multiple keys with different passwords before using the keystore for SSL connections. |
Explanation | There is something wrong with the hardware configuration preventing the keystore from being useable. If there is an SSL configuration that is referencing this keystore it will not be useable. |
Action | Ensure that the hardware configuration file contains the required attributes, name and library. Make sure other attributes in the configuration file follow the hardware device specification. |
Explanation | Conflicting OutboundConnection elements are defined in the server configuration. To determine the outbound SSL configuration, the server uses the first OutboundConnection element that it processes. |
Action | Review the conflicting OutboundConnection elements in the server configuration, and remove the element that you do not need. |
Explanation | The outboundConnection element with an asterisk (*) as the host and port is in conflict with the outboundSSLRef attribute that is configured. The server uses the SSL configuration that is specified by the outboundSSLRef attribute. |
Action | Review the conflicting configuration and determine which configuration to use as the default SSL configuration. Remove the configuration that you do not need. |
Explanation | SSL initialization has been attempted because the ssl feature has been loaded. The initialization could not complete, because the default SSL configuration expects a keystore element with the specified id value and a password. The keyStore element is missing, or the password is not specified. |
Action | If SSL is not required, this message can be ignored. If SSL is required, review the configuration and either add the missing keystore, or change the default SSL configuration to use a different keystore. |
Explanation | The default SSL configuration expects a keystore element, which does not exist. |
Action | Review the configuration and either change the configuration to reference an existing keystore, or define the referenced keystore. |