Problem (Abstract)
On 17 March 2005, 2:08:18 PM CST, dummy key files shipped
with IBM WebSphere Application Server V5.0 through V5.0.2.2 will expire.
If your security is enabled using these expired certificates, your servers
will not initialize and your running servers will stop operating.

Resolving the problem
Problem details
If you configured WebSphere Application Server to use security and have
not configured new SSL trust and key stores, you are affected by the
following problems:
- The following error messages will appear in the
SystemOut.log file during server start:
    [9/29/50 12:59:45:172 CDT] 36640dee KeyStoreKeyLo E WSEC5156E: An exception while retrieving the key from KeyStore object: java.security.cert.CertificateExpiredException: NotAfter: Sat Oct 01 04:54:06 CDT 2011
        at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:284)
        at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:425)
        at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:398)
        at com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator.validateCert(KeyStoreKeyLocator.java:266)
- When the certificates expire, the following message is
received in the SystemOut.log file for the server:
    [8/7/05 12:57:33:375 CDT] c1e56e2 SASRas E JSAS0455E: ERROR in sasOutboundSSLConfig: The certificate with alias websphere dummy server from keyStore C:\was\5.0.2\AppServer/etc/DummyServerKeyFile.jks is expired.
- Three other similar errors will occur.
The default certificates for WebSphere Application Server V5.0 through
V5.0.2.2 expire on 17 March 2005, 2:08:18 PM CST.
Note: This certificate expiration can be extended to 2021 by
installing PQ77264, delivered in Cumulative Fix V5.0.2.3, as well as in
the V5.1 release. The fixes are available for download at Recommended
Updates for WebSphere Application Server.
- These certificates are not supported for production
environments. Do not use these certificates if IIOP over SSL and HTTPS
communications must be secure.
- This problem affects anyone using security or using SSL in
the plug-in, who has not applied new SSL trust and key stores.
- Once you change your certificates, your client-side
programs might be affected. You might need to update your sas.client.props
and soap.client.props files to point to the new certificates.
Note: If you are not certain which certificates you are using for
WebSphere Application Server, or when they expire, you can use the ACert
tool to check SSL certificates for expiration dates.
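The two SystemOut.log messages quoted under Problem details can be picked out mechanically when triaging a server that will not start. The following is an added example, not IBM code: the function names are hypothetical, the message IDs and keystore path are the ones shown above, and the sample log is constructed from those entries.

```python
import re

# Message IDs and sample text come from the technote; the helper names are illustrative.
EXPIRY_IDS = {"WSEC5156E", "JSAS0455E"}
ENTRY_START = re.compile(r"^\[\d{1,2}/\d{1,2}/\d{2} [\d:]+ \w+\]")
MSG_ID = re.compile(r"\b([A-Z]{4}\d{4}E):")
JSAS_DETAIL = re.compile(r"alias\s+(.+?)\s+from keyStore\s+(\S+)\s+is expired")
NOT_AFTER = re.compile(r"CertificateExpiredException:\s*NotAfter:\s*(.+?\d{4})")

def group_entries(lines):
    """Fold wrapped text and stack frames into the timestamped entry they belong to."""
    entries = []
    for line in (l.strip() for l in lines if l.strip()):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def find_expired_cert_events(lines):
    """Return one dict per expired-certificate message found in SystemOut.log lines."""
    events = []
    for entry in group_entries(lines):
        m = MSG_ID.search(entry)
        if not m or m.group(1) not in EXPIRY_IDS:
            continue
        event = {"id": m.group(1), "alias": None, "keystore": None,
                 "not_after": None, "dummy_keystore": False}
        detail = JSAS_DETAIL.search(entry)
        if detail:
            event["alias"], event["keystore"] = detail.groups()
            name = re.split(r"[\\/]", event["keystore"])[-1].lower()
            # Shipped dummy key files (dummy*.jks) are the ones this technote is about.
            event["dummy_keystore"] = name.startswith("dummy") and name.endswith(".jks")
        expiry = NOT_AFTER.search(entry)
        if expiry:
            event["not_after"] = expiry.group(1)
        events.append(event)
    return events

# Constructed sample: the two entries quoted above (wrapped) plus one unrelated line.
SAMPLE_LOG = r"""
[9/29/50 12:59:45:172 CDT] 36640dee KeyStoreKeyLo E WSEC5156E: An exception while retrieving the key from KeyStore
object: java.security.cert.CertificateExpiredException: NotAfter: Sat Oct 01 04:54:06 CDT 2011
    at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:284)
[8/7/05 12:57:30:100 CDT] c1e56e2 WsServer A WSVR0001I: Server server1 open for e-business
[8/7/05 12:57:33:375 CDT] c1e56e2 SASRas E JSAS0455E: ERROR in sasOutboundSSLConfig: The certificate with alias
websphere dummy server from keyStore C:\was\5.0.2\AppServer/etc/DummyServerKeyFile.jks is expired.
"""
```

Call `find_expired_cert_events(SAMPLE_LOG.splitlines())` to get one record per expiry message; a record with `dummy_keystore` set means the server is still running on the shipped dummy key file.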
Solution for WebSphere Application Server
To fix this problem, do one of the following:
- Apply the Interim Fix for APAR PQ77264.
This upgrades the certificates for WebSphere Application Server V5.0
through V5.0.2.2. These new certificates expire in 2021.
- Upgrade to WebSphere Application Server Fix Pack 5.0.2.3
or higher (see Recommended
Updates). The default certificates provided by the product expire in
2021.
- Follow the instructions for creating
custom SSL Key files.
Note: It is recommended that you test applications with V5.0.2.3
or higher before promoting this fix into a production environment.
Unique solution for WebSphere Application Server for z/OS
This problem applies to WebSphere Application Server V5.0 for z/OS if one
of the following conditions is true:
- A cell does not have PTF W502000 applied.
- If you are above PTF W502000 and have not applied APAR PQ83348
and followed its instruction to change to the RACF supported keyring
security approach.
- If you are at PTF W502000 and chose not to change to the RACF supported
keyring security approach:
- Upgrade and switch to the RACF supported keyring security approach (see
APAR PQ83348 for directions)
- Remove the dummy*.jks files and replace with...proper security files
with instructions at: .x.x.x.x.x.x
- For complete instructions for configuring SSL support, see the WebSphere
Application Server Information Center for V5.0 on z/OS

Cross Reference information
Segment | Product | Component | Platform | Version | Edition
Application Servers | WebSphere Application Server for z/OS | Security | z/OS | 5.0 |
Organizational Productivity - Portals & Collaboration | WebSphere Portal | Security | | |
Messaging Applications | Lotus Domino | WebSphere Application Server Integration | | |
Application Servers | WebSphere Application Server Enterprise | Security | | |
Business Integration | WebSphere Studio Application Developer Integration Edition | General | | |
Application Servers | WebSphere Application Server - Express | Security | | |
Business Integration | WebSphere Adapters | | | |
Application Servers | Runtimes for Java Technology | Java SDK | | |