Synchronization failure caused by SSLHandshakeException
 Technote (troubleshooting)
 
Problem (Abstract)
Attempting to synchronize the node fails with ADMS0005E and ADMC0053E errors and SSLHandshakeException exceptions.
 
Symptom
The nodeagent systemout.log shows:

ADMS0005E: The system is unable to generate synchronization request:
com.ibm.websphere.management.exception.AdminException: Admin client
connection to deployment manager is unavailable
 .
Caused by: com.ibm.websphere.management.exception.ConnectorException:
ADMC0053E: The system cannot create a SOAP connector to connect to host
.
Caused by: java.lang.reflect.InvocationTargetException
.
Caused by: com.ibm.websphere.management.exception.
 ConnectorNotAvailableException: [SOAPException:
  faultCode=SOAP-ENV:Client; msg=Error opening socket:
  javax.net.ssl.SSLHandshakeException:
  java.security.cert.CertificateException: Certificate not Trusted;
  targetException=java.lang.IllegalArgumentException: Error opening
  socket: javax.net.ssl.SSLHandshakeException:
  java.security.cert.CertificateException: Certificate not Trusted]
 .
 Caused by: [SOAPException: faultCode=SOAP-ENV:Client;
 msg=Error opening socket: javax.net.ssl.SSLHandshakeException:
 java.security.cert.CertificateException: Certificate not Trusted;
 targetException=java.lang.IllegalArgumentException:
 Error opening socket: javax.net.ssl.SSLHandshakeException:
 java.security.cert.CertificateException: Certificate not Trusted]
 
Cause
The SSL configuration repertoires in use do not all reference the same key files (jks).
The key files in use are defined in the repertoires, which are displayed in the Administrative Console
by selecting Security > SSL.
 
Resolving the problem
To change the files used in the repertoires, complete the following steps:
  • Versions 5.0, 5.1 and 6.0
    1. Log on to the Administrative Console
    2. Click Security > SSL
    3. Select a Repertoire being used
    4. Enter the correct values for:
      Key File Name
      Key File Password
      Trust File Name
      Trust File Password
    5. Repeat for each repertoire being used
    6. Click Apply and Save the changes
    7. If necessary, disable global security to synchronize these changes to the nodeagent
    8. Restart the nodeagent
    9. Enable global security

    The synchronization should start working.

  • Version 6.1
    1. Log on to the Administrative Console
    2. Click Security > SSL certificate and key management > SSL configurations
    3. Select an SSL Configuration being used
    4. Change the Keystore and Trust store names as appropriate. If you are not sure which one to select, click on "Key stores and certificates" to see what the actual keystore and trust store are.
    5. Repeat for each repertoire being used
    6. Click Apply and Save the changes
    7. If necessary, disable global security to synchronize these changes to the nodeagent
    8. Restart the nodeagent
    9. Enable global security

    The synchronization should start working.

If this does not allow you to synchronize the node, something might be setting a system property that makes CACERTS the default key store and trust store. The solution to this is described in technote #1227028, "KeyRingFileException when server starts". To resolve it, define the system properties that point to your key store and trust store by following these steps:
  1. Log on to the Administrative Console
  2. Click System Administration > Node Agents > Node Agent
  3. Under Server Infrastructure expand Java™ and Process Management
  4. Click Process Definition
  5. Click Java Virtual Machine
  6. Click Custom Properties
  7. Click "New" to add a new property:

    In the name field, enter javax.net.ssl.trustStore
    In the value field, enter the full path and name to your trust store file
  8. Click Apply and Save the changes
  9. Repeat to add these 3 properties:

    name: javax.net.ssl.trustStorePassword
    value: <password>

    name: javax.net.ssl.keyStore
    value: <Full path to key store file>

    name: javax.net.ssl.keyStorePassword
    value: <password>
  10. Apply and Save the changes
  11. If necessary, disable global security to synchronize these changes to the nodeagent
  12. Restart the nodeagent
  13. Enable global security

The synchronization should start working.
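
To confirm the cause before or after changing a repertoire, you can check whether the personal certificates in one key file are trusted by the signers in another trust file, which is the condition behind "Certificate not Trusted". This is an added example, not IBM code: the class name RepertoireTrustCheck and its two arguments are hypothetical, both files are assumed to be JKS, and it needs Java 7 or later.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;

// Added example: is each personal certificate in a JKS key file trusted by a JKS trust file?
public class RepertoireTrustCheck {
    static KeyStore load(String path) throws Exception {
        Console console = System.console(); // prompt, so passwords stay out of argv
        if (console == null) throw new IllegalStateException("needs an interactive terminal");
        char[] password = console.readPassword("Password for %s: ", path);
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: both files are JKS
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }
    // Alias of the trust-file entry that anchors the chain, or null if none does.
    static String findAnchor(Certificate[] chain, KeyStore trust) throws Exception {
        for (Certificate c : chain) {
            String alias = trust.getCertificateAlias(c); // exact certificate is present
            if (alias != null) return alias;
        }
        Certificate top = chain[chain.length - 1];
        for (String alias : Collections.list(trust.aliases())) {
            Certificate signer = trust.getCertificate(alias);
            if (signer == null) continue;
            try {
                top.verify(signer.getPublicKey()); // top of chain was issued by this signer
                return alias;
            } catch (Exception notThisSigner) { /* try the next trust entry */ }
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        if (args.length != 2) throw new IllegalArgumentException("usage: RepertoireTrustCheck <keyFile> <trustFile>");
        KeyStore keys = load(args[0]);
        KeyStore trust = load(args[1]);
        int untrusted = 0;
        for (String alias : Collections.list(keys.aliases())) {
            Certificate[] chain = keys.getCertificateChain(alias); // null for signer entries
            if (chain == null || chain.length == 0) continue;
            String anchor = findAnchor(chain, trust);
            if (anchor == null) untrusted++;
            System.out.println(alias + ": " + (anchor == null ? "NOT TRUSTED" : "trusted via " + anchor));
        }
        System.exit(untrusted == 0 ? 0 : 1);
    }
}
```

Run it with the key file from one repertoire and the trust file from another; an exit code of 1 means at least one personal certificate has no matching signer. It does not check certificate expiry or revocation.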
 
 
Cross Reference information
Segment              Product                       Component  Platform  Version  Edition
Application Servers  Runtimes for Java Technology  Java SDK
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): Windows
Software version: 6.1
Software edition:
Reference #: 1233153
IBM Group: Software Group
Modified date: Mar 24, 2006