TroubleShooting: SSL/JSSE problems for Versions 5.0 and 5.1
 Technote (troubleshooting)
 
Problem (Abstract)
Troubleshooting steps for problems with the WebSphere® Application Server SSL/JSSE component. These steps can help you resolve common issues with this component before calling IBM support, saving you time.
 
Resolving the problem
Getting background information on SSL/JSSE
What type of SSL connection are you trying to create? This affects the key and trust store used by WebSphere, and where the files to be used are set.
  • Enabling security - Nodeagent to Deployment Manager SSL communication:
    SSL Repertoire is set in the Administrative Console under System Administration -> dmgr -> JMX Connectors -> SOAPConnector -> Custom Properties -> sslConfig

  • SSL Between WebSphere and LDAP server
    SSL Repertoire is set in the Administrative Console under Security -> User Registries -> LDAP

  • SSL Between Java Client and WebSphere Server
    SSL Repertoire is set in the Administrative Console under Security -> Authentication Protocol -> CSIv2 Inbound/Outbound Transport

    If the Java client uses SAS to connect to WebSphere, the SAS Inbound/Outbound Transport settings are in the same area.

  • SSL Request from Web Client (Browser) to WebSphere Server
    SSL Repertoire is set in the Administrative Console under Servers -> Application Servers -> <servername> -> Web Container -> HTTP Transports. Each transport with SSL enabled will have its own SSL Repertoire to set.

  • SSL outbound connection from an application running in WebSphere Application Server to another server.
    Unless the javax.net.ssl.keyStore and javax.net.ssl.trustStore properties are set by your application, the default keystore and truststore file is <WAS_HOME>/java/jre/lib/security/cacerts. There is no WebSphere SSL Repertoire to set for this type of connection.

Other information on SSL:
  • SSL and Public-Key Overviews
    http://developer.mozilla.org/en/docs/Introduction_to_Public-Key_Cryptography
    http://developer.mozilla.org/en/docs/Introduction_to_SSL
  • SSL Repertoires in WebSphere
    http://publib.boulder.ibm.com/infocenter/ws51help/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_sslrep.html
  • SSL + LDAP
    http://publib.boulder.ibm.com/infocenter/ws51help/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_ssldap.html
  • SSL + IHS
    http://publib.boulder.ibm.com/infocenter/ws51help/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_rwsplug.html

Secure Sockets Layer provides the following…
  • Server can authenticate itself to a client
  • Client can authenticate itself to a server
  • An encrypted connection between the server and client
Public-Key Encryption
  • Uses a public key/private key to decrypt data
  • Is used during authentication of the server/client in SSL
  • Not used for data transfer due to the amount of computation needed
Symmetric-Key Encryption
  • Uses the same key on both the server and client
  • Key must be kept secret
  • Allows for two-way encryption/decryption

TroubleShooting steps to help resolve SSL/JSSE problems
  • Are you trying to replace the Dummy Key and Trust Files with your own certificates?

Yes - refer to Creating Custom Secure Socket Layer (SSL) Key Files for V5.0 using Self-Signed Certificates (GSK 5)

No - Move to next question

  • Are you receiving an 'unknown certificate' error?

Yes - refer to Outbound JSSE (SSL) calls fail in Network Deployment environment with Global Security enabled

Yes - Ensure that your signer certificate is loaded in your trust file or cacerts.

No - Move to next question

  • Are you receiving an 'expired certificate' error?

Yes - refer to Expired Verisign Certificates in "cacerts" File for WebSphere Application Server V5.1

Yes - Open all key files, remove any expired certificates

No - Move to next question

  • Are you receiving a 'no certificate' error?

Yes - Make sure 'client authentication' is unchecked in the administrative console for the SSL Repertoire.
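
The 'unknown certificate' and 'expired certificate' checks above can be run against a copy of a key or trust file with a small standalone Java program. This is an added example, not IBM code: the class name TrustStoreCheck, the argument order and the defaults (the running JRE's cacerts and the stock "changeit" password) are assumptions, and it is written for a current JDK rather than the one shipped with WebSphere.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;

public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Assumed defaults: the running JRE's cacerts and the stock "changeit" password.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        // Optional third argument: the certificate the peer presented (PEM or DER file).
        X509Certificate peer = null;
        if (args.length > 2) {
            try (InputStream in = new FileInputStream(args[2])) {
                peer = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            }
        }
        Date now = new Date();
        boolean signerFound = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            if (now.after(x.getNotAfter())) { // candidate for removal from the key file
                System.out.println("EXPIRED  " + alias + "  notAfter=" + x.getNotAfter());
            }
            if (peer != null && !signerFound) {
                try {
                    peer.verify(x.getPublicKey()); // succeeds only if this entry signed the peer certificate
                    signerFound = true;
                    System.out.println("SIGNER   " + alias + " signed " + peer.getSubjectX500Principal());
                } catch (Exception notThisOne) { /* wrong key or algorithm: try the next entry */ }
            }
        }
        if (peer != null && !signerFound) {
            System.out.println("No entry in " + path + " signed " + peer.getSubjectX500Principal());
        }
    }
}
```

The signer check only looks for the direct issuer of the supplied certificate; if the peer's chain includes an intermediate certificate, pass that intermediate as the third argument to check the next link.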

What to do Next?

If the above steps did not solve your problem, please see the MustGather for SSL/JSSE problems to continue investigation.

 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Platform:
Version:
Edition:
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): AIX
Software version: 5.1
Software edition:
Reference #: 1236641
IBM Group: Software Group
Modified date: Aug 23, 2007