PQ95282: ADMIN CONSOLE LOCKS UP. USING LDAP SECURITY WITH SSL AFTER PQ90945

 Fixes are available

PQ95282; 5.1.1.1: Administrative console locks up using LDAP
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for AIX
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Windows
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for HP-UX
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Solaris
5.1.1.6: WebSphere Application Server Version 5.1.1 Cumulative Fix 6
5.1.1.7: WebSphere Application Server Version 5.1.1 Cumulative Fix 7
5.1.1.4: WebSphere Application Server Version 5.1.1 Cumulative Fix 4
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Linux



APAR status
Closed as program error.

Error description
Environment:
WebSphere Application Server Version 5.1.1 cumulative fix 1
(V5.1.1.1).
Global Security is enabled.
User Registry is LDAP.
Using SSL to communicate between WAS and LDAP.

Scenario 1:
- Logon to Administrative Console.
- After 10-15 minutes the console locks up.
- Need to recycle Deployment Manager to clear it up.

Scenario 2:
- Logon to Administrative Console with incorrect user id.
- No one is able to login with correct user.
- Need to recycle Deployment Manager to clear it up.

Message issued in the log:
SECJ0336E:
Authentication failed for user
Root exception is java.io.IOException: Keystore was tampered
with, or password was incorrect
 at java.security.KeyStore.load(KeyStore.java:695)
 at com.ibm.ws.ssl.SSLConfig.getSSLContext(SSLConfig.java:882)

Other possible messages that are resolved with this APAR:

SSLConfig     d Exception getting SSL context:
Keystore was tampered with, or password was incorrect
 java.io.IOException: Keystore was tampered with, or password
 was  incorrect
  at com.ibm.crypto.provider.JavaKeyStore.engineLoad
  at java.security.KeyStore.load(KeyStore.java:695)
  at com.ibm.ws.ssl.SSLConfig.getKeyStore(SSLConfig.java:1063)
  at com.ibm.ws.ssl.SSLConfig.getSSLContext(SSLConfig.java:882)
  at com.ibm.ws.ssl.SSLConfig.getServerSocketFactory(SSLConfig
  at com.ibm.ws.ssl.SSLServerSocketFactory.createServerSocket
  at com.ibm.ws.http.HttpTransport.initialize(HttpTransport.
   ...
SRVE0146E: Failed to Start Transport on host *, port 9443. The
most likely cause is that the port is already in use. Please
ensure that no other applications are using this port and
restart the server. com.ibm.ws.webcontainer.exception.
TransportException: Failed to start transport https:
java.io.IOException: Keystore was tampered with, or password
was incorrect

Local fix

Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users who have  *
*                 enabled global security and have configured  *
*                 LDAP to use SSL.                             *
****************************************************************
* PROBLEM DESCRIPTION: The Administration Console may hang.    *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When Global Security is enabled with LDAP as the user registry
and SSL is used to communicate between WAS and LDAP, the
following might happen.

Scenario 1:
- Logon to Administrative Console.
- After 10-15 minutes the console locks up.
- Need to recycle Deployment Manager to clear it up.

Scenario 2:
- Logon to Administrative Console with incorrect user id.
- No one is able to login with correct user.
- Need to recycle Deployment Manager to clear it up.

The error log will show:
SECJ0336E:
Authentication failed for user
Root exception is java.io.IOException: Keystore was tampered
with, or password was incorrect

The reason for this was that the Keystore and Truststore
passwords were masked to prevent them from being displayed
in FFDC data.  This masking inadvertently changed the
password used by the runtime.

Problem conclusion
Keystore and Truststore passwords, as well as other SSL config
data, are no longer logged at all, removing the need for masking
the password.
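
The failure mode described above, reproduced as an added example (not IBM's code and not taken from the APAR): a diagnostic dump that masks a keystore password in the live configuration object breaks the next keystore load, while a dump taken from a copy with the secret omitted does not. The class name, method names, the `keyStorePassword` property name and the sample password are hypothetical, and the standard JDK JKS keystore stands in for the WebSphere SSL configuration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.Properties;

public class MaskedPasswordDemo {
    static final String PW_KEY = "keyStorePassword"; // hypothetical property name

    // Buggy pattern: masks the secret in the live configuration before dumping it.
    static String dumpMaskingInPlace(Properties live) {
        live.setProperty(PW_KEY, "********");
        return live.toString();
    }

    // Safer pattern: the dump works on a copy and leaves the secret out entirely.
    static String dumpRedactedCopy(Properties live) {
        Properties copy = new Properties();
        copy.putAll(live);
        copy.remove(PW_KEY);
        return copy.toString();
    }

    // Stand-in for the runtime opening its keystore with the configured password.
    static String tryLoad(byte[] jks, Properties cfg) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try {
            ks.load(new ByteArrayInputStream(jks), cfg.getProperty(PW_KEY).toCharArray());
            return "loaded";
        } catch (IOException e) {
            return "IOException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty in-memory JKS keystore with a made-up password.
        char[] realPw = "constructed-sample-pw".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, realPw);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, realPw);
        byte[] jks = out.toByteArray();

        Properties cfg = new Properties();
        cfg.setProperty(PW_KEY, new String(realPw));
        cfg.setProperty("keyStoreType", "JKS");

        System.out.println("diag (copy):     " + dumpRedactedCopy(cfg));
        System.out.println("load after copy: " + tryLoad(jks, cfg));
        System.out.println("diag (in place): " + dumpMaskingInPlace(cfg));
        System.out.println("load after mask: " + tryLoad(jks, cfg));
    }
}
```

The load after the copy-based dump succeeds; the load after the in-place mask fails with an `IOException` from `KeyStore.load`, and every later load from the same configuration object fails the same way until the configuration is re-read.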

Temporary fix

Comments

APAR information
APAR number: PQ95282
Reported component name: WAS NETWRK DEPL
Reported component ID: 5630A3601
Reported release: 003
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-10-04
Closed date: 2004-10-08
Last modified date: 2005-10-13

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced

Fix information

Applicable component levels
R003 PSY    UP
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00S PSY    UP
R00W PSY    UP
R103 PSY    UP
R10A PSY    UP
R10H PSY    UP
R10I PSY    UP
R10P PSY    UP
R10S PSY    UP
R10W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 003
Software edition:
Reference #: PQ95282
IBM Group: Software Group
Modified date: Oct 13, 2005