PK07547: STOPSERVER OR WSADMIN SOAPCONNECTOR THROWS INVALID KEYSTORE FORMAT EXCEPTION FOR PKCS12 KEYSTORE TYPE.

APAR status
Closed as program error.

Error description
stopServer or wsadmin: SoapConnector throws Invalid keystore
format exception for PKCS12 keystore type.

WebSphere admin scripts like stopServer and wsadmin uses
soap.client.props to communicate with DMGR or appservers.
If these servers are configured SSL with non default JKS
keystore type (like PKCS12), the stopServer/wsadmin will throw
Invalid keystore format exception even after setting
keystoretype in soap.client.props file.

The stopServer with trace option the exception thrown is below.

[6/2/05 14:48:51:414 CEST]  7036705 SOAPConnector < reconnect
                                 [SOAPException:
fault code=SOAP-EN:Client; mig=Error opening socket:
java.net.SocketException: Invalid keystore format;
targetException=java.lang.IllegalArgumentException: Error
opening
socket: java.net.SocketException: Invalid keystore format]
Local fix Problem summary
****************************************************************
* USERS AFFECTED: Websphere Application server version 5.0.2   *
*                 and 5.1 users who use Key File Format:       *
*                 PKCS12 and Trust File Format: PKCS12,        *
*                 while setting SSL security and using SOAP    *
*                 as the preferred connector.                  *
****************************************************************
* PROBLEM DESCRIPTION: If you set  Key File Format: PKCS12     *
*                      and Trust File Format: PKCS12           *
*                      while setting SSL security then you     *
*                      get a connector exception if using      *
*                      SOAP Connector.                         *
*                                                              *
*                                                              *
*                      Soap connector does not work,that is,   *
*                      if wsadmin -conntype SOAP won't work,   *
*                      neither would stopServer/stopManager    *
*                      work with SOAP connector.               *
*                      It would fail with an "Invalid          *
*                      keystore format" error.                 *
*                      However, RMI connector works fine       *
*                      (try either starting a wsadmin, or      *
*                      stopServer/stopManager commands)        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
To recreate:
-- start administrative console, go to Security -->
SSL Configuration Repertoires,
pick the one used by the SOAP connector
(server.xml contains the
sslConfig property for SOAPConnector)
-- update the following fields:
    Key File Name: <location of key.p12 file>
    Key FIle Password: ikjune10
    Key File Format: PKCS12
    Trust File Name: <location of key.p12 file>
    Trust File Password: ikjune10
    Trust File Format: PKCS12
-- save and enable security
-- restart server
-- update sas.client.props file.
  The following fields need change:
    com.ibm.ssl.keyStoreType=PKCS12
    com.ibm.ssl.keyStore=<location of key.p12 file>
    com.ibm.ssl.keyStorePassword=ikjune10
    com.ibm.ssl.trustStoreType=PKCS12
    com.ibm.ssl.trustStore=<location of key.p12 file>
    com.ibm.ssl.trustStorePassword=ikjune10
-- update soap.client.props file.
  The following fields need change:
    com.ibm.ssl.keyStoreType=PKCS12
    com.ibm.ssl.keyStore=<location of key.p12 file>
    com.ibm.ssl.keyStorePassword=ikjune10
    com.ibm.ssl.trustStoreType=PKCS12
    com.ibm.ssl.trustStore=<location of key.p12 file>
    com.ibm.ssl.trustStorePassword=ikjune10

You will find soap connector does not work. If wsadmin
-conntype SOAP won't work, neither would stopServer/stopManager
work with SOAP connector. It would fail with an "Invalid
keystore format" error.
Problem conclusion
Code has been changed to handle this issue. The following lines
have been added to provide keyStoreType and trustStoreType
in soap.client.props

com.ibm.ssl.keyStoreType=PKCS12
com.ibm.ssl.trustStoreType=PKCS12


The fix for this APAR is currently targeted for inclusion
in fixpack 5.0.2.13 and  5.1.1.7.
Please refer to the Recommended Updates page for delivery
information:

http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix Comments
APAR information
APAR number PK07547
Reported component name WAS BASE 5.0
Reported component ID 5630A3600
Reported release 10I
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2005-06-17
Closed date 2005-08-11
Last modified date 2005-08-11

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
ADMINJMX          

Publications Referenced

Fix information
Fixed component name WAS BASE 5.0
Fixed component ID 5630A3600

Applicable component levels
R003 PSY    UP
R00A PSY    UP
R00H PSY    UP
R00I PSY    UP
R00P PSY    UP
R00S PSY    UP
R00W PSY    UP
R103 PSY    UP
R10A PSY    UP
R10H PSY    UP
R10I PSY    UP
R10P PSY    UP
R10S PSY    UP
R10W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 10I
Software edition:
Reference #: PK07547
IBM Group: Software Group
Modified date: Aug 11, 2005