Problem (Abstract)
Attempting to synchronize the node fails with ADMS0005E
and ADMC0053E errors and SSLHandshakeException exceptions.

Symptom
The nodeagent systemout.log shows:
ADMS0005E: The system is unable to generate synchronization request:
com.ibm.websphere.management.exception.AdminException: Admin client
connection to deployment manager is unavailable
.
Caused by: com.ibm.websphere.management.exception.ConnectorException:
ADMC0053E: The system cannot create a SOAP connector to connect to host
.
Caused by: java.lang.reflect.InvocationTargetException
.
Caused by: com.ibm.websphere.management.exception.
ConnectorNotAvailableException: [SOAPException:
faultCode=SOAP-ENV:Client; msg=Error opening socket:
javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Certificate not Trusted;
targetException=java.lang.IllegalArgumentException: Error opening
socket: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Certificate not Trusted]
.
Caused by: [SOAPException: faultCode=SOAP-ENV:Client;
msg=Error opening socket: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Certificate not Trusted;
targetException=java.lang.IllegalArgumentException:
Error opening socket: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Certificate not
Trusted]

Cause
The SSL configuration repertoires in use do not all use the same key files (JKS).
The key files in use are defined in the repertoires, which the
Administrative Console displays under Security > SSL.

Resolving the problem
To change the files used in the repertoires,
complete the following steps:
- Versions 5.0, 5.1 and 6.0
  - Log on to the Administrative Console
  - Click Security > SSL
  - Select a Repertoire being used
  - Enter the correct values for:
    Key File Name
    Key File Password
    Trust File Name
    Trust File Password
  - Repeat for each repertoire being used
  - Click Apply and Save the changes
  - If necessary, disable global security to synchronize these changes to
    the nodeagent
  - Restart the nodeagent
  - Enable global security
  The synchronization should start working.
- Version 6.1
  - Log on to the Administrative Console
  - Click Security > SSL certificate and key management > SSL
    configurations
  - Select an SSL Configuration being used
  - Change the Keystore and Trust store names as appropriate. If you are
    not sure which one to select, click "Key stores and certificates" to
    see what the actual keystore and trust store are.
  - Repeat for each repertoire being used
  - Click Apply and Save the changes
  - If necessary, disable global security to synchronize these changes to
    the nodeagent
  - Restart the nodeagent
  - Enable global security
  The synchronization should start working.
If this does not allow you to synchronize the node, you might be running
into the problem where something is setting the system property to use
CACERTS as the default key/truststore. The solution is described
in technote # 1227028, "KeyRingFileException when server starts".
It can be resolved by defining the system
properties to use the keystore/truststore, following these steps:
- Log on to the Administrative Console
- Click System Administration > Node Agents > Node Agent
- Under Server Infrastructure expand Java™ and Process Management
- Click Process Definition
- Click Java Virtual Machine
- Click Custom Properties
- Click "New" to add a new property:
  In the name field, enter javax.net.ssl.trustStore
  In the value field, enter the full path and name to your trust store file
- Click Apply and Save the changes
- Repeat to add these 3 properties:
  name: javax.net.ssl.trustStorePassword
  value: <password>
  name: javax.net.ssl.keyStore
  value: <Full path to key store file>
  name: javax.net.ssl.keyStorePassword
  value: <password>
- Apply and Save the changes
- If necessary, disable global security to synchronize these changes to
  the nodeagent
- Restart the nodeagent
- Enable global security
The synchronization should start working.
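
One way to confirm, before restarting the nodeagent, that every repertoire and the JVM custom properties point at the same key and trust files. This is an added example, not IBM's code: the input shape, the repertoire aliases and the file names are constructed, and in practice the paths are copied from the console pages named above.

```python
import hashlib
import tempfile
from pathlib import Path

def digest(path):
    """SHA-256 of a store file, or None when it cannot be read."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except OSError:
        return None

def check_stores(repertoires, jvm_props=None):
    """repertoires: {alias: {"key": path, "trust": path}} (hypothetical input shape).
    Returns findings; an empty list means every reference is a byte-identical copy."""
    refs = {"key": [], "trust": []}
    for alias, files in sorted(repertoires.items()):
        for kind in refs:
            refs[kind].append((alias, files[kind]))
    for prop, kind in (("javax.net.ssl.keyStore", "key"),
                       ("javax.net.ssl.trustStore", "trust")):
        if jvm_props and prop in jvm_props:
            refs[kind].append((prop, jvm_props[prop]))
    findings = []
    for kind, entries in refs.items():
        groups = {}
        for name, path in entries:
            d = digest(path)
            if d is None:
                findings.append(f"{name}: {kind} file not readable: {path}")
            else:
                groups.setdefault(d, []).append(name)
        if len(groups) > 1:
            # Different bytes means not the same file; compare entries with keytool -list.
            findings.append(f"{kind} files differ: {sorted(groups.values())}")
    return findings

def demo():
    """Constructed sample: two repertoires share stores, a third has a stale trust file."""
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            path = Path(root, name)
            path.write_bytes(data)
            return str(path)
        key, trust = put("key.jks", b"KEY-A"), put("trust.jks", b"TRUST-A")
        stale = put("old-trust.jks", b"TRUST-B")
        reps = {a: {"key": key, "trust": trust} for a in ("DmgrSSL", "NodeSSL")}
        reps["AgentSSL"] = {"key": key, "trust": stale}
        props = {"javax.net.ssl.trustStore": str(Path(root, "missing.jks"))}
        return check_stores(reps), check_stores(reps, props)
```

Calling `demo()` returns the findings without and with the JVM property check. Only file contents are hashed, so no store passwords are needed.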

Cross Reference information
Segment | Product | Component | Platform | Version | Edition
Application Servers | Runtimes for Java Technology | Java SDK | | |