BBOO0222I ADMS0016I: Configuration synchronization failed.
 Technote (troubleshooting)
 
Problem(Abstract)
After successful migration from WebSphere® Application Server V5.0.2 to WebSphere Application Server V5.1 (build W510201), the following error occurs when starting the Node Agent:
Caused by: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening
socket: javax.net.ssl.SSLHandshakeException: unknown certificate; targetException=java.lang.IllegalArgumentException: Error opening
socket: javax.net.ssl.SSLHandshakeException: unknown certificate]
 
Cause
The cell was initially built at W502xxx. At that level JSSE did not support ACF2 keyrings, although SSL did. JSSE used JKS files in the HFS for its keystore and truststore. Even though the migration was to W510xxx, the standard migration steps don't take care of this and manual steps are required.
 
Resolving the problem
There are two ways to fix the problem.
  • Recommended technique: Configure WebSphere Application Server to use ACF2 keyring as the System SSL instead of the JKSs files for JSSE.
  • Alternative technique: Copy the JKS files from the W502xxx libraries to the W510xxx libraries.

To turn off global security:
  1. Shut down the cell,
  2. Change to bin directory for the Deployment Manager (DM)
  3. SU to the default administrators id,
  4. Issue command: ./wsadmin.sh -conntype NONE
  5. When prompted by wsadmin type "securityoff"
  6. Wait for the message that indicates that global security is off
  7. Type "quit" to exit wsadmin.
  8. Repeat for each Node
    Note: This is required for all WebSphere Application Server processes to be aware that global security is off.
  9. Start the DM, the node agents and the Application Servers.
  10. After the cell starts, verfify the node agends synchronize successfully with the DM.
    Notes:
    • The administrative console can display process status.
    • The administrative console will prompt for a userID and password.

Verifying JSSE services:
After successfully configuring global security, verify that JSSE services are still
using JKS files
  1. Check in the DM by:
    1. Opening the administrative console,
    2. Selecting System Administration > Deployment Manager > Administration Services > JMX Connectors > SOAPConnector >Custom Properties > sslConfig
  2. Verify that the value for sslConfig should be dmnode/RACFJSSESettings, where dmnode is the name of your DM node.
  3. If sslConfig is not set to RACFJSSESettings,
    1. Select sslConfig,
    2. Select appropriate setting from pulldown list,
    3. Verify box is checked to synchronize changes with servers,
    4. Save the setting.
  4. For each node agent,
    1. Open administrative console,
    2. Select System Administration > Node Agents > node_agent > Administration Services > JMX Connectors > SOAPConnector > Custom Properties > sslConfig
  5. Verify that the value for sslConfig should be node/RACFJSSESettings, where node_agent is the name of your Application Server node.
  6. If sslConfig is not set to RACFJSSESettings,
    1. Select sslConfig,
    2. Select appropriate setting from pulldown list,
    3. Verify box is checked to synchronize changes with servers,
    4. Save the setting.
  7. For the Application Servers,
    1. Open administrative console,
    2. Select Servers > Application Servers > server_name > Administration Services > JMX Connectors > SOAPConnector > Custom Properties > sslConfig.
  8. Verify that the value for sslConfig should be node/RACFJSSESettings, where server_name is the name of your Application Server node.
  9. If sslConfig is not set to RACFJSSESettings,
    1. Select sslConfig,
    2. Select appropriate setting from pulldown list,
    3. Verify box is checked to synchronize changes with servers,
    4. Save the setting.
  10. Stop cell, then restart to start synchronization.
 
 
 


Document Information


Current web document: swg21207127.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS > Security
Operating system(s): z/OS
Software version: 6.0.1
Software edition:
Reference #: 1207127
IBM Group: Software Group
Modified date: May 20, 2005