PK56728: SSL HANDSHAKE FAILURES OCCUR BECAUSE THE WRONG SSL CONFIG IS LOADED WHEN ATTEMPTING TO VERIFY IF A CERTIFICATE IS TRUSTED.

 A specific fix for this item is not yet available electronically

This record will be updated with a link to the fix if the APAR is new.
For APARs older than 365 days, contact your support center.



APAR status
Closed as program error.

Error description
SSL handshake failres will occur in the application server
similar to the following:
CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN
"CN=IBM-9CF1B65E7C1.pok.ibm.com, O=IBM, C=US" was sent from
target host:port "IBM-9CF1B65E7C1.pok.ibm.com:9445".  The
signer may need to be added to local trust store
"safkeyring:///WB3RING" located in SSL configuration alias
"WB3MNLC1/DefaultIIOPSSL" loaded from SSL configuration file
"security.xml".  The extended error message from the SSL
handshake exception is: "No trusted certificate found".
Local fix Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
*                 Server V6.1.0 with security enabled in a     *
*                 mixed-platform cell where one of the nodes   *
*                 is on z/OS using RACF keystores.             *
****************************************************************
* PROBLEM DESCRIPTION: SSL handshake failures will occur in    *
*                      the application server similar to the   *
*                      following:                              *
*                      CWPKI0022E: SSL HANDSHAKE FAILURE:      *
*                      A signer with SubjectDN                 *
*                      "CN=IBM-9CF1B65E7C1.pok.ibm.com,        *
*                      O=IBM, C=US" was sent from target       *
*                      host:port                               *
*                      "IBM-9CF1B65E7C1.pok.ibm.com:9445".     *
*                      The signer may need to be added to      *
*                      local trust store                       *
*                      "safkeyring:///WB3RING" located in      *
*                      SSL configuration alias                 *
*                      "WB3MNLC1/DefaultIIOPSSL" loaded from   *
*                      SSL configuration file "security.xml".  *
*                      The extended error message from the     *
*                      SSL handshake exception is: "No         *
*                      trusted certificate found".             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
An empty string was being sent to the JSSEHelper to get the
sslconfig alias name.  Since the code only checked for a null
value, a cell-level sslconfig was being returned instead of the
node-level one. The cell-level config pointed to a RACF
keystore, which cannot be read on Microsoft Windows, resulting
in a "No trusted certificate found" error.
Problem conclusion
A check has been added for an empty string in the
getProperties method of JSSE Helper to alleviate this problem.

APAR PK56728 is currently targeted for inclusion in Service
Level (Fix Pack) 6.1.0.11 of WebSphere Application Server V6.1
for z/OS.
Temporary fix Comments
APAR information
APAR number PK56728
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 610
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2007-11-16
Closed date 2008-02-25
Last modified date 2008-02-25

APAR is sysrouted FROM one or more of the following:
PK45085

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSN    UP
R601 PSN    UP
R610 PSY    UP


Document Information


Current web document: swg1PK56728.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 610
Software edition:
Reference #: PK56728
IBM Group: Software Group
Modified date: Feb 25, 2008