PK56728: SSL HANDSHAKE FAILURES OCCUR BECAUSE THE WRONG SSL CONFIG IS LOADED WHEN ATTEMPTING TO VERIFY IF A CERTIFICATE IS TRUSTED.

APAR status
Closed as program error.

Error description
SSL handshake failures will occur in the application server similar to the following:

CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=IBM-9CF1B65E7C1.pok.ibm.com, O=IBM, C=US" was sent from target host:port "IBM-9CF1B65E7C1.pok.ibm.com:9445". The signer may need to be added to local trust store "safkeyring:///WB3RING" located in SSL configuration alias "WB3MNLC1/DefaultIIOPSSL" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".

Local fix

Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server V6.1.0 with security enabled in a mixed-platform cell where one of the nodes is on z/OS using RACF keystores.

PROBLEM DESCRIPTION: SSL handshake failures will occur in the application server similar to the following:

CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=IBM-9CF1B65E7C1.pok.ibm.com, O=IBM, C=US" was sent from target host:port "IBM-9CF1B65E7C1.pok.ibm.com:9445". The signer may need to be added to local trust store "safkeyring:///WB3RING" located in SSL configuration alias "WB3MNLC1/DefaultIIOPSSL" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".

RECOMMENDATION:

An empty string was being sent to the JSSEHelper to get the sslconfig alias name. Since the code only checked for a null value, a cell-level sslconfig was being returned instead of the node-level one. The cell-level config pointed to a RACF keystore, which cannot be read on Microsoft Windows, resulting in a "No trusted certificate found" error.

Problem conclusion
A check has been added for an empty string in the getProperties method of JSSEHelper to alleviate this problem.

APAR PK56728 is currently targeted for inclusion in Service Level (Fix Pack) 6.1.0.11 of WebSphere Application Server V6.1 for z/OS.

Temporary fix

Comments
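
The null-versus-empty fallthrough described under Problem summary, as an added example that is not IBM's JSSEHelper code. The class, method names, alias names and node trust store path are hypothetical, and the lookup order (null selects the node default, an unmatched name falls back to the cell default) is an assumption modelled on the APAR text.

```java
import java.util.Map;

// Hypothetical model of scoped SSL-config resolution; not IBM's JSSEHelper code.
public class AliasLookupDemo {
    // Constructed sample data: alias name -> trust store location.
    // The keyring URI is the one quoted in the APAR; the node path is made up.
    static final Map<String, String> CONFIGS = Map.of(
        "cell/DefaultSSL", "safkeyring:///WB3RING",      // RACF keyring, readable on z/OS only
        "node/DefaultSSL", "nodes/winNode01/trust.p12"); // file-based store on the Windows node
    static final String CELL_DEFAULT = "cell/DefaultSSL";
    static final String NODE_DEFAULT = "node/DefaultSSL";

    // Before (assumed shape of the defect): only null selects the node-scoped
    // default. "" is treated as a name, matches nothing, and falls through to
    // the cell-level configuration.
    static String resolveBefore(String alias) {
        if (alias == null) {
            return NODE_DEFAULT;
        }
        return CONFIGS.containsKey(alias) ? alias : CELL_DEFAULT;
    }

    // After: null and the empty string both mean "no alias supplied".
    static String resolveAfter(String alias) {
        if (alias == null || alias.isEmpty()) {
            return NODE_DEFAULT;
        }
        return CONFIGS.containsKey(alias) ? alias : CELL_DEFAULT;
    }

    public static void main(String[] args) {
        String[] inputs = { null, "", "node/DefaultSSL" };
        for (String in : inputs) {
            String before = resolveBefore(in);
            String after = resolveAfter(in);
            System.out.printf("alias=%-18s before=%s (%s)  after=%s (%s)%n",
                in == null ? "null" : '"' + in + '"',
                before, CONFIGS.get(before), after, CONFIGS.get(after));
        }
    }
}
```

Only the empty-string row differs between the two columns: the "before" resolver hands the Windows node the keyring-backed trust store, which is the condition that surfaces as "No trusted certificate found".
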
APAR is sysrouted FROM one or more of the following: PK45085
APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced

Document Information
Current web document: swg1PK56728.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 610
Software edition:
Reference #: PK56728
IBM Group: Software Group
Modified date: Feb 25, 2008
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.