|
Problem(Abstract) |
Message indicates that DummyClientTrustFile.jks cannot be
located, and the following entries are seen in the joblog:
[RAGui] Using network deployment default: SOAP connector at port 8879
java.lang.RuntimeException:
C:\Programs\IBM\WebSphereClientDevelopmentKitforzOS\
etc\DummyClientTrustFile.jks (The system cannot find the path specified)
[SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket:
javax.net.ssl.SSLHandshakeException: unknown certificate;
targetException=java.lang.Illegal ArgumentException: Error opening
socket:javax.net.ssl.SSLHandshakeException: unknown certificate]
When attempting to use Tivoli® Performance Viewer with IBM® WebSphere®
Application Server for z/OS® V5.0, the following problems are encountered
after the WebSphere Client Development kit was installed on the
workstation. In WebSphere Application Server in Network Deployment mode,
PMI has been enabled on Application Servers and the Node Agent.
Upon startup of the Deployment Manager, you can see that SOAP and RMI
ports are available (ports 8879 and 9809). If you start the Performance
Viewer you receive a prompt to enter network configuration. If you choose
SOAP with the correct DNS and port configuration, you might receive an
error message stating that the host is not available.
Using the PING command, you can see that the network setup is okay. |
|
|
|
Cause |
The server certificate was not imported into the client
trust store. |
|
|
Resolving the
problem |
Import the CA for the servers into the client trust store.
On the Client side, the CA for the server must be imported into the
'DummyClientTrustFile.jks'. This failure is occurring during the SSL
Handshake when WebSphere Application Server for z/OS uses RACF® for
keyStore and trustStore files. The DummyClientTrustFile.jks resides on the
client side. For example:
C:\Programs\IBM\WebSphereClientDevelopmentKitforzOS\etc
does not include the CA certificate necessary for the client(TPV).
The following steps will describe how to export and import WebSphere
Application Server CA into the client side trustStore file:
- Export the CA certificate from RACF on z/OS using the following
command:
RACDCERT CERTAUTH EXPORT(LABEL('WebSphereCA'))DSN(WASCA.CERTBIN
FORMAT(CERTDER)
OPUT WASCA.CERTBIN '/tmp/wasca.cert' binary convert(no)
- Import it into the keystore/truststore on Windows® after FTPing if
from z/OS to
C:/tmp using the following command:
keytool -import -alias 'WebSphereCA' -file C:/tmp/wasca.cert -v
-keystore
C:\Programs\IBM\WebSphereClientDevelopmentKitforzOS\etc\DummyClientTrustFile.jks
Note: This command must be entered on one line and assumes you
have the DummyClientTrustFile.jks in this directory:
C:\Programs\IBM\WebSphereClientDevelopmentKitforzOS\etc
When prompted for the password, type WebAS
|
|
|
|
|
|
|