Default SSL Certificates expire on 17 March 2005, 2:08:18 PM CST for WebSphere Application Server V5.0
 Technote (troubleshooting)
 
Problem (Abstract)
On 17 March 2005, 2:08:18 PM CST, dummy key files shipped with IBM® WebSphere® Application Server V5.0 through V5.0.2.2 will expire. If your security is enabled using these expired certificates, your servers will not initialize and your running servers will stop operating.
 
Resolving the problem
Problem details
Solution for WebSphere Application Server
Unique solution for WebSphere Application Server for z/OS®


Problem details
If you configured WebSphere Application Server to use security and have not configured new SSL trust and key stores, you are affected by the following problems:
  • The following error messages will appear in the SystemOut.log file during server start:

    [9/29/50 12:59:45:172 CDT] 36640dee KeyStoreKeyLo E WSEC5156E:
       An exception while retrieving the key from KeyStore object:
       java.security.cert.CertificateExpiredException: NotAfter:
       Sat Oct 01 04:54:06 CDT 2011
       at sun.security.x509.CertificateValidity.valid
          (CertificateValidity.java:284)
       at sun.security.x509.X509CertImpl.checkValidity
          (X509CertImpl.java:425)
       at sun.security.x509.X509CertImpl.checkValidity
          (X509CertImpl.java:398)
       at com.ibm.wsspi.wssecurity.config.KeyStoreKeyLocator.
          validateCert(KeyStoreKeyLocator.java:266)

  • When the certificates expire, the following message is received in the SystemOut.log file for the server:

    [8/7/05 12:57:33:375 CDT]  c1e56e2 SASRas        E JSAS0455E:
       ERROR in sasOutboundSSLConfig: The certificate with alias
       websphere dummy server from keyStore
       C:\was\5.0.2\AppServer/etc/DummyServerKeyFile.jks
       is expired.

  • Three other similar errors will occur.
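The following is an added example, not part of the original technote or of any IBM tooling: a Python scan of SystemOut.log text for the two expiry messages shown above, which joins the wrapped continuation lines and reports the alias, keystore, and NotAfter date. The sample log embeds abridged copies of the excerpts above plus one constructed unrelated line; the function names and the "dummy" file-name check are assumptions of this example.

```python
import re

# Message IDs taken from the SystemOut.log excerpts on this page.
EXPIRY_IDS = {"WSEC5156E", "JSAS0455E"}
# An entry starts with a bracketed timestamp; other lines are continuations.
ENTRY_START = re.compile(r"^\s*\[\d{1,2}/\d{1,2}/\d{2} [\d:]+ [A-Z]{2,5}\]")
MSG_ID = re.compile(r"\b([A-Z]{4}\d{4}[A-Z]):")
ALIAS_STORE = re.compile(r"alias\s+(.+?)\s+from keyStore\s+(.+?)\s+is expired")
NOT_AFTER = re.compile(r"NotAfter:\s*(.+?)(?:\s+at\s|$)")

# Sample input: abridged page excerpts plus one constructed, unrelated line.
SAMPLE_LOG = r"""
[9/29/50 12:59:45:172 CDT] 36640dee KeyStoreKeyLo E WSEC5156E:
   An exception while retrieving the key from KeyStore object:
   java.security.cert.CertificateExpiredException: NotAfter:
   Sat Oct 01 04:54:06 CDT 2011
   at sun.security.x509.CertificateValidity.valid
      (CertificateValidity.java:284)
[8/7/05 12:57:30:101 CDT]  a1b2c3d WsServer      A WSVR0001I: Server server1 open for e-business
[8/7/05 12:57:33:375 CDT]  c1e56e2 SASRas        E JSAS0455E:
   ERROR in sasOutboundSSLConfig: The certificate with alias
   websphere dummy server from keyStore
   C:\was\5.0.2\AppServer/etc/DummyServerKeyFile.jks
   is expired.
"""

def split_entries(text):
    """Join wrapped continuation lines so each log entry is one string."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line):
            entries.append(line.strip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    return entries

def find_expiry_events(text):
    """Return one dict per certificate-expiry entry found in the log text."""
    events = []
    for entry in split_entries(text):
        msg = MSG_ID.search(entry)
        if not msg or msg.group(1) not in EXPIRY_IDS:
            continue
        alias = ALIAS_STORE.search(entry)
        not_after = NOT_AFTER.search(entry)
        keystore = alias.group(2) if alias else None
        # File name only, whichever path separator the log used.
        name = re.split(r"[\\/]", keystore)[-1].lower() if keystore else ""
        events.append({"id": msg.group(1),
                       "alias": alias.group(1) if alias else None,
                       "keystore": keystore,
                       "not_after": not_after.group(1) if not_after else None,
                       "dummy_keystore": name.startswith("dummy")})
    return events
```

Calling find_expiry_events() on the contents of a server's SystemOut.log returns one record per expiry message; a record with dummy_keystore set to True points at a server still running on the shipped dummy key files.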

The default certificates for WebSphere Application Server V5.0 through V5.0.2.2 expire on 17 March 2005, 2:08:18 PM CST.

Note: This certificate expiration can be extended to 2021 by installing PQ77264, delivered in Cumulative Fix V5.0.2.3, as well as in the V5.1 release. The fixes are available for download at Recommended Updates for WebSphere Application Server.
  • These certificates are not supported for production environments. Do not use these certificates if IIOP over SSL and HTTPS communications must be secure.

  • This problem affects anyone using security or using SSL in the plug-in, who has not applied new SSL trust and key stores.

  • Once you change your certificates, your client-side programs might be affected. You might need to update your sas.client.props and soap.client.props files to point to the new certificates.

Note: If you are not certain which certificates you are using for WebSphere Application Server, or when they expire, you can use the ACert tool to check SSL certificates for expiration dates.


Solution for WebSphere Application Server
To fix this problem, do one of the following:
  • Apply the Interim Fix for APAR PQ77264. This upgrades the certificates for WebSphere Application Server V5.0 through V5.0.2.2. These new certificates expire in 2021.

  • Upgrade to WebSphere Application Server Fix Pack 5.0.2.3 or higher (see Recommended Updates). The default certificates provided by the product expire in 2021.

  • Follow the instructions for creating custom SSL Key files.

    Note: It is recommended that you test applications with V5.0.2.3 or higher before promoting this fix into a production environment.


Unique solution for WebSphere Application Server for z/OS
This problem applies to WebSphere Application Server V5.0 for z/OS if one of the following conditions is true:
  • A cell does not have PTF W502000 applied.

  • You are above PTF W502000 and have not applied APAR PQ83348 and followed its instructions to change to the RACF supported keyring security approach.

  • If you are at PTF W502000 and chose not to change to the RACF supported keyring security approach:
    1. Upgrade and switch to the RACF supported keyring security approach (see APAR PQ83348 for directions).

    2. Remove the dummy*.jks files and replace with...proper security files with instructions at: .x.x.x.x.x.x

    3. For complete instructions for configuring SSL support, see the WebSphere Application Server Information Center for V5.0 on z/OS
 
 
Cross Reference information
Segment | Product | Component | Platform | Version | Edition
Application Servers | WebSphere Application Server for z/OS | Security | z/OS | 5.0 |
Organizational Productivity- Portals & Collaboration | WebSphere Portal | Security | | |
Messaging Applications | Lotus Domino | WebSphere Application Server Integration | | |
Application Servers | WebSphere Application Server Enterprise | Security | | |
Business Integration | WebSphere Studio Application Developer Integration Edition | General | | |
Application Servers | WebSphere Application Server - Express | Security | | |
Business Integration | WebSphere Adapters | | | |
Application Servers | Runtimes for Java Technology | Java SDK | | |
 
 


Document Information


Current web document: swg21199976.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): Windows
Software version: 5.0.2.2
Software edition:
Reference #: 1199976
IBM Group: Software Group
Modified date: Mar 17, 2005