javax.net.ssl.SSLHandshakeException: certificate expired
 Technote (troubleshooting)
 
Problem (Abstract)
You receive the message javax.net.ssl.SSLHandshakeException: certificate expired while trying to access the administrative console from the browser in Network Deployment.

This might also occur during other WebSphere® Application Server administrative functions.

This indicates that the certificate presented to the client by WebSphere Application Server has expired. These certificates are self-signed certificates; however, this can occur with any SSL certificate.
 
Cause
During the ISPF Customization process, WebSphere Application Server creates a self-signed certificate. These certificates can expire. If they do, new ones must be created and added to your RACF® Keyring (if using RACF), then set as the DEFAULT certificate.
To verify the certificate is expired:

Step 1
List all the certificates for a keyring for the USERID assigned to the particular control region. Find the certificate marked as DEFAULT. This certificate is the one presented to clients.

RACDCERT LISTRING(WASKeyring) ID(CBSYMSR1)
where WASKeyring and CBSYMSR1 should be changed to your keyring and userid:

RACDCERT LISTRING(WASKeyring) ID(CBSYMSR1)

Digital ring information for user CBSYMSR1:

Ring:
>WASKeyring<
Cert Label                      Cert Owner     USAGE      DEFAULT
-----------------------         ------------   --------   -------
DefaultWASCert.BBOC001          ID(CBSYMSR1)   PERSONAL     YES  
WebSphereCA                     CERTAUTH       CERTAUTH     NO  
Verisign Class 3 Primary CA     CERTAUTH       CERTAUTH     NO  
Verisign Class 1 Primary CA     CERTAUTH       CERTAUTH     NO  
RSA Secure Server CA            CERTAUTH       CERTAUTH     NO  
Thawte Server CA                CERTAUTH       CERTAUTH     NO  
Thawte Premium Server CA        CERTAUTH       CERTAUTH     NO  
Thawte Personal Basic CA        CERTAUTH       CERTAUTH     NO  
Thawte Personal Freemail CA     CERTAUTH       CERTAUTH     NO  
Thawte Personal Premium CA      CERTAUTH       CERTAUTH     NO  
Verisign International Svr CA   CERTAUTH       CERTAUTH     NO  

Step 2
Display the DEFAULT certificate.

Note: The End Date field is the expiration date. The certificate is NOT expired in this case.

The certificate was signed by:

Issuer's Name:
>CN=WAS CertAuth for Security Domain.OU=WebSphere for zOS<


RACDCERT LIST (LABEL('DefaultWASCert.BBOC001')) ID(CBSYMSR1)

Digital certificate information for user CBSYMSR1:

Label: DefaultWASCert.BBOC001
Certificate ID: 2QjDwuLo1OLZ8cSFhoGkk6PmweLDhZmjS8LC1sPw8PFA
Status: TRUST
Start Date: 2004/04/12 00:00:00
End Date: 2010/12/31 23:59:59
Serial Number:
>01<
Issuer's Name:
>CN=WAS CertAuth for Security Domain.OU=WebSphere for zOS<
Subject's Name:
>CN=CBSYMSR1.BBOC001.OU=CB390.O=IBM<
Private Key Type: Non-ICSF
Private Key Size: 1024
Ring Associations:
Ring Owner: CBSYMSR1
Ring:
>WASKeyring<
 
Resolving the problem
You need a new, unexpired certificate set to DEFAULT.
The first RACF command below creates a new certificate. The second command connects the new certificate to the Keyring and marks it default.

Note: This certificate is self-signed and might not be suitable for your installation. In this case you must request a certificate from an external CA.

/* Generating certificates for WebSphere Deployment Manager */
RACDCERT ID (DMCR1) GENCERT SUBJECTSDN(CN('DMCR1.BBODMGR') O('IBM') OU('CB390')) WITHLABEL('DefaultWASDmgrCert')
SIGNWITH(CERTAUTH LABEL('WebSphereCA')) NOTAFTER(DATE(2010/12/31))

NOTE: The NOTAFTER value cannot be later than the End Date assigned to the CA certificate. To display the CA certificate, issue:

RACDCERT LIST (LABEL('WebSphereCA')) CERTAUTH
where WebSphereCA is replaced with the Label of your CA.


/* Connecting Certificates to the Deployment Manager keyring */
RACDCERT ID(DMCR1)
CONNECT (LABEL('DefaultWASDmgrCert') RING(WASKeyring ) DEFAULT)
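
The expiry check from Step 2 and the NOTAFTER rule above can be automated once the RACDCERT LIST output has been captured as text. The following Python sketch is an added example, not IBM code: the function names are hypothetical, the CA listing values are constructed, and dates are compared as the local times RACF displays.

```python
import re
from datetime import datetime

# Step 2 listing from this page, abridged to the fields the check needs.
SERVER_LISTING = """\
Label: DefaultWASCert.BBOC001
Status: TRUST
Start Date: 2004/04/12 00:00:00
End Date: 2010/12/31 23:59:59
"""
# Constructed CA listing (dates are sample values, not taken from the page).
CA_LISTING = """\
Label: WebSphereCA
Start Date: 2004/04/12 00:00:00
End Date: 2010/12/31 23:59:59
"""

FIELD = re.compile(r"^[ \t]*(Label|Status|Start Date|End Date):[ \t]*(.+?)[ \t]*$", re.M)
STAMP = "%Y/%m/%d %H:%M:%S"

def parse_listing(text):
    """Extract label and validity window from one RACDCERT LIST entry."""
    fields = dict(FIELD.findall(text))
    missing = {"Label", "Start Date", "End Date"} - set(fields)
    if missing:
        raise ValueError(f"listing lacks fields: {sorted(missing)}")
    return {"label": fields["Label"],
            "start": datetime.strptime(fields["Start Date"], STAMP),
            "end": datetime.strptime(fields["End Date"], STAMP)}

def validity(cert, now, warn_days=30):
    """Classify the certificate at time `now` (naive local time)."""
    if now < cert["start"]:
        return "NOT_YET_VALID"
    if now > cert["end"]:
        return "EXPIRED"
    # Flag certificates close to expiry so they are replaced before clients fail.
    return "EXPIRING" if (cert["end"] - now).days < warn_days else "OK"

def notafter_allowed(not_after, ca_cert):
    """NOTAFTER (yyyy/mm/dd, as written on this page) must not pass the CA End Date."""
    return datetime.strptime(not_after, "%Y/%m/%d").date() <= ca_cert["end"].date()

if __name__ == "__main__":
    server, ca = parse_listing(SERVER_LISTING), parse_listing(CA_LISTING)
    print(server["label"], validity(server, datetime.now()))
    print("NOTAFTER 2010/12/31 allowed:", notafter_allowed("2010/12/31", ca))
```

Running the same check on a schedule against every certificate marked DEFAULT on a control region's keyring gives warning before clients start seeing the handshake failure.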
 
 
 


Document Information


Current web document: swg21174361.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS > Security
Operating system(s): z/OS
Software version: 5.1
Software edition:
Reference #: 1174361
IBM Group: Software Group
Modified date: Jul 15, 2004