javax.net.ssl.SSLHandshakeException: unknown certificate received when Tivoli Performance Viewer (TPV) starts
 Technote (troubleshooting)
 
Problem (Abstract)
Message indicates that DummyClientTrustFile.jks cannot be located, and the following entries are seen in the joblog:

[RAGui] Using network deployment default: SOAP connector at port 8879
java.lang.RuntimeException: C:\Programs\IBM\WebSphereClientDevelopmentKitforzOS\etc\DummyClientTrustFile.jks (The system cannot find the path specified)
[SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: unknown certificate; targetException=java.lang.IllegalArgumentException: Error opening socket:javax.net.ssl.SSLHandshakeException: unknown certificate]



When attempting to use Tivoli® Performance Viewer with IBM® WebSphere® Application Server for z/OS® V5.0, the following problems are encountered after the WebSphere Client Development kit was installed on the workstation. In WebSphere Application Server in Network Deployment mode, PMI has been enabled on Application Servers and the Node Agent.

Upon startup of the Deployment Manager, you can see that SOAP and RMI ports are available (ports 8879 and 9809). If you start the Performance Viewer you receive a prompt to enter network configuration. If you choose SOAP with the correct DNS and port configuration, you might receive an error message stating that the host is not available.

Using the PING command, you can see that the network setup is okay.
 
Cause
The server certificate was not imported into the client trust store.
 
Resolving the problem
Import the CA for the servers into the client trust store.

On the client side, the CA certificate for the server must be imported into 'DummyClientTrustFile.jks'. This failure occurs during the SSL handshake when WebSphere Application Server for z/OS uses RACF® for keyStore and trustStore files. The DummyClientTrustFile.jks resides on the client side, for example in:

C:\Programs\IBM\WebSphereClientDevelopmentKitforzOS\etc

and it does not include the CA certificate necessary for the client (TPV).

The following steps describe how to export the WebSphere Application Server CA certificate and import it into the client-side trustStore file:
  1. Export the CA certificate from RACF on z/OS using the following command:

    RACDCERT CERTAUTH EXPORT(LABEL('WebSphereCA')) DSN(WASCA.CERTBIN) FORMAT(CERTDER)
    OPUT WASCA.CERTBIN '/tmp/wasca.cert' binary convert(no)

  2. Import it into the keystore/truststore on Windows® after FTPing it from z/OS to
    C:/tmp using the following command:

    keytool -import -alias 'WebSphereCA' -file C:/tmp/wasca.cert -v -keystore C:\Programs\IBM\WebSphereClientDevelopmentKitforzOS\etc\DummyClientTrustFile.jks

    Note: This command must be entered on one line and assumes you have the DummyClientTrustFile.jks in this directory:
    C:\Programs\IBM\WebSphereClientDevelopmentKitforzOS\etc

    When prompted for the password, type WebAS
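
A pre-import check for step 2, as an added example that is not part of the original technote: it confirms that the file copied to the workstation is still intact binary DER (a text-mode transfer changes its size) and prints fingerprints to compare with the ones keytool displays before the CA is trusted. The function names and the sample bytes are constructed for illustration; the sample is DER-shaped filler, not a real certificate.

```python
import hashlib
import sys

# Constructed sample: a DER-shaped blob (SEQUENCE tag, 2-byte length, filler).
# It is NOT a real certificate; it only exercises the checks below.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))


def der_total_length(data: bytes) -> int:
    """Total size (header + content) declared by the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not DER: first byte is not the SEQUENCE tag 0x30")
    first = data[1]
    if first < 0x80:                    # short form: one length byte
        return 2 + first
    n = first & 0x7F                    # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("not DER: unsupported or truncated length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def fingerprint(data: bytes, algo: str) -> str:
    """Colon-separated upper-case hex digest, the style keytool prints."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, data).digest())


def check_exported_cert(data: bytes) -> dict:
    """Validate the transferred file and return size plus fingerprints."""
    if data.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("Base64/PEM text found; FORMAT(CERTDER) is binary")
    declared = der_total_length(data)
    if declared != len(data):
        raise ValueError(
            f"header declares {declared} bytes but file has {len(data)}; "
            "transfer the file again in binary mode")
    return {"size": len(data),
            "sha1": fingerprint(data, "sha1"),
            "sha256": fingerprint(data, "sha256")}


if __name__ == "__main__":
    # Usage: python check_cert.py C:/tmp/wasca.cert  (no argument: sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    for key, value in check_exported_cert(raw).items():
        print(f"{key}: {value}")
```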
 
 
 


Document Information


Current web document: swg21178203.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS > PMI/Performance Tools
Operating system(s): z/OS
Software version: 5.1
Software edition:
Reference #: 1178203
IBM Group: Software Group
Modified date: Aug 30, 2004