PK62783: FOR JCERACFKS SSL.CLIENT.PROPS AFTER MIGRATION HAS INCORRECT COM.IBM.SSL.TRUSTSTORETYPE=JKS, KEYSTORE & TRUSTSTOREFILEBASED=TRUE

Fixes are available

6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for i5/OS
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Linux
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Solaris
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for HP-UX
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for Windows
6.1.0.17: WebSphere Application Server V6.1 Fix Pack 17 for AIX
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for AIX
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for HP-UX
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for i5/OS
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Linux
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Solaris
6.1.0.19: WebSphere Application Server V6.1 Fix Pack 19 for Windows
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server

APAR status
Closed as program error.

Error description
After migration to V6.1, the following incorrect values were
seen for several properties in the ssl.client.props file:
.
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.keyStoreFileBased=true
com.ibm.ssl.trustStoreFileBased=true
.
Based on the V6.0 soap.client.props file, these properties
should have been:
com.ibm.ssl.trustStoreType=JCERACFKS
com.ibm.ssl.keyStoreFileBased=false
com.ibm.ssl.trustStoreFileBased=false
.
This problem was discovered when connecting to the Deployment
Manager using wsadmin.sh failed: because trustStoreType was
incorrectly set to JKS, the signer certificate in the SAF key
ring was not found. The following error was received:
.
----------------------------------------------------------------
/WebSphere/V6R1/DeploymentManager/profiles/default/bin:>wsadmin.sh

*** SSL SIGNER EXCHANGE PROMPT ***
SSL signer from target host localhost is not found in trust
store safkeyring:///
WASKeyring.PLEX1.

Here is the signer information (verify the digest value matches
what is displayed at the server):

Subject DN:    CN=BOSSXXXX.PLEX1.L2.IBM.COM, OU=PLEX1, O=IBM
Issuer DN:     CN=WAS CertAuth for Security Domain, OU=SY1
Serial number: 6
Expires:       Fri Dec 31 23:59:59 EST 2010
SHA-1 Digest:
B2:07:D6:EE:91:0C:E6:37:3D:D0:21:54:E2:C0:70:DD:93:C0:C3:B0
MD5 Digest:    83:33:E5:42:EF:0C:34:2A:F7:57:86:C0:9C:CB:FA:B8

Subject DN:    CN=WAS CertAuth for Security Domain, OU=SY1
Issuer DN:     CN=WAS CertAuth for Security Domain, OU=SY1
Serial number: 0
Expires:       Fri Dec 31 23:59:59 EST 2010
SHA-1 Digest:
B2:07:D6:EE:91:0C:E6:37:3D:D0:21:54:E2:C0:70:DD:93:C0:C3:B0
MD5 Digest:    83:33:E5:42:EF:0C:34:2A:F7:57:86:C0:9C:CB:FA:B8

Add signer to the trust store now? (y/n)

CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN
"CN=BOSSXXXX.PLEX1.L2.IBM.COM, OU=PLEX1, O=IBM" was sent from
target host:port "localhost:8879".  The signer may need to be
added to local trust store "safkeyring:///WASKeyring.PLEX1"
located in SSL configuration alias "DefaultSSLSettings" loaded
from SSL configuration file
"file:/WebSphere/V6R1/DeploymentManager/profiles/default/properties/ssl.client.props".  The extended error message from the SSL
handshake exception is: "No trusted certificate found".


CWPKI0040I: An SSL handshake failure occurred from a secure
client.  The server's SSL signer has to be added to the client's
trust store.  A retrieveSigners utility is provided to download
signers from the server but requires administrative permission.
Check with your administrator to have this utility run to setup
the secure enviroment before running the client.  Alternatively,
the com.ibm.ssl.enableSignerExchangePrompt can be enabled in
ssl.client.props for "DefaultSSLSettings" in order to allow
acceptance of the signer during the connection attempt.

WASX7023E: Error creating "SOAP" connection to host "localhost";
exception information:
com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error
opening socket: javax.net.ssl.SSLHandshakeException:
com.ibm.jsse2.util.h: No trusted certificate found;
targetException=java.lang.IllegalArgumentException: Error
opening socket: javax.net.ssl.SSLHandshakeException:
com.ibm.jsse2.util.h: No trusted certificate found]
WASX7213I: This scripting client is not connected to a server
process; please refer to the log file
/WebSphere/V6R1/DeploymentManager/profiles/default/logs/wsadmin.traceout for additional information.
WASX8011W: AdminTask object is not available.
WASX7029I: For help, enter: "$Help help"
wsadmin>
----------------------------------------------------------------
Local fix
To avoid an SSL handshake error when connecting using wsadmin.sh,
adjust the trustStoreType property in the ssl.client.props file
appropriately.
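A check for the post-migration condition described above, added here as an example and not part of the APAR or of WebSphere itself: it parses an ssl.client.props file and, for any key or trust store whose location is a safkeyring:/// URL, reports which of the Type and FileBased properties are not JCERACFKS and false, then rewrites them. It generalizes the page's case to both stores; the sample properties are constructed to mirror the incorrect values quoted in the error description.

```python
# Constructed sample reproducing the incorrect post-migration values.
SAMPLE_PROPS = """\
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.keyStore=safkeyring:///WASKeyring.PLEX1
com.ibm.ssl.keyStoreType=JCERACFKS
com.ibm.ssl.keyStoreFileBased=true
com.ibm.ssl.trustStore=safkeyring:///WASKeyring.PLEX1
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.trustStoreFileBased=true
"""

def parse_props(text):
    """Parse Java-style key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_saf_keyring(props):
    """Return {property: expected value} for each SAF key ring mismatch."""
    expected = {}
    for store in ("keyStore", "trustStore"):
        url = props.get(f"com.ibm.ssl.{store}", "").lower()
        if not url.startswith("safkeyring:///"):
            continue  # file-based store: JKS and fileBased=true are fine
        # A SAF key ring is not a file, and its JSSE type is JCERACFKS.
        wanted = {f"com.ibm.ssl.{store}Type": "JCERACFKS",
                  f"com.ibm.ssl.{store}FileBased": "false"}
        for key, value in wanted.items():
            if props.get(key) != value:
                expected[key] = value
    return expected

def fix_props(text, expected):
    """Rewrite mismatched lines in place; append any key that was absent."""
    lines, seen = text.splitlines(), set()
    for i, line in enumerate(lines):
        key = line.partition("=")[0].strip()
        if key in expected:
            lines[i] = f"{key}={expected[key]}"
            seen.add(key)
    lines += [f"{k}={v}" for k, v in expected.items() if k not in seen]
    return "\n".join(lines) + "\n"
```

Run `check_saf_keyring(parse_props(open(path).read()))` against the profile's properties/ssl.client.props before attempting the wsadmin.sh connection; an empty result means the three properties are consistent with the SAF key ring.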
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V6.1 for z/OS using JCERACF and the          *
*                 ssl.client.props instead of the              *
*                 soap.client.props                            *
****************************************************************
* PROBLEM DESCRIPTION: The migration does not copy the         *
*                      trustStoreType from the                 *
*                      soap.client.props to the                *
*                      ssl.client.props correctly.             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When migration executes, it creates an ssl.client.props file that
contains all information from the soap.client.props except the
trustStoreType. This value always defaults to JCE, which is
invalid when the customer is using RACF.
Problem conclusion
The migration code has been updated to correctly copy the value
from ssl.client.props to the soap.client.props.

APAR PK62783 is currently targeted for inclusion in Service
Level (Fix Pack) 6.1.0.17 of WebSphere Application Server V6.1
for z/OS.

Please refer to URL:
//www.ibm.com/support/docview.wss?rs=404&uid=swg27006970
for Fix Pack availability.
APAR information
APAR number PK62783
Reported component name WEBSPHERE FOR Z
Reported component ID 5655I3500
Reported release 610
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Special Attention NoSpecatt
Submitted date 2008-03-14
Closed date 2008-04-28
Last modified date 2008-07-02

Fix information
Fixed component name WEBSPHERE FOR Z
Fixed component ID 5655I3500

Applicable component levels
R500 PSN    UP
R601 PSN    UP
R610 PSY UK36750    UP08/06/10 P F806

Document Information

Current web document: swg1PK62783.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Software version: 610
Reference #: PK62783
IBM Group: Software Group
Modified date: Jul 2, 2008