PK62783: FOR JCERACFKS SSL.CLIENT.PROPS AFTER MIGRATION HAS INCORRECT COM.IBM.SSL.TRUSTSTORETYPE=JKS, KEYSTORE & TRUSTSTOREFILEBASED=TRUE
APAR status

Closed as program error.

Error description

After migration to V6.1, the following incorrect values were seen for several properties in the ssl.client.props file:

com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.keyStoreFileBased=true
com.ibm.ssl.trustStoreFileBased=true

Based on the V6.0 soap.client.props file, these properties should have been:

com.ibm.ssl.trustStoreType=JCERACFKS
com.ibm.ssl.keyStoreFileBased=false
com.ibm.ssl.trustStoreFileBased=false

This problem was discovered when a wsadmin.sh connection to the Deployment Manager failed: the trustStoreType was incorrectly set to JKS, so the signer certificate wasn't found. The following error was received:

----------------------------------------------------------------
/WebSphere/V6R1/DeploymentManager/profiles/default/bin:>wsadmin.sh

*** SSL SIGNER EXCHANGE PROMPT ***
SSL signer from target host localhost is not found in trust store safkeyring:///WASKeyring.PLEX1.

Here is the signer information (verify the digest value matches what is displayed at the server):

Subject DN:    CN=BOSSXXXX.PLEX1.L2.IBM.COM, OU=PLEX1, O=IBM
Issuer DN:     CN=WAS CertAuth for Security Domain, OU=SY1
Serial number: 6
Expires:       Fri Dec 31 23:59:59 EST 2010
SHA-1 Digest:  B2:07:D6:EE:91:0C:E6:37:3D:D0:21:54:E2:C0:70:DD:93:C0:C3:B0
MD5 Digest:    83:33:E5:42:EF:0C:34:2A:F7:57:86:C0:9C:CB:FA:B8

Subject DN:    CN=WAS CertAuth for Security Domain, OU=SY1
Issuer DN:     CN=WAS CertAuth for Security Domain, OU=SY1
Serial number: 0
Expires:       Fri Dec 31 23:59:59 EST 2010
SHA-1 Digest:  B2:07:D6:EE:91:0C:E6:37:3D:D0:21:54:E2:C0:70:DD:93:C0:C3:B0
MD5 Digest:    83:33:E5:42:EF:0C:34:2A:F7:57:86:C0:9C:CB:FA:B8

Add signer to the trust store now? (y/n)
CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=BOSSXXXX.PLEX1.L2.IBM.COM, OU=PLEX1, O=IBM" was sent from target host:port "localhost:8879". The signer may need to be added to local trust store "safkeyring:///WASKeyring.PLEX1" located in SSL configuration alias "DefaultSSLSettings" loaded from SSL configuration file "file:/WebSphere/V6R1/DeploymentManager/profiles/default/properties/ssl.client.props". The extended error message from the SSL handshake exception is: "No trusted certificate found".
CWPKI0040I: An SSL handshake failure occurred from a secure client. The server's SSL signer has to be added to the client's trust store. A retrieveSigners utility is provided to download signers from the server but requires administrative permission. Check with your administrator to have this utility run to setup the secure enviroment before running the client. Alternatively, the com.ibm.ssl.enableSignerExchangePrompt can be enabled in ssl.client.props for "DefaultSSLSettings" in order to allow acceptance of the signer during the connection attempt.
WASX7023E: Error creating "SOAP" connection to host "localhost"; exception information: com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found]
WASX7213I: This scripting client is not connected to a server process; please refer to the log file /WebSphere/V6R1/DeploymentManager/profiles/default/logs/wsadmin.traceout for additional information.
WASX8011W: AdminTask object is not available.
WASX7029I: For help, enter: "$Help help"
wsadmin>
----------------------------------------------------------------

Local fix

To avoid an SSL handshake error when connecting using wsadmin.sh, please adjust the ssl.client.props file trustStoreType property appropriately.

Problem summary

****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V6.1 for z/OS using JCERACF and the          *
*                 ssl.client.props instead of the              *
*                 soap.client.props                            *
****************************************************************
* PROBLEM DESCRIPTION: The migration does not copy the         *
*                      trustStoreType from the                 *
*                      soap.client.props to the                *
*                      ssl.client.props correctly.             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

When migration executes, it creates an ssl.client.props that contains all information from the soap.client.props except the trustStoreType. This value always defaults to JCE, which is invalid when the customer is using RACF.

Problem conclusion

The migration code has been updated to correctly copy the value from ssl.client.props to the soap.client.props.

APAR PK62783 is currently targeted for inclusion in Service Level (Fix Pack) 6.1.0.17 of WebSphere Application Server V6.1 for z/OS.

Please refer to URL: //www.ibm.com/support/docview.wss?rs=404&uid=swg27006970 for Fix Pack availability.

Temporary fix

Comments

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced
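
A consistency check for a migrated ssl.client.props, following from the local fix above; this is an added example, not IBM code. It assumes the store locations are held in com.ibm.ssl.keyStore and com.ibm.ssl.trustStore; the helper names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: flags the ssl.client.props mismatch described in this APAR.

# prop KEY FILE -> value of the last "KEY=value" line (trailing blanks removed)
prop() {
  key=$(printf '%s' "$1" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*${key}[[:space:]]*[=:][[:space:]]*//p" "$2" |
    tail -n 1 | sed 's/[[:space:]]*$//'
}

# expect FILE KEY WANT -> prints a finding and returns 1 when KEY is not WANT
expect() {
  got=$(prop "$2" "$1")
  [ "$got" = "$3" ] && return 0
  echo "MISMATCH $2=${got:-<unset>} (expected $3 for a SAF keyring)"
  return 1
}

# Returns 0 when every safkeyring: store is declared as a RACF, non-file store.
check_ssl_client_props() {
  file=$1 rc=0
  # Assumption: store locations are held in these two properties.
  ks=$(prop com.ibm.ssl.keyStore "$file")
  ts=$(prop com.ibm.ssl.trustStore "$file")
  case $ts in safkeyring:*)
    expect "$file" com.ibm.ssl.trustStoreType JCERACFKS || rc=1
    expect "$file" com.ibm.ssl.trustStoreFileBased false || rc=1 ;;
  esac
  case $ks in safkeyring:*)
    expect "$file" com.ibm.ssl.keyStoreFileBased false || rc=1 ;;
  esac
  return "$rc"
}

# Constructed sample carrying the three values this APAR reports after migration.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/ssl.client.props" <<'EOF'
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.keyStore=safkeyring:///WASKeyring.PLEX1
com.ibm.ssl.keyStoreFileBased=true
com.ibm.ssl.trustStore=safkeyring:///WASKeyring.PLEX1
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.trustStoreFileBased=true
EOF
if check_ssl_client_props "$demo_dir/ssl.client.props"; then
  echo "ssl.client.props is consistent"
else
  echo "ssl.client.props needs correction before running wsadmin.sh"
fi
```

Running the check against each profile's properties directory after migration surfaces the mismatch before a wsadmin.sh connection fails with "No trusted certificate found".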

Document Information
Current web document: swg1PK62783.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 610
Software edition:
Reference #: PK62783
IBM Group: Software Group
Modified date: Jul 2, 2008
(C) Copyright IBM Corporation 2000, 2009. All Rights Reserved.