PK16652: JAVA.SECURITY.KEYSTOREEXCEPTION: NULL WHEN SETTING UP AN LDAP REGISTRY WITH A JSSE REPERTOIRE WITH SAFKEYRING URI

 A fix is available




APAR status
Closed as program error.

Error description
Customer has set up an LDAP user registry with an
SSL Configuration pointing to an SSL Repertoire.
The SSL Repertoire has a Key File Name/Trust File Name with a
safkeyring URI.
.
The following error was seen in the job output.
Trace: 2005/05/26 11:48:25.245 01 t=7E4E88 c=UNK key=P8
(0000000A)
  Description: Log Boss/390 Error
  from filename: ./bborjtr.cpp
  at line: 830
The keystore or truststore type specified is invalid.  Adjusting
to use the correct type, however, please correct the SSL
configuration for performance reasons.
.
Trace: 2005/05/26 11:48:25.395 01 t=7E4E88 c=UNK key=P8
(13007002)
  FunctionName:
com.ibm.ws.security.registry.ldap.LdapRegistryImpl
  SourceId: com.ibm.ws.security.registry.ldap.LdapRegistryImpl
  Category: ERROR
  ExtendedMessage: SECJ0352E: Could not get the users matching
the pattern cn=BBOS001,ou=users,o=company,c=be because of the
followinng exception
javax.naming.CommunicationException:javax.naming.CommunicationEx
ception: myurl.this.company.bank:636.Root exception is
java.io.IOException: java.securty.KeyStoreException: null
com.ibm.ws.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.ja
.at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
AccessorImpl
.at java.lang.reflect.Method.invoke(Method.java:391)
com.sun.jndi.ldap.Connection.createSocket(Connection.java:341)
.at com.sun.jndi.ldap.Connection.<init>(Connection.java:211)
.at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136)
com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1685)
.at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2616)
.at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:307)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.jav
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactor
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.jav
.at javax.naming.InitialContext.init(InitialContext.java:233)
.at javax.naming.InitialContext.<init>(InitialContext.java:209)
javax.naming.directory.InitialDirContext.<init>(InitialDirContex
com.ibm.ws.security.registry.ldap.LdapConfig.getRootDSE(LdapConf
com.ibm.ws.security.registry.ldap.LdapRegistryImpl.getRootDSE(Ld
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V5.0 for z/OS                                *
****************************************************************
* PROBLEM DESCRIPTION: The message "SRVE0500W: The keystore or *
*                      truststore type specified is invalid."  *
*                      appears in the servant region job log   *
*                      when creating a new JSSE SSL            *
*                      repertoire using a safkeyring:/// URI   *
*                      as the Key File Name or Trust File      *
*                      Name.                                   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When creating a new JSSE SSL repertoire in the Administrative
Console (Security > SSL > New JSSE Repertoire), there are only 3
choices for the Key File Format or Trust File Format
(JKS, PKCS12 and JCEKS). The problem arises when a
safkeyring:/// URI is used as the Key File Name or Trust File
Name with a Key/Trust File Format that is not among the choices
on the admin console, such as a JCERACFKS key store. If the
default value of JKS is chosen in the admin console, all possible
Key Store formats should have been tried at runtime, but instead
only the Key Store types JKS, PKCS12 and JCEKS were checked.
Problem conclusion
At runtime allow for JCERACFKS as a possible Key Store format
when creating/using a JSSE SSL repertoire.
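
The type fallback described above, as an added example (not IBM's code; the class and method names are hypothetical). It tries the configured type first and then every other known type, JCERACFKS included; on a JVM with no safkeyring URL handler or JCERACFKS provider that attempt simply fails and the loop moves on. The sample keystore is constructed in a temp file.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.LinkedHashSet;
import java.util.Set;

public class KeyStoreTypeFallback {
    // The three console choices plus JCERACFKS, the type this APAR adds to the runtime check.
    static final String[] KNOWN_TYPES = {"JKS", "PKCS12", "JCEKS", "JCERACFKS"};

    // Configured type first, then every other known type, without duplicates.
    static Set<String> candidates(String configuredType) {
        Set<String> order = new LinkedHashSet<>();
        order.add(configuredType);
        for (String t : KNOWN_TYPES) order.add(t);
        return order;
    }

    static KeyStore load(String configuredType, String location, char[] pw) throws KeyStoreException {
        Exception last = null;
        for (String type : candidates(configuredType)) {
            // An unknown URL scheme, a missing provider or a format mismatch all end up in the catch.
            try (InputStream in = new URL(location).openStream()) {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(in, pw);
                if (!type.equals(configuredType))
                    System.err.println("WARN: " + location + " is " + type + ", not " + configuredType
                            + "; correct the configured type to avoid the retries");
                return ks;
            } catch (Exception e) { last = e; }
        }
        throw new KeyStoreException("no known keystore type could load " + location, last);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JCEKS store in a temp file, configured with the wrong type.
        char[] pw = "changeit".toCharArray();
        Path file = Files.createTempFile("sample", ".jceks");
        KeyStore sample = KeyStore.getInstance("JCEKS");
        sample.load(null, pw);
        try (OutputStream out = Files.newOutputStream(file)) { sample.store(out, pw); }
        KeyStore ks = load("PKCS12", file.toUri().toURL().toString(), pw);
        System.out.println("loaded as " + ks.getType());
    }
}
```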

APAR PK16652 is associated with SERVICE LEVEL W502038 of
WebSphere Application Server V5.0 for z/OS.
Temporary fix

Comments

APAR information
APAR number: PK16652
Reported component name: WEBSPHERE FOR Z
Reported component ID: 5655I3500
Reported release: 500
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2005-12-13
Closed date: 2006-01-23
Last modified date: 2006-02-02

APAR is sysrouted FROM one or more of the following:
PK06785

APAR is sysrouted TO one or more of the following:

Modules/Macros
BBOUBINF          

Publications Referenced

Fix information
Fixed component name: WEBSPHERE FOR Z
Fixed component ID: 5655I3500

Applicable component levels
R500 PSY UK11044    UP06/01/27 P F601



Document Information


Current web document: swg1PK16652.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 500
Software edition:
Reference #: PK16652
IBM Group: Software Group
Modified date: Feb 2, 2006