Problem (Abstract)
After successful migration from WebSphere® Application
Server V5.0.2 to WebSphere Application Server V5.1 (build W510201), the
following error occurs when starting the Node Agent:
Caused by: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening
socket: javax.net.ssl.SSLHandshakeException: unknown certificate;
targetException=java.lang.IllegalArgumentException: Error opening
socket: javax.net.ssl.SSLHandshakeException: unknown
certificate]
Cause
The cell was initially built at W502xxx. At that level, JSSE did not support ACF2
keyrings, although SSL did. JSSE used JKS files in the HFS for its
keystore and truststore. Even though the migration was to W510xxx, the
standard migration steps do not take care of this, and manual steps are required.
Resolving the problem
There are two ways to fix the problem.
- Recommended technique: Configure WebSphere Application
Server to use ACF2 keyring as the System SSL instead of the JKS files for
JSSE.
- Alternative technique: Copy the JKS files from the
W502xxx libraries to the W510xxx libraries.
To turn off global security:
- Shut down the cell.
- Change to the bin directory for the Deployment Manager (DM).
- SU to the default administrator's ID.
- Issue the command: ./wsadmin.sh -conntype NONE
- When prompted by wsadmin, type "securityoff".
- Wait for the message that indicates that global security is off.
- Type "quit" to exit wsadmin.
- Repeat for each node.
  Note: This is required for all WebSphere Application Server processes to
  be aware that global security is off.
- Start the DM, the node agents and the Application Servers.
- After the cell starts, verify that the node agents synchronize
successfully with the DM.
Notes:
- The administrative console can display process
status.
- The administrative console will prompt for a userID and
password.
Verifying JSSE services:
After successfully configuring global security, verify that JSSE services
are still using JKS files.
- Check in the DM by:
  - Opening the administrative console.
  - Selecting System Administration > Deployment Manager
    > Administration Services > JMX Connectors >
    SOAPConnector > Custom Properties > sslConfig.
  - Verify that the value for sslConfig is
    dmnode/RACFJSSESettings, where dmnode is the name of your
    DM node.
  - If sslConfig is not set to RACFJSSESettings:
    - Select sslConfig.
    - Select the appropriate setting from the pulldown list.
    - Verify that the box is checked to synchronize changes with servers.
    - Save the setting.
- For each node agent:
  - Open the administrative console.
  - Select System Administration > Node Agents >
    node_agent > Administration Services > JMX
    Connectors > SOAPConnector > Custom Properties
    > sslConfig.
  - Verify that the value for sslConfig is
    node/RACFJSSESettings, where node_agent is the name of
    your Application Server node.
  - If sslConfig is not set to RACFJSSESettings:
    - Select sslConfig.
    - Select the appropriate setting from the pulldown list.
    - Verify that the box is checked to synchronize changes with servers.
    - Save the setting.
- For the Application Servers:
  - Open the administrative console.
  - Select Servers > Application Servers >
    server_name > Administration Services > JMX
    Connectors > SOAPConnector > Custom Properties
    > sslConfig.
  - Verify that the value for sslConfig is
    node/RACFJSSESettings, where server_name is the name of
    your Application Server node.
  - If sslConfig is not set to RACFJSSESettings:
    - Select sslConfig.
    - Select the appropriate setting from the pulldown list.
    - Verify that the box is checked to synchronize changes with servers.
    - Save the setting.
- Stop cell, then restart to start synchronization.
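
The console checks above can also be run offline against copies of each server's server.xml. The following Python sketch is an added example, not part of the original technote or IBM code. It assumes the SOAP connector is stored as a connectors element whose xmi:type ends in SOAPConnector, with properties children; the sample XML, its namespace URI, and the node and server names are constructed.

```python
import xml.etree.ElementTree as ET

XMI_TYPE = "{http://www.omg.org/XMI}type"  # expanded name of the xmi:type attribute
EXPECTED_ALIAS = "RACFJSSESettings"        # alias the technote expects for sslConfig


def sample_server_xml(ssl_config):
    """Constructed server.xml fragment (assumed layout, placeholder namespace)."""
    prop = '<properties name="sslConfig" value="%s"/>' % ssl_config if ssl_config else ""
    return (
        '<process:Server xmlns:xmi="http://www.omg.org/XMI" '
        'xmlns:process="urn:example:process" name="server1">'
        '<services xmi:type="adminservice:AdminService">'
        '<connectors xmi:type="adminservice:SOAPConnector">'
        + prop +
        '<properties name="requestTimeout" value="600"/>'
        '</connectors>'
        '<connectors xmi:type="adminservice:RMIConnector"/>'
        '</services></process:Server>'
    )


def soap_ssl_config(server_xml):
    """Return the sslConfig value of the SOAP connector, or None if it is absent."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("connectors"):
        if conn.get(XMI_TYPE, "").endswith("SOAPConnector"):
            for prop in conn.findall("properties"):
                if prop.get("name") == "sslConfig":
                    return prop.get("value")
    return None


def audit(servers):
    """servers: {label: (node_name, server_xml)} -> [(label, found, expected)] mismatches."""
    findings = []
    for label, (node, xml_text) in sorted(servers.items()):
        expected = "%s/%s" % (node, EXPECTED_ALIAS)
        found = soap_ssl_config(xml_text)
        if found != expected:
            findings.append((label, found, expected))
    return findings


if __name__ == "__main__":
    cell = {  # constructed cell: one DM, one node agent, one application server
        "dmgr": ("dmnode", sample_server_xml("dmnode/RACFJSSESettings")),
        "nodeagent": ("node1", sample_server_xml("node1/DefaultSSLSettings")),
        "server1": ("node1", sample_server_xml(None)),
    }
    for label, found, expected in audit(cell):
        print("%s: sslConfig=%r, expected %r" % (label, found, expected))
```

Any server the audit reports still needs the console correction described above, followed by a synchronize and restart.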