Problem(Abstract)
You receive the message
    javax.net.ssl.SSLHandshakeException: certificate expired
while trying to access the administrative console from the browser in Network
Deployment.
This might also occur during other WebSphere® Application Server
administrative functions.
The message indicates that the certificate presented to the client by
WebSphere Application Server has passed its expiration date. These
certificates are self-signed certificates; however, this can occur with any
SSL certificate.

Cause
During the ISPF Customization process, WebSphere
Application Server creates a self-signed certificate. These certificates
can expire. If they do, new ones must be created and added to your RACF®
Keyring (if using RACF), then set as a DEFAULT certificate.
To verify the certificate is expired:
Step 1
List all the certificates for a keyring for the USERID assigned to the
particular control region. Find the certificate marked as DEFAULT. This
certificate is the one presented to clients.
    RACDCERT LISTRING(WASKeyring) ID(CBSYMSR1)
where WASKeyring and CBSYMSR1 should be changed to your keyring and
userid:
    RACDCERT LISTRING(WASKeyring) ID(CBSYMSR1)
    Digital ring information for user CBSYMSR1:
      Ring:
           >WASKeyring<
      Cert Label                      Cert Owner    USAGE     DEFAULT
      ------------------------------  ------------  --------  -------
      DefaultWASCert.BBOC001          ID(CBSYMSR1)  PERSONAL  YES
      WebSphereCA                     CERTAUTH      CERTAUTH  NO
      Verisign Class 3 Primary CA     CERTAUTH      CERTAUTH  NO
      Verisign Class 1 Primary CA     CERTAUTH      CERTAUTH  NO
      RSA Secure Server CA            CERTAUTH      CERTAUTH  NO
      Thawte Server CA                CERTAUTH      CERTAUTH  NO
      Thawte Premium Server CA        CERTAUTH      CERTAUTH  NO
      Thawte Personal Basic CA        CERTAUTH      CERTAUTH  NO
      Thawte Personal Freemail CA     CERTAUTH      CERTAUTH  NO
      Thawte Personal Premium CA      CERTAUTH      CERTAUTH  NO
      Verisign International Svr CA   CERTAUTH      CERTAUTH  NO
Step 2
Display the DEFAULT certificate.
Note: The End Date: field is the expiration date. The certificate is NOT
expired in this case.
The certificate was signed by:
    Issuer's Name:
         >CN=WAS CertAuth for Security Domain.OU=WebSphere for zOS<
    RACDCERT LIST (LABEL('DefaultWASCert.BBOC001')) ID(CBSYMSR1)
    Digital certificate information for user CBSYMSR1:
      Label: DefaultWASCert.BBOC001
      Certificate ID: 2QjDwuLo1OLZ8cSFhoGkk6PmweLDhZmjS8LC1sPw8PFA
      Status: TRUST
      Start Date: 2004/04/12 00:00:00
      End Date:   2010/12/31 23:59:59
      Serial Number:
           >01<
      Issuer's Name:
           >CN=WAS CertAuth for Security Domain.OU=WebSphere for zOS<
      Subject's Name:
           >CN=CBSYMSR1.BBOC001.OU=CB390.O=IBM<
      Private Key Type: Non-ICSF
      Private Key Size: 1024
      Ring Associations:
        Ring Owner: CBSYMSR1
        Ring:
           >WASKeyring<

Resolving the problem
You need a new, unexpired certificate set to DEFAULT.
The first RACF command below creates a new certificate. The second command
connects the new certificate to the Keyring and marks it default.
Note: This certificate is self-signed and might not be suitable
for your installation. In this case you must request a certificate from an
external CA.
    /* Generating certificates for WebSphere Deployment Manager */
    RACDCERT ID (DMCR1) GENCERT SUBJECTSDN(CN('DMCR1.BBODMGR') O('IBM')
    OU('CB390')) WITHLABEL('DefaultWASDmgrCert')
    SIGNWITH(CERTAUTH LABEL('WebSphereCA')) NOTAFTER(DATE(2010/12/31))
NOTE: The "NOTAFTER" value can NOT be later than the "End-Date"
assigned to the CA certificate. To display the CA certificate, issue:
    RACDCERT LIST (LABEL('WebSphereCA')) CERTAUTH
where WebSphereCA is replaced with the Label of your CA.
    /* Connecting Certificates to the Deployment Manager keyring */
    RACDCERT ID(DMCR1)
    CONNECT (LABEL('DefaultWASDmgrCert') RING(WASKeyring ) DEFAULT)
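
The expiry check from Step 2 and the NOTAFTER rule above, as an added Python example (not IBM's code): it parses RACDCERT LIST output saved as text, classifies each certificate, and tests a proposed NOTAFTER date against the CA's End Date. The sample listing, the WebSphereCA dates, the function names and the 30-day warning threshold are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the RACDCERT LIST output shown above.
# The WebSphereCA dates are made up for the example.
SAMPLE_LIST_OUTPUT = """\
Label: DefaultWASCert.BBOC001
Status: TRUST
Start Date: 2004/04/12 00:00:00
End Date:   2010/12/31 23:59:59
Label: WebSphereCA
Status: TRUST
Start Date: 2004/04/12 00:00:00
End Date:   2010/12/31 23:59:59
"""

FIELD = re.compile(r"^\s*(Label|Start Date|End Date):\s*(.+?)\s*$")
STAMP = "%Y/%m/%d %H:%M:%S"

def parse_certs(text):
    """Return one dict (label, start, end) per certificate in the listing."""
    certs = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Label":
            certs.append({"label": value})
        elif certs:
            field = "start" if key == "Start Date" else "end"
            certs[-1][field] = datetime.strptime(value, STAMP)
    return certs

def validity(cert, now, warn_days=30):
    """Classify a parsed certificate against the time 'now'."""
    if now < cert["start"]:
        return "NOT_YET_VALID"
    if now > cert["end"]:
        return "EXPIRED"
    return "EXPIRING" if (cert["end"] - now).days < warn_days else "OK"

def notafter_allowed(notafter, ca_cert):
    """True if a GENCERT NOTAFTER date (yyyy/mm/dd) is not later than the
    signing CA's End Date; compared at day granularity."""
    wanted = datetime.strptime(notafter, "%Y/%m/%d").date()
    return wanted <= ca_cert["end"].date()

if __name__ == "__main__":
    for cert in parse_certs(SAMPLE_LIST_OUTPUT):
        print(cert["label"], validity(cert, datetime.now()))
```

Run it on a schedule against saved listings of the DEFAULT certificate and its CA so that an approaching End Date is reported before clients start failing the handshake.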