PQ57010: WAS WILL NOT USE SELF-SIGNED CERTS FROM KEYFILE ONLY. MUST ALSO HAVE TRUSTFILE. SHOULD BE ABLE TO USE 1 FILE ONLY.

APAR status
Closed as program error.

Error description
Problem: Trying to replace the dummyKeyring for the Admin Server
by using only one keyring database file rather than two separate
files, 1 keyfile and 1 trustfile.

Using a trusted CA certificate does allow you to use one file,
but using a self-signed certificate does not.

Local fix
Create a trustfile and a keyfile for certificates.

Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users of self   *
*                 signed certificates with security enabled    *
****************************************************************
* PROBLEM DESCRIPTION: If a user goes to the Security center,  *
*                      changes the standard server keyfile     *
*                      to another keyfile like self signed     *
*                      and enables security then user          *
*                      gets SSLHandshakeException              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The user gets an SSLHandshakeException when using their
own self-signed certificate.

If the customer goes to the Security center, changes the
standard server keyfile to another keyfile, such as a self-signed
one, and enables security, then the user gets an SSLHandshakeException.

Problem conclusion
The fix has two parts. The first is the proper creation of
client-side and server-side self-signed JKS files. The second
is ORB code that uses the appropriate JSSE API to use these
key and trust files in the SSL connection creation logic of
the Java ORB.

Code changes were made in the Java ORB to use the proper JSSE
API calls to use JKS files.

An e-fix is available that has been tested to work.
Class files modified:
IIOPSSLConnection &
IIOPSSLConnectionClient
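
The following is an added example, not IBM's ORB code: a sketch of how standard JSSE calls can take both key material and trust material from one JKS file, and report whether each key entry's certificate is also stored as a trusted-certificate entry. The class name, the command-line arguments and the assumption that the key password equals the store password are illustrative.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SingleJksContext {
    // True if the store also holds this certificate as a trusted-certificate entry.
    static boolean hasTrustedCopy(KeyStore ks, Certificate cert) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias) && cert.equals(ks.getCertificate(alias))) {
                return true;
            }
        }
        return false;
    }

    // Builds an SSLContext whose key managers and trust managers both read one JKS file.
    static SSLContext fromSingleFile(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate leaf = (X509Certificate) ks.getCertificate(alias);
            boolean selfIssued = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
            System.out.printf("key entry %s: self-issued=%b, trusted copy present=%b%n",
                    alias, selfIssued, hasTrustedCopy(ks, leaf));
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password); // assumption: key password equals store password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);           // the same file supplies the trust material
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0] = path to the JKS file, args[1] = its password (both supplied by the caller)
        SSLContext ctx = fromSingleFile(args[0], args[1].toCharArray());
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```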

Temporary fix

Comments

APAR information
APAR number: PQ57010
Reported component name: WEBSPHERE AES A
Reported component ID: 5630A2300
Reported release: 400
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Submitted date: 2002-01-23
Closed date: 2002-01-30
Last modified date: 2003-04-29

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
ORB

Fix information
Fixed component name: WEBSPHERE AES A
Fixed component ID: 5630A2300

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ57010
IBM Group: Software Group
Modified date: Apr 29, 2003