We are trying to establish SSL connection to a secure web application from another application and both the applications are running in WAS4.0.7. We are getting SSLHandShake exception while trying to get the data in https mode but if we make a connection in http mode, we are successfully able to retrieve the data.
javax.net.ssl.SSLHandshakeException: certificate expired at com.ibm.jsse.be.a(Unknown Source) at com.ibm.jsse.be.startHandshake(Unknown Source) at com.ibm.net.ssl.www.protocol.https.b.n(Unknown Source) at com.ibm.net.ssl.www.protocol.https.p.connect(Unknown Source) at com.ibm.net.ssl.www.protocol.http.bw.getOutputStream(Unknown Source) at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.getOutputStream(Unknown Source) at com.myapp.net..................
In some of the articles on the net, it is suggested to use the jsse jar provided by sun but we don't have such flexibility to use jsse jar provided by sun.
When you establish an https connection WAS will use either the certificates in cacerts or DummyServerKeyFile.jks as the client certificates for authentication. It is likely that whichever of these is being used contains an expired certificate. It is also possible the trust store contains an expired certificate, the exception would be thrown in that case too. Check those keystores and remove or update the expired certs. IBM has patches to do this for you I believe.
To clarify, I was fighting with the same issue, and the cert needed to be reloaded in the cacerts within the jdk that ships with WebSphere. Reloading the one in /opt/WebSphere/AppServer/etc/DummyServerTrustFile.jks had no effect on the expired certificate problem. here is where to get the new root certs for verisign and thawte.
Also, for more info on reloading certs, see this ]article
[ August 11, 2004: Message edited by: Steve Ferguson [ August 11, 2004: Message edited by: Steve Ferguson ]