I NEED HELP PLEASE - Add Signer Cert to WebSphere Server 7

barryman bevel
Greenhorn

Joined: Feb 24, 2009
Posts: 9
Hi,
I am trying to create an SSL connection to w3.ibm.com using WebSphere Server 7.0 Express on Linux. (yes I have access)

In the admin console I went to: SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates

Clicked on "Retrieve From Port" and used w3.ibm.com 443 - it imports the cert with no problem. I restart the server and then I get:

[04/03/09 12:37:52:562 GMT] 00000014 WSX509TrustMa E CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=bluepages.ibm.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=Terms of use at www.verisign.com/rpa (c)05, O=International Business Machines, L=Boulder, ST=Colorado, C=US" was sent from target host:port "unknown:0". The signer may need to be added to local trust store "/home/me/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/boxNode02Cell/nodes/boxNode02/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: invalid certificate, key identifier is missing from authority key identifier extension".

I hate WebSphere - I don't understand it at all. Can someone please help? I am about to give up.

Thank you!
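The CWPKI0022E text above names the exact field the path builder could not find: the keyIdentifier inside the AuthorityKeyIdentifier extension of a certificate in the chain. Before re-importing anything it is worth seeing what the server actually presents and what is already in trust.p12. The Java program below is an added example, not code from this thread or from WebSphere: it captures the chain the way "Retrieve from port" does (without validating it), prints each certificate's SubjectKeyIdentifier (SKI) and AKI keyIdentifier, and reports whether the issuer's SKI is already a signer in the PKCS12 trust store. Host, port, trust-store path and password are command-line arguments (assumptions, not taken from the post); "WebAS" is the password WebSphere assigns to its default key and trust stores unless it has been changed. It uses only JDK classes and runs on Java 6 or later.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Added diagnostic for CWPKI0022E, not WebSphere code. Captures the chain a server
// presents (as "Retrieve from port" does), prints each certificate's SKI and the
// keyIdentifier inside its AKI, and checks whether the issuer's SKI is already a
// signer in the given PKCS12 trust store.
//
// Usage: java SignerCheck w3.ibm.com 443 /path/to/trust.p12 WebAS
// ("WebAS" is the password WebSphere gives its default key and trust stores.)
public class SignerCheck {

    // Capture the server's chain without validating it. Inspection only: never use
    // a trust manager like this for a real connection.
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        final X509Certificate[][] captured = new X509Certificate[1][];
        X509TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { captured[0] = chain; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            sock.startHandshake();
        } finally {
            sock.close();
        }
        return captured[0];
    }

    // {contentOffset, contentLength} of the DER TLV that starts at off.
    static int[] tlv(byte[] der, int off) {
        int i = off + 1;                          // skip the tag byte
        int len = der[i++] & 0xff;
        if ((len & 0x80) != 0) {                  // long form: low 7 bits = number of length bytes
            int n = len & 0x7f;
            len = 0;
            for (int k = 0; k < n; k++) {
                len = (len << 8) | (der[i++] & 0xff);
            }
        }
        return new int[] { i, len };
    }

    static String hex(byte[] d, int off, int len) {
        StringBuilder sb = new StringBuilder();
        for (int i = off; i < off + len; i++) {
            sb.append(String.format("%02x", d[i] & 0xff));
        }
        return sb.toString();
    }

    // SubjectKeyIdentifier (2.5.29.14), or null when the certificate has none.
    static String subjectKeyId(X509Certificate c) {
        byte[] ext = c.getExtensionValue("2.5.29.14");
        if (ext == null) return null;
        int[] outer = tlv(ext, 0);                // getExtensionValue wraps the value in an OCTET STRING
        int[] ski = tlv(ext, outer[0]);           // SubjectKeyIdentifier ::= OCTET STRING
        return hex(ext, ski[0], ski[1]);
    }

    // keyIdentifier from AuthorityKeyIdentifier (2.5.29.35), or null when the extension
    // is absent or holds only issuer/serial. This is the field CWPKI0022E reports missing.
    static String authorityKeyId(X509Certificate c) {
        byte[] ext = c.getExtensionValue("2.5.29.35");
        if (ext == null) return null;
        int[] outer = tlv(ext, 0);
        int[] seq = tlv(ext, outer[0]);           // SEQUENCE { [0] keyIdentifier OPTIONAL, [1] ..., [2] ... }
        if (seq[1] == 0 || (ext[seq[0]] & 0xff) != 0x80) return null;  // first member is not [0] keyIdentifier
        int[] kid = tlv(ext, seq[0]);
        return hex(ext, kid[0], kid[1]);
    }

    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        FileInputStream in = new FileInputStream(args[2]);
        try {
            trust.load(in, args[3].toCharArray());
        } finally {
            in.close();
        }
        // Index signers already in trust.p12 by SKI so each link of the chain can be matched.
        Map<String, String> signerBySki = new HashMap<String, String>();
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate cert = trust.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                String ski = subjectKeyId((X509Certificate) cert);
                if (ski != null) signerBySki.put(ski, alias);
            }
        }
        X509Certificate[] chain = fetchChain(args[0], Integer.parseInt(args[1]));
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            String aki = authorityKeyId(c);
            System.out.println("[" + i + "] subject : " + c.getSubjectX500Principal().getName());
            System.out.println("    issuer  : " + c.getIssuerX500Principal().getName());
            System.out.println("    SKI     : " + subjectKeyId(c));
            System.out.println("    AKI kid : " + (aki == null ? "MISSING" : aki));
            String anchor = aki == null ? null : signerBySki.get(aki);
            System.out.println("    issuer already a signer in trust store: " + (anchor == null ? "no" : "yes, alias " + anchor));
        }
    }
}
```

Read the output link by link: a certificate whose AKI keyIdentifier prints as MISSING is the one the handshake error is talking about, and the SKI column tells you whether the certificate sitting in trust.p12 is the issuing CA of that link (subject equal to the link's issuer) or merely the end-entity certificate that was presented. The trust manager here deliberately accepts anything, so the class is for inspection on an admin workstation, never for an application's own connections.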
f malin
Greenhorn

Joined: Jan 07, 2009
Posts: 19

According to the message, something appears to be wrong with the configuration, but since you used the admin console, I would think that it would be correct. To be sure, can you verify the following configuration information:

Check the security.xml file
  • /home/me/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/boxNode02Cell/security.xml
  • Look for the stanza containing NodeDefaultSSLSettings, then look for the value stored at trustStore="KeyStore_boxNode02 ..." (not sure of the complete name here).
  • Look for the keystore defined by the value in the trustStore field.
  • Now look for the location field, and verify that the file name at that location exists on the file system.

I am not sure what to do if the information appears to be correct.
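The checklist above follows a chain of references inside security.xml by eye. The Java program below is an added example (not from this thread or from IBM) that does the same walk mechanically: it finds the repertoire element whose alias you name, reads the trustStore reference from its setting child, looks up the keyStores element with that xmi:id, expands ${CONFIG_ROOT} with the path you pass, decodes the {xor} password (WebSphere's {xor} form is base64 of each byte XOR 0x5f; it is obfuscation, not encryption), confirms the file exists and lists the entries in it. Assumptions: the element and attribute names (repertoire, setting, keyStores, trustStore, location, password, type, xmi:id) are those of a WebSphere 7 security.xml; only ${CONFIG_ROOT} is expanded, other variables are left as written; Java 8 or later is used for java.util.Base64. It needs no WebSphere classes, so it can be pointed at a copy of the profile's config directory.

```java
import java.io.File;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example, not WebSphere code: follows the reference chain in security.xml
//   repertoire[@alias] -> setting/@trustStore -> keyStores[@xmi:id] -> @location/@password
// then decodes the {xor} password, checks the file exists and lists the entries in it.
//
// Usage: java TrustStoreLocator <profile>/config/cells/<cell>/security.xml NodeDefaultSSLSettings <profile>/config
// The third argument is substituted for ${CONFIG_ROOT} in the keystore location.
public class TrustStoreLocator {

    // WebSphere's {xor} form is base64 of each byte XOR 0x5f ('_'): obfuscation, not
    // encryption. "{xor}CDo9Hgw=" decodes to the default store password "WebAS".
    static String decodeXor(String enc) {
        if (enc == null || !enc.startsWith("{xor}")) return enc;
        byte[] raw = Base64.getDecoder().decode(enc.substring("{xor}".length()));
        for (int i = 0; i < raw.length; i++) raw[i] ^= 0x5f;
        return new String(raw, StandardCharsets.UTF_8);
    }

    // First element in the list whose attribute equals value, or null.
    static Element byAttr(NodeList list, String attr, String value) {
        for (int i = 0; i < list.getLength(); i++) {
            Element e = (Element) list.item(i);
            if (value.equals(e.getAttribute(attr))) return e;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String alias = args[1];
        String configRoot = args[2];
        // Namespace-unaware DOM: the xmi:id attribute is addressed by its qualified name.
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new File(args[0]));

        Element rep = byAttr(doc.getElementsByTagName("repertoire"), "alias", alias);
        if (rep == null) throw new IllegalStateException("no SSL configuration with alias " + alias);
        Element setting = (Element) rep.getElementsByTagName("setting").item(0);
        String trustRef = setting.getAttribute("trustStore");

        Element ks = byAttr(doc.getElementsByTagName("keyStores"), "xmi:id", trustRef);
        if (ks == null) throw new IllegalStateException("no keyStores element with xmi:id " + trustRef);
        String location = ks.getAttribute("location").replace("${CONFIG_ROOT}", configRoot);
        File store = new File(location);

        System.out.println("SSL config   : " + alias);
        System.out.println("trustStore   : " + trustRef + " (name=" + ks.getAttribute("name")
                + ", type=" + ks.getAttribute("type") + ")");
        System.out.println("location     : " + location + (store.isFile() ? "" : "   <-- FILE NOT FOUND"));
        if (!store.isFile()) return;

        // Open the store with the decoded password and list what is in it.
        KeyStore keyStore = KeyStore.getInstance(ks.getAttribute("type"));
        FileInputStream in = new FileInputStream(store);
        try {
            keyStore.load(in, decodeXor(ks.getAttribute("password")).toCharArray());
        } finally {
            in.close();
        }
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            Certificate c = keyStore.getCertificate(a);
            String subject = c == null ? "(no certificate)"
                    : (c instanceof X509Certificate)
                        ? ((X509Certificate) c).getSubjectX500Principal().getName() : c.getType();
            System.out.println("entry        : " + a + "  " + subject);
        }
    }
}
```

If the program stops at FILE NOT FOUND, the location attribute or the variable it depends on is the problem; if it loads the store and lists entries, the file, password and type agree with security.xml and the trouble lies in the certificates themselves rather than in the configuration wiring. Because the {xor} password is trivially reversible, treat security.xml with the same care as the key files it points to.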
    barryman bevel
    Greenhorn

    Joined: Feb 24, 2009
    Posts: 9
    First thank you very much for your reply.

    I will check everything you said in detail and post back.

    barryman bevel
    Greenhorn

    Joined: Feb 24, 2009
    Posts: 9
    Here's the SSLConfig section from security.xml:



    Here's the matching key stores for KeyStore_boxNode02_1 and KeyStore_boxNode02_2:


    Both files exist at the given location. I might reinstall WebSphere - backup security.xml and add the signer cert again and see what happens...

    Thanks for your help.
    Barry.
    f malin
    Greenhorn

    Joined: Jan 07, 2009
    Posts: 19

    Barry,
    I figured that the data would line up because of the way in which you created it.

    Is there more information about the failure, such as a call stack that you can post? There may be an FFDC file which contains information about the failure which would be indicated in the SystemOut.log by a statement similar to this:
    [3/4/09 22:43:41:906 CST] 00000014 FfdcProvider I com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on C:\WAS70.1\profiles\AppSrv01\logs\ffdc\server1_30293029_09.03.04_22.43.41.875956615743042354157.txt
    near the error which you had previously posted.

    Frank
    barryman bevel
    Greenhorn

    Joined: Feb 24, 2009
    Posts: 9
    Thanks Frank

    I reinstalled WebSphere and tried again - exactly same error.

    Here are all the lines containing FFDC since I reinstalled:



    I "think" this appeared when I added the cert:






    The last line looks like what you're talking about, I think.
    barryman bevel
    Greenhorn

    Joined: Feb 24, 2009
    Posts: 9
    Contents of /home/me/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_6dbc6dbc_09.03.05_14.47.19.62113562.txt

    [05/03/09 14:48:14:031 GMT] FFDC Exception:com.ibm.wsspi.genericbnf.exception.MalformedMessageException SourceId:HttpInboundLink.handleNewInformation ProbeId:2 Reporter:com.ibm.ws.http.channel.inbound.impl.HttpInboundLink@5ed05ed
    com.ibm.wsspi.genericbnf.exception.MalformedMessageException: Invalid LF found in token
    at com.ibm.ws.genericbnf.impl.BNFHeadersImpl.findTokenLength(BNFHeadersImpl.java:4534)
    at com.ibm.ws.genericbnf.impl.BNFHeadersImpl.parseTokenExtract(BNFHeadersImpl.java:4959)
    at com.ibm.ws.genericbnf.impl.GenericMessageImpl.parseLine(GenericMessageImpl.java:212)
    at com.ibm.ws.genericbnf.impl.GenericMessageImpl.parseMessage(GenericMessageImpl.java:348)
    at com.ibm.ws.http.channel.impl.HttpBaseMessageImpl.parseMessage(HttpBaseMessageImpl.java:2535)
    at com.ibm.ws.http.channel.impl.HttpServiceContextImpl.parseMessage(HttpServiceContextImpl.java:2569)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:328)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:272)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
    at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
    at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
    at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:202)
    at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:766)
    at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:896)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1527)

    ==> Performing default dump from com.ibm.ws.http.channel.impl.HTTPChannelDM :Thu Mar 05 14:48:14 GMT 2009
    +Data for directive [defaulthttpchannel] obtained.:
    ==> Dump complete for com.ibm.ws.http.channel.impl.HTTPChannelDM :Thu Mar 05 14:48:14 GMT 2009
    f malin
    Greenhorn

    Joined: Jan 07, 2009
    Posts: 19
    Barry,
    If you can send me your log files, I can see what I can find ... Look for a private message with my gmail account.
    I will post any finding back to the board.
    Frank
    Medha Kulkarni
    Greenhorn

    Joined: Oct 21, 2009
    Posts: 1
    Hi there,

    Is your problem solved? If yes, can you please tell me the solution, I am facing similar problem.

    Thanks and Regards,
    Medha



     