I NEED HELP PLEASE - Add Signer Cert to WebSphere Server 7
barryman bevel
Greenhorn
Joined: Feb 24, 2009
Posts: 9
Hi,
I am trying to create an SSL connection to w3.ibm.com using WebSphere Server 7.0 Express on Linux. (yes I have access)
In the admin console I went to: SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates
Clicked on "Retrieve From Port" and used w3.ibm.com 443. It imports the cert with no problem. Restart the server and then I get:
[04/03/09 12:37:52:562 GMT] 00000014 WSX509TrustMa E CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=bluepages.ibm.com, OU=Terms of use at www.verisign.com/rpa (c)05, OU=Terms of use at www.verisign.com/rpa (c)05, O=International Business Machines, L=Boulder, ST=Colorado, C=US" was sent from target host:port "unknown:0". The signer may need to be added to local trust store "/home/me/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/boxNode02Cell/nodes/boxNode02/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: invalid certificate, key identifier is missing from authority key identifier extension".
I hate WebSphere - I don't understand it at all. Can someone please help? I am about to give up.
Thank you!
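The CWPKI0022E text above names one concrete field, the keyIdentifier inside the AuthorityKeyIdentifier extension, so an administrator can inspect that field on a certificate before adding it as a signer to trust.p12. The following standard-library Python is an added example, not code from this thread or from WebSphere: it walks a DER certificate to its extensions, extracts the AuthorityKeyIdentifier, and reports which of its optional parts are present; the two sample certificates are constructed skeletons, and a real certificate can be passed in as DER bytes.

```python
AKI_OID = bytes.fromhex("551d23")  # OBJECT IDENTIFIER 2.5.29.35 = id-ce-authorityKeyIdentifier
AKI_TAGS = {0x80: "keyIdentifier", 0xA1: "authorityCertIssuer", 0x82: "authorityCertSerialNumber"}
def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos] -> (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(der):                         # (tag, value) of every TLV inside a constructed value
    pos = 0
    while pos < len(der):
        tag, val, pos = read_tlv(der, pos)
        yield tag, val

def parse_aki(ext_value):
    """AuthorityKeyIdentifier ::= SEQUENCE { [0] keyIdentifier, [1] issuer, [2] serial }, each OPTIONAL."""
    tag, body, _ = read_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("AKI extension value is not a SEQUENCE")
    return {AKI_TAGS[t]: v.hex() for t, v in children(body) if t in AKI_TAGS}

def find_aki(cert_der):
    """Walk Certificate > tbsCertificate > extensions [3]; return the AKI extnValue bytes or None."""
    tbs = read_tlv(read_tlv(cert_der)[1])[1]
    for tag, val in children(tbs):
        if tag != 0xA3:                    # skip version, serial, issuer, validity, subject, SPKI ...
            continue
        for _, ext in children(read_tlv(val)[1]):   # Extensions ::= SEQUENCE OF Extension
            parts = list(children(ext))    # extnID OID, optional BOOLEAN critical, extnValue OCTET STRING
            if parts[0][1] == AKI_OID:
                return parts[-1][1]
    return None

def aki_verdict(cert_der):
    """One-line verdict on the field the CWPKI0022E message complains about."""
    ext = find_aki(cert_der)
    fields = parse_aki(ext) if ext else {}
    if "keyIdentifier" in fields:
        return "keyIdentifier present: " + fields["keyIdentifier"]
    return "keyIdentifier missing; AKI fields present: " + (", ".join(sorted(fields)) or "none")
def tlv(tag, body):                        # short-form DER encoder (len < 128) for the samples below
    return bytes([tag, len(body)]) + body
def sample_cert(aki_body):                 # constructed Certificate skeleton holding only an
    ext = tlv(0x30, tlv(0x06, AKI_OID) + tlv(0x04, tlv(0x30, aki_body)))   # extensions field
    return tlv(0x30, tlv(0x30, tlv(0xA3, tlv(0x30, ext))))                  # (not a signed cert)
GOOD_CERT = sample_cert(tlv(0x80, bytes(range(20))))                            # keyIdentifier set
BAD_CERT = sample_cert(tlv(0xA1, tlv(0xA4, tlv(0x30, b""))) + tlv(0x82, b"\x01"))  # issuer + serial only
```

For a certificate saved in PEM form, convert it first with ssl.PEM_cert_to_DER_cert() and pass the result to aki_verdict(); a verdict of "keyIdentifier missing" on the imported signer is the condition the handshake error describes.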
f malin
Greenhorn
Joined: Jan 07, 2009
Posts: 19
According to the message, something appears to be wrong with the configuration, but since you used the admin console, I would think that it would be correct. To be sure, can you verify the following configuration information:
Check the security.xml file
/home/me/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/boxNode02Cell/security.xml
Look for the stanza containing: NodeDefaultSSLSettings, look for the value stored at: trustStore="KeyStore_boxNode02 ..." (not sure of the complete name here)
Look for the keystore defined by the value in the trustStore field.
Now look for the location field, and verify that the file name at that location exists on the file system.
I am not sure what to do, if the information appears to be correct.
barryman bevel
Greenhorn
Joined: Feb 24, 2009
Posts: 9
First thank you very much for your reply.
I will check everything you said in detail and post back.
barryman bevel
Greenhorn
Joined: Feb 24, 2009
Posts: 9
Here's the SSLConfig section from Security.xml:
Here's the matching key stores for KeyStore_boxNode02_1 and KeyStore_boxNode02_2:
Both files exist at the given location. I might reinstall WebSphere - backup security.xml and add the signer cert again and see what happens...
Thanks for your help.
Barry.
f malin
Greenhorn
Joined: Jan 07, 2009
Posts: 19
Barry,
I figured that the data would line up because of the way in which you created it.
Is there more information about the failure, such as a call stack that you can post? There may be an FFDC file which contains information about the failure which would be indicated in the SystemOut.log by a statement similar to this:
[3/4/09 22:43:41:906 CST] 00000014 FfdcProvider I com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on C:\WAS70.1\profiles\AppSrv01\logs\ffdc\server1_30293029_09.03.04_22.43.41.875956615743042354157.txt
near the error which you had previously posted:
Frank
barryman bevel
Greenhorn
Joined: Feb 24, 2009
Posts: 9
Thanks Frank
I reinstalled WebSphere and tried again - exactly the same error.
Here are all the lines containing FFDC since I reinstalled:
I "think" this appeared when I added the cert:
The last line looks like what you're talking about, I think.
barryman bevel
Greenhorn
Joined: Feb 24, 2009
Posts: 9
Contents of /home/me/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_6dbc6dbc_09.03.05_14.47.19.62113562.txt
[05/03/09 14:48:14:031 GMT] FFDC Exception:com.ibm.wsspi.genericbnf.exception.MalformedMessageException SourceId:HttpInboundLink.handleNewInformation ProbeId:2 Reporter:com.ibm.ws.http.channel.inbound.impl.HttpInboundLink@5ed05ed
com.ibm.wsspi.genericbnf.exception.MalformedMessageException: Invalid LF found in token
at com.ibm.ws.genericbnf.impl.BNFHeadersImpl.findTokenLength(BNFHeadersImpl.java:4534)
at com.ibm.ws.genericbnf.impl.BNFHeadersImpl.parseTokenExtract(BNFHeadersImpl.java:4959)
at com.ibm.ws.genericbnf.impl.GenericMessageImpl.parseLine(GenericMessageImpl.java:212)
at com.ibm.ws.genericbnf.impl.GenericMessageImpl.parseMessage(GenericMessageImpl.java:348)
at com.ibm.ws.http.channel.impl.HttpBaseMessageImpl.parseMessage(HttpBaseMessageImpl.java:2535)
at com.ibm.ws.http.channel.impl.HttpServiceContextImpl.parseMessage(HttpServiceContextImpl.java:2569)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:328)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:272)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:202)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:766)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:896)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1527)
==> Performing default dump from com.ibm.ws.http.channel.impl.HTTPChannelDM :Thu Mar 05 14:48:14 GMT 2009
+Data for directive [defaulthttpchannel] obtained.:
==> Dump complete for com.ibm.ws.http.channel.impl.HTTPChannelDM :Thu Mar 05 14:48:14 GMT 2009
f malin
Greenhorn
Joined: Jan 07, 2009
Posts: 19
Barry,
If you can send me your log files, I can see what I can find ... Look for a private message with my gmail account.
I will post any findings back to the board.
Frank
Medha Kulkarni
Greenhorn
Joined: Oct 21, 2009
Posts: 1
Hi there,
Is your problem solved? If yes, can you please tell me the solution? I am facing a similar problem.
Thanks and Regards,
Medha