LO93042: JVM CACERTS - DUPLICATED AND MISSING ROOT CAS

APAR status

• Closed as fixed if next.

Error description

• After moving to a new root CA we encountered "javax.net.ssl.
  SSLHandshakeException: com.ibm.jsse2.util.h: No trusted
  certificate found" exceptions when using HttpUrlConnection to
  connect to the server with the new certificate.
  
  Cutomer resolved this for the xpage context by importing the
  new root cert to the NAB and cross-certifiing it. But this
  workaround does not fix the exceptions in the java agent
  context, so we decided to update cacerts as documented here:
  http://www-01.ibm.com/support/docview.wss?uid=swg21588966
  
  However, there is already an entry called
  "ttelesecglobalrootclass2ca"
  (which is the root cert we needed to import), but surprisingly
  it contains the same certificate data as
  "ttelesecglobalrootclass3ca"
  

Local fix

• esolved this for the xpage context by importing the
  new root cert to the NAB and cross-certifiing it. But this
  workaround does not fix the exceptions in the java agent
  context, so we decided to update cacerts as documented here:
  http://www-01.ibm.com/support/docview.wss?uid=swg21588966
  
  However, there is already an entry called
  "ttelesecglobalrootclass2ca"
  (which is the root cert we needed to import), but surprisingly
  it contains the same certificate data as
  "ttelesecglobalrootclass3ca"
  

Problem summary

• This APAR is closed as FIN. We have deferred the fix to a
   future release.
  

Problem conclusion

Temporary fix

Comments

• This APAR is associated with SPR# SHJRAR7ECQ.
  This APAR is closed as FIN. We have deferred the fix to a
   future release.
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels