IBM Support

PI89257: Error opening new SSL keystores with IHS 7.0

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Stash files(*.sth) created by java tools like Ikeyman and
ikeycmd/gsk7cmd are not readable by IHS 7.0

Local fix

  • As a work-around run the following gsk7capicmd command. This
command convert the stashfile to v1 encryption version in which
the gskit 7 verison recognize.

<ihsinst>/bin/gsk7capicmd -keydb -stashpw -db <name> -pw
<passwd>
For example:

<ihsinst>/bin/gsk7capicmd -keydb -stashpw -db key.kdb -pw
mypassword

Problem summary

  • ****************************************************************
* USERS AFFECTED:  Users of IBM HTTP Server 7.0                *
****************************************************************
* PROBLEM DESCRIPTION: IHS startup reports "SSL0104E: GSK      *
*                      could not initialize, Invalid password  *
*                      for keyfile."                           *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Java 1.6 (SR16 FP 41) and later uses a new password stashing
algorithm that SSL runtime in IHS cannot decode.  This only
affects newly created keystores, or keystores whose passwords
have been changed after SR16 FP 41.

Problem conclusion

  • IBM HTTP Server will update the bundled security library
to pick up support for the new stash file encoding format.
The fix will be included in the IBM HTTP Server 7.0.0.45
fix pack via the newer update for PI93619.

Temporary fix

  • In the interim, the stash files can be converted to the
original format by re-stashing the password with either
$IHSROOT/bin/gsk7capicmd or $IHSROOT/bin/gsk7cmd using
the "-keydb -stashpw" or "-keydb -v1stash" sub-commands
respectively

Comments

  • 



APAR Information




    

  • APAR number
    PI89257
    • 

  • Reported component name
    WEBSPHERE APP S
    • 

  • Reported component ID
    5724J0800
    • 

  • Reported release
    700
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-10-23
    • 

  • Closed date
    2017-10-30
    • 

  • Last modified date
    2018-03-02
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    IBM HTTP SERVER
    • 

  • Fixed component ID
    5724J0801
    • 



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            07 September 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback