IBM Support

PI89257: Error opening new SSL keystores with IHS 7.0


APAR status

  • Closed as program error.

Error description

  • Stash files (*.sth) created by Java tools such as iKeyman and
    ikeycmd/gsk7cmd are not readable by IHS 7.0.
    

Local fix

  • As a workaround, run the following gsk7capicmd command. This
    command converts the stash file to the v1 encryption version,
    which GSKit 7 recognizes.
    
    <ihsinst>/bin/gsk7capicmd -keydb -stashpw -db <name> -pw <passwd>
    
    For example:
    
    <ihsinst>/bin/gsk7capicmd -keydb -stashpw -db key.kdb -pw mypassword
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM HTTP Server 7.0                *
    ****************************************************************
    * PROBLEM DESCRIPTION: IHS startup reports "SSL0104E: GSK      *
    *                      could not initialize, Invalid password  *
    *                      for keyfile."                           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Java 1.6 (SR16 FP 41) and later use a new password stashing
    algorithm that the SSL runtime in IHS cannot decode.  This only
    affects newly created keystores, or keystores whose passwords
    have been changed after SR16 FP 41.
    

Problem conclusion

  • IBM HTTP Server will update the bundled security library
    to pick up support for the new stash file encoding format.
    The fix will be included in the IBM HTTP Server 7.0.0.45
    fix pack via the newer update for PI93619.
    

Temporary fix

  • In the interim, the stash files can be converted to the
    original format by re-stashing the password with either
    $IHSROOT/bin/gsk7capicmd or $IHSROOT/bin/gsk7cmd using
    the "-keydb -stashpw" or "-keydb -v1stash" sub-commands
    respectively.
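
An added triage example (not part of the IBM APAR text or IBM code): this script counts SSL0104E entries in an IHS error log and, for each KeyFile directive in httpd.conf, lists the stash file and prints the re-stash command from this page. The function names and the assumption that the stash file sits beside the key database with the same base name are this example's own; <ihsinst> and <passwd> remain placeholders.

```shell
#!/bin/sh
# Added example, not IBM code. Function names are hypothetical.

# Count SSL0104E "Invalid password for keyfile" entries in an IHS error log.
count_ssl0104e() {
    grep -c 'SSL0104E:.*Invalid password for keyfile' "$1" || true
}

# For every KeyFile directive in an httpd.conf, print "kdb sth status".
# Assumption: the stash file sits beside the key database with the same
# base name (key.kdb -> key.sth). Paths containing spaces are not handled.
list_stash_files() {
    # Lines starting with "#" never match; $NF takes the last field (the path).
    awk 'tolower($1) == "keyfile" { print $NF }' "$1" | tr -d '"' | sort -u |
    while read -r kdb; do
        sth="${kdb%.kdb}.sth"
        if [ -f "$sth" ]; then status=present; else status=missing; fi
        printf '%s %s %s\n' "$kdb" "$sth" "$status"
    done
}

# Emit the page's re-stash command for each key database that has a stash
# file. <ihsinst> and <passwd> are left as placeholders to fill in by hand.
restash_commands() {
    list_stash_files "$1" | while read -r kdb sth status; do
        [ "$status" = present ] || continue
        printf '<ihsinst>/bin/gsk7capicmd -keydb -stashpw -db %s -pw <passwd>\n' "$kdb"
    done
}

# Usage: sh triage.sh <httpd.conf> <error_log>
if [ "$#" -eq 2 ]; then
    echo "SSL0104E entries: $(count_ssl0104e "$2")"
    list_stash_files "$1"
    restash_commands "$1"
fi
```

The script only lists candidates: it does not inspect the stash file encoding, so a listed file still has to be matched against the SSL0104E entries for that key database.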
    

Comments

APAR Information

  • APAR number

    PI89257

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-10-23

  • Closed date

    2017-10-30

  • Last modified date

    2018-03-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM HTTP SERVER

  • Fixed component ID

    5724J0801

Applicable component levels


Document Information

Modified date:
07 September 2022