Troubleshooting
Problem
HTTPS requests fail with an external symptom of HTTP 500 (Internal Server Error) status and http_plugin.log shows the following error:
gsk error 408 (GSK_ERROR_BAD_KEYFILE_PASSWORD)
Cause
This error occurs if the plugin-key.sth file for the HTTPS transport in the plugin-cfg.xml file does not exist, is corrupted, does not correspond with the existing plugin-key.kdb file. or is not readable by the user that starts the web server.
The path to plugin-key.sth is visible in plugin-cfg.xml, for example:
<Transport Hostname="backend.example.com" Port="9443" Protocol="https">
<Property name="keyring" value="/IBM/HTTPServer/Plugins/webserver1/plugin-key.kdb"/>
<Property name="stashfile" value="/IBM/HTTPServer/Plugins/webserver1/plugin-key.sth"/>
</Transport>
Resolving The Problem
To correct the problem, perform the following steps:
- Ensure the WebSphere WebServer Plugin is updated to at least 8.5.5.11 or 9.0.0.2. If IBM HTTP Server is the web server in use, make sure it is also updated to these maintenance levels.
- Confirm the path listed in plugin-cfg.xml for the plugin-key.sth exists
- Confirm every directory between "/" and "plugin-key.sth" is readable and executable by the user that starts the web server.
- Confirm plugin-key.sth itself is readable by the user that starts the web server
- Retest. If the symptom persists, continue with the following steps.
- Use either iKeyman (GUI) or "gsk8capicmd" to re-stash the keystore password
iKeyman:
Key Database file > stash password (the default password is WebAS)
gsk8capicmd:# Linux/AIX/Solaris cd /opt/IBM/WebSphere/Plugins if [ `uname -s` = "AIX" ]; then export LIBPATH=$PWD/gsk8/gsk8_64/lib64 else export LD_LIBRARY_PATH=$PWD/gsk8/gsk8_64/lib64 fi gsk8/gsk8_64/bin/gsk8capicmd_64 -keydb -stashpw -db config/webserver1/plugin-key.kdb -pw WebAS # Windows™: cd C:\Program Files (x86)\IBM\WebSphere\Plugins set PATH=%PATH%;gsk8\gsk8_32\lib; gsk8\gsk8_32\bin\gsk8capicmd -keydb -stashpw -db config\webserver1\plugin-key.kdb -pw WebAS
- If the symptom persists, and there is a plugin-key.rdb, temporarily move it out of the way and retest.
[{"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"SSL","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.0.0.1;8.5.5;8.5;8.0;7.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"Plug-in","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.0.0.1;8.5.5;8.5;8.0;7.0","Edition":"Base;Network deployment","Line of Business":{"code":"LOB45","label":"Automation"}}]
Was this topic helpful?
Document Information
Modified date:
02 July 2020
UID
swg21177702