IBM Support

ITM6: problem with LDAP certificates

Technical Blog Post


Abstract

ITM6: problem with LDAP certificates

Body

It may happen that the LDAP server's certificates are changed and, after the new certificates are activated, an error message similar to the following appears in the TEPS log file:

SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: The revocation status of the certificate with subject (CN=xxxx, O=yyyyy, L=zzzzz, ST=wwwwwww, C=AA) could not be determined.]' naming exception occurred during processing.
[8/3/17 14:10:51:568 CEST] 0000002b exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E  The 'javax.naming.CommunicationException: simple bind failed: a.b.c.d:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j:PKIX path validation failed: java.security.cert.CertPathValidatorException: The revocation status of the certificate with subject (CN=xxxx, O=yyyyy, L=zzzzz, ST=wwwwwww, C=AA) could not be determined.]' naming exception occurred during processing.
                                                    com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E  The 'javax.naming.CommunicationException: simple bind failed: a.b.c.d:636 [Root exception is javax.net.ssl.

In this case, check the certificate revocation setting in eWAS (the embedded WebSphere Application Server that TEPS runs on). The error indicates that the JVM's trust manager could not determine the revocation status of the certificate chain presented by the LDAP server, so the TLS handshake for the LDAP bind fails. The com.ibm.jsse2.checkRevocation property configures revocation checking for the Java Virtual Machine (JVM).

Open <ITMHOME>/<arch>/iw/profiles/ITMProfile/config/cells/ITMCell/security.xml and check whether it contains:
name="com.ibm.jsse2.checkRevocation" value="false"
You can disable the check from the administrative console:
1. Open http://<hostname>:15205/ibm/console
2. Go to SSL certificate and key management > Trust managers > IbmPKIX > Custom properties
3. Click com.ibm.jsse2.checkRevocation and change the value to false
4. Click Apply, then OK
5. Click Save (at the top of the page)

Alternatively, edit <ITMHOME>/<arch>/iw/profiles/ITMProfile/config/cells/ITMCell/security.xml directly and change the line:
name="com.ibm.jsse2.checkRevocation" value="true"
to:
name="com.ibm.jsse2.checkRevocation" value="false"

In both cases TEPS (and with it the eWAS) must be restarted for the change to take effect.
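As an added example, not part of the original post and not an IBM tool, the following Python script reports the current value of com.ibm.jsse2.checkRevocation in security.xml and rewrites it while leaving every other byte of the XMI file untouched; the sample file's element names and xmi:id values are assumed for illustration.

```python
import re
import sys
from pathlib import Path

PROP = "com.ibm.jsse2.checkRevocation"
# Matches the name="..." value="..." pair on one element and captures the value.
_PATTERN = re.compile(r'(name="' + re.escape(PROP) + r'"\s+value=")(true|false)(")')

# Constructed sample in the shape of an eWAS security.xml; element names and
# xmi:id values are assumed, only the name/value attribute pair is from the post.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">
  <trustManagers xmi:id="TrustManager_1" name="IbmPKIX" algorithm="IbmPKIX">
    <additionalTrustManagerAttrs xmi:id="Attr_1" name="com.ibm.jsse2.checkRevocation" value="true"/>
  </trustManagers>
</security:Security>
"""


def check_revocation_setting(xml_text: str):
    """Return True/False for the property's current value, or None if it is absent."""
    m = _PATTERN.search(xml_text)
    return None if m is None else m.group(2) == "true"


def set_revocation_setting(xml_text: str, enabled: bool) -> str:
    """Return the file text with the property set; nothing else in the file is altered."""
    if _PATTERN.search(xml_text) is None:
        raise ValueError(f"{PROP} not present; add it via the console first")
    new_value = "true" if enabled else "false"
    return _PATTERN.sub(lambda m: m.group(1) + new_value + m.group(3), xml_text)


if __name__ == "__main__":
    # Usage: python check_revocation.py [path/to/security.xml] [--disable]
    path = Path(sys.argv[1]) if len(sys.argv) > 1 and not sys.argv[1].startswith("--") else None
    text = path.read_text(encoding="utf-8") if path else SAMPLE_SECURITY_XML
    current = check_revocation_setting(text)
    print(f"{PROP} = {current}")
    if "--disable" in sys.argv and path is not None and current is not False:
        backup = path.parent / (path.name + ".bak")  # keep the original for rollback
        backup.write_text(text, encoding="utf-8")
        path.write_text(set_revocation_setting(text, False), encoding="utf-8")
        print("updated; restart TEPS for the change to take effect")
```

Run without arguments to exercise the constructed sample; with a real path and --disable it writes a .bak copy before changing the file.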


UID

ibm11085307