Topic
1 reply Latest Post - ‏2013-04-24T19:04:32Z by Sunit
H2DQ_Julian_Grunnell
22 Posts
ACCEPTED ANSWER

Pinned topic GSK_KEYFILE_CERT_EXPIRED

‏2013-04-18T12:54:35Z |

Hi - wonder if someone can help with the above error. We run both Websphere App Server and IBM HTTP Server 7 fixpack 25 and notice that after a new install of IBM HTTP Server it errors with:

 

[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - ERROR: lib_security: logSSLError: str_security (gsk error 107):  GSK_KEYFILE_CERT_EXPIRED
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment. Secure transports are not possible.
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security. Secure transports are not possible.
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - ERROR: ws_server: serverAddTransport: Failed to initialize security. Secure transports are not possible.
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - ERROR: ws_server: serverAddTransport: HTTPS Transport is skipped. IMPORTANT: If a HTTP transport is defined, it will be used for communication to the application server.
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - PLUGIN: Plugins loaded.
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - PLUGIN: --------------------System Information-----------------------
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - PLUGIN: Bld version: 7.0.0.25
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - PLUGIN: Bld date: Apr 18 2013, 10:48:22
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - PLUGIN: Webserver: IBM_HTTP_Server
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - PLUGIN: OS : Sun Solaris Sparc
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - PLUGIN: Hostname = xxxxxxxxxxxxx
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - PLUGIN: NOFILES = hard: 65536, soft: 65536
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - PLUGIN: MAX COREFILE SZ = hard: INFINITE, soft: INFINITE
[Thu Apr 18 11:44:28 2013] 00004c3e 00000001 - PLUGIN: DATA = hard: INFINITE, soft: INFINITE
 

And it would appear that this is because the Plugin keystore has an expired cert in it (expired 26 April 2012) - a known issue and documented at http://www-01.ibm.com/support/docview.wss?uid=swg21577327

My question is why has this not been back fixed? I mean I just downloaded WAS to install IHS and then downloaded the relevant fixpacks for the Plugin and IHS. Surely this should be fixed and not rely on a manual fix after you've installed?

Thanks - Julian.

  • Sunit
    Sunit
    176 Posts
    ACCEPTED ANSWER

    Re: GSK_KEYFILE_CERT_EXPIRED

    ‏2013-04-24T19:04:32Z  in response to H2DQ_Julian_Grunnell

    If you were to generate a fresh plugin keystore you will not have any expired certs in it.

    plugin keystore is pushed by WAS (Deployment Manager) to HTTP Server if the HTTP server is federated. If not it has to be manually copied from WAS to IHS.

    Make sure that you have the correct keystore with unexpired certs with WAS.

     

    --Sunit