Topic
  • 10 replies
  • Latest Post - ‏2011-05-20T15:44:23Z by BitBandit
SystemAdmin
SystemAdmin
1215 Posts

Pinned topic With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

‏2004-04-19T13:46:12Z |
Hi :

I have IIS as a WebServer and WAS5.0.2.3 as an AppServer on Windows2000.
I turned on trace on IIS and run my app as with SSL

like

https://www.oft.state.ny.us/snoop/

the request does not get executed.

and when I look at the IIS log it says GSK_ERROR_BAD_CERT rc=414. It
works fine on http://.. . I searched on IBM Website and found following
fix for WAS4.0 and I applied the fix(Added path variable D:\Program
Files\ibm\gsk5\lib). Still same problem. Any clue what can be the
problem. Below is the IIS log. Here is the site for GSK_ERROR_FIX.

http://www-1.ibm.com/support/docview.wss?rs=203&context=SW000&q1=GSK_ERROR_BAD_CERT%28gsk+rc+414%29&uid=swg21052188&loc=en_US&cs=utf-8&lang=en+en
THanks in Advance.

Shrihas.

Here is the IIS log:

lib_stream: openStream: Opening the stream
Mon Apr 19 09:19:33 2004 00001570 00001548 - TRACE: lib_stream:
openStream: Stream is SSL
Mon Apr 19 09:19:33 2004 00001570 00001548 - ERROR: lib_stream:
openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc =
414)
Mon Apr 19 09:19:33 2004 00001570 00001548 - TRACE: lib_stream:
destroyStream: Destroying the stream
Updated on 2011-05-20T15:44:23Z at 2011-05-20T15:44:23Z by BitBandit
  • SystemAdmin
    SystemAdmin
    1215 Posts

    Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

    ‏2004-08-20T19:24:57Z  
    I've stumbled across the same error message today and after trying many things I'found a solution/workaround.
    My configuration is a WAS 5.0 install on Windows. Originally we were using the IBM http server, this was working fine. Unfortunately we needed a module to authenticate securid user which is only available for IIS.
    After switching over to IIS http was working fine, but https was not (r_gsk_secure_soc_init message in plugin.log). The solution we found was to delete the https port on the appserver we were using (port 9443 on server1).
    It look to me like the iis plugin wants to use ssl to forward requests to the appserver when the incoming connection is ssl. As we did not set up ssl between the plugin and the appserver this failed (although with a unhelpful error message). The http server plugin seems to be more intelligent and to fall back to plain http when ssl is not configured.
    Markus
  • SystemAdmin
    SystemAdmin
    1215 Posts

    Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

    ‏2004-10-31T13:14:41Z  
    I've stumbled across the same error message today and after trying many things I'found a solution/workaround.
    My configuration is a WAS 5.0 install on Windows. Originally we were using the IBM http server, this was working fine. Unfortunately we needed a module to authenticate securid user which is only available for IIS.
    After switching over to IIS http was working fine, but https was not (r_gsk_secure_soc_init message in plugin.log). The solution we found was to delete the https port on the appserver we were using (port 9443 on server1).
    It look to me like the iis plugin wants to use ssl to forward requests to the appserver when the incoming connection is ssl. As we did not set up ssl between the plugin and the appserver this failed (although with a unhelpful error message). The http server plugin seems to be more intelligent and to fall back to plain http when ssl is not configured.
    Markus
    I had the same problem and the solution is what the previous person posted. In our case we were running WebSphere Portal 5.0.2 on Solaris 9 using an external Sun Java Web Server 6.0 SP 5 (fka iPlanet). When we upgraded to Portal 5.0.2.2 we had this problem. We have two app svrs in a cluster.
    Sat Oct 30 14:13:24 2004 0000337a 00000038 - ERROR: ESI: getResponse: failed to get response: rc = 4
    Sat Oct 30 14:13:24 2004 0000337a 00000038 - ERROR: ws_common: websphereHandleRequest: Failed to handle request
    Sat Oct 30 14:13:25 2004 0000337a 00000038 - ERROR: ws_server_group: serverGroupNextRoundRobinServer: Failed to
    find a server; all could be down or have reached the maximimum connections limit
    Sat Oct 30 14:13:25 2004 0000337a 00000038 - ERROR: ws_common: websphereFindServer: Failed to find a server
    Sat Oct 30 14:13:25 2004 0000337a 00000038 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find
    a server

    The solution was to go to the depl. mgr Under Application Servers > WebSphere_Portal > Web Container >HTTP Transport
    deleted port 9091 ssl enabled = false, deleted 9444 ssl enabled = true, deleted 9044 ssl enabled = true (only kept 9081 ssl enabled = false)

    So I just kept http transport port 9081 (we don't use SSL between our web and app svrs).
    I did this, regenerated the plugin and if worked like a champ. For some reason having the extra http transport ports was not a problem prior to the Portal upgrade to 5.0.2.2. So Prior we had WAS 5.0.2 and after the upgrade we had WAS 5.0.2.6 which when we experienced this problem.

    I hope this help, James Stroud
  • SystemAdmin
    SystemAdmin
    1215 Posts

    Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

    ‏2005-02-03T23:03:37Z  
    I had the same problem and the solution is what the previous person posted. In our case we were running WebSphere Portal 5.0.2 on Solaris 9 using an external Sun Java Web Server 6.0 SP 5 (fka iPlanet). When we upgraded to Portal 5.0.2.2 we had this problem. We have two app svrs in a cluster.
    Sat Oct 30 14:13:24 2004 0000337a 00000038 - ERROR: ESI: getResponse: failed to get response: rc = 4
    Sat Oct 30 14:13:24 2004 0000337a 00000038 - ERROR: ws_common: websphereHandleRequest: Failed to handle request
    Sat Oct 30 14:13:25 2004 0000337a 00000038 - ERROR: ws_server_group: serverGroupNextRoundRobinServer: Failed to
    find a server; all could be down or have reached the maximimum connections limit
    Sat Oct 30 14:13:25 2004 0000337a 00000038 - ERROR: ws_common: websphereFindServer: Failed to find a server
    Sat Oct 30 14:13:25 2004 0000337a 00000038 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find
    a server

    The solution was to go to the depl. mgr Under Application Servers > WebSphere_Portal > Web Container >HTTP Transport
    deleted port 9091 ssl enabled = false, deleted 9444 ssl enabled = true, deleted 9044 ssl enabled = true (only kept 9081 ssl enabled = false)

    So I just kept http transport port 9081 (we don't use SSL between our web and app svrs).
    I did this, regenerated the plugin and if worked like a champ. For some reason having the extra http transport ports was not a problem prior to the Portal upgrade to 5.0.2.2. So Prior we had WAS 5.0.2 and after the upgrade we had WAS 5.0.2.6 which when we experienced this problem.

    I hope this help, James Stroud
    I had the same problem has above and the fix described in the proceding posts fixed the problem except that I had to manualy edit my plugin-cfg.xml file.
    I'm running WPS5.1 and IBM HTTP 2.0.47.1

    Excellent fix guys, thank you
  • SystemAdmin
    SystemAdmin
    1215 Posts

    Re: Same problem with portal 6.0

    ‏2007-02-11T03:09:41Z  
    I had the same problem has above and the fix described in the proceding posts fixed the problem except that I had to manualy edit my plugin-cfg.xml file.
    I'm running WPS5.1 and IBM HTTP 2.0.47.1

    Excellent fix guys, thank you
    Hi all!
    Same problem here.
    I am using Websphere Portal 6.0, Websphere Application Server 6.0.2.15

    What I did though was I removed the "WCInboundDefaultSecure" chain under:
    Servers -> Application Servers -> <server name(Websphere Portal in my case)> -> Web container settings -> Web container Transport chains.
    I then regenerated the plugin under the servers -> webserver menu and everything worked like a charm!

    Difficult problem though because before you could see the fault, trace logging had to be enabled in the plugin.

    Peter Grape
    Strand Interconnect AB
  • SystemAdmin
    SystemAdmin
    1215 Posts

    Re: Same problem with portal 6.0

    ‏2007-12-24T19:14:33Z  
    Hi all!
    Same problem here.
    I am using Websphere Portal 6.0, Websphere Application Server 6.0.2.15

    What I did though was I removed the "WCInboundDefaultSecure" chain under:
    Servers -> Application Servers -> <server name(Websphere Portal in my case)> -> Web container settings -> Web container Transport chains.
    I then regenerated the plugin under the servers -> webserver menu and everything worked like a charm!

    Difficult problem though because before you could see the fault, trace logging had to be enabled in the plugin.

    Peter Grape
    Strand Interconnect AB
    Thanks a lot Peter, it worked, we are on WAS 6.1.0.9

    Regards
    Meer Salimani
    FMR
  • SystemAdmin
    SystemAdmin
    1215 Posts

    Re: Same problem with portal 6.0

    ‏2008-02-19T06:23:20Z  
    Thanks a lot Peter, it worked, we are on WAS 6.1.0.9

    Regards
    Meer Salimani
    FMR
    Good Solution.
    WAS V 6.1.0.13 working
  • SystemAdmin
    SystemAdmin
    1215 Posts

    Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

    ‏2008-02-21T10:07:56Z  
    I've stumbled across the same error message today and after trying many things I'found a solution/workaround.
    My configuration is a WAS 5.0 install on Windows. Originally we were using the IBM http server, this was working fine. Unfortunately we needed a module to authenticate securid user which is only available for IIS.
    After switching over to IIS http was working fine, but https was not (r_gsk_secure_soc_init message in plugin.log). The solution we found was to delete the https port on the appserver we were using (port 9443 on server1).
    It look to me like the iis plugin wants to use ssl to forward requests to the appserver when the incoming connection is ssl. As we did not set up ssl between the plugin and the appserver this failed (although with a unhelpful error message). The http server plugin seems to be more intelligent and to fall back to plain http when ssl is not configured.
    Markus
    Hi,
    but what to do if I want to have SSL connection from client to IIS , and SSL connection from IIS to Application Server? I 'm actually receiving GSL_ERROR_BAD_CERT ..
    Thanks.
  • SystemAdmin
    SystemAdmin
    1215 Posts

    Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

    ‏2009-06-29T10:33:31Z  
    Hi,
    but what to do if I want to have SSL connection from client to IIS , and SSL connection from IIS to Application Server? I 'm actually receiving GSL_ERROR_BAD_CERT ..
    Thanks.
    Hi FED , Thats what I am workin on ..
  • sunny.sunny
    sunny.sunny
    1 Post

    Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

    ‏2009-09-11T18:41:45Z  
    Hi,
    but what to do if I want to have SSL connection from client to IIS , and SSL connection from IIS to Application Server? I 'm actually receiving GSL_ERROR_BAD_CERT ..
    Thanks.
    In WebSphere Application Server 6.1, each profile is created with its unique self signed certificates. All profiles have their own node level key and trust stores. For ND, there is also a cell level key store, CellDefaultKeyStore, and a cell level trust store, CellDefaultTrustStore, which are pointed out by all nodes in default cell settings. To establish a proper SSL configuration in which all nodes (including the dmgr node) can communicate with each other, their default certificates are added to the cell level trust store as signer certificates.

    In addition, for SSL to be properly configured between a web server and WebSphere Application Server 6.1, its plugin-key.kdb must include all nodes' default certificates as signer certificates, and web server node's default certificate must exist in the CellDefaultTrustStore considering that a web server also works in a node.

    The above is extract from
    Link: http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21264477
  • BitBandit
    BitBandit
    1 Post

    Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

    ‏2011-05-20T15:44:23Z  
    I had the same problem and the solution is what the previous person posted. In our case we were running WebSphere Portal 5.0.2 on Solaris 9 using an external Sun Java Web Server 6.0 SP 5 (fka iPlanet). When we upgraded to Portal 5.0.2.2 we had this problem. We have two app svrs in a cluster.
    Sat Oct 30 14:13:24 2004 0000337a 00000038 - ERROR: ESI: getResponse: failed to get response: rc = 4
    Sat Oct 30 14:13:24 2004 0000337a 00000038 - ERROR: ws_common: websphereHandleRequest: Failed to handle request
    Sat Oct 30 14:13:25 2004 0000337a 00000038 - ERROR: ws_server_group: serverGroupNextRoundRobinServer: Failed to
    find a server; all could be down or have reached the maximimum connections limit
    Sat Oct 30 14:13:25 2004 0000337a 00000038 - ERROR: ws_common: websphereFindServer: Failed to find a server
    Sat Oct 30 14:13:25 2004 0000337a 00000038 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find
    a server

    The solution was to go to the depl. mgr Under Application Servers > WebSphere_Portal > Web Container >HTTP Transport
    deleted port 9091 ssl enabled = false, deleted 9444 ssl enabled = true, deleted 9044 ssl enabled = true (only kept 9081 ssl enabled = false)

    So I just kept http transport port 9081 (we don't use SSL between our web and app svrs).
    I did this, regenerated the plugin and if worked like a champ. For some reason having the extra http transport ports was not a problem prior to the Portal upgrade to 5.0.2.2. So Prior we had WAS 5.0.2 and after the upgrade we had WAS 5.0.2.6 which when we experienced this problem.

    I hope this help, James Stroud
    This solution worked awesome for me - I was having a lot of problem and disabling the SSL between the webserver and the application servers worked.

    Cheers!

    Paul
    SysGeeks.com: Remote System Administration and Monitoring