10 replies Latest Post - ‏2011-05-20T15:44:23Z by BitBandit
SystemAdmin

With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

‏2004-04-19T13:46:12Z |
Hi :

I have IIS as a WebServer and WAS5.0.2.3 as an AppServer on Windows2000.
I turned on trace on IIS and ran my app with SSL, like

https://www.oft.state.ny.us/snoop/

The request does not get executed.

When I look at the IIS log it says GSK_ERROR_BAD_CERT rc=414. It
works fine on http://... I searched the IBM website and found the following
fix for WAS4.0, and I applied the fix (added path variable D:\Program
Files\ibm\gsk5\lib). Still the same problem. Any clue what the
problem can be? Below is the IIS log. Here is the site for GSK_ERROR_FIX.

http://www-1.ibm.com/support/docview.wss?rs=203&context=SW000&q1=GSK_ERROR_BAD_CERT%28gsk+rc+414%29&uid=swg21052188&loc=en_US&cs=utf-8&lang=en+en
Thanks in advance.

Shrihas.

Here is the IIS log:

lib_stream: openStream: Opening the stream
Mon Apr 19 09:19:33 2004 00001570 00001548 - TRACE: lib_stream: openStream: Stream is SSL
Mon Apr 19 09:19:33 2004 00001570 00001548 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)
Mon Apr 19 09:19:33 2004 00001570 00001548 - TRACE: lib_stream: destroyStream: Destroying the stream
  • SystemAdmin

    Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

    ‏2004-08-20T19:24:57Z  in response to SystemAdmin
    I've stumbled across the same error message today and after trying many things I've found a solution/workaround.
    My configuration is a WAS 5.0 install on Windows. Originally we were using the IBM HTTP Server, and this was working fine. Unfortunately we needed a module to authenticate SecurID users which is only available for IIS.
    After switching over to IIS, http was working fine, but https was not (r_gsk_secure_soc_init message in plugin.log). The solution we found was to delete the https port on the appserver we were using (port 9443 on server1).
    It looks to me like the IIS plugin wants to use SSL to forward requests to the appserver when the incoming connection is SSL. As we did not set up SSL between the plugin and the appserver, this failed (although with an unhelpful error message). The HTTP Server plugin seems to be more intelligent and to fall back to plain http when SSL is not configured.
    Markus
    • SystemAdmin

      Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

      ‏2004-10-31T13:14:41Z  in response to SystemAdmin
      I had the same problem and the solution is what the previous person posted. In our case we were running WebSphere Portal 5.0.2 on Solaris 9 using an external Sun Java Web Server 6.0 SP 5 (fka iPlanet). When we upgraded to Portal 5.0.2.2 we had this problem. We have two app svrs in a cluster.
      Sat Oct 30 14:13:24 2004 0000337a 00000038 - ERROR: ESI: getResponse: failed to get response: rc = 4
      Sat Oct 30 14:13:24 2004 0000337a 00000038 - ERROR: ws_common: websphereHandleRequest: Failed to handle request
      Sat Oct 30 14:13:25 2004 0000337a 00000038 - ERROR: ws_server_group: serverGroupNextRoundRobinServer: Failed to find a server; all could be down or have reached the maximimum connections limit
      Sat Oct 30 14:13:25 2004 0000337a 00000038 - ERROR: ws_common: websphereFindServer: Failed to find a server
      Sat Oct 30 14:13:25 2004 0000337a 00000038 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find a server

      The solution was to go to the depl. mgr, under Application Servers > WebSphere_Portal > Web Container > HTTP Transport:
      deleted port 9091 (ssl enabled = false), deleted 9444 (ssl enabled = true), deleted 9044 (ssl enabled = true), and only kept 9081 (ssl enabled = false).

      So I just kept http transport port 9081 (we don't use SSL between our web and app svrs).
      I did this, regenerated the plugin and it worked like a champ. For some reason having the extra http transport ports was not a problem prior to the Portal upgrade to 5.0.2.2. So prior we had WAS 5.0.2 and after the upgrade we had WAS 5.0.2.6, which is when we experienced this problem.

      I hope this helps, James Stroud
      • SystemAdmin

        Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

        ‏2005-02-03T23:03:37Z  in response to SystemAdmin
        I had the same problem as above, and the fix described in the preceding posts fixed the problem, except that I had to manually edit my plugin-cfg.xml file.
        I'm running WPS5.1 and IBM HTTP 2.0.47.1

        Excellent fix guys, thank you
        • SystemAdmin

          Re: Same problem with portal 6.0

          ‏2007-02-11T03:09:41Z  in response to SystemAdmin
          Hi all!
          Same problem here.
          I am using Websphere Portal 6.0, Websphere Application Server 6.0.2.15

          What I did though was I removed the "WCInboundDefaultSecure" chain under:
          Servers -> Application Servers -> <server name(Websphere Portal in my case)> -> Web container settings -> Web container Transport chains.
          I then regenerated the plugin under the servers -> webserver menu and everything worked like a charm!

          Difficult problem though because before you could see the fault, trace logging had to be enabled in the plugin.

          Peter Grape
          Strand Interconnect AB
          • SystemAdmin

            Re: Same problem with portal 6.0

            ‏2007-12-24T19:14:33Z  in response to SystemAdmin
            Thanks a lot Peter, it worked, we are on WAS 6.1.0.9

            Regards
            Meer Salimani
            FMR
      • BitBandit

        Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

        ‏2011-05-20T15:44:23Z  in response to SystemAdmin
        This solution worked awesome for me - I was having a lot of problems and disabling the SSL between the webserver and the application servers worked.

        Cheers!

        Paul
        SysGeeks.com: Remote System Administration and Monitoring
    • SystemAdmin

      Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

      ‏2008-02-21T10:07:56Z  in response to SystemAdmin
      Hi,
      but what to do if I want to have an SSL connection from client to IIS, and an SSL connection from IIS to the Application Server? I'm actually receiving GSK_ERROR_BAD_CERT.
      Thanks.
      • SystemAdmin

        Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

        ‏2009-06-29T10:33:31Z  in response to SystemAdmin
        Hi FED, that's what I am working on.
      • sunny.sunny

        Re: With SSL I get GSK_ERROR_BAD_CERT 414 Error with IIS WebServer- WAS5.0.2.3 AppServer.

        ‏2009-09-11T18:41:45Z  in response to SystemAdmin
        In WebSphere Application Server 6.1, each profile is created with its unique self signed certificates. All profiles have their own node level key and trust stores. For ND, there is also a cell level key store, CellDefaultKeyStore, and a cell level trust store, CellDefaultTrustStore, which are pointed out by all nodes in default cell settings. To establish a proper SSL configuration in which all nodes (including the dmgr node) can communicate with each other, their default certificates are added to the cell level trust store as signer certificates.

        In addition, for SSL to be properly configured between a web server and WebSphere Application Server 6.1, its plugin-key.kdb must include all nodes' default certificates as signer certificates, and web server node's default certificate must exist in the CellDefaultTrustStore considering that a web server also works in a node.

        The above is an extract from
        Link: http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg21264477
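
Added example (not part of any post in this thread, and not IBM's code): a Python check that reads a plugin-cfg.xml and reports, per application server, whether the plug-in has an https transport to it and whether that transport names a keyring and stash file, which shows whether the web server to app server hop is SSL, broken SSL, or plaintext after the workaround above. The sample XML, cluster name, host names and paths are constructed; the check does not open the .kdb, so the signer certificates described in the last post still have to be verified with the key management tool.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the plugin-cfg.xml layout; hosts and paths are made up.
SAMPLE_PLUGIN_CFG = """<Config>
  <ServerCluster Name="portal_cluster">
    <Server Name="server1">
      <Transport Hostname="was1.example.test" Port="9080" Protocol="http"/>
      <Transport Hostname="was1.example.test" Port="9443" Protocol="https">
        <Property Name="keyring" Value="/opt/plugin/etc/plugin-key.kdb"/>
        <Property Name="stashfile" Value="/opt/plugin/etc/plugin-key.sth"/>
      </Transport>
    </Server>
    <Server Name="server2">
      <Transport Hostname="was2.example.test" Port="9080" Protocol="http"/>
      <Transport Hostname="was2.example.test" Port="9443" Protocol="https"/>
    </Server>
    <Server Name="server3">
      <Transport Hostname="was3.example.test" Port="9081" Protocol="http"/>
    </Server>
    <PrimaryServers><Server Name="server1"/></PrimaryServers>
  </ServerCluster>
</Config>"""


def audit_transports(xml_text):
    """Classify the plugin-to-appserver hop for every <Server> in each cluster."""
    findings = {}
    for cluster in ET.fromstring(xml_text).iter("ServerCluster"):
        # Direct children only: <PrimaryServers> holds name-only <Server> references.
        for server in cluster.findall("Server"):
            status, missing = "plaintext-only", []
            for t in server.findall("Transport"):
                if t.get("Protocol", "").lower() != "https":
                    continue
                props = {p.get("Name"): p.get("Value") for p in t.findall("Property")}
                gaps = [k for k in ("keyring", "stashfile") if not props.get(k)]
                missing.extend(gaps)
                status = "https-without-keystore" if missing else "https-configured"
            findings[server.get("Name")] = (status, missing)
    return findings


if __name__ == "__main__":
    for name, (status, missing) in audit_transports(SAMPLE_PLUGIN_CFG).items():
        print(f"{name}: {status} {missing}")
```

A server reported as `plaintext-only` is one where requests that arrived over https at the web server travel unencrypted to the application server.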