IBM Support

IT32948: HTTP LISTENERS UNABLE TO USE KEYSTORE PASSWORD CREDENTIAL TO ACCESS KEYSTORE


APAR status

  • Closed as program error.

Error description

  • The keystore properties to be used by the embedded HTTP
    listener can be defined in the HTTPSConnector and JVM sections
    of the server.conf.yaml file, or at the node level in the
    BrokerRegistry section of the node.conf.yaml file. Rather than
    storing the keystore password in plain text in the
    configuration files, a password 'alias' or security identity
    can be defined using the mqsisetdbparms command or a credential
    can be defined using the mqsicredentials command. The
    integration server will look up this alias at runtime to
    retrieve the keystore password to use to open the keystore.
    
    If a keystore credential is used, as defined with the
    mqsicredentials command, the password lookup by the integration
    server fails and the following error is reported to the system
    log on startup:
    
    BIP9329E Message Flow ''myHTTPWebServiceFlow'',
    ''myHTTPWebServiceApplication'' encountered a failure and could
    not start.
    
    BIP3135E An exception occurred while starting the servlet engine
    connector. Exception text is 'Unable to load keystore
    "mykeystore.jks"'
    

Local fix

  • Define a security identity for the keystore password using the
    mqsisetdbparms command.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All users of IBM App Connect Enterprise v11 using a 'keystore'
    credential for the HTTP listener keystore password.
    
    
    Platforms affected:
    z/OS, MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When configuring the keystore properties to be used by either
    the Integration Node HTTP listener or the Integration Server
    embedded HTTP listener, rather than storing the keystore
    password in plain text in the configuration yaml files, a
    password 'alias' can be used. This 'alias' can be a security
    identity defined using the mqsisetdbparms command or a
    credential defined using the mqsicredentials command. The
    listener will look up this alias at runtime to retrieve the
    keystore password to use to open the keystore.
    
    If a 'keystore' credential is used, as defined with the
    mqsicredentials command, the password lookup by the listener
    fails. When using the integration server embedded HTTP listener,
    the following error is reported to the system log on startup:
    
    BIP9329E Message Flow ''myHTTPWebServiceFlow'',
    ''myHTTPWebServiceApplication'' encountered a failure and could
    not start.
    
    BIP3135E An exception occurred while starting the servlet engine
    connector. Exception text is 'Unable to load keystore
    "mykeystore.jks"'
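
An added triage example (not IBM code and not part of the APAR): it scans a system log for the BIP9329E / BIP3135E pair described above and reports which flow, application and keystore failed to load. The log line prefix, the sample lines and the function name are assumptions; only the two BIP message texts come from this APAR.

```python
import re

# Constructed sample log lines. The timestamp/host prefix is an assumed format;
# the BIP9329E and BIP3135E message texts are the ones quoted in the APAR.
SAMPLE_LOG = """\
May 21 10:02:11 host1 ACE[4242]: integration server starting (constructed line)
May 21 10:02:12 host1 ACE[4242]: BIP9329E: Message Flow ''myHTTPWebServiceFlow'', ''myHTTPWebServiceApplication'' encountered a failure and could not start.
May 21 10:02:12 host1 ACE[4242]: BIP3135E: An exception occurred while starting the servlet engine connector. Exception text is 'Unable to load keystore "mykeystore.jks"'
May 21 10:05:40 host1 ACE[4242]: BIP9329E: Message Flow ''otherFlow'', ''otherApp'' encountered a failure and could not start.
May 21 10:05:40 host1 ACE[4242]: unrelated failure cause (constructed line)
"""

# The message catalog doubles single quotes around inserts, so accept one or more.
FLOW_FAIL = re.compile(r"BIP9329E:?\s+Message Flow\s+'+([^']+)'+,\s*'+([^']+)'+")
KEYSTORE_FAIL = re.compile(r'BIP3135E:?.*Unable to load keystore\s+"([^"]+)"')


def find_keystore_load_failures(log_text):
    """Return one finding per BIP3135E keystore failure, paired with the
    BIP9329E flow failure on the immediately preceding line, if any."""
    findings = []
    pending = None  # (flow, application) from the previous line's BIP9329E
    for line in log_text.splitlines():
        m = FLOW_FAIL.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = KEYSTORE_FAIL.search(line)
        if m:
            flow, app = pending if pending else (None, None)
            findings.append(
                {"keystore": m.group(1), "flow": flow, "application": app}
            )
        # Any other line breaks the pairing: a flow can fail to start for
        # reasons unrelated to the keystore password lookup.
        pending = None
    return findings


if __name__ == "__main__":
    for f in find_keystore_load_failures(SAMPLE_LOG):
        print(f"{f['application']}/{f['flow']}: cannot load {f['keystore']}")
```

A hit on a v11 server below 11.0.0.9 whose listener keystore password is a 'keystore' credential matches this APAR; the same message for other reasons (wrong password, missing file) needs separate investigation.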
    

Problem conclusion

  • The HTTP listeners now correctly retrieve keystore passwords
    that have been defined as 'keystore' credentials and stored in a
    vault.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v11.0      11.0.0.9
    
    The latest available maintenance can be obtained from:
    http://www-01.ibm.com/support/docview.wss?rs=849&uid=swg27006041
    
    If the maintenance level is not yet available, information on
    its planned availability can be found on:
    http://www-1.ibm.com/support/docview.wss?rs=849&uid=swg27006308
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT32948

  • Reported component name

    APP CONNECT ENT

  • Reported component ID

    5724J0550

  • Reported release

    B00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-05-21

  • Closed date

    2020-05-29

  • Last modified date

    2020-05-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    APP CONNECT ENT

  • Fixed component ID

    5724J0550

Applicable component levels


Document Information

Modified date:
30 May 2020