Fixes are available
APAR status
Closed as program error.
Error description
Certificate chaining errors occur in BPM because the runtime switches to the IBM JRE cacerts truststore when the NetUtils class is loaded in a runtime server. Once that has happened, all SSL communication from the affected server fails until the server is restarted. The NetUtils class is not always used; it is involved mainly with Blueworks Live connections and some of the BPM Standard web services functions.

Cause - When a specific class (NetUtils) is loaded, its static initializer causes the IBM JRE default truststore to be used rather than the web container's (i.e. WebSphere Application Server's) truststore.

Symptom - The SSL errors are intermittent, because they begin only when NetUtils happens to be loaded, and a server restart resolves them. Once the issue is triggered, all communications requiring SSL fail until the server is restarted. The root cause of the connection failures should be traceable to this SSL error:

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=***, OU=***, O=**, C=** is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:

CN=***, OU=***, O=**, C=** will have different values for the asterisks in the logged error messages; it is the distinguished name of the internal certificate authority that issued the server certificate.

The SSL errors are not always shown to the user unless SSL=all tracing is enabled. You may instead see communication errors similar to the following, or other communication failures:

1. This shows a failure connecting with the deployment manager:

Caused by: java.lang.RuntimeException: Failed to initialize ConfigService and Admin Client at com.ibm.bpm.fds.core.deploy.CmdExecutor.init (CmdExecutor.java:100) ... Caused by: com.ibm.websphere.management.exception.ConnectorNotAvailableException at com.ibm.ws.management.discovery.ServerInfo.getAdminClient (ServerInfo.java:221)

2. This is a failure using Process Inspector:

BPMInspectorR E Error communicating with server com.ibm.processinspector.rest.ProcessAdminRestException: Error communicating with server

These more generic errors can also be caused by other issues, such as a down server or network problems, so you need to confirm that the SSL error is also occurring.
Local fix
The user must add their internal certificate (the issuing CA) to the IBM JRE default cacerts truststore, in addition to the same certificate being added to the Default Trust Store in WAS. Adding it to the WAS truststore alone is not enough, because once NetUtils has been loaded the server validates peer certificates against cacerts rather than the WAS store. Note that cacerts belongs to the JRE, so a JRE or SDK update can replace the file; re-check the entry after applying fix packs.
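A worked check for this local fix, added here as an example and not part of the APAR or of BPM's own code: the program validates a server's PEM certificate chain against a given truststore using the same PKIX path validation the JSSE trust manager performs, so you can confirm that the internal CA is missing from the IBM JRE cacerts (producing the chaining error above) while present in the WAS truststore, and then import it with --import. Assumptions: the cacerts location WAS_HOME/java/jre/lib/security/cacerts in the usage comment is the usual place for the WAS-bundled JRE, the cacerts password is the well-known default changeit, and the PEM file lists the server certificate first and the issuing CA last.

```java
import java.io.*;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

/**
 * Validates a server certificate chain (PEM) against a truststore the way the JSSE trust
 * manager does (PKIX path validation) and, on request, imports the chain's issuing CA.
 * Typical target: the IBM JRE cacerts the server switches to when NetUtils is loaded,
 * assumed to live at WAS_HOME/java/jre/lib/security/cacerts.
 */
public final class CacertsChainCheck {

    static KeyStore load(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads every certificate in a PEM file: server cert first, intermediates next, issuing CA last. */
    static List<X509Certificate> readPemChain(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * PKIX validation against the store's trusted-certificate entries. Certificates at the
     * end of the chain that are already trust anchors are trimmed first (the JSSE validator
     * does the same before building the path). Returns "OK" or the validator's failure,
     * which for a missing internal CA is the "chaining error" quoted in the APAR.
     */
    static String validate(List<X509Certificate> chain, KeyStore trust) throws Exception {
        List<X509Certificate> path = new ArrayList<>(chain);
        while (!path.isEmpty() && trust.getCertificateAlias(path.get(path.size() - 1)) != null) {
            path.remove(path.size() - 1);
        }
        if (path.isEmpty()) {
            return "OK (every certificate in the chain is already a trust anchor)";
        }
        try {
            PKIXParameters params = new PKIXParameters(trust);
            params.setRevocationEnabled(false); // offline check; revocation is the runtime's job
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "OK";
        } catch (GeneralSecurityException e) {
            return "FAIL: " + e;
        }
    }

    /** The APAR's local fix: add the issuing CA to the truststore, keeping a backup of the file. */
    static void importCa(Path store, char[] password, X509Certificate ca, String alias) throws Exception {
        Files.copy(store, store.resolveSibling(store.getFileName() + ".bak"), StandardCopyOption.REPLACE_EXISTING);
        KeyStore ks = load(store, password);
        ks.setCertificateEntry(alias, ca);
        try (OutputStream out = Files.newOutputStream(store)) {
            ks.store(out, password);
        }
    }

    // usage: java CacertsChainCheck chain.pem WAS_HOME/java/jre/lib/security/cacerts [password] [--import alias]
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: CacertsChainCheck chain.pem truststore [password] [--import alias]");
            return;
        }
        int imp = Arrays.asList(args).indexOf("--import");
        // cacerts ships with the default password "changeit"; pass the real password for a WAS store.
        char[] password = (args.length > 2 && !args[2].equals("--import") ? args[2] : "changeit").toCharArray();
        Path store = Paths.get(args[1]);
        List<X509Certificate> chain = readPemChain(Paths.get(args[0]));
        System.out.println("chain leaf: " + chain.get(0).getSubjectX500Principal());
        System.out.println(store + ": " + validate(chain, load(store, password)));
        if (imp > 0 && imp + 1 < args.length) {
            X509Certificate ca = chain.get(chain.size() - 1); // last PEM entry: the internal CA to be trusted
            importCa(store, password, ca, args[imp + 1]);
            System.out.println("imported " + ca.getSubjectX500Principal() + " as alias '" + args[imp + 1] + "'");
            System.out.println(store + " after import: " + validate(chain, load(store, password)));
        }
    }
}
```

Run it once against cacerts and once against the WAS truststore (the profile's trust.p12, default password WebAS): before the local fix the WAS store reports OK and cacerts reports FAIL with the chaining error, which is the signature of this APAR rather than of a network or server outage.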
Problem summary
****************************************************************
* USERS AFFECTED: Users of Web Inspector, outbound web         *
*                 services, or any feature where the WAS       *
*                 instance that BPM runs on needs to           *
*                 establish an outbound secure (SSL/TLS)       *
*                 connection.                                  *
****************************************************************
* PROBLEM DESCRIPTION: An intermittent problem occurs that     *
*                      causes all SSL handshakes to fail       *
*                      until the server is restarted.          *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When a specific class (NetUtils) is loaded, its static initializer causes the IBM JRE default truststore to be used rather than the web container's (i.e. WebSphere Application Server's). The underlying cause is a call to Security.setProperty that sets a global java.security property (changing the SSL socket factory provider). Because that property is JVM-wide, the change is not confined to the code that made it: every subsequent SSL connection in the server process picks up the replacement socket factory and, with it, the JRE truststore, which is why one class load disables all outbound SSL until a restart.
Problem conclusion
The code has been changed to avoid calling Security.setProperty, so that the default WAS truststore is used (instead of the IBM JRE truststore). The fix is delivered as the JR46822 iFix, which can be downloaded from Fix Central together with its installation instructions.
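The defective pattern next to the shape of the fix, added here as an illustration and not BPM's source code: BuggyNetUtils is a hypothetical reconstruction of a static initializer that calls Security.setProperty on ssl.SocketFactory.provider (the standard JSSE property that selects the default socket factory, and the property a WAS server uses to register its own factory, com.ibm.websphere.ssl.protocol.SSLSocketFactory); the class name it sets is a placeholder, since the APAR does not show the actual value. The two AFTER methods show the alternatives that leave global state alone: use the container's configured default, or build a private SSLContext and attach it to one connection. main() assumes the JRE's own cacerts with the default password changeit and only runs a network connection if a URL is passed.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;

/** Global JSSE state (the defect) next to a scoped SSLContext (the shape of the fix). */
public final class OutboundSslExample {

    /**
     * BEFORE: hypothetical reconstruction of the defective pattern; not BPM's source.
     * Security.setProperty edits the JVM-wide java.security property table, so the first
     * thread to load this class re-points SSLSocketFactory.getDefault() for every other
     * caller in the process. The value is a placeholder (the APAR does not show what BPM
     * set); main() deliberately never triggers this initializer.
     */
    static final class BuggyNetUtils {
        static {
            Security.setProperty("ssl.SocketFactory.provider", "example.StockSocketFactory");
        }
    }

    /**
     * AFTER, variant 1: keep whatever the container configured. On WAS the default factory
     * is the one wired to the cell/node SSL configuration, so the WAS truststore is used.
     */
    static SSLSocketFactory containerFactory() {
        return (SSLSocketFactory) SSLSocketFactory.getDefault();
    }

    /**
     * AFTER, variant 2: when a client genuinely needs its own trust roots, build a private
     * SSLContext and hand its factory to that one connection. Nothing global changes.
     */
    static SSLSocketFactory scopedFactory(Path trustStore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        String before = Security.getProperty("ssl.SocketFactory.provider");
        System.out.println("ssl.SocketFactory.provider before: " + before);
        // Inside WAS this prints the container's factory class; a stock JSSE class here means
        // the server is already on the JRE truststore, i.e. the APAR condition.
        System.out.println("container default factory: " + containerFactory().getClass().getName());

        // Offline demonstration: a scoped factory over the JRE's own cacerts (default password "changeit").
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        SSLSocketFactory scoped = scopedFactory(cacerts, "changeit".toCharArray());
        System.out.println("scoped factory over " + cacerts + ": " + scoped.getClass().getName());

        // Optional: use the scoped factory on this connection only (pass an https URL as the argument).
        if (args.length > 0) {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
            conn.setSSLSocketFactory(scoped);
            System.out.println(args[0] + " -> HTTP " + conn.getResponseCode());
        }

        // The invariant the fix restores: no client code touched the process-wide property.
        String after = Security.getProperty("ssl.SocketFactory.provider");
        if (before == null ? after != null : !before.equals(after)) {
            throw new IllegalStateException("global ssl.SocketFactory.provider was modified");
        }
        System.out.println("ssl.SocketFactory.provider after:  " + after + " (unchanged)");
    }
}
```

The design point is scope: trust material belongs to an SSLContext that the caller owns and passes explicitly, not to a java.security property that every thread in the JVM reads. Reviewing for any Security.setProperty or System.setProperty("javax.net.ssl.trustStore", ...) call in application code run inside a container is a quick way to catch the same defect elsewhere.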
Temporary fix
Comments
APAR Information
APAR number
JR46822
Reported component name
BPM STANDARD
Reported component ID
5725C9500
Reported release
751
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-06-03
Closed date
2013-07-16
Last modified date
2013-07-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
R750 PSY
UP
Business Unit: IBM Software w/o TPS (BU059); Product: IBM Business Process Manager Standard (SSFTDH); Platform: Platform Independent (PF025); Version: 7.5.1; Line of Business: Automation (LOB45)
Document Information
Modified date:
08 January 2022