JR46822: Certificate chaining errors occurring in BPM due to a runtime switch to the CACerts truststore when NetUtils is loaded

APAR status

  • Closed as program error.

Error description

  • Certificate chaining errors occur in BPM because of a runtime
    switch to the IBM JRE cacerts truststore when the NetUtils class
    is loaded in a runtime server. Once this happens, all SSL
    communication from the affected server fails until the server is
    restarted. The NetUtils class is not always used; it is involved
    mainly with Blueworks Live connections and some BPM Standard
    web services functions.
    
    Cause - When a specific class (NetUtils) is loaded, its static
    initializer causes the IBM JRE default truststore (cacerts) to be
    used, rather than the truststore of the web container (i.e.
    WebSphere Application Server).
    
    Symptom - The SSL errors appear intermittently, because they start
    only when the class happens to be loaded, and a server restart
    resolves them. Once the issue is triggered, all communications
    requiring SSL fail until the server is restarted.
    
    The root cause of the connection failures should be traceable to
    this SSL error:
    
    javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g:
    PKIX path building failed:
    java.security.cert.CertPathBuilderException:
    PKIXCertPathBuilderImpl could not build a valid CertPath.;
    internal cause is:
     java.security.cert.CertPathValidatorException:
    The certificate issued by CN=***, OU=***, O=**, C=**
    is not trusted; internal cause is:
     java.security.cert.CertPathValidatorException:
    Certificate chaining error;
    targetException=java.lang.IllegalArgumentException:
    Error opening socket: javax.net.ssl.SSLHandshakeException:
    com.ibm.jsse2.util.g: PKIX path building failed:
    java.security.cert.CertPathBuilderException:
    PKIXCertPathBuilderImpl could not build a valid CertPath.;
    internal cause is:
    
    CN=***, OU=***, O=**, C=** will have different values in place of
    the asterisks in the logged error messages.
    
    The SSL errors are not always shown to the user unless SSL=all
    tracing is enabled. You may instead see communication errors
    similar to these, among other communication failures:
    1. This shows a failure connecting with the deployment manager:
    Caused by: java.lang.RuntimeException: Failed to initialize ConfigService and Admin Client
            at com.ibm.bpm.fds.core.deploy.CmdExecutor.init(CmdExecutor.java:100)
    ...
    Caused by: com.ibm.websphere.management.exception.ConnectorNotAvailableException
            at com.ibm.ws.management.discovery.ServerInfo.getAdminClient(ServerInfo.java:221)
    
    2. This is a failure using Process Inspector:
    BPMInspectorR E   Error communicating with server
    com.ibm.processinspector.rest.ProcessAdminRestException:
    Error communicating with server
    
    These more generic errors can also be caused by other issues,
    such as a down server or network problems, so you need to confirm
    that the SSL error is also occurring.
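    To confirm that the SSL error, and not a down server or a network
    problem, is the real cause, the following diagnostic (added here;
    it is not IBM code and not part of this APAR) performs a TLS
    handshake to a host using only the truststore you name, without
    touching any global JSSE setting. Run it with the server's own IBM
    JRE twice: once against that JRE's cacerts (jre/lib/security/cacerts,
    type JKS, default password changeit) and once against the WAS trust
    store (trust.p12, type PKCS12, default password WebAS). A handshake
    that succeeds with the WAS store but fails against cacerts with
    "PKIX path building failed" matches this APAR. The class name, the
    host, the port and the store paths are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical diagnostic, not IBM code: performs a TLS handshake using ONLY
 * the named truststore, so the operator can see which store trusts the peer.
 * Written without Java 7 syntax so it runs on the Java 6 IBM JRE of the era.
 */
public final class TrustStoreHandshakeCheck {

    /** Build a socket factory from an explicit truststore; no global state is touched. */
    static SSLSocketFactory factoryFor(String path, String password, String type)
            throws Exception {
        KeyStore ts = KeyStore.getInstance(type);          // "JKS" for cacerts, "PKCS12" for trust.p12
        InputStream in = new FileInputStream(path);
        try {
            ts.load(in, password.toCharArray());
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);      // default key managers, default RNG
        return ctx.getSocketFactory();
    }

    /** Returns null when the handshake succeeds, otherwise the failure reason. */
    static String probe(SSLSocketFactory f, String host, int port) {
        SSLSocket s = null;
        try {
            s = (SSLSocket) f.createSocket(host, port);
            s.startHandshake();                             // forces full chain validation now
            return null;
        } catch (SSLHandshakeException e) {
            return "handshake failed: " + e.getMessage();  // "PKIX path building failed" lands here
        } catch (Exception e) {
            return "connection failed: " + e;              // down server, DNS, firewall: not this APAR
        } finally {
            if (s != null) {
                try { s.close(); } catch (Exception ignored) { }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: TrustStoreHandshakeCheck <host> <port> <truststore> <password> <JKS|PKCS12>");
            System.exit(2);
        }
        SSLSocketFactory f = factoryFor(args[2], args[3], args[4]);
        String result = probe(f, args[0], Integer.parseInt(args[1]));
        System.out.println(result == null ? "trusted by " + args[2] : result);
        System.exit(result == null ? 0 : 1);
    }
}
```

    Once the cacerts failure is confirmed, the Local fix described in
    this APAR amounts to importing the internal signer certificate into
    cacerts with keytool -importcert; after that the probe succeeds
    against both stores.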
    

Local fix

  • The user must add their internal signer certificate (the one
    reported as not trusted in the SSL error) to the IBM JRE default
    cacerts truststore, in addition to adding the same certificate to
    the default trust store in WAS.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of Web Inspector, outbound web        *
    *                  services, or any feature where the WAS      *
    *                  instance that BPM runs on needs to          *
    *                  establish an outbound secure (SSL/TLS)      *
    *                  connection.                                 *
    ****************************************************************
    * PROBLEM DESCRIPTION: An intermittent problem occurs that     *
    *                      causes all SSL handshakes to fail       *
    *                      until the server is restarted.          *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When a specific class (NetUtils) is loaded, the static
    initializer code causes the IBM JRE default trust
    store to be used, rather than the web container's (i.e.
    WebSphere Application Server). The underlying cause is the use
    of Security.setProperty to set a global property (changing the
    SSL socket factory provider).
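    The mechanism described above, as an added illustration in Java.
    This is not the BPM or NetUtils source: the nested class, the
    placeholder factory class name and the method names are
    assumptions. It contrasts a static initializer that rebinds the
    JVM-wide ssl.SocketFactory.provider security property (the
    pattern the APAR describes) with a fix that builds its own
    SSLSocketFactory from an explicitly supplied trust store and never
    touches global security properties.

```java
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Illustrative code, not the BPM/NetUtils source: the "before" pattern
 * mutates JVM-global security state from a static initializer; the "after"
 * pattern keeps the trust decision local to the caller.
 */
public final class SslProviderIsolation {

    // Standard JSSE security property. A value set here is JVM-global and
    // controls which class SSLSocketFactory.getDefault() hands out. Under
    // WAS the bundled JRE's java.security binds it to the WebSphere socket
    // factory, which consults the WAS trust store.
    static final String PROVIDER_PROP = "ssl.SocketFactory.provider";

    /**
     * BEFORE: a static initializer that rebinds the JVM-wide default socket
     * factory. Merely loading this class changes what every later caller of
     * SSLSocketFactory.getDefault() in the JVM receives; a plain JSSE factory
     * validates against the JRE cacerts, not the WAS trust store, and the
     * change persists until the server is restarted. The class name is a
     * placeholder (hypothetical), standing in for whatever factory was set.
     */
    static final class GlobalOverrideBefore {
        static {
            Security.setProperty(PROVIDER_PROP, "example.PlainJsseSocketFactoryImpl");
        }
    }

    /**
     * AFTER: no Security.setProperty. The trust store is handed in by the
     * caller (under WAS, the container's store) and the resulting factory is
     * used only by this code path; SSLSocketFactory.getDefault() is untouched
     * for everyone else in the JVM.
     */
    static SSLSocketFactory localFactory(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /**
     * Runtime check for a probe or health page: compare the live value with
     * the one your JRE's java.security file sets. A difference means some
     * code in the JVM has rebound the default factory, as in this APAR.
     */
    static String currentProvider() {
        return Security.getProperty(PROVIDER_PROP);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("provider before load: " + currentProvider());

        // Referencing the class triggers its static initializer, exactly as
        // loading NetUtils did in the affected server.
        new GlobalOverrideBefore();
        System.out.println("provider after load:  " + currentProvider());

        // The fixed path: a factory built from an explicit (here empty,
        // constructed in memory) store, without touching global state.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        SSLSocketFactory f = localFactory(empty);
        System.out.println("local factory class: " + f.getClass().getName());
    }
}
```

    Whether a later SSLSocketFactory.getDefault() call picks up a
    changed property immediately depends on the JSSE implementation;
    the APAR records that on the IBM JRE the switch took effect at
    runtime. The safe rule in container code is the "after" shape: obtain
    a factory from the container's SSL configuration or from a key store
    you loaded yourself, and never write to java.security.Security
    properties from library code.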
    

Problem conclusion

  • The code has been changed to avoid calling
    Security.setProperty, so that the default WAS trust store is
    used (instead of the IBM JRE trust store).
    
    Installation instructions are available in Fix Central and can
    be downloaded with the JR46822 iFix file.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR46822

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    751

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-06-03

  • Closed date

    2013-07-16

  • Last modified date

    2013-07-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R750 PSY

       UP

Document Information

Modified date:
16 July 2013