IBM Support

JR48872: SSLEXCEPTION IN BPMCONFIG COMMAND - HOSTNAME IN CERTIFICATE DIDN'T MATCH


APAR status

  • Closed as program error.

Error description

  • When a user tries to access WAS directly (without a load
    balancer and IHS), the following exception is thrown:
    HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector
    executeWithRetry I/O exception (javax.net.ssl.SSLException)
    caught when processing request:
    hostname in certificate didn't match: <hostName1> != <localhost>
    The problem is caused by an issue in configNode, which is a tool
    of BPMConfig. The tool is hard-coded to set the personal
    certificate in NodeDefaultKeyStore to "cn=localhost"; it should
    be set to "cn=Nodehostname". BPM Pattern used this tool to
    configure the BPM environment in 8010, where it worked because
    no function touched this certificate. In 8011, BPM enabled
    host name verification, and the problem then occurred.
    

Local fix

Problem summary

  • USERS AFFECTED: IBM Business Process Manager V8.1.1.1
    Advanced, Standard, and Express

    PROBLEM DESCRIPTION: When you try to access the WebSphere
    Application Server web container directly without a load
    balancer or IHS, the following exception is thrown:

    [11/4/13 17:16:54:694 CET] 00000036 HttpMethodDir I org.apache.commons.httpclient.HttpMethodDirector executeWithRetry I/O exception (javax.net.ssl.SSLException) caught when processing request: hostname in certificate didn't match: <acme.com> != <localhost.localdomain>

    RECOMMENDATION:

    This problem is caused by configureNode, which sets a
    hard-coded personal certificate "cn=localhost.localdomain" in
    the NodeDefaultKeyStore. However, the certificate should be set
    to "cn=Nodehostname" to pass the host name verification that
    was added in IBM BPM V8.0.1 fix pack 1.
    IS A WORKAROUND AVAILABLE? (Y/N) IF Y: EXPLAIN IT.
    ==> Yes. In the log files, one of the certificates shows
    "localhost", but the incoming request applies to the full host
    name. The certificate might not have been set up properly. To
    work around this problem, in a node (not in a cell), create a
    new SSL certificate to replace the existing one in the node, and
    then restart the BPM application cluster.
    For more information, see "Creating a new SSL certificate to
    replace an existing one in a node" at
    http://pic.dhe.ibm.com/infocenter/wasinfo/v8r0/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/tsec_sslreplacenode.html.
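
The workaround starts from the log entry, so the following added example (not IBM code and not part of the original APAR) scans log lines for the mismatch message and flags the entries where every certificate name is one of the placeholder CNs this APAR describes. The function and constant names are hypothetical, the second and third sample lines are constructed, and the `OR`-separated form for certificates carrying several names is an assumption about how the HTTP client lists them.

```python
import re

# WebSphere log prefix, e.g. "[11/4/13 17:16:54:694 CET] 00000036"
STAMP = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+[0-9a-fA-F]{8}\b")
# Message form: "<requested host> != <cert name> [OR <cert name> ...]"
MISMATCH = re.compile(
    r"hostname in certificate didn't match:\s*<(?P<host>[^>]+)>\s*!=\s*"
    r"(?P<names><[^>]+>(?:\s+OR\s+<[^>]+>)*)"
)
# Certificate names the APAR attributes to the hard-coded node certificate.
PLACEHOLDER_CNS = {"localhost", "localhost.localdomain"}

# First line is the log entry from this page; the other two are constructed.
SAMPLE_LOG = [
    "[11/4/13 17:16:54:694 CET] 00000036 HttpMethodDir I "
    "org.apache.commons.httpclient.HttpMethodDirector executeWithRetry "
    "I/O exception (javax.net.ssl.SSLException) caught when processing "
    "request: hostname in certificate didn't match: "
    "<acme.com> != <localhost.localdomain>",
    "[11/4/13 17:16:54:701 CET] 00000036 HttpMethodDir I "
    "... executeWithRetry Retrying request",
    "[11/4/13 17:20:01:112 CET] 00000041 HttpMethodDir I ... hostname in "
    "certificate didn't match: <node1.example.com> != "
    "<node2.example.com> OR <node2>",
]


def scan(lines):
    """Return one finding per hostname-mismatch message in the log lines."""
    findings = []
    for line in lines:
        hit = MISMATCH.search(line)
        if not hit:
            continue
        stamp = STAMP.match(line)
        names = [n.lower() for n in re.findall(r"<([^>]+)>", hit.group("names"))]
        findings.append({
            "timestamp": stamp.group("ts") if stamp else None,
            "requested": hit.group("host"),
            "cert_names": names,
            # True only if every certificate name is a placeholder CN.
            "placeholder_cert": all(n in PLACEHOLDER_CNS for n in names),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `placeholder_cert` set to `False` is a hostname mismatch with some other cause, such as a certificate issued for a different node, and replacing the hard-coded certificate would not address it.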
    

Problem conclusion

  • A fix is available that fixes the hard-coded host name and
    domain name in the certificate so that it passes hostname
    validation.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR48872:
    
     1. Select the product group, product, installed version, and
    platform, and click Continue.
     2. Select APAR or SPR, enter JR48872, and click Continue.
    
    When downloading fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR48872

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    801

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-12-18

  • Closed date

    2014-02-25

  • Last modified date

    2014-11-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM ADVANCED

  • Fixed component ID

    5725C9400

Applicable component levels

  • R800 PSY

       UP


Document Information

Modified date:
20 November 2014