IBM Support

PH35227: THE CERTIFICATE MONITOR DIDN'T RENEW THE DEFAULT CERTIFICATE ON WAS V8.5.5.17 USING JDK1.7

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • APAR PH10457 Where it is overwriting an existing certificate to
    deleting the certificate then setting a new one.
    In JDK 1.7,
    It seems a problem when the certificate monitor executes. We
    open that PKCS12 keystore file under workspace and delete the
    old certificate and replace the new certificate.
    During this
    process, we are getting the following error in ffdc logs and
    WAS unable to renew the existing default certificate
    
     FFDC
    Exception:com.ibm.websphere.crypto.KeyException
    SourceId:com.ibm.ws.ssl.config.WSKeyStore.invokeKeyStoreCommand
    ProbeId:460 Reporter:com.ibm.ws.ssl.config.WSKeyStoreHelper@c209
    2466
    com.ibm.websphere.crypto.KeyException: Error in storing
    the key store: No data to encode.
    	at com.ibm.ws.ssl.config.WSKe
    yStore.invokeKeyStoreCommand(WSKeyStore.java:2298)
    	at com.ibm.w
    s.ssl.config.WSKeyStoreRemotable.invokeKeyStoreCommand(WSKeyStor
    eRemotable.java:268)
    
    Caused by: java.io.IOException: Error in
    storing the key store: No data to encode.
    	at
    com.ibm.crypto.provider.PKCS12KeyStore.engineStore(Unknown
    Source)
    	at
    java.security.KeyStore.store(KeyStore.java:1170)
    	at
    com.ibm.ws.ssl.config.WSKeyStore.store(WSKeyStore.java:1031)
    

Local fix

  • Manually renew the certificate under each personal certificate.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: When the certificate monitor tried to   *
    *                      replace a certificate the keystore file *
    *                      would empty causing the next write to   *
    *                      fail.                                   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    PKCS12 keystore files in java 7 can not be empty.  The monitor
    was
    removing a cert before adding the new one rather then
    overwriting
    the new one.
    

Problem conclusion

  • Make the monitor overwrites certificates when replacing rather
    then removing them first.
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.20 and 9.0.5.8. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH35227

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-03-10

  • Closed date

    2021-04-15

  • Last modified date

    2021-04-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850"}]

Document Information

Modified date:
16 April 2021