APAR status
Closed as program error.
Error description
APAR PH10457 Where it is overwriting an existing certificate to deleting the certificate then setting a new one. In JDK 1.7, it seems a problem when the certificate monitor executes. We open that PKCS12 keystore file under workspace and delete the old certificate and replace the new certificate. During this process, we are getting the following error in FFDC logs and WAS is unable to renew the existing default certificate:

FFDC Exception:com.ibm.websphere.crypto.KeyException SourceId:com.ibm.ws.ssl.config.WSKeyStore.invokeKeyStoreCommand ProbeId:460 Reporter:com.ibm.ws.ssl.config.WSKeyStoreHelper@c2092466
com.ibm.websphere.crypto.KeyException: Error in storing the key store: No data to encode.
    at com.ibm.ws.ssl.config.WSKeyStore.invokeKeyStoreCommand(WSKeyStore.java:2298)
    at com.ibm.ws.ssl.config.WSKeyStoreRemotable.invokeKeyStoreCommand(WSKeyStoreRemotable.java:268)
Caused by: java.io.IOException: Error in storing the key store: No data to encode.
    at com.ibm.crypto.provider.PKCS12KeyStore.engineStore(Unknown Source)
    at java.security.KeyStore.store(KeyStore.java:1170)
    at com.ibm.ws.ssl.config.WSKeyStore.store(WSKeyStore.java:1031)
Local fix
Manually renew the certificate under each personal certificate.
Problem summary
****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server                                      *
****************************************************************
* PROBLEM DESCRIPTION: When the certificate monitor tried to   *
*                      replace a certificate the keystore file *
*                      would empty causing the next write to   *
*                      fail.                                   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
PKCS12 keystore files in Java 7 cannot be empty. The monitor was removing a certificate before adding the new one rather than overwriting the existing one.
Problem conclusion
Make the monitor overwrite certificates when replacing them rather than removing them first. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.20 and 9.0.5.8. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
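The difference between the two replacement strategies described above, shown with the standard java.security.KeyStore API. This is an added example, not IBM's code or the WebSphere fix; the class name, method names, file name and password are hypothetical, and it goes beyond the APAR by adding an empty-keystore guard and a temp-file write so the keystore on disk is never left empty or partial.

```java
import java.io.OutputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;

public class KeystoreRenewal {

    // Delete-then-add: if this alias was the only entry, the keystore is empty
    // after deleteEntry. A store at that point is the failure the APAR
    // describes ("Error in storing the key store: No data to encode").
    static void replaceByDeleteThenAdd(KeyStore ks, String alias, PrivateKey key,
                                       char[] pw, Certificate[] chain) throws Exception {
        ks.deleteEntry(alias);
        ks.setKeyEntry(alias, key, pw, chain);
    }

    // Overwrite in place: setKeyEntry overrides the entry held under an
    // existing alias, so the keystore never passes through an empty state.
    static void replaceByOverwrite(KeyStore ks, String alias, PrivateKey key,
                                   char[] pw, Certificate[] chain) throws Exception {
        ks.setKeyEntry(alias, key, pw, chain);
    }

    // Refuse to persist an empty keystore, and write through a temp file so a
    // failed store cannot damage the keystore that is currently on disk.
    static void storeSafely(KeyStore ks, Path target, char[] pw) throws Exception {
        if (ks.size() == 0) {
            throw new IllegalStateException("refusing to store an empty keystore");
        }
        Path dir = target.toAbsolutePath().getParent();
        Path tmp = Files.createTempFile(dir, "keystore", ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, pw);
        }
        Files.move(tmp, target, StandardCopyOption.REPLACE_EXISTING,
                   StandardCopyOption.ATOMIC_MOVE);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a new in-memory PKCS12 keystore with no entries,
        // the state left behind once the only certificate has been deleted.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        try {
            storeSafely(ks, Paths.get("sample-key.p12"), "changeit".toCharArray());
        } catch (IllegalStateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Callers pass the renewed private key and certificate chain to replaceByOverwrite and then call storeSafely.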
Temporary fix
Comments
APAR Information
APAR number
PH35227
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-03-10
Closed date
2021-04-15
Last modified date
2021-04-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R850 PSY
UP
R900 PSY
UP
Document Information
Modified date:
02 November 2021