APAR status
Closed as program error.
Error description
The HTTP plugin log file reports the following error when attempting to read the plugin-key.kdb generated from WebSphere at 8.5.5.24 on z/OS:

ERROR: lib_security: logSSLError: str_security (gsk error 202): Error detected while opening the certificate database

Attempting to open the plugin-key.kdb with gskkyman surfaces the error:

Unable to open plugin-key.kdb Status 0x0335300a - Database is not valid.
Local fix
Generate a new plugin-key.kdb using gskkyman and import the signer certificates from WebSphere.
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server V8.5 and V9.0 webserver plugins.
PROBLEM DESCRIPTION: WebServer Plugin fails to open plugin-key.kdb created with Java 8 SR8 and later.
RECOMMENDATION:

After CMSProvider is updated to version 2.65 or above, gskkeyman.cmd is no longer able to open a plugin-key.kdb created by WebSphere. The issue is observed on the z/OS platform, on the IBM i platform, or when the WebSphere plugin has FIPS enabled.

To check the CMS provider version, run the following command:

> ikeycmd -DADD_CMS_SERVICE_PROVIDER_ENABLED=true -version
Problem conclusion
On the z/OS and IBM i platforms, the code has been updated to change the way plugin-key.kdb is created. On non-z/OS platforms, the following custom property should be set to false if FIPS is enabled on the WebSphere plugin.

Custom property: com.ibm.websphere.security.cms.usepqc
Default value: true

The fix for this APAR is targeted for inclusion in fix pack 8.5.5.25 and 9.0.5.19. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH57998
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-11-03
Closed date
2023-12-19
Last modified date
2023-12-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500
Applicable component levels
Document Information
Modified date:
20 December 2023