IBM Support

PH57998: ERROR DETECTED WHILE OPENING THE CERTIFICATE DATABASE


APAR status

  • Closed as program error.

Error description

  • The HTTP plugin log file reports the following error when the
    plugin attempts to read the plugin-key.kdb generated from
    WebSphere at 8.5.5.24 on z/OS:
    
    ERROR: lib_security: logSSLError: str_security (gsk error 202):
    Error detected while opening the certificate database
    
    Attempting to open the plugin-key.kdb with gskkyman returns the
    following error:
    
    Unable to open plugin-key.kdb
    
    Status 0x0335300a - Database is not valid.
    

Local fix

  • Generate a new plugin-key.kdb using gskkyman and import the
    signer certificates from WebSphere.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  V8.5 and V9.0 webserver plugins.            *
    ****************************************************************
    * PROBLEM DESCRIPTION: WebServer Plugin fails to               *
    *                      open plugin-key.kdb created with Java   *
    *                      8 SR8 and later.                        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    After CMSProvider is updated to version 2.65 or above,
    gskkeyman.cmd is no longer able to open a plugin-key.kdb created
    by WebSphere.
    The issue is observed on the z/OS platform, on the IBM i platform,
    or when the WebSphere plugin has FIPS enabled.
    To check the CMS provider version, run the following command:
    > ikeycmd -DADD_CMS_SERVICE_PROVIDER_ENABLED=true -version
    

Problem conclusion

  • On the z/OS and IBM i platforms, the code has been updated to
    change the way plugin-key.kdb is created.
    
    On non-z/OS platforms, the following custom property should be
    set to false if FIPS is enabled on the WebSphere plugin.
    
    Custom property: com.ibm.websphere.security.cms.usepqc
    Default value: true
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.25 and 9.0.5.19. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH57998

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-11-03

  • Closed date

    2023-12-19

  • Last modified date

    2023-12-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels


Document Information

Modified date:
20 December 2023