IBM Support

PH60850: WSADMIN ADMINTASK.CREATEKEYSTORE CAUSES NULLPOINTEREXCEPTION CREATING KDB KEYSTORE


APAR status

  • Closed as program error.

Error description

  • When running the wsadmin AdminTask.createKeyStore command to
    create a KDB keystore, it fails with the error:
    Exception loading the CMS keystore.
    java.lang.NullPointerException
    	at com.ibm.ws.ssl.config.CMSKeyStoreUtility.usePQCForCMSKeystore(CMSKeyStoreUtility.java:227)
    	at com.ibm.ws.ssl.config.CMSKeyStoreUtility.loadCMSKeyStore(CMSKeyStoreUtility.java:183)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    	at java.lang.reflect.Method.invoke(Method.java:508)
    	at com.ibm.ws.ssl.config.WSKeyStore.loadKeyStoreWithCMSKeyStoreUtility(WSKeyStore.java:981)
    

Local fix

  • Running the command in interactive mode will still work.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    *                  who create a CMS keystore using the wsadmin *
    *                  command                                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: wsadmin AdminTask.createKeyStore        *
    *                      command                                 *
    *                      to create a KDB keystore fails with     *
    *                      NullPointerException.                   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    This issue is a side effect of the changes implemented in
    PH57998,
    which introduced a n with the Java updates under specific
    conditions.
    A NullPointerException (NPE) was triggered when attempting to
    fetch the server configuration via wsadmin command.
    

Problem conclusion

  • After CMSProvider is updated to version 2.65 or above,
    gskkeyman.cmd is no longer able to open a plugin-key.kdb
    created by WebSphere.
    
    The issue is observed on the z/OS platform, on the IBM i
    platform, or when the WebSphere plugin has FIPS enabled.
    
    To check the CMS provider version, execute ikeyman.bat/sh
    -DADD_CMS_SERVICE_PROVIDER_ENABLED=true in the {profile_dir}/bin
    directory. Then, in ikeyman, select 'Help' > 'About ikeyman' to
    view the version.
    
    On the z/OS and IBM i platforms, the code has been updated to
    change the way plugin-key.kdb is created.
    On platforms other than z/OS and IBM i, the following custom
    property should be set to false if FIPS is enabled on the
    WebSphere plugin.
    
    From the administrative console, click Security > Global
    security > Custom properties. Then click New to add a new custom
    property and its associated value.
    Custom property: com.ibm.websphere.security.cms.usepqc
    Default value: true (false if FIPS is enabled on WebSphere
    plugin)
    
    To create a plugin-key.kdb from the wsadmin command line, pass
    the above custom property as a JVM property.
    For example,
    > wsadmin.bat -javaoption "-Dcom.ibm.websphere.security.cms.usepqc=false" -conntype NONE -lang jython -f testCMS.py
    
    -- Sample testCMS.py --
    # Create a CMS (KDB) keystore with a stash file; ***** stands for the keystore password.
    result=AdminTask.createKeyStore('[-keyStoreName myCMSKeyStoreTest -keyStoreType CMSKS -keyStoreLocation c:\\temp\\myCMSKeyStore.kdb -keyStorePassword ***** -keyStorePasswordVerify ***** -keyStoreStashFile true ]')
    print result
    # Persist the new keystore definition to the configuration.
    AdminConfig.save()
    -------------------
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.26 and 9.0.5.21. For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
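
Added example (not IBM code): a Python triage helper that recognizes the stack-trace signature from the error description, even when a log hard-wraps the frames, and compares an installed level with the fix packs named in this APAR. The function names, return labels and sample log text are constructed for illustration.

```python
import re

# Fix pack that carries the fix, per release stream (levels named in this APAR).
FIXED_IN = {(8, 5, 5): 26, (9, 0, 5): 21}
MESSAGE = "Exception loading the CMS keystore."
NPE = "java.lang.NullPointerException"
# Top frame of the trace in the error description.
TOP_FRAME = "at com.ibm.ws.ssl.config.CMSKeyStoreUtility.usePQCForCMSKeystore("

# Constructed sample: the APAR's trace, hard-wrapped in the middle of identifiers.
SAMPLE_WRAPPED = """Exception loading the CMS keystore.
                java.lang.NullPointerException
    at com.ibm.ws.ssl.config.CMSKeyStoreUtility.usePQCForCMSKeysto
re(CMSKeyStoreUtility.java:227)
    at com.ibm.ws.ssl.config.CMSKeyStoreUtility.loadCMSKeyStore(CM
SKeyStoreUtility.java:183)
"""


def _flat(text):
    # Dropping all whitespace rejoins identifiers split by line wrapping.
    return re.sub(r"\s+", "", text)


def matches_ph60850(log_text):
    """True if the message is followed by an NPE whose first frame is TOP_FRAME."""
    flat = _flat(log_text)
    start = flat.find(_flat(MESSAGE))
    npe = flat.find(NPE, start) if start >= 0 else -1
    return npe >= 0 and flat.startswith(_flat(TOP_FRAME), npe + len(NPE))


def has_fix(version):
    """True/False for the 8.5.5 and 9.0.5 streams, None for anything else."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return None
    if len(parts) != 4 or parts[:3] not in FIXED_IN:
        return None
    return parts[3] >= FIXED_IN[parts[:3]]


def triage(version, log_text):
    """Label a failed createKeyStore run (labels are this example's own)."""
    if not matches_ph60850(log_text):
        return "no-match"
    fixed = has_fix(version)
    if fixed is None:
        return "match-unknown-level"
    return "match-fix-installed" if fixed else "match-apply-fix-or-workaround"
```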
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH60850

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-04-11

  • Closed date

    2024-05-07

  • Last modified date

    2024-06-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800


Document Information

Modified date:
20 June 2024