IBM Support

PI50599: SSL CSR BEING SENT TO SSL CLIENTS AFTER RESTARTING WEBSPHERE APPLICATION SERVER INSTEAD OF EXPECTED CERTIFICATE

Fixes are available

8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
9.0.0.1: WebSphere Application Server traditional V9.0 Fix Pack 1
9.0.0.2: WebSphere Application Server traditional V9.0 Fix Pack 2
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
9.0.0.3: WebSphere Application Server traditional V9.0 Fix Pack 3
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
7.0.0.43: WebSphere Application Server V7.0 Fix Pack 43
9.0.0.4: WebSphere Application Server traditional V9.0 Fix Pack 4
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
9.0.0.5: WebSphere Application Server traditional V9.0 Fix Pack 5
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
9.0.0.6: WebSphere Application Server traditional V9.0 Fix Pack 6
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
7.0.0.45: WebSphere Application Server V7.0 Fix Pack 45
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
7.0.0.45: Java SDK 1.6 SR16 FP60 Cumulative Fix for WebSphere Application Server
7.0.0.43: Java SDK 1.6 SR16 FP41 Cumulative Fix for WebSphere Application Server
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
9.0.5.6: WebSphere Application Server traditional Version 9.0.5 Fix Pack 6

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When you use the WebSphere Application Server administrative
    console to create a certificate signing request (CSR)in
    your active keystore to send to your CA and then restart your
    Application Server incoming SSL clients could receive the
    "place holder" CSR certificate instead of the certificate that
    was in use before the CSR was created.
    

Local fix

  • Create a new keystore that will only be used to create the CSR
    from and then when you get the response from your CA you can do
    the receive from Certificate Authority there and not impact
    your system even if you do multiple restarts... then when you
    have a maintenance window you can import into your active
    keystore the certificate you received from your CA.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: If keystore has multiple keys the       *
    *                      JSSE could pick a key that is not       *
    *                      intended.                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    If keystore has multiple keys the JSSE could pick a key that
    is not intended.
    

Problem conclusion

  • Added a warning when multiple keys are in a keystore to let
    users know they should specify which key is to be used by the
    SSL configuration.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.43, 8.0.0.13, 8.5.5.10.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI50599

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-10-14

  • Closed date

    2016-06-07

  • Last modified date

    2016-06-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
17 October 2021