IBM Support

PI98604: CWPKI0666E: CERTIFICATE "CERTIFICATEALIAS " IS NOT A PERSONAL CERTIFICATE

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • CWPKI0666E: Certificate "certificatealias" is not a personal
    certificate Where certificate alias include white space at the
    end of alias name
    
    
    certificate alias include white space at the end example
    "certificatealias "
    
    Scenario :
    
    Ensure no whitespace gets in when creating Certificate and
    Certificate Request
    
    
    
    Unable to replace or Deleted the CA certificate.
    
    
    com.ibm.websphere.management.cmdframework.CommandValidationExcep
    tion: CWPKI0666E: Certificate "certificatealias" is not a
    personal certificate.
        at
    com.ibm.ws.ssl.commands.personalCertificates.ReplaceCertificate.
    personalCertificateReplace(ReplaceCertificate.java:293)
        at
    com.ibm.ws.ssl.commands.personalCertificates.ReplaceCertificate.
    afterStepsExecuted(ReplaceCertificate.java:178)
        at
    com.ibm.websphere.management.cmdframework.provider.AbstractTaskC
    ommand.executeReal(AbstractTaskCommand.java:855)
        at
    com.ibm.websphere.management.cmdframework.provider.AbstractTaskC
    ommand.execute(AbstractTaskCommand.java:807)
    

Local fix

  • Workaround:
    
    Rename the existing alias using keytool command example
    
    keytool -changealias -alias "certificatealias " -destalias
    "certificatealias1" -keypass WebAS -keystore key.p12
    -storepass WebAS -storetype PKCS12
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: After updating to Java8, certificate    *
    *                      operations on a certain certificate     *
    *                      alias fails.                            *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Starting from Java 8, certificate alias "abc" (without space)
    and "abc  " (with space) are treated differently.
    On earlier version of Java, they are treated the same. For
    example, even when certificate operation specifies alias "abc"
    where there was actually "abc  " in the keystore, the operation
    was performed successfully.  After the Java upgrade, the
    operation fails as Java cannot find "abc" because it thinks
    alias "abc  " is different from "abc".
    

Problem conclusion

  • It is not a good practice to use certificate alias with
    whitespace  This APAR will print following warning in
    SystemOut.log.
    
    CWPKI0053W: The WebSphere Application server detected
    certificate alias [mytest ] with whitespace
    
    with user action suggesting customer to use alias
    without whitespace.
    
    Due to performance reason, this alias check is only
    performed when SSL=all is enabled.
    
    WebSphere's certificate/certificate request creation code has
    been updated to ensure there is no extra space in the alias
    name.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 8.5.5.15 and 9.0.0.11.  Please refer to the
    Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

  • 1. Using WebSphere's function, create a certificate with alias
    that does not include whitespace and replace with it.
    
    2. Following Java keytool command may be worth a try.
    
    On both Java7 and Java8, we have seen this command found
    alias with whitespace, and converted it to alias without
    whitespace.
    
    keytool -changealias -alias "abc" -destalias "abc" -keypass
    WebAS -keystore newkey.p12 é á-storepass WebAS -storetype PKCS12
    

Comments

APAR Information

  • APAR number

    PI98604

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-05-31

  • Closed date

    2018-11-19

  • Last modified date

    2018-11-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R850 PSY

       UP

  • R900 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
18 October 2021