IBM Support

PK48659: CERTIFICATE MONITOR IS NOT PROPERLY REMOVING THE EXPIRED CERTIFICATE FROM THE KEYSTORE

APAR status

  • Closed as program error.

Error description

  • When WebSphere Application Server's Certificate Monitor function
    in v6.1 is active, the automatic replacement of expired
    certificates is not being handled properly. In particular, the
    function is not deleting the expired certificate from the
    keystore. This can cause problems with cell synchronization,
    among others, because the default SSL repertoires do not specify
    an alias. This forces the JSSE code to randomly choose a
    certificate - and in some cases it chooses the expired
    certificate.
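
A check for the condition described above, as an added example that is not IBM's code or part of the APAR: it lists every certificate in a keystore, flags expired ones, and warns when more than one key entry is present, which is the case where selection without an alias is ambiguous. The class name, the `KEYSTORE_PASSWORD` environment variable and the command-line arguments are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

// Added example, not IBM code. Usage (path and type are site-specific):
//   KEYSTORE_PASSWORD=... java KeystoreExpiryAudit <keystore-file> [PKCS12|JKS]
public class KeystoreExpiryAudit {
    public static void main(String[] args) throws Exception {
        String pw = System.getenv("KEYSTORE_PASSWORD"); // hypothetical variable name
        if (args.length < 1 || pw == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... KeystoreExpiryAudit <file> [type]");
            System.exit(2);
        }
        String type = args.length > 1 ? args[1] : KeyStore.getDefaultType();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw.toCharArray());
        }
        Date now = new Date();
        List<String> keyAliases = new ArrayList<>();
        List<String> expired = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x509 = (X509Certificate) cert;
            boolean isKey = ks.isKeyEntry(alias);      // personal certificate with private key
            boolean isExpired = x509.getNotAfter().before(now);
            if (isKey) keyAliases.add(alias);
            if (isExpired) expired.add(alias);
            System.out.printf("%-8s %-30s notAfter=%s %s%n", isKey ? "key" : "signer",
                    alias, x509.getNotAfter(), isExpired ? "EXPIRED" : "ok");
        }
        // With no alias configured, any of several key entries may be selected.
        if (keyAliases.size() > 1) {
            System.out.println("WARNING: multiple key entries, selection is ambiguous without an alias: " + keyAliases);
        }
        if (!expired.isEmpty()) {
            System.out.println("FAIL: expired certificates still in keystore: " + expired);
            System.exit(1);
        }
        System.out.println("OK: no expired certificates found");
    }
}
```

The non-zero exit status on an expired entry lets the check run from a scheduled job after each certificate replacement.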
    

Local fix

  • Disable WebSphere's automatic certificate renewal function.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of IBM WebSphere Application       *
    *                 Server version 6.1 automatic certificate     *
    *                 expiration monitor and replace functionality *
    ****************************************************************
    * PROBLEM DESCRIPTION: WebSphere Application Server was not    *
    *                      correctly removing the expired          *
    *                      certificates from the keystores.        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When automatic certificate expiration replacement has been
    enabled, expired certificates are not properly removed from
    the keystore. This can cause any number of problems including
    synchronization problems, SSL handshake errors, or a failure
    to initialize.
    

Problem conclusion

  • WebSphere Application Server has been modified to properly
    remove the expired certificates from the keystore.
    
    The fix for this APAR is currently targeted for inclusion
    in fix pack 6.1.0.15.
    Please refer to the recommended updates page for delivery
    information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK48659

  • Reported component name

    WEBSPH APP SERV

  • Reported component ID

    5724J0800

  • Reported release

    61W

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-07-10

  • Closed date

    2007-11-09

  • Last modified date

    2007-11-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • SECURITY
    

Fix information

  • Fixed component name

    WEBSPH APP SERV

  • Fixed component ID

    5724J0800

Applicable component levels

  • R61A PSY

       UP

  • R61H PSY

       UP

  • R61S PSY

       UP

  • R61W PSY

       UP

  • R61Z PSY

       UP

Document Information

Modified date:
29 December 2021