IBM Support

PM11111: CLEANUPNODE SCRIPT FAILS WITH ADMINISTRATIVE SECURITY ENABLED


APAR status

  • Closed as program error.

Error description

  • Client runs cleanupnode on 6.1.0.27 with Security enabled. The
    following errors are reported:
    [3/10/10 13:19:51:435 CET] 0000000a WSKeyStore    < openKeyStore Exit
    [3/10/10 13:19:51:485 CET] 0000000a WSKeyStore    3   Cannot open keystore URL: /opt/WebSphere61/AppServer/profiles/CCITstLK7DmgrProfile/config/cells/CCITstLK7Cell001/CCIWASLK7ClientTrustFile.jks
                                     java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
        at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:715)
        at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:689)
        at com.ibm.security.util.DerValue.<init>(DerValue.java:253)
        at com.ibm.security.util.DerInputStream.getDerValue(DerInputStream.java:490)
        at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:258)
        at com.ibm.security.pkcs12.PFX.<init>(PFX.java:134)
        at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
        at java.security.KeyStore.load(KeyStore.java:1173)
        at com.ibm.ws.ssl.config.WSKeyStore$1.run(WSKeyStore.java:488)
        at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
        at com.ibm.ws.ssl.config.WSKeyStore.getKeyStore(WSKeyStore.java:410)
    ...
    ...
    [3/10/10 13:19:51:544 CET] 0000000a WSKeyStore    E   CWPKI0033E: The keystore located at "/opt/WebSphere61/AppServer/profiles/CCITstLK7DmgrProfile/config/cells/CCITstLK7Cell001/CCIWASLK7ClientTrustFile.jks" failed to load due to the following error: DerInputStream.getLength(): lengthTag=127, too big..
    [3/10/10 13:19:51:545 CET] 0000000a AbstractJSSEP 3   Exception caught during init, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
    [3/10/10 13:19:51:553 CET] 0000000a JSSEHelper    <  The following exception occurred in getSSLSocketFactory(). Exit
                                     java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
        at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:715)
        at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:689)
        at com.ibm.security.util.DerValue.<init>(DerValue.java:253)
        at com.ibm.security.util.DerInputStream.getDerValue(DerInputStream.java:490
    

Local fix

  • Temporarily disable Administrative Security before running
    cleanupNode.sh
    * or *
    Modify the /AppServer/bin/cleanupNode.sh script and change these
    values
    D_ARGS=""$D_ARGS" $DELIM -Djavax.net.ssl.trustStore="$USER_INSTALL_ROOT"/etc/trust.p12"
    D_ARGS=""$D_ARGS" $DELIM -Djavax.net.ssl.keyStore="$USER_INSTALL_ROOT"/etc/key.p12"
    and
    Modify the setupCmdLine.sh file in the DMgr's profile and change
    STDINCLIENTSAS=-Dcom.ibm.CORBA.ConfigURL=file:"$USER_INSTALL_ROOT"/properties/sas.stdclient.props
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Network Deployment edition, V6.1     *
    ****************************************************************
    * PROBLEM DESCRIPTION: APAR PK56643 is ineffective and is      *
    *                      being removed.                          *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The original problem was that cleanupNode.sh would fail with
    security errors when security was enabled. APAR PK56643 was
    opened to make a change in cleanupNode.sh via a config action
    and resolve the problem. However, PK56643 was implemented
    incorrectly and as a result, the config action never runs.
    When a fixpack containing PK56643 is installed (fixpacks
    6.1.0.17 through 6.1.0.33), the config action is not found
    and a message like the following is displayed in the
    updateconfig.log, indicating that the install process cannot
    locate the specified .ant file:
    
    Removing absent action
    C:\was61\properties\version\nif\update\config\install\80updateCleanUpNode.ant
    from action list.
    
    The .ant script named above is installed, but under a slightly
    different subdirectory and is therefore not found by the
    install process. Furthermore, the .ant script is incorrect and
    will not produce the desired result.
    

Problem conclusion

  • The config action and .ant script introduced in APAR PK56643
    have been removed from the fixpack update process.
    
    If cleanupNode.sh is failing with security or permissions
    errors, the recommended solution is to do the following:
    
    Temporarily disable Administrative Security before running
    cleanupNode.sh
    
    OR
    
    Edit WAS_HOME/bin/cleanupNode.sh as follows:
    
    1. Change STDINCLIENTSAS to CLIENTSAS
    
    2. The following lines should be deleted from cleanupNode.sh,
    because the files DummyClientTrustFile.jks and
    DummyClientKeyFile.jks no longer exist in WebSphere Application
    Server V6.1. If not deleted, the values in these lines will
    override the values in the sas.client.props and
    ssl.client.props file:
    
    D_ARGS=""$D_ARGS" $DELIM -Djavax.net.ssl.trustStore="$WAS_HOME"/etc/DummyClientTrustFile.jks"
    D_ARGS=""$D_ARGS" $DELIM -Djavax.net.ssl.keyStore="$WAS_HOME"/etc/DummyClientKeyFile.jks"
    D_ARGS=""$D_ARGS" $DELIM -Djavax.net.ssl.trustStorePassword=WebAS"
    D_ARGS=""$D_ARGS" $DELIM -Djavax.net.ssl.keyStorePassword=WebAS"
    
    Alternatively, the values specified in these lines could be
    changed to contain valid values for your environment. However,
    the recommended approach is to delete these lines and then
    provide the correct key and trust store information for this
    script by updating the sas.client.props and ssl.client.props
    files.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 6.1.0.35.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
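
The cleanupNode.sh edit described above (rename STDINCLIENTSAS to CLIENTSAS and delete the four hard-coded javax.net.ssl lines), as an added example that is not IBM's code. The function names and the sample script fragment are constructed for illustration, and the edit is written to a copy so the original script is left in place.

```shell
#!/bin/sh
# Added example: applies the APAR's two edits to a COPY of cleanupNode.sh.

# D_ARGS lines that hard-code javax.net.ssl key/trust store paths or
# passwords; these are the lines the APAR says to delete.
SSL_ARG_RE='^[[:space:]]*D_ARGS=.*-Djavax\.net\.ssl\.(trustStore|keyStore)(Password)?='

# patch_cleanupnode SRC DST: write the edited script to DST; SRC is untouched.
patch_cleanupnode() {
    sed -E -e "/$SSL_ARG_RE/d" -e 's/STDINCLIENTSAS/CLIENTSAS/g' "$1" > "$2"
}

# count_leftovers FILE: lines that still need one of the two edits (0 = done).
count_leftovers() {
    grep -E -c -e "$SSL_ARG_RE" -e 'STDINCLIENTSAS' "$1" || true
}

# make_sample FILE: constructed stand-in for cleanupNode.sh. The four SSL
# lines are the ones quoted in the APAR; the other lines are placeholders.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed fragment for the example, not the shipped script
D_ARGS="-Dexample.placeholder=1"
D_ARGS=""$D_ARGS" $DELIM -Djavax.net.ssl.trustStore="$WAS_HOME"/etc/DummyClientTrustFile.jks"
D_ARGS=""$D_ARGS" $DELIM -Djavax.net.ssl.keyStore="$WAS_HOME"/etc/DummyClientKeyFile.jks"
D_ARGS=""$D_ARGS" $DELIM -Djavax.net.ssl.trustStorePassword=WebAS"
D_ARGS=""$D_ARGS" $DELIM -Djavax.net.ssl.keyStorePassword=WebAS"
"$JAVA_HOME"/bin/java $STDINCLIENTSAS $D_ARGS example.Placeholder "$@"
EOF
}

# Demo: patch the sample in a temp dir and show what changed.
demo() {
    work=$(mktemp -d) || return 1
    make_sample "$work/cleanupNode.sh"
    patch_cleanupnode "$work/cleanupNode.sh" "$work/cleanupNode.sh.new"
    echo "before: $(count_leftovers "$work/cleanupNode.sh") line(s) to edit"
    echo "after:  $(count_leftovers "$work/cleanupNode.sh.new") line(s) to edit"
    diff "$work/cleanupNode.sh" "$work/cleanupNode.sh.new" || true
    rm -rf "$work"
}
demo
```

Review the diff before putting the edited copy in place of WAS_HOME/bin/cleanupNode.sh, and keep the original as a backup.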
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM11111

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    61A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-03-29

  • Closed date

    2010-07-28

  • Last modified date

    2010-07-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R61A PSY

       UP

  • R61H PSY

       UP

  • R61I PSY

       UP

  • R61P PSY

       UP

  • R61S PSY

       UP

  • R61W PSY

       UP

  • R61Z PSY

       UP


Document Information

Modified date:
25 October 2021