IBM Support

A "CWPKI0428I: The signer might need to be added to the local trust store" error causes a server communication failure for WebSphere Lombardi Edition

Troubleshooting

Problem

Communication between the Process Center and a process server breaks due to a missing or incorrect certificate.

Symptom

In the log files, you see the following connection message:
com.lombardisoftware.core.TeamWorksException: Connection refused

These messages match up with the following messages that you see in the SystemOut.log file:
CWPKI0022E: SSL HANDSHAKE FAILURE:
CWPKI0428I: The signer might need to be added to the local trust store

Cause

These errors occur because the certificates are not present in the cacerts file. Some Java development kit (JDK) updates overwrite the cacerts file.

Resolving The Problem

To resolve the problem, use the Retrieve from port option in the WebSphere Application Server Administrative Console to retrieve the certificate from the remote server. If you determine that the certificate is trusted, complete the following steps:

  1. Log into the WebSphere Application Server Administrative Console.

  2. Expand Security and click SSL certificate and key management.

  3. Under Configuration settings, click Manage endpoint security configurations.

  4. Select the appropriate outbound configuration to get to the (cell):LombardiCell01 management scope.

  5. Under Related Items, click Key stores and certificates.

  6. Click the DefaultSystemProperties_trust key store.

  7. Under Additional Properties, click Signer certificates > Retrieve From Port.

  8. Enter the IP_address value in the Host field, the port_number value in the Port field, and the IP_address value in the Alias field.

  9. Click Retrieve Signer Information.

  10. Verify that the certificate information is for a certificate that you can trust.

  11. Click Apply and Save.


These steps do not entirely resolve the issue. You need to look at the associated CWPKI0022E error as shown in the following text:

CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN <server_information> was sent from target host:port "<IP_address>:<Port>".  The signer may need to be added to local trust store "<install_dir>/Lombardi7/AppServer/java/jre/lib/security/cacerts" located in SSL configuration alias "DefaultSystemProperties" loaded from SSL configuration file "System Properties".  The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by <server information> is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error".
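The CWPKI0022E message already names everything you need to act on: the remote host and port, the truststore file that was consulted, the SSL configuration alias, and the issuer that was not trusted. The following triage helper, added here as an example and not part of the IBM technote, pulls those fields out of a SystemOut.log excerpt so that an administrator can see which cacerts file to fix before touching anything. The log sample is constructed to match the message format quoted above; the DN, address, port and path in it are placeholders.

```python
"""Extract actionable fields from CWPKI0022E handshake failures in SystemOut.log."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the CWPKI0022E / CWPKI0428I text quoted in the
# technote. Hostnames, DNs, the address and the path are placeholders.
SAMPLE_LOG = """\
[6/15/18 10:01:22:123 EDT] 0000001f SSLHandshakeE E   CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN "CN=processserver.example.test, O=Example" was sent from target host:port "192.0.2.10:9443".  The signer may need to be added to local trust store "/opt/IBM/Lombardi7/AppServer/java/jre/lib/security/cacerts" located in SSL configuration alias "DefaultSystemProperties" loaded from SSL configuration file "System Properties".  The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Example Issuing CA, O=Example is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error".
[6/15/18 10:01:22:130 EDT] 0000001f SSLHandshakeE I   CWPKI0428I: The signer might need to be added to the local trust store
[6/15/18 10:01:25:004 EDT] 00000020 TeamWorksExce E   com.lombardisoftware.core.TeamWorksException: Connection refused
"""

# Head of the CWPKI0022E message. The SubjectDN may or may not be quoted, so the
# quotes are optional; DOTALL lets the match run across the wrapped message.
FAILURE_RE = re.compile(
    r'CWPKI0022E: SSL HANDSHAKE FAILURE:\s+A signer with SubjectDN "?(?P<dn>.+?)"? was sent '
    r'from target host:port "(?P<host>[^":]+):(?P<port>\d+)"\.\s+'
    r'The signer may need to be added to local trust store "(?P<store>[^"]+)" '
    r'located in SSL configuration alias "(?P<alias>[^"]+)"',
    re.DOTALL,
)
# Issuer named in the nested CertPathValidatorException.
ISSUER_RE = re.compile(r"The certificate issued by (?P<issuer>.+?) is not trusted")


@dataclass
class HandshakeFailure:
    host: str
    port: int
    subject_dn: str
    truststore: str          # the cacerts file that lacks the signer
    ssl_alias: str           # WebSphere SSL configuration alias
    issuer: Optional[str]    # issuer that PKIX could not chain to, if reported
    chaining_error: bool     # True when the nested cause is "Certificate chaining error"


def parse_handshake_failures(log_text: str) -> list[HandshakeFailure]:
    """Return one record per CWPKI0022E message found in log_text."""
    matches = list(FAILURE_RE.finditer(log_text))
    failures = []
    for i, m in enumerate(matches):
        # Nested causes follow the head of the message, up to the next failure.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(log_text)
        detail = log_text[m.end():end]
        issuer_m = ISSUER_RE.search(detail)
        failures.append(HandshakeFailure(
            host=m["host"],
            port=int(m["port"]),
            subject_dn=m["dn"],
            truststore=m["store"],
            ssl_alias=m["alias"],
            issuer=issuer_m["issuer"] if issuer_m else None,
            chaining_error="Certificate chaining error" in detail,
        ))
    return failures


def affected_truststores(failures: list[HandshakeFailure]) -> set[str]:
    """Distinct cacerts files that need the missing signer added."""
    return {f.truststore for f in failures}


def triage(log_text: str) -> dict:
    """Summarise handshake failures and the follow-on messages the technote lists."""
    failures = parse_handshake_failures(log_text)
    return {
        "failures": failures,
        "truststores": affected_truststores(failures),
        "signer_hints": log_text.count("CWPKI0428I"),
        "connection_refused": log_text.count("TeamWorksException: Connection refused"),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["failures"]:
        print(f"{f.host}:{f.port} presented '{f.subject_dn}' (issuer: {f.issuer})")
        print(f"  not trusted by {f.truststore} [alias {f.ssl_alias}]")
    print(f"CWPKI0428I hints: {result['signer_hints']}, "
          f"connection refused: {result['connection_refused']}")
```

Because the truststore path is taken from the message rather than assumed, the script also shows when a JDK update has pointed the server at a freshly overwritten cacerts file, which is the cause the technote describes.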

To resolve this error, complete the following steps:
  1. Extract the certificate and save it as "Binary DER data."

  2. Use iKeyman to add the extracted certificate to the install_dir/Lombardi7/AppServer/java/jre/lib/security/cacerts keystore file. The iKeyman tool is available in the install_dir/AppServer/bin directory; you can also use another certificate management tool to accomplish this task. The default password is "changeit."
    Note: The cacerts keystore type is JKS.

  3. Restart the server.
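The three steps above can be scripted for repeatable repairs after a JDK update. The script below is an added example, not IBM's code: it retrieves the certificate the remote server presents (the counterpart of Retrieve From Port), saves it as binary DER, and imports it into the JKS cacerts file with the JDK keytool. It assumes keytool is on the PATH and that the expected SHA-256 fingerprint was obtained out of band from the owner of the process server; that comparison is how step 10 ("a certificate that you can trust") is enforced, and the script refuses to import anything whose fingerprint does not match.

```python
"""Retrieve a server's signer certificate, verify its fingerprint, import it into cacerts.

Added example for the manual procedure in the technote (not IBM's code). Assumes a
JDK keytool on PATH and an expected fingerprint obtained out of band.
"""
import argparse
import hashlib
import pathlib
import socket
import ssl
import subprocess
import sys

DEFAULT_STOREPASS = "changeit"  # default cacerts password named in the technote


def fetch_server_cert_der(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Return the certificate the server presents, DER-encoded.

    Verification is disabled on purpose: the signer is not yet trusted, so a
    verifying handshake would fail with the same PKIX error the log shows.
    Trust is decided afterwards by comparing the fingerprint, never here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def pem_to_der(pem: str) -> bytes:
    """Convert a PEM export (e.g. from a browser) to the "Binary DER data" form."""
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as keytool -list -v prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(actual: str, expected: str) -> bool:
    """Compare fingerprints ignoring case and separators."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(actual) == norm(expected)


def keytool_import_argv(cacerts: str, alias: str, der_file: str,
                        storepass: str = DEFAULT_STOREPASS) -> list[str]:
    """keytool command that adds a trusted signer to the JKS cacerts file (step 2)."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts",
            "-keystore", cacerts, "-storetype", "JKS", "-storepass", storepass,
            "-alias", alias, "-file", der_file]


def keytool_list_argv(cacerts: str, alias: str,
                      storepass: str = DEFAULT_STOREPASS) -> list[str]:
    """keytool command that shows the imported entry so the operator can confirm it."""
    return ["keytool", "-list", "-v", "-keystore", cacerts, "-storetype", "JKS",
            "-storepass", storepass, "-alias", alias]


def main(argv=None) -> int:
    p = argparse.ArgumentParser(description=__doc__)
    p.add_argument("host")
    p.add_argument("port", type=int)
    p.add_argument("--cacerts", required=True,
                   help="path to <install_dir>/Lombardi7/AppServer/java/jre/lib/security/cacerts")
    p.add_argument("--expected-fingerprint", required=True,
                   help="SHA-256 fingerprint obtained out of band from the certificate owner")
    p.add_argument("--alias", help="keystore alias (defaults to the host, as in step 8)")
    p.add_argument("--storepass", default=DEFAULT_STOREPASS)
    args = p.parse_args(argv)

    der = fetch_server_cert_der(args.host, args.port)
    actual = sha256_fingerprint(der)
    print(f"Presented certificate SHA-256: {actual}")
    if not fingerprints_match(actual, args.expected_fingerprint):
        print("Fingerprint does not match the expected value; not importing.", file=sys.stderr)
        return 2

    der_path = pathlib.Path(f"{args.host}_{args.port}.der")
    der_path.write_bytes(der)                      # step 1: save as Binary DER data
    alias = args.alias or args.host
    subprocess.run(keytool_import_argv(args.cacerts, alias, str(der_path), args.storepass),
                   check=True)                     # step 2: add to cacerts (JKS)
    subprocess.run(keytool_list_argv(args.cacerts, alias, args.storepass), check=True)
    print("Signer imported; restart the server (step 3) for the change to take effect.")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python import_signer.py <host> <port> --cacerts <install_dir>/Lombardi7/AppServer/java/jre/lib/security/cacerts --expected-fingerprint <sha256>`. Keeping the fingerprint check outside the TLS connection matters: the retrieval deliberately skips verification, so without the out-of-band comparison the script would trust whatever answered on that port.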


Product Synonym

WLE;Lombardi

Document Information

Modified date:
15 June 2018

UID

swg21650234