IBM Support

HTTP 500 Internal Server Error is Received with an Apache HTTP Server Configured For SSL and IBM WebSphere Application Server v8.5 on the IBM i

Troubleshooting


Problem

If your IBM i Apache HTTP Server is configured for SSL and is associated with an IBM WebSphere Application Server v8.5 or later profile, an HTTP 500 Internal Server Error might occur when you access your web application.

Symptom

HTTP 500 Internal Server Error received in your web browser when accessing your web application URL

AND

The following errors appear in the plugins_root/logs/web_server_name/http_plugin.log file.


ERROR: ws_common: websphereFindTransport: Nosecure transports available
ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find a transport
ERROR: ESI: getResponse: failed to get response: rc = 4
ERROR: ws_common: websphereHandleRequest: Failed to handle request

Cause

If the WebSphere Web Server Plugin is not properly configured to accept SSL communications, beginning at IBM WebSphere Application Server v8.5.5, the WebSphere Web Server Plugin product is no longer redirecting HTTPS SSL communications to the HTTP IP transport.

Environment

IBM i; IBM WebSphere Application Server v8.5.5 and later

Diagnosing The Problem

Verify an HTTP 500 Internal Server Error is received in the web browser when the browser accesses the web application's URL. Check the plugins_root/logs/web_server_name/http_plugin.log file for errors. The http_plugin.log file is typically located in the /QIBM/UserData/WebSphere/AppServer/<version>/<edition>/profiles/<profileName>/logs/<IHS_serverName>/ directory.

Resolving The Problem

Beginning at IBM WebSphere Application Server v8.5.5, the WebSphere Web Server Plugin product is no longer redirecting HTTPS SSL communications to the HTTP IP transport if the WebSphere Web Server Plugin is not properly configured to accept SSL communications. The change causes the following errors are recorded in the plugins_root/logs/web_server_name/http_plugin.log file if the Web Server plugin is not properly configured to accept SSL communications.

The following messages indicate the Web Server plugin's key database file was not copied to the web server keystore directory. Thus, the secure HTTPS transport cannot be initialized.

ERROR: lib_security: logSSLError: str_security (gsk error 202):  Key database file was not found.
ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment. Secure transports are not possible.
ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security. Secure transports are not possible.
ERROR: ws_server: serverAddTransport: Failed to initialize security. Secure transports are not possible.
ERROR: ws_server: serverAddTransport: HTTPS Transport is skipped. IMPORTANT: If a HTTP transport is defined, it will be used for communication to the application server.
ERROR: ws_server: serverAddTransport: Plugin will continue to startup, however, SSL transport PMICI7.PNAT.COM:6003 did not initilize.  Secure communication between app server and plugin will NOT occur. To run with SSL, additional products may need to be installed: 1) OS/400 Digital Certificate Manager (5722-SS1 or 5769-SS1, option 34) 2) Cryptographic Access Provider 5769-AC1 (40-bit), 5722-AC2 or 5769-AC2 (56-bit), 5722-AC3 or 5769-AC3 (128-bit)

...


The following messages indicate no active secure HTTPS transport can be found. These errors are a direct result of the previous messages.

ERROR: ws_common: websphereFindTransport: Nosecure transports available
ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find a transport
ERROR: ESI: getResponse: failed to get response: rc = 4
ERROR: ws_common: websphereHandleRequest: Failed to handle request


To resolve your issue, IBM recommends the following steps be taken to enable the Web Server plugin to accept SSL/TLS communications.

The steps to configure the web server plugin to accept SSL communications are listed here:
NOTE:  You can ignore steps 1, 5, 6, and 8 since they are not needed on the IBM i.
https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/tsec_httpserv2.html

Once the web server plugin is properly configured for SSL, restart your Apache HTTP Server and review the http_plugin.log file to confirm the following messages no longer appear in the log.

ERROR: lib_security: logSSLError: str_security (gsk error 202):  Key database file was not found.
ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment. Secure transports are not possible.
ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security. Secure transports are not possible.
ERROR: ws_server: serverAddTransport: Failed to initialize security. Secure transports are not possible.
ERROR: ws_server: serverAddTransport: HTTPS Transport is skipped. IMPORTANT: If a HTTP transport is defined, it will be used for communication to the application server.
ERROR: ws_server: serverAddTransport: Plugin will continue to startup, however, SSL transport PMICI7.PNAT.COM:6003 did not initilize.  Secure communication between app server and plugin will NOT occur. To run with SSL, additional products may need to be installed: 1) OS/400 Digital Certificate Manager (5722-SS1 or 5769-SS1, option 34) 2) Cryptographic Access Provider 5769-AC1 (40-bit), 5722-AC2 or 5769-AC2 (56-bit), 5722-AC3 or 5769-AC3 (128-bit)


================================================================

If the Web Server plug-in key database (plugin-key.kdb) does not exist in the location specified in the plugin-cfg.xml file used by the IBM HTTP Server, then you might be able to implement the "UseInsecure=true" custom plug-in property to your web server definition to resolve your issue. In some cases when the web server is partially configured for SSL/TLS communications, the "UseInsecure=true" custom property is ignored. In this case, you would need to disable the HTTPS transport for the Application Server to use non-SSL between the plugin and the application server. IBM strongly does not recommend disabling the HTTPS transport for your application server since this change would prevent all secure HTTPS connections to your application server.

NOTE: This process allows non-secure communications between the Web Server Plug-in and the WebSphere Application Server. If you would like these communications to be secure, refer to the recommendation on how to "Configure the Web Server plugin to accept SSL/TLS communications".

=================================================================

Optional:  Implement the "UseInsecure=true" custom plug-in property for your web server definition.   Non-secure HTTP traffic would be used between web server plugin and application server.
(Not recommended by IBM.  Will only work if "Copy web server keystore" has never been ran using the instructions here: https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/tsec_httpserv2.html)

You can implement the "UseInsecure-true" custom plug-in property to allow HTTPS traffic to be redirected to the HTTP transport.  This property enables WAS (WebSphere Application Server) to function like it did at WAS v8.0 and earlier.  
Take this step to allow the Web Server plugin to create non-secure connections when secure connections are defined (the old behavior).
Create the custom property UseInsecure=true
This property is on the Servers > Web Servers > Web_server_name > Plug-in properties > Custom properties page in the IBM WebSphere Integrated Solution Console application for the failing WebSphere Profile.
Next, restart your application server and web server for the changes to take effect.

This issue is documented in the following URL: http://www-01.ibm.com/support/docview.wss?uid=swg1PM85452

- Open a session to the IBM WebSphere Integrated Solution Console for your WebSphere Profile.
- Expand Servers -> Server Types and click "Web servers".

Screen shot of the WAS ISC showing Servers -> Server Types - Web servers

- Click your HTTP Server instance name.
- Click the "Plug-in properties" link under "Additional Properties" on the right side of the screen.

Screen shot of the WAS ISC showing Plug-in properties under Additional Properties on the Web Servers page.
- Click "Custom Properties" on the right side of the screen.

Screen shot of the WAS ISC showing Custom Properties under Additional Properties on the Plug-in Properties page
- Click the "New" button to create a new custom property.
- Enter the value of "UseInsecure" for the Name field and "true" for the Value field.

Screen shot of the WAS ISC showing the fields when creating a new custom plug-in properties item
- Press OK to add the custom property.
- Click the "Save" URL link at the top of the page to save the changes to the master configuration.
- Generate and Propagate the Web Server Plug-in.
  • - Expand Servers -> Server Types and click "Web servers".
    - Check the box next to your Web Server.
    - Click the "Generate Plug-in" button.
    - Click the "Propagate Plug-in" button.
- Restart the web server and application server for the changes to take effect.

[{"Type":"MASTER","Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0"}]

Document Information

Modified date:
07 August 2020

UID

nas8N1019946