Troubleshooting
Problem
Java application running on IBM WebSphere Application Server v8.5 or later throwing a javax.net.ssl.SSLHandshakeException
Resolving The Problem
A deployed application making a secure connection to a website was failing. No obvious messages in the systemout/systemerr logs.
MustGather:
Enable WebSphere security tracing as follows:
1. Go to the WebSphere Integrated Solutions Console (ISC).
2. In the left menu, select Troubleshooting, then select Logs and Tracing.
3. Enable tracing with the following trace specification:
*=info:*=com.ibm.websphere.security.*=all:com.ibm.ws.ssl.*=all
4. Restart the WebSphere server, re-create the SSL connection issue, and review the systemout/systemerr logs for exceptions.
Send in the MustGather data (WebSphere Collector output) via www.ecurep.ibm.com/app/upload
Sample error:
WSX509TrustMa E CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN, was sent from target host:port "unknown:0". The signer may need to be added to local truststore "/QIBM/UserData/WebSphere/AppServer/V85/Express/profiles/<profileName>/config/cells/<cellName>/nodes/<nodeName>/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".
O EFSServletLogic:PerformSendPayment().e=javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found
The exception alluded to the fact that there was no valid signer certificate within the WebSphere truststore. We verified this by checking the certificates in the truststore:
Here is a screen capture WebSphere console to help find this area of the configuration:
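The two sample lines above carry everything an administrator needs for triage: the SubjectDN of the certificate the remote site presented, the target host:port (which WebSphere reports as "unknown:0" when it cannot determine the destination), the truststore file and SSL configuration alias that lacked the signer, and the JSSE reason. As an added example that is not part of the IBM technote, the following Python script pulls those fields out of CWPKI0022E lines and, where the target is "unknown:0", recovers the calling application code path from the SSLHandshakeException logged on the same thread. The SystemOut excerpt it contains is constructed to match the technote's sample format; the host names, thread ids and the second truststore entry are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample SystemOut.log excerpt modelled on the technote's sample
# error. Host names, thread ids and application class names are placeholders.
SAMPLE_LOG = """\
[4/10/20 9:15:02:311 CDT] 0000004f WSX509TrustMa E   CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=payments.example.invalid, O=Example Corp" was sent from target host:port "unknown:0". The signer may need to be added to local truststore "/QIBM/UserData/WebSphere/AppServer/V85/Express/profiles/<profileName>/config/cells/<cellName>/nodes/<nodeName>/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".
[4/10/20 9:15:02:315 CDT] 0000004f SystemOut     O EFSServletLogic:PerformSendPayment().e=javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found
[4/10/20 9:16:40:002 CDT] 00000051 WSX509TrustMa E   CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=api.partner.invalid, O=Partner Ltd" was sent from target host:port "api.partner.invalid:443". The signer may need to be added to local truststore "/QIBM/UserData/WebSphere/AppServer/V85/Express/profiles/<profileName>/config/cells/<cellName>/nodes/<nodeName>/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "No trusted certificate found".
[4/10/20 9:16:40:010 CDT] 00000051 SystemOut     O OrderSync:pushOrders().e=java.net.ConnectException: Connection refused
"""

# WebSphere SystemOut line prefix: "[timestamp] <8-hex thread id> <component> <level> ..."
THREAD_RE = re.compile(r"^\[[^\]]+\]\s+(?P<thread>[0-9A-Fa-f]{8})\s")

# Fields of the CWPKI0022E message, in the order WebSphere prints them.
CWPKI0022E_RE = re.compile(
    r'CWPKI0022E:.*?SubjectDN "(?P<subject>[^"]*)"'
    r'.*?target host:port "(?P<target>[^"]*)"'
    r'.*?local truststore "(?P<truststore>[^"]*)"'
    r'.*?SSL configuration alias "(?P<alias>[^"]*)"'
    r'.*?handshake exception is: "(?P<reason>[^"]*)"'
)

# Application-level line of the form "Class:method().e=javax.net.ssl.SSLHandshakeException".
HANDSHAKE_EXC_RE = re.compile(
    r"\s(?P<context>\S+)\.e=javax\.net\.ssl\.SSLHandshakeException"
)


@dataclass
class SignerFailure:
    thread: Optional[str]
    subject_dn: str
    target: str
    truststore: str
    ssl_alias: str
    reason: str

    @property
    def target_known(self) -> bool:
        # "unknown:0" means WebSphere could not tell which host the application
        # was connecting to; the caller must then be found from the application's
        # own exception line on the same thread.
        return self.target != "unknown:0"


def parse_signer_failures(log_text: str) -> list[SignerFailure]:
    """Return one SignerFailure per CWPKI0022E line in the log text."""
    failures: list[SignerFailure] = []
    for line in log_text.splitlines():
        m = CWPKI0022E_RE.search(line)
        if not m:
            continue
        t = THREAD_RE.match(line)
        failures.append(SignerFailure(
            thread=t.group("thread") if t else None,
            subject_dn=m.group("subject"),
            target=m.group("target"),
            truststore=m.group("truststore"),
            ssl_alias=m.group("alias"),
            reason=m.group("reason"),
        ))
    return failures


def handshake_callers_by_thread(log_text: str) -> dict[str, str]:
    """Map thread id -> first application context that logged an SSLHandshakeException."""
    callers: dict[str, str] = {}
    for line in log_text.splitlines():
        m = HANDSHAKE_EXC_RE.search(line)
        t = THREAD_RE.match(line)
        if m and t:
            callers.setdefault(t.group("thread"), m.group("context"))
    return callers


def triage(log_text: str) -> list[dict]:
    """Pair each CWPKI0022E failure with its application caller and state the fix."""
    callers = handshake_callers_by_thread(log_text)
    report = []
    for f in parse_signer_failures(log_text):
        caller = callers.get(f.thread) if f.thread else None
        report.append({
            "subject_dn": f.subject_dn,
            "target": f.target if f.target_known else None,
            "caller": caller,
            "truststore": f.truststore,
            "ssl_alias": f.ssl_alias,
            # The signer to add is the CA chain that issued the presented
            # certificate, into the truststore named by the message.
            "action": (f"add the issuing CA chain for '{f.subject_dn}' as a signer to "
                       f"{f.truststore} (SSL config alias {f.ssl_alias})"),
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        where = entry["target"] or f"host unknown to WebSphere; see caller {entry['caller']}"
        print(f"{entry['subject_dn']} -> {where}")
        print(f"  action: {entry['action']}")
```

Run it against a real SystemOut.log by replacing SAMPLE_LOG with the file contents; the thread-id correlation is what turns an "unknown:0" target into a concrete application method to investigate, which is the same step the technote performed by hand with the PerformSendPayment() line.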

Resolution:
WebSphere (IBM i) - Adding a signer certificate to a keystore
Problem CA certificates can be expired, missing chained intermediates, or renewed CAs with new serial numbers.
There are several methods to retrieve the signers.
1) Open the https site in question in a web browser, which stores the certificate in the browser.
Access the certificate by clicking the lock icon. From there you can export the stored certificates and save them to your desktop. Transfer the saved .cer to an IFS location, and follow the above 'adding a signer' steps.
2) Retrieve the Digital Certificate from the remote SSL host. Qmgtools GETSSL Utility
Extract the signers. Extracting a CA Root Certificate from a Digital Certificate
Historical Number
524270573
Document Information
More support for:
IBM i
Component:
SSL TLS Communications, WebSphere Application Server->SSL TLS
Software version:
7.2, 7.1, 6.1.1, 6.1.0, 5.4.5, 5.4.0
Operating system(s):
IBM i
Document number:
634585
Modified date:
10 April 2020
UID
nas8N1012952