Troubleshooting
Problem
Cause
Diagnosing The Problem
[3/14/15 3:14:15:000 MST] FFDC Exception:java.lang.NullPointerException SourceId:com.ibm.ws.websvcs.transport.http.HTTPConnection.connect ProbeId:229 Reporter:com.ibm.ws.websvcs.transport.http.HTTPConnection@31415926
java.lang.NullPointerException
at com.ibm.crypto.fips.provider.RSAPSSSignature.b(Unknown Source)
at com.ibm.crypto.fips.provider.RSAPSSSignature.c(Unknown Source)
at com.ibm.crypto.fips.provider.RSAPSSSignature.engineSign(Unknown Source)
…
Index Count Time of first Occurrence Time of last Occurrence Exception SourceId ProbeId
------+------+---------------------------+---------------------------+---------------------------
0 9000 3/14/15 3:14:15:000 MST 3/14/15 6:28:00:000 MST java.lang.NullPointerException com.ibm.ws.ssl.channel.impl.SSLConnectionLink 238 /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_31415926_15.03.14_00.00.00.000000.txt
Follow the directions below to add the RSAPSS and RSASSA-PSS entries to the disabledAlgorithms list.
Resolving The Problem
- In standalone WebSphere Application Server environments, there's a good chance that the WebSphere Administrative Console is inaccessible when this issue occurs. To access the Administrative Console, first disable security by following the steps in this document.
- Next, obtain the current list of disabled algorithms from the logs. By default, WebSphere Application Server maintains an up-to-date list of algorithms that are disabled due to known vulnerabilities. To determine the current value of this list, check the server's SystemOut.log right after startup for a CWPKI0051I message like the following example:
SSLConfigMana I CWPKI0051I: The process has the java security property jdk.tls.disabledAlgorithms set to [SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL]. The WebSphere Application server is setting the java security property jdk.tls.disabledAlgorithms to [SSLv3, RC4, DH keySize < 768, MD5withRSA].
Note: The list may be different depending on the WebSphere Application Server fixpack level, the contents of the java.security file, and the value of the com.ibm.websphere.tls.disabledAlgorithms property.
- Once you have the current value of the list from the CWPKI0051I message, navigate to the Security > Global Security > Custom Properties section of the WebSphere Administrative Console.
- If there is already a property defined with the name com.ibm.websphere.tls.disabledAlgorithms, click it and add RSAPSS, RSASSA-PSS to the comma-separated list in the value field.
-- OR --
If the property is not defined, then click New... and create a property named com.ibm.websphere.tls.disabledAlgorithms with a value equal to the comma-separated list from the CWPKI0051I message, with RSAPSS, RSASSA-PSS appended. For example, using the CWPKI0051I message shown above, the new comma-separated list would be:
SSLv3, RC4, DH keySize < 768, MD5withRSA, RSAPSS, RSASSA-PSS
- Click "OK" and save the changes.
- If you disabled security, re-enable security from the Security > Global Security panel, then click OK and Save again.
- Synchronize any nodes if you are running a Network Deployment environment, and then restart the environment for the changes to take effect.
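The list-building step above can be scripted so the value is copied from the log rather than retyped. The following is an added example, not IBM-provided code: it reads the most recent CWPKI0051I message from SystemOut.log text, takes the list WebSphere is setting, and appends RSAPSS and RSASSA-PSS without duplicating entries. The function names and the thread ID in the sample log line are constructed for illustration, and the message is assumed to sit on a single log line.

```python
import re

# A CWPKI0051I message carries two bracketed lists: the value found in
# java.security, then the value WebSphere actually sets. The second is the
# one the procedure extends.
CWPKI0051I = re.compile(
    r"CWPKI0051I:.*?jdk\.tls\.disabledAlgorithms set to \[(?P<jvm>[^\]]*)\]"
    r".*?jdk\.tls\.disabledAlgorithms to \[(?P<effective>[^\]]*)\]"
)
REQUIRED = ("RSAPSS", "RSASSA-PSS")


def split_algorithms(value):
    """Split a comma-separated list, keeping entries like 'DH keySize < 768' whole."""
    return [item.strip() for item in value.split(",") if item.strip()]


def effective_list(log_text):
    """Return the list set at the most recent startup, or None if not logged."""
    matches = list(CWPKI0051I.finditer(log_text))
    return split_algorithms(matches[-1].group("effective")) if matches else None


def new_property_value(log_text, required=REQUIRED):
    """Build the value for com.ibm.websphere.tls.disabledAlgorithms."""
    current = effective_list(log_text)
    if current is None:
        raise ValueError("no CWPKI0051I message found in log text")
    seen = {alg.upper() for alg in current}
    for alg in required:
        if alg.upper() not in seen:  # leave entries that are already present alone
            current.append(alg)
            seen.add(alg.upper())
    return ", ".join(current)


# Constructed sample: the message text from this page with a made-up prefix.
SAMPLE_LOG = (
    "[3/14/15 3:14:15:000 MST] 00000001 SSLConfigMana I CWPKI0051I: The process "
    "has the java security property jdk.tls.disabledAlgorithms set to [SSLv3, RC4, "
    "DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, "
    "anon, NULL]. The WebSphere Application server is setting the java security "
    "property jdk.tls.disabledAlgorithms to [SSLv3, RC4, DH keySize < 768, MD5withRSA].\n"
)

if __name__ == "__main__":
    print(new_property_value(SAMPLE_LOG))
```

Running it against a real log means passing the contents of SystemOut.log to new_property_value; the result is what goes in the custom property's value field.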
Related Information
How to customize the disabledAlgorithms settings without editing the java.secur…
How to set the disabledAlgorithms in WebSphere Application Server and WebSpher…
PI54960: PROVIDE PROPERTY TO SET JAVA SECURITY ALGORITHM RELATED PROPERTIES
Security custom properties (com.ibm.websphere.tls.disabledAlgorithms)
Document Location
Worldwide
Document Information
Modified date:
29 March 2023
UID
ibm16422887