IBM Support

PI50599: SSL CSR BEING SENT TO SSL CLIENTS AFTER RESTARTING WEBSPHERE APPLICATION SERVER INSTEAD OF EXPECTED CERTIFICATE

APAR status

  • Closed as program error.

Error description

  • When you use the WebSphere Application Server administrative
    console to create a certificate signing request (CSR) in
    your active keystore to send to your CA, and then restart your
    Application Server, incoming SSL clients could receive the
    "placeholder" CSR certificate instead of the certificate that
    was in use before the CSR was created.
    

Local fix

  • Create a new keystore that is used only to create the CSR.
    When you get the response from your CA, do the receive from
    Certificate Authority in that keystore; this does not impact
    your system even if you do multiple restarts. Then, when you
    have a maintenance window, import the certificate you received
    from your CA into your active keystore.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: If a keystore has multiple keys, the    *
    *                      JSSE could pick a key that is not       *
    *                      intended.                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    If a keystore has multiple keys, the JSSE could pick a key
    that is not intended.
    

Problem conclusion

  • Added a warning when multiple keys are in a keystore to let
    users know they should specify which key is to be used by the
    SSL configuration.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.43, 8.0.0.13, 8.5.5.10.  Please refer to the
    Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
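
The condition this APAR warns about can also be checked from a keystore listing. The following is an added example, not IBM's code: it parses `keytool -list -v` output and reports a keystore that holds more than one private key when no alias is pinned. The embedded listing and alias names are constructed, `configured_alias` is a hypothetical parameter, and treating a self-signed key entry as a possible CSR placeholder is an assumption.

```python
import re

# Constructed sample of `keytool -list -v` output (not from a real system).
SAMPLE = """\
Alias name: default
Entry type: PrivateKeyEntry
Owner: CN=app.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example

Alias name: renewal_csr
Entry type: PrivateKeyEntry
Owner: CN=app.example.test, O=Example
Issuer: CN=app.example.test, O=Example

Alias name: example_root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""

FIELD = re.compile(r"^(Alias name|Entry type|Owner|Issuer):\s*(.*)$")
def parse_entries(listing):
    """Return one dict per keystore entry; for a chain, keep the first (leaf) cert."""
    entries = []
    for line in listing.splitlines():
        m = FIELD.match(line.strip())
        if m and m.group(1) == "Alias name":
            entries.append({"Alias name": m.group(2)})
        elif m and entries:
            entries[-1].setdefault(m.group(1), m.group(2))
    return entries

def audit(listing, configured_alias=None):
    """Flag several private keys with no alias pinned (self-signed = placeholder is assumed)."""
    keys = [e for e in parse_entries(listing) if e.get("Entry type") == "PrivateKeyEntry"]
    aliases = [e["Alias name"] for e in keys]
    findings = []
    if len(keys) > 1 and configured_alias is None:
        findings.append("multiple private keys, no alias configured: " + ", ".join(aliases))
    if configured_alias is not None and configured_alias not in aliases:
        findings.append("configured alias not in keystore: " + configured_alias)
    for e in keys:
        if e.get("Owner") is not None and e.get("Owner") == e.get("Issuer"):
            findings.append("self-signed key entry (possible CSR placeholder): " + e["Alias name"])
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Trusted-certificate entries are ignored on purpose, so a self-signed root CA in the same keystore does not produce a finding.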
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI50599

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-10-14

  • Closed date

    2016-06-07

  • Last modified date

    2016-06-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 7.0

Reference #: PI50599

Modified date: 07 June 2016