IBM Support

PK52557: <WAS_HOME>/APPSERVER/JAVA/LIB/SECURITY/JAVA.SECURITY NOT PICKED UP BY WSADMIN ANT TASK.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Attempting to make an outbound SSL call using the wsadmin ANT
    task to the Deployment Manager fails with SSL error:
    
    SOAPException: faultCode=SOAP-ENV:Client; msg=Error parsing HTTP
    status line &quot;
    
    following on from this in the 'fail' trace is :
                               [SOAPException:
    faultCode=SOAP-ENV:Client;
    msg=Error opening socket: javax.net.ssl.SSLHandshakeException:
    com.ibm.jsse2.util.h: PKIX path building failed:
    java.security.cert.CertPathBuilderException:
    PKIXCertPathBuilderImpl
    could not build a valid CertPath.; internal cause is:
     java.security.cert.CertPathValidatorException: The certificate
    issued by CN=CertAuth, T=Control Region,
    OU=IBM, O=IBM, L=North America, ST=NY,
    C=USA is not trusted;
    internal cause is:
    java.security.cert.CertPathValidatorException: Certificate
    chaining error;
    targetException=java.lang.IllegalArgumentException: Error
    opening
    socket: javax.net.ssl.SSLHandshakeException:
    com.ibm.jsse2.util.h: PKIX
    path building failed:
    java.security.cert.CertPathBuilderException:
    PKIXCertPathBuilderImpl could not build a valid CertPath.;
    internal cause is:
    java.security.cert.CertPathValidatorException: The certificate
    issued by CN=CertAuth, T=Control Regions,
    OU=IBM, O=IBM, L=North America, ST=NY,
    C=USA is not trusted;
    internal cause is:
    java.security.cert.CertPathValidatorException: Certificate
    chaining
    error]
    
    The problem occurs because the spawned ANT task is using a
    JAVA_HOME of the SMP/E hfs, and it loaded the java.security file
    from the SMP/E location rather than using the JAVA_HOME of
    WebSphere config hfs.
    
    The paths below illustrate the problem:
    
    ANT task uses SMP/E hfs path:
    /usr/lpp/zWebSphere/V6R1/java/J5.0
    
    Loaded java.security file from:
    /usr/lpp/zWebSphere/V6R1/java/J5.0/lib/security/java.security
    
    ANT task should be using JAVA_HOME for WebSphere
    /WebSphere/V6R1/AppServer/java
    
    Should be loading java.security file from:
    /WebSphere/V6R1/AppServer/java/lib/security/java.security
    

Local fix

  • In the wsadmin ant task specify a "properties" attribute that
    points to an hfs file.  In the hfs file code an override to
    point to the correct java.security file in your WAS_HOME.
    
    An example of the wsadmin ANT task might look like:
    
    <wsadmin wasHome="..." command="..."
    properties="/tmp/myFile.props" profile="..." ...
    failonerror="..." />
    
    In the myFile.props specify the absolute location to the
    java.security file in the <WAS_HOME> hfs.
    
    java.security.properties==/WebSphere/V6R1/AppServer/java/lib/sec
    urity/java.security
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of WebSphere Application Server    *
    *                 V6.1.0 for z/OS using the wsadmin ANT task   *
    ****************************************************************
    * PROBLEM DESCRIPTION: The wsadmin Ant task is unable to       *
    *                      connect to a WebSphere Application      *
    *                      Server for z/OS runtime when security   *
    *                      is enabled                              *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When running the wsadmin Ant task to connect to a v6.1
    WebSphere Application Server on the z/OS platform, the wrong
    java.security file is used and causes the wrong security
    providers to be loaded.  This results in the following error
    being displayed in the console that is invoking the Ant task:
    
    [wsadmin] WASX7023E: Error creating "SOAP" connection to host
    "localhost"; exception information:
    com.ibm.websphere.management.exception.ConnectorNotAvailable
    Exception: [SOAPException: faultCode=SOAP-ENV:Client;
    msg=Error parsing HTTP status line &quot; ????&quot;:
    java.util.NoSuchElementException;
    targetException=java.lang.IllegalArgumentException: Error
    parsing HTTP status line " ????":
    java.util.NoSuchElementException]
    [wsadmin] WASX7213I: This scripting client is not connected to
    a server process; please refer to the log file
    /USRS/was61/<cell>/<node>/dmgr/profiles/default/logs/wsadmin.
    traceout for additional information.
    [wsadmin] WASX8011W: AdminTask object is not available.
    [wsadmin] WASX7303I: The following options are passed to the
    scripting environment and are available as arguments that are
    stored in the argv variable:
    "[${adamRoot}zz_ibm/wasBatch/wasBatch-99009205-Step-1.txt]"
    [wsadmin] WASX7017E: Exception received while running file
    "helloWorld.jacl";
    exception information:
    com.ibm.ws.scripting.ScriptingException: WASX7070E: The
    configuration service is not available.
    

Problem conclusion

  • The java.home system property will be set to the value of the
    JAVA_HOME system property on the JVM that invokes the wsadmin
    wsadmin Ant task to ensure that the correct java.security file
    is used.
    
    APAR PK52557 is currently targeted for inclusion in Service
    Level (Fix Pack) 6.1.0.17 of WebSphere Application Server V6.1
    for z/OS.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK52557

  • Reported component name

    WEBSPHERE FOR Z

  • Reported component ID

    5655I3500

  • Reported release

    610

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-09-10

  • Closed date

    2008-02-01

  • Last modified date

    2008-07-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE FOR Z

  • Fixed component ID

    5655I3500

Applicable component levels

  • R610 PSY UK36750

       UP08/06/10 P F806

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: WebSphere Application Server for z/OS
General

Software version: 6.1

Reference #: PK52557

Modified date: 02 July 2008


Translate this page: