IBM Support

HTTP 500 Internal Server Error is Received with an Apache HTTP Server Configured For SSL and IBM WebSphere Application Server v8.5 on the IBM i

Technote (troubleshooting)


Problem(Abstract)

If you have an IBM i Apache HTTP Server configured for SSL that is associated with an IBM WebSphere Application Server v8.5 or later profile, an HTTP 500 Internal Server Error might occur when accessing your web application.

Symptom

HTTP 500 Internal Server Error received in your web browser when accessing your web application URL

AND

The following errors appear in the plugins_root/logs/web_server_name/http_plugin.log file.


ERROR: ws_common: websphereFindTransport: Nosecure transports available
ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find a transport
ERROR: ESI: getResponse: failed to get response: rc = 4
ERROR: ws_common: websphereHandleRequest: Failed to handle request


Cause

Beginning at IBM WebSphere Application Server v8.5.5, the WebSphere Web Server Plugin product is no longer redirecting HTTPS SSL communications to the HTTP IP transport if the WebSphere Web Server Plugin is not properly configured to accept SSL communications.


Environment

IBM i; IBM WebSphere Application Server v8.5.5 and later

Diagnosing the problem

Verify a HTTP 500 Internal Server Error is received in the web browser when accessing the web application's URL. Check the plugins_root/logs/web_server_name/http_plugin.log file for errors. The http_plugin.log file is typically located in the /QIBM/UserData/WebSphere/AppServer/<version>/<edition>/profiles/<profileName>/logs/<IHS_serverName>/ directory.

Resolving the problem

Beginning at IBM WebSphere Application Server v8.5.5, the WebSphere Web Server Plugin product is no longer redirecting HTTPS SSL communications to the HTTP IP transport if the WebSphere Web Server Plugin is not properly configured to accept SSL communications.  Because of this, you will receive the following errors in the plugins_root/logs/web_server_name/http_plugin.log file if the Web Server plugin is not properly configured to accept SSL communications.


The following messages indicate the Web Server plugin's key database file has not been copied to the web server keystore directory. Thus, the secure HTTPS transport cannot be initialized.

ERROR: lib_security: logSSLError: str_security (gsk error 202):  Key database file was not found.
ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment. Secure transports are not possible.
ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security. Secure transports are not possible.
ERROR: ws_server: serverAddTransport: Failed to initialize security. Secure transports are not possible.
ERROR: ws_server: serverAddTransport: HTTPS Transport is skipped. IMPORTANT: If a HTTP transport is defined, it will be used for communication to the application server.
ERROR: ws_server: serverAddTransport: Plugin will continue to startup, however, SSL transport PMICI7.PNAT.COM:6003 did not initilize.  Secure communication between app server and plugin will NOT occur. To run with SSL, additional products may need to be installed: 1) OS/400 Digital Certificate Manager (5722-SS1 or 5769-SS1, option 34) 2) Cryptographic Access Provider 5769-AC1 (40-bit), 5722-AC2 or 5769-AC2 (56-bit), 5722-AC3 or 5769-AC3 (128-bit)
...


The following messages indicate no active secure HTTPS transport can be found. This is a direct result of the previous messages.

ERROR: ws_common: websphereFindTransport: Nosecure transports available
ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find a transport
ERROR: ESI: getResponse: failed to get response: rc = 4
ERROR: ws_common: websphereHandleRequest: Failed to handle request


To resolve your issue, you will need to either...
1) Configure the Web Server plugin to accept SSL communications

The steps to configure the web server plugin to accept SSL communications are listed here:
NOTE:  You can ignore step 1 since it is not needed on the IBM i.
http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/topic/com.ibm.websphere.express.doc/ae/tsec_httpserv2.html

Once the web server plugin is properly configured for SSL, restart your Apache HTTP Server and review the http_plugin.log file to confirm the following messages no longer appear in the log.

ERROR: lib_security: logSSLError: str_security (gsk error 202):  Key database file was not found.
ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment. Secure transports are not possible.
ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security. Secure transports are not possible.
ERROR: ws_server: serverAddTransport: Failed to initialize security. Secure transports are not possible.
ERROR: ws_server: serverAddTransport: HTTPS Transport is skipped. IMPORTANT: If a HTTP transport is defined, it will be used for communication to the application server.
ERROR: ws_server: serverAddTransport: Plugin will continue to startup, however, SSL transport PMICI7.PNAT.COM:6003 did not initilize.  Secure communication between app server and plugin will NOT occur. To run with SSL, additional products may need to be installed: 1) OS/400 Digital Certificate Manager (5722-SS1 or 5769-SS1, option 34) 2) Cryptographic Access Provider 5769-AC1 (40-bit), 5722-AC2 or 5769-AC2 (56-bit), 5722-AC3 or 5769-AC3 (128-bit)


OR

2) Implement the "UseInsecure=true" custom plug-in property for your web server definition.

You can implement the "UseInsecure-true" custom plug-in property to allow HTTPS traffic to be redirected to the HTTP transport.  This enables WAS to function like it did at WAS v8.0 and earlier.  If you want to allow the Web Server plugin to create non-secure connections when secure connections are defined (the old behavior), you will need to create the custom property UseInsecure=true on the Servers > Web Servers > Web_server_name > Plug-in properties > Custom properties page in the IBM WebSphere Integrated Solution Console application for the failing WebSphere Profile.  Then, restart your application server and web server for the changes to take affect.

This issue is documented in the following URL: http://www-01.ibm.com/support/docview.wss?uid=swg1PM85452

- Open a session to the IBM WebSphere Integrated Solution Console for your WebSphere Profile.
- Expand Servers -> Server Types and click on "Web servers".

Screen shot of the WAS ISC showing Servers -> Server Types - Web servers

- Click on your HTTP Server instance name.
- Click on the "Plug-in properties" link under "Additional Properties" on the right-hand side of the screen.

Screen shot of the WAS ISC showing Plug-in properties under Additional Properties on the Web Servers page.
- Click on "Custom Properties" on the right-hand side of the screen.

Screen shot of the WAS ISC showing Custom Properties under Additional Properties on the Plug-in Properties page
- Click on the "New" button to create a new custom property.
- Enter the value of "UseInsecure" for the Name field and "true" for the Value field.

Screen shot of the WAS ISC showing the fields when creating a new custom plug-in properties item
- Press OK to add the custom property.
- Click on the "Save" URL link at the top of the page to save the changes to the master configuration.
- Generate and Propagate the Web Server Plug-in.

    - Expand Servers -> Server Types and click on "Web servers".
    - Check the box next to your Web Server.
    - Click the " Generate Plug-in" button.
    - Click the " Propagate Plug-in" button.
- Restart the web server and application server for the changes to take affect.


Cross reference information
Segment Product Component Platform Version Edition
Operating System IBM i 7.2
Operating System IBM i 7.1
Operating System IBM i 6.1
Operating System IBM i 7.3

Document information

More support for: IBM i
WebSphere Application Server

Software version: 6.1.0, 6.1.1, 7.1, 7.2, 7.3

Operating system(s): IBM i

Software edition: All Editions, WAS v8.5.5, WAS v9.0

Reference #: N1019946

Modified date: 10 January 2017


Translate this page: