IBM Support

PK36869: AFTER AUTOMATIC CERT RENEWAL DMGR CANNOT TALK TO NODEAGENTS. "JSSL0080E SSL HANDSHAKE EXCEPTION"


APAR status

  • Closed as program error.

Error description

  • In WAS 6.1 the default certificate expires in one year. Just
    before the expiration, the cert is renewed automatically. After
    this automatic cert renewal, the dmgr cannot talk to nodeagents,
    resulting in "JSSL0080E SSL HandShake Exception".

    If the renewal is done while WAS is up and running, the user
    has to update dmgr/trust.p12 and appsrv/trust.p12 when prompted
    during the next WAS shutdown. This does not work if WAS is
    running as a service on Windows platforms.

    If the cert expires while WAS is NOT running, WAS has to be
    started with the expired cert. Automatic renewal runs during the
    next start-up of the dmgr. The user then has to run sync node.

    As a workaround, the user currently has to manually add the
    renewed certs to the trust stores:
    add the cert of the Cell to the Node, and that of the Node to
    the Cell.

    The error is produced as a direct result of automatic cert
    renewal. The renewed cert should be added to the Cell and Node
    trust stores automatically.
    
    Additionally, the certificate expiration monitor has been
    modified to properly handle this condition; this fix has been
    shipped in APAR PK48659.
    

Local fix

  • As a workaround, the user currently has to manually add the
    renewed certs to the trust stores:
    add the cert of the Cell to the Node, and that of the Node to
    the Cell.
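
A check for the condition this workaround addresses, as an added example that is not IBM's code: it parses `keytool -list` style listings of each profile's key store and trust store and reports every personal certificate whose fingerprint is missing from the peer's trust store. It assumes self-signed default certificates, so the signer is the certificate itself; the listings, fingerprints and aliases are constructed sample data.

```python
import re

# One entry of `keytool -list` output: "<alias>, <date>, <entry type>," then a fingerprint line.
ENTRY = re.compile(
    r"^(?P<alias>[^,\n]+),.*?(?P<kind>PrivateKeyEntry|trustedCertEntry),\s*\n"
    r"Certificate fingerprint \([^)]+\):\s*(?P<fp>[0-9A-Fa-f:]+)",
    re.MULTILINE,
)

def parse_listing(text):
    """Map entry type -> {fingerprint: alias} for one keystore listing."""
    found = {"PrivateKeyEntry": {}, "trustedCertEntry": {}}
    for m in ENTRY.finditer(text):
        found[m["kind"]][m["fp"].upper()] = m["alias"].strip()
    return found

def missing_signers(profiles):
    """profiles: {name: (key_store_listing, trust_store_listing)}.
    Returns (owner, peer, fingerprint) for each personal cert the peer does not trust."""
    parsed = {name: (parse_listing(k)["PrivateKeyEntry"], parse_listing(t)["trustedCertEntry"])
              for name, (k, t) in profiles.items()}
    gaps = []
    for owner, (personal, _) in parsed.items():
        for peer, (_, trusted) in parsed.items():
            if peer != owner:
                gaps += [(owner, peer, fp) for fp in personal if fp not in trusted]
    return gaps

def listing(*entries):
    """Constructed stand-in for `keytool -list` output; entries are (alias, type, fingerprint)."""
    head = "Keystore type: PKCS12\n\nYour keystore contains %d entries\n\n" % len(entries)
    return head + "".join("%s, Jan 3, 2007, %s,\nCertificate fingerprint (SHA1): %s\n" % e
                          for e in entries)

# Constructed, shortened fingerprints; aliases are hypothetical.
OLD_DMGR, NEW_DMGR, NODE = "D1:00:AA:01", "D2:00:BB:02", "A1:00:CC:03"

def sample(node_trusted):
    """The dmgr has renewed its cert; node_trusted lists what the node trust store holds."""
    return {
        "dmgr": (listing(("default", "PrivateKeyEntry", NEW_DMGR)),
                 listing(("dmgr", "trustedCertEntry", NEW_DMGR), ("node", "trustedCertEntry", NODE))),
        "node": (listing(("default", "PrivateKeyEntry", NODE)),
                 listing(*[("signer%d" % i, "trustedCertEntry", fp)
                           for i, fp in enumerate(node_trusted)])),
    }

if __name__ == "__main__":
    print(missing_signers(sample([OLD_DMGR, NODE])))            # before the manual exchange
    print(missing_signers(sample([OLD_DMGR, NEW_DMGR, NODE])))  # after adding the renewed cert
```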
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users who utilize IBM WebSphere          *
    *                 Application Server version 6.1's automatic   *
    *                 expired certificate renewal function.        *
    ****************************************************************
    * PROBLEM DESCRIPTION: When Application Server attempts to     *
    *                      renew expired certificates, it is       *
    *                      unable to do so - a node                *
    *                      synchronization error may occur.        *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Application Server was incorrectly processing the sequence of
    events that need to complete before the certificates are
    renewed and exchanged between the Deployment Manager and the
    Node Agent.
    

Problem conclusion

  • Application Server has been modified to, at cell profile
    creation time, create separate signer certificates in each
    keystore so that proper exchange can take place at certificate
    expiration and renewal time. NOTE: this APAR does not handle
    profiles that have already been created. To address certificate
    expiration and renewal in Application Server with existing
    profiles, please reference the WebSphere Application Server
    flash "Possible client outage for WebSphere Application Server
    V6.1 if using default self-signed certificate expiration"
    and/or install WebSphere maintenance fixpack 6.1.0.7.
    
    The fix for this APAR is currently targeted for inclusion
    in fixpack 6.1.0.11.
    Please refer to the recommended updates page for delivery
    information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK36869

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    61I

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-01-03

  • Closed date

    2007-04-16

  • Last modified date

    2007-11-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • SECURITY
    

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • R61A PSY

       UP

  • R61H PSY

       UP

  • R61I PSY

       UP

  • R61P PSY

       UP

  • R61S PSY

       UP

  • R61W PSY

       UP

  • R61Z PSY

       UP


Document Information

Modified date:
28 December 2021