Fixes are available
Java SDK 1.5 SR8 Cumulative Fix for WebSphere Application Server
Java SDK 1.5 SR10 Cumulative Fix for WebSphere Application Server
6.1.0.31: Java SDK 1.5 SR11 FP1 Cumulative Fix for WebSphere Application Server
6.1.0.33: Java SDK 1.5 SR12 FP1 Cumulative Fix for WebSphere
6.1.0.29: Java SDK 1.5 SR11 Cumulative Fix for WebSphere Application Server
6.1.0.35: Java SDK 1.5 SR12 FP2 Cumulative Fix for WebSphere
6.1.0.37: Java SDK 1.5 SR12 FP3 Cumulative Fix for WebSphere
6.1.0.39: Java SDK 1.5 SR12 FP4 Cumulative Fix for WebSphere Application Server
6.1.0.41: Java SDK 1.5 SR12 FP5 Cumulative Fix for WebSphere Application Server
6.1.0.43: Java SDK 1.5 SR13 Cumulative Fix for WebSphere Application Server
6.1.0.45: Java SDK 1.5 SR14 Cumulative Fix for WebSphere Application Server
6.1.0.47: WebSphere Application Server V6.1 Fix Pack 47
6.1.0.47: Java SDK 1.5 SR16 Cumulative Fix for WebSphere Application Server
6.1.0.9: WebSphere Application Server V6.1 Fix Pack 9 for Solaris
APAR status
Closed as program error.
Error description
In WAS 6.1, the default certificate expires in one year. Just before expiration, the certificate is renewed automatically. After this automatic renewal, the dmgr cannot talk to the node agents, resulting in "JSSL0080E SSL HandShake Execption". If the renewal happens while WAS is up and running, the user has to update dmgr/trust.p12 and appsrv/trust.p12 when prompted during the next WAS shutdown. This does not work if WAS is running as a service on Windows platforms. If the certificate expires while WAS is NOT running, WAS has to be started with the expired certificate. Automatic renewal runs during the next start-up of the dmgr. The user has to run sync node. As a workaround, the user currently has to manually add the renewed certificates to the trust stores: add the Cell's certificate to the Node's trust store, and the Node's certificate to the Cell's trust store. The error is a direct result of automatic certificate renewal. The renewed certificate should be added to the Cell and Node trust stores automatically. Additionally, the certificate expiration monitor has been modified to properly handle this condition; this fix has been shipped in APAR PK48659.
Local fix
As a workaround, the user currently has to manually add the renewed certificates to the trust stores: add the Cell's certificate to the Node's trust store, and the Node's certificate to the Cell's trust store.
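The workaround succeeds only when each side's current self-signed certificate is present in the other side's trust store. The following is an added example, not IBM's code, that checks this in both directions over PEM exports of the stores; the endpoint names, the assumption that the stores have been exported to PEM, and the sample data (constructed stand-in bytes, not real certificates) are all assumptions.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bundle):
    """SHA-256 fingerprint of every certificate in a PEM bundle."""
    return {hashlib.sha256(base64.b64decode(body)).hexdigest()
            for body in PEM_RE.findall(pem_bundle)}

def missing_trust(endpoints):
    """endpoints maps name -> {"personal": PEM, "trusted": PEM bundle}.
    Returns (owner, peer) pairs where the peer's trust store lacks the
    owner's current self-signed certificate, so the handshake will fail."""
    gaps = set()
    for owner, own in endpoints.items():
        for peer, other in endpoints.items():
            if peer != owner and not (
                    fingerprints(own["personal"]) <= fingerprints(other["trusted"])):
                gaps.add((owner, peer))
    return sorted(gaps)

def _pem(label):
    # Constructed stand-in: arbitrary bytes in a PEM wrapper, not a real cert.
    body = base64.encodebytes(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def after_renewal():
    # Constructed state: the cell certificate was renewed, but the node's
    # trust store still holds only the old cell signer.
    return {
        "cell": {"personal": _pem("cell-renewed"),
                 "trusted": _pem("cell-renewed") + _pem("node")},
        "node": {"personal": _pem("node"),
                 "trusted": _pem("node") + _pem("cell-old")},
    }

def after_workaround():
    # Same state once the renewed cell signer is added to the node's store.
    state = after_renewal()
    state["node"]["trusted"] += _pem("cell-renewed")
    return state

if __name__ == "__main__":
    print("after renewal:   ", missing_trust(after_renewal()))
    print("after workaround:", missing_trust(after_workaround()))
```

An empty result means every endpoint's current certificate is trusted by every peer; any pair listed identifies the trust store that still needs the renewed signer.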
Problem summary
USERS AFFECTED: All users who utilize IBM WebSphere Application Server version 6.1's automatic expired certificate renewal function.
PROBLEM DESCRIPTION: When Application Server attempts to renew expired certificates, it is unable to do so - a node synchronization error may occur.
RECOMMENDATION:
Application Server was incorrectly processing the sequence of events that need to complete before the certificates are renewed and exchanged between the Deployment Manager and the Node Agent.
Problem conclusion
Application Server has been modified to create, at cell profile creation time, separate signer certificates in each keystore so that proper exchange can take place at certificate expiration and renewal time.
NOTE: This APAR does not handle profiles that have already been created. To address certificate expiration and renewal in Application Server with existing profiles, please reference the WebSphere Application Server flash "Possible client outage for WebSphere Application Server V6.1 if using default self-signed certificate expiration" and/or install WebSphere maintenance fixpack 6.1.0.7.
The fix for this APAR is currently targeted for inclusion in fixpack 6.1.0.11. Please refer to the recommended updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PK36869
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
61I
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2007-01-03
Closed date
2007-04-16
Last modified date
2007-11-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
SECURITY
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R61A PSY UP
R61H PSY UP
R61I PSY UP
R61P PSY UP
R61S PSY UP
R61W PSY UP
R61Z PSY UP
Document Information
Modified date:
28 December 2021