PM76686: A SECURE WEBSPHERE APPLICATION SERVER INTERMITTENTLY STOPS DUE TO SSL HANDSHAKE ERROR CAUSED BY BAD CERTIFICATE LENGTH

APAR status

  • Closed as program error.

Error description

  • Abstract:
    
    Attempts to add a second (or more) certificate to the product's
    trust store result in SSLHandShakeError when the # of
    characters of the certificate in the form of 'cn=__________' is
    equal to 29.
    
    Problem:
    
    When I add the first secure Server to the list of the product's
    trusted servers there is no issue; however, when I add the second
    secure Server to the list of the product's trusted servers, an
    SSLHandShake occurs and causes the server to intermittently
    stop.
    The issue occurs when the # of characters of the certificate in
    the form of 'cn=__________' is equal to 29.
    The certificate name is based on the distinguishing names.
    WebSphere Application Server will do a truncation if the name is
    > 32 characters so that the resulting name is 31 characters. The
    result is something like 'cn= ____, '. The trailing space is
    causing an issue. The issue occurs only when adding a second (or
    more) certificate to the trust store.
    
    Local fix:
    
    Suggested workaround is to manually add a few characters when
    creating a new profile. When creating a new WAS profile, go into
    advanced profile creation and you will be able to manually change
    the certificate name. Changing 'certificatename' to
    'certificatenameEXTRACHARACTERS' will be sufficient to resolve
    the Certificate Chaining Error.
    

Local fix

Problem summary

  • The status of the server may intermittently change from Started
    to Stopped due to a certificate chaining error. This problem is
    caused when both of the following conditions are present:
    1. Connecting to two or more secure servers
    2. The certificate in the form of "cn=__________" is exactly 29
    characters
    

Problem conclusion

  • Additional logic was added to handle the trailing space in the
    certificate name to ensure the certificate names in the trust
    store would be unique and added correctly.
    
    The fix for this APAR is included in Rational Application
    Developer v8.0.4.3.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM76686

  • Reported component name

    SW ARCHITECT WI

  • Reported component ID

    5724I7001

  • Reported release

    804

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-11-07

  • Closed date

    2013-10-28

  • Last modified date

    2013-10-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    RATL APP DEV WI

  • Fixed component ID

    5724J1901

Applicable component levels

  • R804 PSY

       UP



Document information


More support for:

Rational Application Developer for WebSphere Software

Software version:

8.0.4

Reference #:

PM76686

Modified date:

2013-10-28
