PM76686: A SECURE WEBSPHERE APPLICATION SERVER INTERMITTENTLY STOPS DUE TO SSL HANDSHAKE ERROR CAUSED BY BAD CERTIFICATE LENGTH
Fixes are available
Rational Application Developer for WebSphere Software 9.0
Rational Software Architect 9.0
Rational Software Architect for WebSphere Software 9.0
Rational Application Developer for WebSphere Software Fix Pack 3 (188.8.131.52) for 8.0.4
Rational Application Developer Standard Edition Fix Pack 3 (184.108.40.206) for 8.0.4
Closed as program error.
Abstract: Attempts to add a second (or more) certificate to the product's trust store result in an SSLHandShakeError when the number of characters of the certificate in the form of 'cn=__________' is equal to 29.
Problem: When I add the first secure server to the list of the product's trusted servers, there is no issue; however, when I add the second secure server to the list of the product's trusted servers, an SSLHandShake occurs and causes the server to intermittently stop. The issue occurs when the number of characters of the certificate in the form of 'cn=__________' is equal to 29. The certificate name is based on the distinguished name. WebSphere Application Server truncates the name if it is longer than 32 characters, so that the resulting name is 31 characters. The result is something like 'cn= ____, '. The trailing space is causing an issue. The issue occurs only when adding a second (or more) certificate to the trust store.
Local fix: The suggested workaround is to manually add a few characters when creating a new profile. When creating a new WAS profile, go to advanced profile creation, where you will be able to manually change the certificate name. Changing 'certificatename' to 'certificatenameEXTRACHARACTERS' will be sufficient to resolve the Certificate Chaining Error.
The status of the server may intermittently change from Started to Stopped due to a certificate chaining error. This problem occurs when both of the following conditions are present:
1. Connecting to two or more secure servers
2. The certificate in the form of "cn=__________" is exactly 29 characters
Additional logic was added to handle the trailing space in the certificate name, to ensure that the certificate names in the trust store are unique and added correctly. The fix for this APAR is included in Rational Application Developer v220.127.116.11.
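Under the truncation rule stated above, a 29-character 'cn=...' component followed by the ', ' separator is exactly 31 characters, so the truncated name ends in a space. The following Python pre-flight check is an added example, not IBM's code: it models the truncation only as this APAR describes it, and the function names and sample distinguished names are constructed for illustration.

```python
# Added example. The truncation model below is an assumption taken from the
# APAR text (names longer than 32 characters become 31 characters); the real
# WebSphere implementation is not shown on the page.
TRUNCATE_OVER = 32   # names longer than this are truncated
TRUNCATED_LEN = 31   # length of the name after truncation


def derived_name(dn: str) -> str:
    """Certificate name derived from a distinguished name, per the APAR text."""
    return dn[:TRUNCATED_LEN] if len(dn) > TRUNCATE_OVER else dn


def cn_component(dn: str) -> str:
    """Leading 'cn=...' component (simple split; escaped commas not handled)."""
    return dn.split(",", 1)[0]


def has_trailing_space(dn: str) -> bool:
    """True when the derived name ends in whitespace, the condition in this APAR."""
    name = derived_name(dn)
    return name != name.rstrip()


def pad_cn(dn: str, filler: str = "X", limit: int = 8) -> str:
    """Apply the local fix: lengthen the name until no trailing space remains."""
    cn, sep, rest = dn.partition(",")
    for _ in range(limit):
        if not has_trailing_space(cn + sep + rest):
            return cn + sep + rest
        cn += filler
    raise ValueError("padding did not remove the trailing space")


# Constructed sample DNs (hypothetical hosts); the first has a 29-character cn.
AFFECTED = "cn=appsrv001.example.internal, ou=Node01Cell, ou=Node01, o=Example, c=US"
UNAFFECTED = "cn=appsrv01.example.internal, ou=Node01Cell, ou=Node01, o=Example, c=US"

if __name__ == "__main__":
    for dn in (AFFECTED, UNAFFECTED, pad_cn(AFFECTED)):
        print(len(cn_component(dn)), repr(derived_name(dn)), has_trailing_space(dn))
```

Run it against the distinguished name planned for a new profile before creating the profile; a True in the last column means the name should be lengthened as in the local fix.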
Reported component name
SW ARCHITECT WI
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
RATL APP DEV WI
Fixed component ID
Applicable component levels