Synchronization fails with SSLHandshakeException "No trusted certificate found"

Technote (troubleshooting)


Problem (Abstract)

Synchronization between the nodeagents and deployment manager fails with an SSLHandshakeException ("No trusted certificate found") error in the IBM® WebSphere® Application Server logs SystemOut.log and/or SystemErr.log.

Symptom

You cannot synchronize the nodes with the deployment manager. Messages such as "synchronization failed" appear in the administrative console or when running the syncNode script located in the <install_root>/profiles/<profile_name>/bin directory.

[10/1/07 14:34:09:542 MDT] 00000040 ORBRas        E
 com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl
 createSSLSocket ProcessDiscovery : 0 JSSL0080E:
 javax.net.ssl.SSLHandshakeException - The client and server could
 not negotiate the desired level of security.  Reason:
 com.ibm.jsse2.util.h: No trusted certificate found
 javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No
 trusted certificate found



Cause

One or both of the following:

1. The personal certificate has not been added to the truststore file(s).
2. The truststore file containing the correct certificate has not been copied throughout the cell.


Environment

WebSphere deployment manager with one or more federated nodes. Global security is enabled on the deployment manager.

Resolving the problem

  1. Add the personal certificate to the signer section of the trustfile (trust.p12). For default configurations, you can extract the personal certificate from the key.p12 file and add it to the signer section of trust.p12. For more information, see the Information Center topics Certificate management or Certificate management using iKeyman.
  2. Place a copy of the trustfile with the correct certificate in these three directories on the deployment manager (dmgr):
    <install_root>/profiles/dmgr/etc
    <install_root>/profiles/dmgr/config/cells/<your cellname>
    <install_root>/profiles/dmgr/config/cells/<your cellname>/nodes/<your nodename>

    It is a good idea to make sure the key.p12 file also matches in these directories.
  3. Once the *.p12 files are correct on the dmgr, use the synchronization process to push them down to the nodes. Do the following:
    1. Ensure that all processes are stopped: dmgr, nodeagents and servers.
    2. Start the dmgr only. Do not start the nodeagents.
    3. Run the syncNode script from the node's bin directory (not the dmgr's bin directory): <install_root>/profiles/<node_profile_name>/bin

      ./syncNode.sh <dmgr hostname> <SOAP port of dmgr> for UNIX® platforms
      syncNode.bat <dmgr hostname> <SOAP port of dmgr> for Windows® platforms

      *Note: The default SOAP port of the deployment manager is 8879.

      You can find the value inside the serverindex.xml file for the deployment manager. This file is located in the <install_root>/profiles/<dmgr_profile>/config/cells/<your cellname>/nodes/<dmgr_nodename> directory. It is the port number associated with the SOAP_CONNECTOR_ADDRESS.

      Running syncNode will push the *.p12 files from the dmgr directories to the node's directories. Run syncNode on each of the nodes in your cell.
    4. After synchronization, you still need to manually copy the *.p12 files into the node's etc directories, profiles/<your profile name>/etc. Do this for every node in your cell.
    5. Start the nodes and servers.
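
The following script is an added example, not part of the original technote or any IBM tooling. It checks that trust.p12 and key.p12 are byte-identical across the directories named in step 2 (and, after step 3, the node copies) by comparing SHA-256 digests. The directories are passed as arguments, and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example: confirm every copy of a *.p12 store is byte-identical.
# Usage: sh check_p12.sh DIR1 DIR2 DIR3 ...
#   where DIRn are the etc, cell and node directories from step 2.

# sha256_of FILE: print the SHA-256 hex digest with whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# check_p12_copies NAME DIR...
# Returns 0 only if NAME exists in every DIR with the same digest as the
# first copy found; prints one status line per directory.
check_p12_copies() {
    name=$1; shift
    ref=""; rc=0
    for dir in "$@"; do
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING   $f"; rc=1; continue
        fi
        sum=$(sha256_of "$f")
        [ -n "$ref" ] || ref=$sum      # first copy found is the reference
        if [ "$sum" = "$ref" ]; then
            echo "OK        $f"
        else
            echo "MISMATCH  $f"; rc=1
        fi
    done
    return $rc
}

# When directories are given on the command line, check both stores.
if [ "$#" -gt 0 ]; then
    status=0
    check_p12_copies trust.p12 "$@" || status=1
    check_p12_copies key.p12 "$@" || status=1
    exit $status
fi
```

A MISMATCH or MISSING line identifies the directory whose store was not updated before running syncNode; matching digests show the files are the same, not that the correct signer is inside them.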

If the problem remains, contact IBM support, and follow the instructions in MustGather for JSSE, SSL, or JCE problems.

Document information


More support for:

WebSphere Application Server

Software version:

6.1, 7.0

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition:

Network Deployment

Reference #:

1279327

Modified date:

2008-07-17
