IBM Support

Starting SSL-enabled sessions in Rational Host On-Demand clients results in COM 662: Server presented a certificate that is not trusted

Troubleshooting


Problem

When VeriSign or any well-known Certificate Authority signs certificates with a new root certificate, Host On-Demand clients might receive an error when trying to start SSL-enabled sessions: COM 662 server presented a certificate that is not trusted.

Symptom

When using new certificates signed by VeriSign or any well-known Certificate Authority, the Host On-Demand clients are receiving the error, COM 662 'server presented a certificate that is not trusted' when trying to start SSL-enabled sessions.

Cause

VeriSign or another well-known Certificate Authority has new root and interim certificates that it uses to sign certificate requests. These root certificates are not in the WellKnownTrustedCAs.p12 file shipped with Host On-Demand. When the client receives the certificate from the server, it does not recognize it as trusted and presents the COM 662 error, 'server presented a certificate that is not trusted'.

Resolving The Problem

To resolve the problem, use the IBM Certificate Management utility provided with Host On-Demand for Windows or Linux to add the root certificates to the CustomizedCAs.p12 file. You need to have the root certificate from the Certificate Authority, normally a .cer file.

    1. Start the IBM Certificate Management utility.
      • On a Windows machine, select Start > Programs > IBM WebSphere Host On-Demand > Administration > Certificate Management
      • On Linux, navigate to /opt/IBM/HostOnDemand/bin and enter the command ./CertificateManagement

    2. Select Key Database File > Open from the Menu bar.

      Note:
      Select New if you do not have a CustomizedCAs.p12 file.

      You will be presented with a pop up window to Open a database.

    3. Select PKCS12 for Key database type.

    4. Click on the browse button and go to
      • Windows: C:\Program Files\IBM\HostOnDemand\HOD\CustomizedCAs.p12
      • Linux:  /opt/IBM/HostOnDemand/HOD/CustomizedCAs.p12

    5. Click OK

      The next pop up is a window prompting for the password.

    6. Enter the password and click OK.

      The password for CustomizedCAs.p12 must be hod

    7. List the Signer Certificates under Key database content.

    8. Click Add to add the certificate.

    9. Click on Browse and find the .cer file you received from VeriSign

    10. Click Open then OK.

    11. Enter a meaningful label that describes what this root certificate is, then click OK.

      You should then see the certificate listed under Signer Certificates.

    12. Close the database by selecting Key database file > Close.
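
Before step 8 adds the .cer file as a trusted signer, it is worth confirming that the file really is the CA's root. The following shell helper is an added example, not part of IBM's procedure: it accepts a PEM or DER .cer file, checks that it is a self-signed, unexpired root, and compares its SHA-256 fingerprint with the value the CA publishes. It assumes the openssl command-line tool is installed; the script name and the fingerprint argument are placeholders.

```sh
#!/bin/sh
# Added example (not IBM's procedure): vet a CA root .cer file before adding
# it as a signer certificate. Requires the openssl command-line tool.

# Run "openssl x509" on a file that may be PEM (Base64) or binary DER.
x509_any() {
    local file="$1"; shift
    openssl x509 -in "$file" -inform PEM "$@" 2>/dev/null ||
        openssl x509 -in "$file" -inform DER "$@" 2>/dev/null
}

# Print the SHA-256 fingerprint as bare uppercase hex (colons removed).
cert_sha256() {
    local out
    out=$(x509_any "$1" -noout -fingerprint -sha256) || return 1
    printf '%s\n' "${out#*=}" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Succeed only for a self-signed root: subject equals issuer, and the
# signature verifies under the certificate's own key (fails if expired).
is_self_signed_root() {
    local subject issuer pem rc=0
    subject=$(x509_any "$1" -noout -subject) || return 1
    issuer=$(x509_any "$1" -noout -issuer) || return 1
    [ "${subject#subject=}" = "${issuer#issuer=}" ] || return 1
    pem=$(mktemp) || return 1
    x509_any "$1" -out "$pem" || rc=1
    openssl verify -check_ss_sig -CAfile "$pem" "$pem" >/dev/null 2>&1 || rc=1
    rm -f "$pem"
    return "$rc"
}

# check_root_cert FILE EXPECTED_FP
# Return 0 only if FILE is a self-signed root whose SHA-256 fingerprint
# equals EXPECTED_FP, the value the CA publishes out of band.
check_root_cert() {
    local actual expected
    actual=$(cert_sha256 "$1") || { echo "not a certificate: $1" >&2; return 2; }
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    is_self_signed_root "$1" || { echo "not a valid root: $1" >&2; return 3; }
    [ "$actual" = "$expected" ] || { echo "mismatch, got $actual" >&2; return 4; }
    echo "OK to import: $(x509_any "$1" -noout -subject -enddate | tr '\n' ' ')"
}

# Usage (script name is hypothetical): ./check_root.sh root.cer 'AA:BB:...'
if [ "$#" -eq 2 ]; then check_root_cert "$1" "$2"; fi
```

Take the expected fingerprint from the CA's own published root certificate details, not from the same message or download that delivered the .cer file.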

If your Host On-Demand server is on a platform other than Windows or Linux, you can FTP the updated CustomizedCAs.p12 file, in binary mode, to the publish directory on your server, ../hostondemand/HOD.

You can access the Host On-Demand server to download the updated file. The client will then be able to recognize the certificate.

Development will add any new root and intermediate certificates to the WellKnownTrustedCAs.p12 file.


Document Information

Modified date:
02 August 2018

UID

swg21395269