Tivoli Access Manager for e-business WebSEAL instances that have been running normally stop responding to HTTPS (SSL) requests.
The WebSEAL message log contains errors similar to the following:
2011-08-27-07:42:31.390+00:00I----- 0x38AD54BA webseald WARNING wiv ssl WsSslListener.cpp 919 0x00005657
DPWIV1210W Function call, gsk_secure_soc_init, failed error: 00000191 GSK_ERROR_BAD_DATE.
End users report that the Web site does not respond when accessed over HTTPS.
The server certificate presented for front-facing HTTPS access has expired, so GSKit rejects it with GSK_ERROR_BAD_DATE when the listener initialises the SSL socket. (The validity dates are checked against the system clock, so also confirm that the clock on the WebSEAL host is correct.)
This can be verified as follows:
1) Locate the following properties in webseald-<instance>.conf (for example /opt/pdweb/etc/webseald-default.conf):
webseal-cert-keyfile = /var/pdweb/www-default/certs/pdsrv.kdb
webseal-cert-keyfile-label = WebSEAL-Test-Only
2) Display the certificates in the key database named by webseal-cert-keyfile (run from the directory containing pdsrv.kdb) and find the entry whose label matches webseal-cert-keyfile-label:
/opt/PolicyDirector/sbin/dispkdb -f pdsrv.kdb
label: WebSEAL-Test-Only <=== Label from conf file ===>
is default: no
key size: 1024
serial number: 3b8d2986
issuer DN: CN=Test-Only,OU=Tivoli Systems,O=IBM,C=US
subject DN: CN=Test-Only,OU=Tivoli Systems,O=IBM,C=US
issued on: Tue Aug 28 12:42:30 2001
expires on: Sat Aug 27 12:42:30 2011 <=== Note Expiration Date ===>
Resolving the problem
Update the webseal-cert-keyfile-label property with the label of a valid certificate in the key database.
While waiting for a replacement certificate from the certificate authority, the following commands can be used to create
a self-signed certificate so that service can be restored. Clients will warn about a self-signed certificate, so treat it as a temporary measure only.
cp pdsrv.kdb pdsrv.kdb.org
cp pdsrv.sth pdsrv.sth.org
## Ensure the CN value in the command matches the host name clients use to reach the Web site.
## Set the -expire option as required. The command below creates a cert good for 10 years.
## 1024-bit RSA keys are below current minimums; use -size 2048 where the installed GSKit supports it.
## The default password for pdsrv.kdb is pdsrv.
gsk7capicmd -cert -create -db pdsrv.kdb -pw pdsrv -size 1024 \
Edit /opt/pdweb/etc/webseald-default.conf (or the conf file of the affected instance) and change the following, where hostname is the label given to the new certificate:
webseal-cert-keyfile-label = hostname
This must be done on every system that uses the expired WebSEAL-Test-Only certificate, and each WebSEAL instance must be restarted for the change to take effect.
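The verification steps (locating the label in the conf file and reading the dispkdb output) and the recovery steps above, as one added script. This is example code written for this page, not part of the IBM technote or the product: it parses dispkdb output to decide whether the certificate named by webseal-cert-keyfile-label has expired, rewrites the conf file to point at a replacement label, and wraps the technote's backup-and-create commands. The dispkdb text is constructed, the label webseal.example.com and the 3650-day validity are assumptions, the key size is raised from the page's 1024 to 2048, and the gsk7capicmd options -dn, -label and -expire are supplied because the invocation on the page is cut off after -size.

```sh
#!/bin/sh
# Added example (not from the IBM technote): detect an expired WebSEAL server
# certificate from dispkdb output, point the instance at a replacement label,
# and wrap the technote's emergency self-signed-certificate commands.
# Assumptions: dispkdb prints one "label:" ... "expires on:" group per
# certificate, the sample below is constructed, and gsk7capicmd accepts
# -dn, -label and -expire (the page's invocation is cut off after -size).

# Constructed dispkdb output: the expired test certificate from the technote
# plus a hypothetical replacement already present in pdsrv.kdb.
SAMPLE_DISPKDB='label: WebSEAL-Test-Only
is default: no
key size: 1024
serial number: 3b8d2986
issuer DN: CN=Test-Only,OU=Tivoli Systems,O=IBM,C=US
subject DN: CN=Test-Only,OU=Tivoli Systems,O=IBM,C=US
issued on: Tue Aug 28 12:42:30 2001
expires on: Sat Aug 27 12:42:30 2011
label: webseal.example.com
is default: yes
key size: 2048
serial number: 4fa1c002
issuer DN: CN=webseal.example.com,O=Example,C=US
subject DN: CN=webseal.example.com,O=Example,C=US
issued on: Mon Jan  1 00:00:00 2024
expires on: Sun Dec 31 00:00:00 2090'

# Print the "expires on" time of the certificate labelled $1 as YYYYMMDDHHMMSS.
# dispkdb output is read from stdin; nothing is printed if the label is absent.
cert_expiry() {
    awk -v want="$1" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        /^label:/ { cur = $0; sub(/^label: */, "", cur) }
        /^expires on:/ && cur == want {
            # fields: expires on: <dow> <mon> <day> <HH:MM:SS> <year>
            split($6, t, ":")
            printf "%04d%02d%02d%02d%02d%02d\n", $7, mon[$4], $5, t[1], t[2], t[3]
        }'
}

# Exit 0 if the certificate labelled $1 has expired at $2 (YYYYMMDDHHMMSS;
# default: now in UTC), 1 if it is still valid, 2 if the label is not found.
# Caveat: dispkdb prints times in the host's local zone, so a certificate
# within a few hours of expiry may be misjudged; rely on the log entry then.
cert_expired() {
    label=$1
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    expiry=$(cert_expiry "$label")
    if [ -z "$expiry" ]; then
        echo "no certificate labelled '$label' in the key database" >&2
        return 2
    fi
    awk -v e="$expiry" -v n="$now" 'BEGIN { exit (e < n) ? 0 : 1 }'
}

# Rewrite webseald-<instance>.conf (stdin to stdout) so that the instance
# presents the certificate labelled $1. Labels containing "/" are not handled.
set_keyfile_label() {
    sed "s/^webseal-cert-keyfile-label[[:space:]]*=.*/webseal-cert-keyfile-label = $1/"
}

# Emergency replacement as in the technote: back up the key database and its
# stash file, then create a self-signed certificate labelled with the host
# name clients use. pdsrv is the documented default password; the key size is
# raised from the page's 1024 to 2048 and 3650 days is the page's ten years.
renew_self_signed() {
    certdir=$1; host=$2; pw=${3:-pdsrv}
    cd "$certdir" || return 1
    cp pdsrv.kdb pdsrv.kdb.org && cp pdsrv.sth pdsrv.sth.org || return 1
    gsk7capicmd -cert -create -db pdsrv.kdb -pw "$pw" -size 2048 \
        -dn "CN=$host" -label "$host" -expire 3650
}

# Demo on the constructed sample at 2011-09-01 00:00:00, a few days after the
# log entry in the technote: the test certificate is expired, the other is not.
for label in WebSEAL-Test-Only webseal.example.com; do
    status=0
    printf '%s\n' "$SAMPLE_DISPKDB" | cert_expired "$label" 20110901000000 || status=$?
    case $status in
        0) echo "$label: EXPIRED, set webseal-cert-keyfile-label to a valid label" ;;
        1) echo "$label: valid" ;;
        *) echo "$label: not present in key database" ;;
    esac
done
```

On a live system, replace the constructed sample with the real output of dispkdb -f on the file named by webseal-cert-keyfile, and feed the instance's conf file through set_keyfile_label into a new file before moving it into place; the renew_self_signed function is only for the stop-gap case and still leaves you with a certificate that clients will not trust until the CA-issued replacement is installed.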
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.