Certificate for HTTPS is expired.

Flash (Alert)


Abstract

Tivoli Access Manager for e-Business WebSEAL instances that have been properly running stop responding to HTTPS (SSL) requests.

The WebSEAL message log contains errors similar to the following:

2011-08-27-07:42:31.390+00:00I----- 0x38AD54BA webseald WARNING wiv ssl WsSslListener.cpp 919 0x00005657

DPWIV1210W Function call, gsk_secure_soc_init, failed error: 00000191 GSK_ERROR_BAD_DATE.

Content

Symptom

    End users report that access to the Website via HTTPS does not respond.


Cause
    The certificate presented for front facing HTTPS access has expired.
    This can be verified as follows:
      1) Locate the following properties in webseald-instance.conf,
        [ssl]
        webseal-cert-keyfile = /var/pdweb/www-default/certs/pdsrv.kdb
        webseal-cert-keyfile-label = WebSEAL-Test-Only
      2) Display the details of the certificate,
        cd /var/pdweb/www-default/certs
        /opt/PolicyDirector/sbin/dispkdb -f pdsrv.kdb
        Certificate data:
        label: WebSEAL-Test-Only <=== Label from conf file ===>
        is default: no
        key size: 1024
        serial number: 3b8d2986
        issuer DN: CN=Test-Only,OU=Tivoli Systems,O=IBM,C=US
        subject DN: CN=Test-Only,OU=Tivoli Systems,O=IBM,C=US
        issued on: Tue Aug 28 12:42:30 2001
        expires on: Sat Aug 27 12:42:30 2011 <=== Note Expiration Date ===>
Resolving the problem
    Update the webseal-cert-keyfile-label property with the label of a valid cert.
    While waiting for a new certificate, the following commands may be used to create
    a self-signed certificate in order to restart service.
      cd /var/pdweb/www-default/certs
      cp pdsrv.kdb pdsrv.kdb.org
      cp pdsrv.sth pdsrv.sth.org
      ##
      ## Ensure the CN value in the command correctly matches how the Website is accessed.
      ## Set the -expire option as required. The command below creates a cert good for 10 years.
      ## The default password for pdsrv.kdb is pdsrv.
      ##
      gsk7capicmd -cert -create -db pdsrv.kdb -pw pdsrv -size 1024 \
        -dn "CN=hostname.domain.com,O=domain,C=US" -label hostname -expire 3650
      Edit /opt/pdweb/etc/webseald-default.conf and change the following:
      [ssl]
      webseal-cert-keyfile-label = hostname
      Restart WebSEAL.
      This will need to be done on all systems using the WebSEAL-Test-Only (expired) cert.
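As an added example (not part of this technote and not an IBM tool), the shell script below automates the check described under Cause and the log inspection from the Abstract: it reads webseal-cert-keyfile-label from the [ssl] stanza, finds that certificate's "expires on" line in dispkdb output, compares it with a timestamp, and counts DPWIV1210W / GSK_ERROR_BAD_DATE entries in the message log. The conf text, dispkdb output and log lines are constructed samples modelled on the output shown in this note, and the function names are the example's own; in use, feed it the real conf file, the real dispkdb output and the real msg__webseald log.

```shell
#!/bin/sh
# Added example: detect an expired WebSEAL server certificate before (or after)
# users notice HTTPS failing. All inputs below are constructed samples.

# Constructed sample of webseald-instance.conf (only the stanzas we need).
SAMPLE_CONF='[server]
server-name = webseald-default
[ssl]
webseal-cert-keyfile = /var/pdweb/www-default/certs/pdsrv.kdb
webseal-cert-keyfile-label = WebSEAL-Test-Only
'

# Constructed sample of "dispkdb -f pdsrv.kdb" output with two certificates:
# the expired test cert and a replacement labelled "hostname".
SAMPLE_DISPKDB='Certificate data:
label: WebSEAL-Test-Only
is default: no
key size: 1024
serial number: 3b8d2986
issuer DN: CN=Test-Only,OU=Tivoli Systems,O=IBM,C=US
subject DN: CN=Test-Only,OU=Tivoli Systems,O=IBM,C=US
issued on: Tue Aug 28 12:42:30 2001
expires on: Sat Aug 27 12:42:30 2011
Certificate data:
label: hostname
is default: no
key size: 1024
serial number: 1a2b3c4d
issuer DN: CN=hostname.domain.com,O=domain,C=US
subject DN: CN=hostname.domain.com,O=domain,C=US
issued on: Mon Aug 22 10:00:00 2011
expires on: Fri Aug 19 10:00:00 2099
'

# Constructed sample WebSEAL message log (first two lines are the symptom from this note).
SAMPLE_LOG='2011-08-27-07:42:31.390+00:00I----- 0x38AD54BA webseald WARNING wiv ssl WsSslListener.cpp 919 0x00005657
DPWIV1210W Function call, gsk_secure_soc_init, failed error: 00000191 GSK_ERROR_BAD_DATE.
2011-08-27-07:45:02.110+00:00I----- 0x38AD54BA webseald NOTICE wiv general sample.cpp 1 0x00000001 constructed filler line
'

# Print the webseal-cert-keyfile-label value from the [ssl] stanza of conf text $1.
conf_label() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_ssl = ($0 == "[ssl]"); next }
        in_ssl && $1 == "webseal-cert-keyfile-label" { sub(/^[^=]*=[ \t]*/, ""); print; exit }'
}

# Print the "expires on" date of the certificate labelled $2 in dispkdb output $1.
cert_expiry() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^label: / { cur = substr($0, 8) }
        /^expires on: / && cur == want { print substr($0, 13); exit }'
}

# Convert a dispkdb date such as "Sat Aug 27 12:42:30 2011" to YYYYMMDDHHMMSS
# so two dates can be compared numerically without a GNU-only date -d.
sortable_date() {
    set -- $1          # split into: weekday month day hh:mm:ss year
    case $2 in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    d=$(printf '%02d' "$3")
    t=$(printf '%s' "$4" | tr -d ':')
    printf '%s%s%s%s' "$5" "$m" "$d" "$t"
}

# Exit status: 0 = configured cert valid at time $3 (YYYYMMDDHHMMSS, UTC),
# 1 = expired, 2 = label not present in the key database or date unparseable.
check_cert() {   # $1 = conf text, $2 = dispkdb output, $3 = timestamp
    label=$(conf_label "$1")
    expiry=$(cert_expiry "$2" "$label")
    [ -n "$expiry" ] || { echo "label '$label' not found in key database"; return 2; }
    exp_sortable=$(sortable_date "$expiry") || return 2
    if [ "$exp_sortable" -gt "$3" ]; then
        echo "certificate '$label' valid until $expiry"
        return 0
    fi
    echo "certificate '$label' EXPIRED on $expiry (WebSEAL logs GSK_ERROR_BAD_DATE)"
    return 1
}

# Count log lines where gsk_secure_soc_init failed with GSK_ERROR_BAD_DATE.
bad_date_count() {
    printf '%s\n' "$1" | grep -c 'DPWIV1210W.*GSK_ERROR_BAD_DATE'
}

# Stand-alone run against the constructed samples and the current UTC time.
NOW=$(date -u +%Y%m%d%H%M%S)
check_cert "$SAMPLE_CONF" "$SAMPLE_DISPKDB" "$NOW"
echo "exit status $? (0 = valid, 1 = expired, 2 = label not found)"
echo "GSK_ERROR_BAD_DATE entries in log: $(bad_date_count "$SAMPLE_LOG")"
```

Running check_cert on a schedule (well before the expiry date) gives warning of the outage this note describes; after the conf file is edited to point at the replacement label, the same check confirms the new certificate is the one WebSEAL will present.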

Product Alias/Synonym

TAM WebSeal

Document information


More support for:

IBM Security Access Manager for Web
WebSEAL

Software version:

5.1, 6.0, 6.1, 6.1.1

Operating system(s):

All Platforms

Reference #:

1512494

Modified date:

2012-08-22
