IBM Support

HTTP plug-in log records "gsk error 408 (GSK_ERROR_BAD_KEYFILE_PASSWORD)"

Troubleshooting


Problem

When starting the IBM HTTP Server, the following error is recorded in the WebSphere Application Server http_plugin.log file: "gsk error 408 (GSK_ERROR_BAD_KEYFILE_PASSWORD)".

Cause

This error occurs if the plugin-key.sth file referenced by the HTTPS transport in the plugin-cfg.xml file does not exist, is corrupted, or does not correspond with the existing plugin-key.kdb file. Also, the user account that the web server runs under must have read/execute permission on the plugin-key.sth file.

For example:
 

WebSphere Plugin v7.0

<Transport Hostname="hostname" Port="9443" Protocol="https">
<Property name="keyring" value="/IBM/HTTPServer/Plugins/webserver1/plugin-key.kdb"/>
<Property name="stashfile" value="/IBM/HTTPServer/Plugins/webserver1/plugin-key.sth"/>
</Transport>

WebSphere Plugin v8.x

<Transport Hostname="hostname" Port="9443" Protocol="https">
<Property name="keyring" value="/IBM/WebSphere/Plugins/webserver1/plugin-key.kdb"/>
<Property name="stashfile" value="/IBM/WebSphere/Plugins/webserver1/plugin-key.sth"/>
</Transport>

WebSphere Plugin v9.x

<Transport Hostname="hostname" Port="9443" Protocol="https">
<Property name="keyring" value="/IBM/WebSphere/Plugins/webserver1/plugin-key.kdb"/>
<Property name="stashfile" value="/IBM/WebSphere/Plugins/webserver1/plugin-key.sth"/>
</Transport>

Resolving The Problem

To correct the problem, perform the following steps:

  1. Use the iKeyman GUI included with the IBM HTTP Server to open the plugin-key.kdb file. The password to open this file by default is WebAS (case sensitive).
     
  2. After you have the plugin-key.kdb file open, from the menu select: Key Database file > stash password. This creates a new plugin-key.sth file.
     
Note: The IBM HTTP Server must be restarted after making either of the preceding changes.
 
  1. Make sure the plugin-key.sth file exists in the actual directory listed in the preceding example. By default this plugin-key.sth file is created when SSL is enabled within WebSphere Application Server. If the Web server is remote, this file and the plugin-key.kdb file must be copied from the Application Server machine to the remote Web server machine in the directory specified in the preceding example.
     
  2. If the file does exist, make sure the user account that the Web server runs under has read/execute permission on the plugin-key.sth file. Also, it is possible that the plugin-key.sth file is corrupt or does not correspond with the existing plugin-key.kdb file. In that case, you must create a new plugin-key.sth file from the existing plugin-key.kdb file.
  3. It is ESSENTIAL: if there is an RDB file (for example, plugin-key.rdb) and a CRL file (for example, plugin-key.crl) in the same directory as the plugin-key.kdb and plugin-key.sth files, remove these files from the directory.
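
The file-level causes listed above can be checked before restarting the server. The following Python script is an added example, not IBM's code: the function name check_transport_keyfiles is hypothetical, and the script assumes it is run under the web server's account so that the readability check is meaningful. It cannot tell whether the stashed password actually opens the key database; only GSKit can verify that.

```python
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

def check_transport_keyfiles(cfg_path):
    """Return (transport, problem) pairs for every HTTPS transport in plugin-cfg.xml."""
    findings = []
    for t in ET.parse(cfg_path).getroot().iter("Transport"):
        if (t.get("Protocol") or "").lower() != "https":
            continue
        name = f"{t.get('Hostname')}:{t.get('Port')}"
        # Assumption: match attribute names case-insensitively, in case the
        # deployed file writes Name/Value instead of name/value.
        attrs = [{k.lower(): v for k, v in p.attrib.items()} for p in t.findall("Property")]
        props = {a.get("name"): a.get("value") for a in attrs}
        kdb, sth = props.get("keyring"), props.get("stashfile")
        if not kdb or not sth:
            findings.append((name, "keyring or stashfile property is missing"))
            continue
        for path in (kdb, sth):
            if not os.path.isfile(path):
                findings.append((name, f"file does not exist: {path}"))
            elif os.path.getsize(path) == 0:
                findings.append((name, f"file is empty, likely corrupted: {path}"))
            elif not os.access(path, os.R_OK):
                findings.append((name, f"not readable by this account: {path}"))
        stem = os.path.splitext(kdb)[0]
        # Heuristic only: a stash file normally sits beside its .kdb with the same base name.
        if os.path.splitext(sth)[0] != stem:
            findings.append((name, f"stash path does not match key database path: {sth}"))
        for ext in (".rdb", ".crl"):
            if os.path.isfile(stem + ext):
                findings.append((name, f"leftover file to remove: {stem + ext}"))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:
        cfg = sys.argv[1]
    else:  # constructed sample: key database present, stash file absent
        d = tempfile.mkdtemp()
        with open(os.path.join(d, "plugin-key.kdb"), "wb") as f:
            f.write(b"constructed")
        cfg = os.path.join(d, "plugin-cfg.xml")
        with open(cfg, "w") as f:
            f.write('<Config><Transport Hostname="hostname" Port="9443" Protocol="https">'
                    f'<Property name="keyring" value="{d}/plugin-key.kdb"/>'
                    f'<Property name="stashfile" value="{d}/plugin-key.sth"/>'
                    '</Transport></Config>')
    for name, problem in check_transport_keyfiles(cfg):
        print(f"{name}: {problem}")
```

Pass the path to the deployed plugin-cfg.xml as the first argument; an empty result means none of the file-level causes was found.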


If this problem occurs after generating a new key store with Java 8.0 FP3 SR20, take one of the following actions:

1) Upgrade the Web Server Plug-in to 8.0.0.13, 8.5.5.11, or 9.0.0.2

OR

2) If using IBM HTTP Server, obtain an interim fix for PI66931 which updates GSKit to a level that understands the updated stash file format.

OR

3) If using another webserver, re-stash the password using the native command-line tools provided by the Web Server Plug-in.

From the Web Server Plug-in installation root:

Linux (and Solaris/HP-UX):
LD_LIBRARY_PATH=gsk8/gsk8_64 gsk8/gsk8_64/bin/gsk8capicmd_64 -keydb -stashpw -db IBM/WebSphere/webserver1/conf/plugin-key.kdb -pw WebAS

AIX:
LIBPATH=gsk8/gsk8_64/lib64/ gsk8/gsk8_64/bin/gsk8capicmd_64 -keydb -stashpw -db IBM/WebSphere/webserver1/conf/plugin-key.kdb -pw WebAS

Windows:
set PATH=%PATH%;gsk8\gsk8_32\lib
gsk8\gsk8_32\bin\gsk8capicmd -keydb -stashpw -db IBM\WebSphere\webserver1\conf\plugin-key.kdb -pw WebAS

The commands refer to the default plugin-key.kdb key file path location, IBM\WebSphere\config\webserver1\.

NOTE: The gsk8capicmd command is a work-around. To keep the problem from recurring, download and apply the Web Server Plug-in 8.0.0.13, 8.5.5.11, or 9.0.0.2 fix pack. This upgrades the GSKit 8 version bundled with the Web Server Plug-in so that it recognizes the new stash file v2 encryption.

Cross reference information

Product: WebSphere Application Server

Component: Plug-in

Platform: AIX, HP-UX, Linux, Solaris, Windows

Version: 9.0.0.1, 8.5.5, 8.5, 8.0, 7.0

Edition: Base, Network Deployment

Document information

More support for: IBM HTTP Server

Software version: 7.0, 8.0, 8.5, 8.5.5, 9.0.0.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: Base, Network Deployment

Reference #: 1177702

Modified date: 16 August 2018