SSL handshake failure in the node agent
Problem(Abstract)
When you use security that is enabled out-of-the-box and select option 2, Use WebSphere Application Server registry, in the Customization dialogs for a WebSphere® Application Server for z/OS® installation, an error message similar to the following is logged in the job log of the node agent:
Trace: 2006/05/10 16:04:37.551 01 t=6B7E78 c=UNK key=S2 (13007002)
ThreadId: 00000018
FunctionName: com.ibm.ws.channel.framework.impl.WSChannelFrameworkImpl
SourceId: com.ibm.ws.channel.framework.impl.WSChannelFrameworkImpl
Category: AUDIT
ExtendedMessage: BBOO0222I: CHFW0019I: The Transport Channel Service has started chain IIOP_SECURE_OUT_9366c15e.
CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=WEBS37.PDL.POK.IBM.COM, OU=S37MCSB1, O=IBM" was sent from target
host:port "WEBS37.pdl.pok.ibm.com:16211".
For example, you might need to add the signer to the /WebSphere/V6R1M0B/AppServer1/profiles/default/config/cells/S37MCLB1/trust.p12 local trust store, which is located in NodeDefaultSSLSettings Secure Sockets Layer (SSL) configuration alias and is loaded from the security.xml SSL configuration file.
The extended error message from the SSL handshake exception is: "No trusted certificate found".
Cause
When you use security that is enabled out-of-the-box, a Resource Access Control Facility (RACF) key ring is created for the user ID of the daemon. However, the certificates from this key ring are not automatically added to the key rings for WebSphere Application Server. Because the certificates in the RACF key ring are not trusted by WebSphere Application Server, error messages result.
Resolving the problem
If you use security that is enabled out-of-the-box, follow these steps to add the signer certificate of the daemon to the trust store of the cell:
- Obtain the SSL port and host name of the daemon.
a. Log in to the administrative console.
b. Click System Administration > Node Groups > DefaultNodeGroup > z/OS location service.
c. Make a note of the SSL port and the host name.
- Add the signer certificate to the trust store.
a. Log in to the administrative console.
b. Click Security > SSL certificate and key management.
c. Under Related items, click Key stores and certificates.
d. Click CellDefaultTrustStore > Signer Certificates > Retrieve from port.
e. Enter the SSL port and host name of the daemon and any name for the alias.
f. Click Retrieve signer information.
g. Click OK.
- Synchronize the nodes.
a. Stop all of the node agents in the cell.
b. From a telnet session, run the following command:
syncNode.sh deployment_manager_host_name deployment_manager_port_number -user user_name -password password
- Restart all of the processes in the cell.
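The CWPKI0022E message shown above already names everything an administrator needs for triage: the signer's SubjectDN, the target host:port that presented it, the trust store the signer is missing from, and the SSL configuration alias. The following Python script is an added example, not part of this technote or of WebSphere; it parses those fields out of a node agent job log (the sample log text is constructed from the message shown above, wrapped across lines the way job logs wrap it) and checks whether the target matches the daemon host name and SSL port obtained from the z/OS location service in step 1, which is the out-of-the-box case this technote describes. Function names and the sample log are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample job log text, taken from the message form shown in the
# technote; the path and host:port fields are wrapped across lines as they
# appear in a z/OS job log.
SAMPLE_JOBLOG = """\
Trace: 2006/05/10 16:04:37.551 01 t=6B7E78 c=UNK key=S2 (13007002)
ThreadId: 00000018
FunctionName: com.ibm.ws.channel.framework.impl.WSChannelFrameworkImpl
SourceId: com.ibm.ws.channel.framework.impl.WSChannelFrameworkImpl
Category: AUDIT
ExtendedMessage: BBOO0222I: CHFW0019I: The Transport Channel Service has started chain IIOP_SECURE_OUT_9366c15e.
CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=WEBS37.PDL.POK.IBM.COM, OU=S37MCSB1, O=IBM" was sent from target
host:port "WEBS37.pdl.pok.ibm.com:16211".
For example, you might need to add the signer to the /WebSphere/V6R1M0B/AppServer1/profiles
/default/config/cells/S37MCLB1/trust.p12 local trust store, which is located in NodeDefaultSSLSettings Secure Sockets Layer (SSL) configuration alias and is loaded from the security.xml SSL configuration file.
The extended error message from the SSL handshake exception is: "No trusted certificate found".
"""


@dataclass
class HandshakeFailure:
    signer_dn: str
    target_host: str
    target_port: int
    trust_store: Optional[str]   # trust store the message says the signer is missing from
    ssl_alias: Optional[str]     # SSL configuration alias that loads that trust store
    reason: Optional[str]        # extended error text from the handshake exception


def parse_handshake_failures(joblog: str) -> list[HandshakeFailure]:
    """Extract every CWPKI0022E record from node agent job log text."""
    # Job logs wrap long fields; join physical lines so regexes see whole values.
    text = " ".join(line.strip() for line in joblog.splitlines())
    failures: list[HandshakeFailure] = []
    # One chunk per CWPKI0022E message, up to the next one or end of text.
    for m in re.finditer(r"CWPKI0022E:.*?(?=CWPKI0022E:|$)", text):
        chunk = m.group(0)
        dn = re.search(r'SubjectDN "([^"]+)"', chunk)
        tgt = re.search(r'host:port "([^":]+):(\d+)"', chunk)
        if not (dn and tgt):
            continue  # not a complete CWPKI0022E record; skip rather than guess
        # The trust store path may be wrapped mid-path ("/profiles /default/...");
        # accept path segments separated by a single space and glue them back.
        ts = re.search(r"add the signer to the (\S+(?: /\S+)*) local trust store", chunk)
        trust_store = ts.group(1).replace(" ", "") if ts else None
        alias = re.search(r"located in (\S+) Secure Sockets Layer", chunk)
        reason = re.search(r'exception is: "([^"]+)"', chunk)
        failures.append(HandshakeFailure(
            signer_dn=dn.group(1),
            target_host=tgt.group(1),
            target_port=int(tgt.group(2)),
            trust_store=trust_store,
            ssl_alias=alias.group(1) if alias else None,
            reason=reason.group(1) if reason else None,
        ))
    return failures


def is_daemon_signer(f: HandshakeFailure, daemon_host: str, daemon_port: int) -> bool:
    """True when the untrusted signer was presented by the daemon's SSL endpoint
    (host name and SSL port as noted from the z/OS location service)."""
    return f.target_host.lower() == daemon_host.lower() and f.target_port == daemon_port


def triage_line(f: HandshakeFailure, daemon_host: str, daemon_port: int) -> str:
    """One-line summary an operator can act on."""
    where = f"{f.target_host}:{f.target_port}"
    if is_daemon_signer(f, daemon_host, daemon_port):
        action = (f"daemon signer not trusted; retrieve signer from port {where} into "
                  f"{f.trust_store or 'the cell trust store'} ({f.ssl_alias or 'n/a'})")
    else:
        action = f"untrusted signer from {where}; verify the endpoint before adding it"
    return f'CWPKI0022E signer "{f.signer_dn}": {action}'


if __name__ == "__main__":
    # Host name and SSL port as they would be noted from the z/OS location service
    # (constructed values matching the sample log).
    for failure in parse_handshake_failures(SAMPLE_JOBLOG):
        print(triage_line(failure, "WEBS37.pdl.pok.ibm.com", 16211))
```

The host comparison is case-insensitive because the job log shows the SubjectDN and the target host name with different capitalisation. If a CWPKI0022E record points at a host:port other than the daemon's, the script deliberately does not recommend importing the signer; the "No trusted certificate found" failure is only expected for the daemon key ring case this technote covers, and any other untrusted signer should be verified first.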