Saturday, October 23, 2021

WebSphere Dummy certificate expired - DummyServerKeyFile.jks, DummyServerTrustFile.jks


If you ran into the expired IBM-provided dummy certificate just like we did and are looking for a solution, this blog post is for you. You can reach out if you need guidance and I will try to help as time permits.

Exception in the log:

Exception stack trace: javax.naming.NamingException: Error during resolve. Root exception is org.omg.CORBA.COMM_FAILURE: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E: javax.net.ssl.SSLHandshakeException - The client and server could not negotiate the desired level of security. Reason: certificate expired vmcid: 0x49421000 minor code: 70 completed: No

at com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl.createSSLSocket(WSSSLClientSocketFactoryImpl.java:1143)

[10/14/21 10:14:06:262 EDT]  cec6923 SASRas        A JSAS0001I: Security configuration initialized.

[10/14/21 10:14:06:995 EDT]  cec6923 SASRas        E JSAS0455E: ERROR in sasOutboundSSLConfig:  The certificate with alias websphere dummy server from keyStore /usr/WebSphere/AppServer/etc/DummyServerKeyFile.jks is expired.

[10/14/21 10:14:07:163 EDT]  cec6923 SASRas        E JSAS0455E: ERROR in sasInboundSSLConfig:  The certificate with alias websphere dummy server from keyStore /usr/WebSphere/AppServer/etc/DummyServerKeyFile.jks is expired.

[10/14/21 10:14:07:183 EDT]  cec6923 SASRas        E JSAS0455E: ERROR in csiOutboundSSLConfig:  The certificate with alias websphere dummy server from keyStore /usr/WebSphere/AppServer/etc/DummyServerKeyFile.jks is expired.

[10/14/21 10:14:07:201 EDT]  cec6923 SASRas        E JSAS0455E: ERROR in csiInboundSSLConfig:  The certificate with alias websphere dummy server from keyStore /usr/WebSphere/AppServer/etc/DummyServerKeyFile.jks is expired.



IBM did provide details on how to generate the certificates, but that didn't work for us.

https://www.ibm.com/support/pages/node/6495431

We have an older version of WebSphere (WAS 5.0) which does not have the "SSL Certificates and Key Management" menu in the WebSphere console.

We also have a newer version of WebSphere in our organization, but we couldn't find Create > Chained certificate for the dummy certificates below, as the newer version of WebSphere uses P12 (PKCS12) key and trust files.


DummyServerKeyFile.jks - server key file

DummyServerTrustFile.jks - server trust file

DummyClientKeyFile.jks - client key file

DummyClientTrustFile.jks - client trust file


High level steps

Step 1: You need to disable security

This may not apply to you if your application is internet facing; it is for a back-office application used only within the intranet.

SSL and form login are configured for the web application in the global security settings. Disable them first by editing:

/usr/WebSphere/DeploymentManager/config/cells/<host>/security.xml


<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" 
xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi" 
xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" 
xmi:id="Security_1121098131908" useLocalSecurityServer="true" 
useDomainQualifiedUserNames="false" 
enabled="true" 
cacheTimeout="5400" issuePermissionWarning="true" activeProtocol="BOTH" enforceJava2Security="false" 
activeAuthMechanism="LTPA_1121098131909" activeUserRegistry="LDAPUserRegistry_1121098131910" 
defaultSSLSettings="SSLConfig_1121098131909">


<singleSignon xmi:id="SingleSignon_1" requiresSSL="false" domainName="" enabled="true"/>

Change enabled="true" to enabled="false" on both the security:Security element and the singleSignon element:

<security:Security xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" 
xmlns:orb.securityprotocol="http://www.ibm.com/websphere/appserver/schemas/5.0/orb.securityprotocol.xmi" 
xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" 
xmi:id="Security_1121098131908" useLocalSecurityServer="true" 
useDomainQualifiedUserNames="false" 
enabled="false" 
cacheTimeout="5400" issuePermissionWarning="true" activeProtocol="BOTH" enforceJava2Security="false" 
activeAuthMechanism="LTPA_1121098131909" activeUserRegistry="LDAPUserRegistry_1121098131910" 
defaultSSLSettings="SSLConfig_1121098131909">

<singleSignon xmi:id="SingleSignon_1" requiresSSL="false" domainName="" enabled="false"/>

 
Step 2: Restart the Deployment Manager.

This is a temporary workaround only, until you deploy your new certificate; security is re-enabled at the end of this procedure.

The next step is to create the SSL certificates.


We tried many other options, but the one that worked for us was IKEYMAN.

1. deploying a certificate from other app servers like JBoss/WebLogic
2. resetting the server clock and hardware clock:
date 0928195220
hwclock --systohc
3. disabling security (steps above)
4. ikeyman --> success! (you may want to install WebSphere on your local machine if ikeyman doesn't work on Linux/Unix)

Here is how it looks. (Reach out if you can't get it to work and I will try to help.)




IBM did provide a guide - https://www.cgisecurity.com/lib/sg246573.pdf (see 10.9 Demo keyfile, page 261) - but use it as a reference only, as we found that some of the steps are missing. I still recommend going through the guide to understand the concepts.







Please make sure that you create the certificates as below. The signer (client and server) steps are missing from the guide, and it didn't work for us on the first try.

Lines marked "added ->" are additional entries you add to the keystore once you finish the steps from the guide.



DummyServerKeyFile.jks -> signer - client and server
                          personal certificate - websphere dummy server

WASV5ServerKeyFile.jks -> personal certificate - websphere dummy server
added -> signer - client and server

DummyServerTrustFile.jks -> signer - websphere dummy client and websphere dummy server

WASV5ServerTrustFile.jks -> signer - websphere dummy client
added -> signer - websphere dummy server

DummyClientKeyFile.jks -> signer - client and server
                          personal certificate - websphere dummy client

WASV5ClientKeyFile.jks -> personal certificate - websphere dummy client
added -> signer - client and server

DummyClientTrustFile.jks -> signer - websphere dummy client and websphere dummy server

WASV5ClientTrustFile.jks -> signer - websphere dummy server
added -> signer - websphere dummy client
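As an added example (not from the post and not IBM's tooling), a small Python checker that parses the output of `keytool -list -v -keystore <file>` for one of these keystores, flags entries that are expired or close to expiry (the condition behind the JSAS0455E errors above), and verifies the keystore holds the signer and personal entries listed above. The sample listing is constructed, and the signer alias names "client" and "server" are assumed from the post's wording.

```python
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -v -keystore DummyServerKeyFile.jks` output
# (not real IBM data): the personal certificate has expired and one signer is missing.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS

Alias name: websphere dummy server
Entry type: PrivateKeyEntry
Valid from: Wed Oct 10 12:00:00 EDT 2001 until: Sat Oct 09 12:00:00 EDT 2021

Alias name: server
Entry type: trustedCertEntry
Valid from: Wed Oct 10 12:00:00 EDT 2001 until: Fri Oct 03 12:00:00 EDT 2025
"""

# Entries the post says DummyServerKeyFile.jks must hold after the fix; the alias
# names "client" and "server" for the signer entries are assumed from the post.
EXPECTED_SERVER_KEYFILE = {"websphere dummy server": "PrivateKeyEntry",
                           "client": "trustedCertEntry", "server": "trustedCertEntry"}

def parse_keytool_date(text):
    """Parse keytool's 'Sat Oct 09 12:00:00 EDT 2021'; the zone token is dropped."""
    parts = text.split()
    del parts[4]  # time-zone abbreviation is not portable across platforms
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_keytool_listing(text):
    """Map alias -> {'type', 'not_after'} from `keytool -list -v` output."""
    entries, alias = {}, None
    for line in text.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = {"type": None, "not_after": None}
        elif alias and line.startswith("Entry type:"):
            entries[alias]["type"] = line.split(":", 1)[1].strip()
        elif alias and line.startswith("Valid from:") and entries[alias]["not_after"] is None:
            # The first 'Valid from' of an entry is the end-entity cert; later ones are chain.
            entries[alias]["not_after"] = parse_keytool_date(line.split("until:", 1)[1])
    return entries

def expiring_entries(entries, now, warn_days=30):
    """Aliases already expired or expiring within warn_days of `now`."""
    limit = now + timedelta(days=warn_days)
    return sorted(a for a, e in entries.items() if e["not_after"] and e["not_after"] <= limit)

def missing_entries(entries, expected):
    """Expected aliases that are absent or stored with the wrong entry type."""
    return sorted(a for a, t in expected.items() if entries.get(a, {}).get("type") != t)
```

Run it against the real listing of each keystore before re-enabling security, and on a schedule afterwards so the next expiry is caught before the JSAS0455E errors return.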





Deploy the certificates as below for the Deployment Manager and the application server.




Remember to re-enable security: follow the steps above, but this time change false back to true.

Stop order: Application -> NodeAgent -> Deployment Manager
Start order: Deployment Manager -> NodeAgent -> Application

I only created new certificates for one year and deployed them, but I will go back and recreate them for the next 5 years.






