PH57998: ERROR DETECTED WHILE OPENING THE CERTIFICATE DATABASE

APAR status

Closed as program error.

Error description

http plugin log file issues the following error when attempting
to read the plugin-key.kdb generated from WebSphere at 8.5.5.24
on z/OS

ERROR: lib_security: logSSLError: str_security (gsk error 202):
Error detected while opening the certificate database

Attempting to open the plugin-key.kdb with gskkyman surfaces
error

Unable to open plugin-key.kdb

Status 0x0335300a - Database is not valid.

Local fix

Generate a new plugin-key.kdb using gskkyman and import the
signer certificates from WebSphere.

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server                                      *
*                  V8.5 and V9.0 webserver plugins.            *
****************************************************************
* PROBLEM DESCRIPTION: WebServer Plugin fails to               *
*                      open plugin-key.kdb created with Java   *
*                      8 SR8 and later.                        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
After CMSProvider is updated to version 2.65 or above,
gskkeyman.cmd is no longer able to open plugin-key.kdb created
by the WebSphere.
The issue is observed on Z/OS platform, IBM i platform or when
the WebSphere plugin has FIPS enabled.
To check the CMS provider version, run the following command
> ikeycmd -DADD_CMS_SERVICE_PROVIDER_ENABLED=true -version

Problem conclusion

On zOS platform and IBMi platform, the code has been updated to
change the way plugin-key.kdb created.

On non-zOS platform, the following custom property should be set
to false if FIPS is enabled on WebSphere plugin.

Custom property: com.ibm.websphere.security.cms.usepqc
Default value: true

The fix for this APAR is targeted for inclusion in fix pack
8.5.5.25 and 9.0.5.19. For more information, see 'Recommended
Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553

Temporary fix

Comments

APAR Information

APAR number
PH57998
Reported component name
WEBSPHERE FOR Z
Reported component ID
5655I3500
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-11-03
Closed date
2023-12-19
Last modified date
2023-12-19

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPHERE FOR Z
Fixed component ID
5655I3500

Applicable component levels

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
20 December 2023

Tips

PH57998: ERROR DETECTED WHILE OPENING THE CERTIFICATE DATABASE

Subscribe to this APAR

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

Document Information

Share your feedback

Need support?