IBM Support

Default Dummy certificates expiring October 13 2021

Troubleshooting


Problem

The default certificates shipped in WebSphere 4.0, 5.0, 5.1, and 6.0 will expire on October 13 2021. At that time, the certificates will no longer be usable.
Note: These default certificates are not intended for use in production environments. They are shared between all WebSphere 4, 5, and 6.0 installations, constructed using a small key size, and signed using an algorithm which is no longer secure.

Environment

The problem affects environments that were originally running on WebSphere 4.0, 5.0, 5.1, or 6.0 using the default (not recommended) certificate configuration. These releases are all out of support and the instructions in this document do not apply to these releases. Please note that IBM Support cannot assist with cases opened for products which are out of support.
There is a small chance that this problem may also affect some newer WebSphere environments which were migrated from WebSphere 4.0, 5.0, 5.1, or 6.0, depending on the steps that were taken during the migration. The steps in this document apply to such migrated environments.
Most environments will not be affected by this issue. To confirm whether an environment is affected:
  1. In the WebSphere Administrative Console, navigate to Security > SSL Certificate and Key Management > Keystores and Certificates
    • If there are no keystores called "DummyServerKeyFile", the environment is not affected by this issue.
      Stop here, no further action needed.
  2. In the SystemOut.log, look for the CWPKI0051I message.
    • If the message includes MD5withRSA, the environment is not affected by this issue.
      Stop here, no further action needed.
  3. In the WebSphere Administrative Console, navigate to Security > SSL Certificate and Key Management > SSL Configurations
    • For each configuration listed on this page, click the configuration name, then check the Trust Store Name and Key Store Name.
      • If the Key Store Name field includes a keystore called "DummyServerKeyFile"
        • Click on Keystores and certificates, then click on DummyServerKeyFile, then click on Personal Certificates.
        • If any of the certificates on this panel have an expiration date of October 13 2021, the environment is affected.
          Continue on to the Resolving the Problem section.
    • If none of the certificates in any of the keystores has an expiration date of October 13 2021, the environment is not affected.
      Stop here, no further action is needed.
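
The expiration-date check in step 3 can also be run offline against a copy of a keystore file, which helps when several node profiles each hold their own DummyServerKeyFile.jks. This is an added example, not IBM's code: it parses saved `keytool -list -v` output, assumed to use keytool's English date format, and lists the aliases whose certificate expires on October 13 2021. The sample output and alias names are constructed.

```python
import re
from datetime import date

DUMMY_EXPIRY = date(2021, 10, 13)  # expiry date named in this document
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
UNTIL_RE = re.compile(
    r"until:\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+\S+\s+(\d{4})")

# Constructed sample of `keytool -list -v` output; aliases are made up.
SAMPLE = """\
Alias name: sample_dummy_alias
Certificate chain length: 1
Certificate[1]:
Valid from: Sat Oct 13 10:00:00 UTC 2001 until: Wed Oct 13 10:00:00 UTC 2021
Signature algorithm name: MD5withRSA

Alias name: sample_chained_alias
Certificate chain length: 2
Certificate[1]:
Valid from: Thu Oct 14 09:00:00 UTC 2021 until: Fri Oct 14 09:00:00 UTC 2022
Signature algorithm name: SHA256withRSA
Certificate[2]:
Valid from: Mon Jan 04 09:00:00 UTC 2021 until: Mon Dec 31 09:00:00 UTC 2035
Signature algorithm name: SHA256withRSA
"""

def parse_entries(text):
    """Return one record per alias, using the first (leaf) certificate."""
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Alias name:"):
            cur = {"alias": line.split(":", 1)[1].strip(),
                   "not_after": None, "sig_alg": None}
            entries.append(cur)
        elif cur and line.startswith("Valid from:") and not cur["not_after"]:
            m = UNTIL_RE.search(line)
            if m and m.group(1) in MONTHS:  # skip non-English date output
                cur["not_after"] = date(int(m.group(3)), MONTHS[m.group(1)],
                                        int(m.group(2)))
        elif cur and line.startswith("Signature algorithm") and not cur["sig_alg"]:
            cur["sig_alg"] = line.split(":", 1)[1].strip()
    return entries

def affected_aliases(text, expiry=DUMMY_EXPIRY):
    """Aliases whose leaf certificate expires on the date in this document."""
    return [e["alias"] for e in parse_entries(text) if e["not_after"] == expiry]

if __name__ == "__main__":
    print(affected_aliases(SAMPLE))
```

An empty list for every keystore corresponds to the "not affected" outcome of step 3; any alias returned means the environment needs the steps under Resolving The Problem.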

Resolving The Problem

If the WebSphere Administrative Console is not accessible, follow these instructions to disable security and access the Administrative Console using the unencrypted (http) port:
https://www.youtube.com/watch?v=LXnSsbu17PE (video version)
https://www.ibm.com/support/pages/node/127659 (text version)
  1. In the WebSphere Administrative Console, navigate to Security > SSL Certificate and Key Management > Keystores and Certificates
  2. For each keystore named "DummyServerKeyFile", click the keystore name and then use the Create > Chained certificate... button to create a new certificate signed by the WebSphere internal certificate authority.
  3. Save the changes and (if needed) re-enable security.
  4. If the environment is a Network Deployment, copy the DummyServerKeyFile.jks file from the PROFILE_ROOT/etc/ directory on the Deployment Manager machine to the PROFILE_ROOT/etc/ directory on the node profile(s). The file is not automatically synchronized because it is outside of the WAS config directory, so it must be manually copied.
  5. If you needed to re-enable security, restart the server for that change to take effect. The certificate changes will take effect immediately as they are made.
If the environment is configured with a webserver that uses the WebSphere webserver plugin, follow these instructions to import the signer for the new certificate into the plugin truststore:
https://www.youtube.com/watch?v=jPOrYE5tAhM (video version)
https://www.ibm.com/support/pages/node/136873 (text version)

Document Location

Worldwide


Document Information

Modified date:
14 October 2021

UID

ibm16495431