IBM Support

How to fix this error javax.net.ssl.SSLHandshakeException TrustAnchor with subject "CN=pdca, O=Policy Director, C=US"

Troubleshooting


Problem

After installing fix pack 8.5.5.17 with JDK 1.8 SR6 FP5 or JDK 1.8 SR6 FP6 on our WebSphere Application Server ND, communication between WebSphere and ISAM was lost.

Symptom

I noticed the following error in ISAM logs and WAS logs.

ISAM logs show the following error:
2020.04.06 22:50:31.514 ----- PROGRAM ERROR null null com.tivoli.pd.jts.RemoteConnection sendIt server.startup : 0
HPDJA0116E   Cannot contact server.
  javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path validation failed: com.ibm.jsse2.util.h: TrustAnchor with subject "CN=pdca, O=Policy Director, C=US" is not a CA certificate
    at com.ibm.jsse2.k.a(k.java:41)
    at com.ibm.jsse2.av.a(av.java:147)
    at com.ibm.jsse2.D.a(D.java:103)
    at com.ibm.jsse2.D.a(D.java:432)
    at com.ibm.jsse2.E.a(E.java:248)

WAS SystemOut.log shows the following error:
[4/6/20 18:50:31:513 EDT] 0000008c SystemOut     O   server.startup : 0, handling exception: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path validation failed: com.ibm.jsse2.util.h: TrustAnchor with subject "CN=pdca, O=Policy Director, C=US" is not a CA certificate

Output of java -version on the affected node:
java -version
java version "1.8.0_241"
Java(TM) SE Runtime Environment (build 8.0.6.6 - pxa6480sr6fp6ifix-20200317_01(SR6 FP6+IJ22800+IJ23014+IJ23018))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20200124_438197 (JIT enabled, AOT enabled)
OpenJ9 - 6754bf2
OMR    - dca2cde
IBM    - 5cc5f54)
JCL - 20200303_01 based on Oracle jdk8u241-b07

Cause

IBM Java 8 is behaving as designed, and its behavior is consistent with Oracle JDK 8. The code that performs this check and throws the exception was added in IBM Java 8 SR6 FP5 to carry a required Oracle Security Bulletin fix, "Oracle Security-in-Depth Fix 8230318: Better trust store usage". The problem report associated with this OSB is 142585.
====== "Oracle Security-in-Depth Fix 8230318" ======
New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.
A new system property named jdk.security.allowNonCaAnchor has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.
The default value of this property, if not set, is "false".
Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).
This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.
=================================
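Before applying the workaround below, it is worth confirming which trust anchors the JVM will now reject. The following program is an added example, not code from this technote or from IBM: it applies the three rules quoted above (X.509 v1 exempt; Basic Constraints with cA=true required; keyCertSign required if Key Usage is present) to every trusted-certificate entry in a Java keystore and reports the entries that would fail. It assumes the keystore path and password are supplied as arguments and that the store is JKS or PKCS12, selected by file extension (WebSphere truststores are usually PKCS12).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class TrustAnchorCheck {

    // Index of the keyCertSign bit in the array returned by X509Certificate.getKeyUsage().
    private static final int KEY_CERT_SIGN = 5;

    /**
     * Applies the rules from the 8230318 release note to one certificate.
     * Returns null if the certificate is acceptable as a trust anchor,
     * otherwise a short reason for rejection.
     */
    static String rejectReason(X509Certificate cert) {
        // The check does not apply to X.509 v1 certificates, which cannot carry extensions.
        if (cert.getVersion() == 1) {
            return null;
        }
        // getBasicConstraints() returns -1 when the extension is absent or cA is false.
        if (cert.getBasicConstraints() < 0) {
            return "Basic Constraints extension missing or cA=false";
        }
        // getKeyUsage() returns null when the extension is absent; if present, keyCertSign must be set.
        boolean[] keyUsage = cert.getKeyUsage();
        if (keyUsage != null && (keyUsage.length <= KEY_CERT_SIGN || !keyUsage[KEY_CERT_SIGN])) {
            return "Key Usage extension present but keyCertSign bit not set";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustAnchorCheck <truststore.(p12|jks)> <password>");
            System.exit(2);
        }
        String path = args[0];
        // Assumption: the store type follows the file extension; anything not .jks is treated as PKCS12.
        String type = path.toLowerCase().endsWith(".jks") ? "JKS" : "PKCS12";
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, args[1].toCharArray());
        }

        int rejected = 0;
        for (Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            // Only trusted-certificate entries act as trust anchors; key entries hold this server's own identity.
            if (!store.isCertificateEntry(alias)) {
                continue;
            }
            Certificate c = store.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) c;
            String reason = rejectReason(cert);
            if (reason == null) {
                System.out.printf("OK       %-20s %s%n", alias, cert.getSubjectX500Principal());
            } else {
                rejected++;
                System.out.printf("REJECTED %-20s %s (%s)%n", alias, cert.getSubjectX500Principal(), reason);
            }
        }
        System.out.printf("%d trust anchor(s) would be rejected by a JDK carrying fix 8230318%n", rejected);
        System.exit(rejected == 0 ? 0 : 1);
    }
}
```

Run it against the truststore the affected server actually uses. An entry reported as REJECTED with subject "CN=pdca, O=Policy Director, C=US" is the anchor behind the handshake failure in the Symptom section. The same extensions can be inspected by hand with keytool -list -v -keystore <file> -storetype PKCS12, which prints BasicConstraints and KeyUsage for each entry.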

Resolving The Problem

Workaround: to override this check in IBM Java 8, set the system property jdk.security.allowNonCaAnchor to true. This can be done either programmatically with System.setProperty("jdk.security.allowNonCaAnchor", "true") or as a JVM command-line argument, -Djdk.security.allowNonCaAnchor=true. Note that the property relaxes the CA check for every trust anchor the JVM uses, not only the pdca certificate, so treat it as a temporary measure until the trust anchor can be replaced by one that carries a Basic Constraints extension with cA=true. If the programmatic form is used, set the property early in startup, before the first TLS handshake, because the JDK reads it when the path validator is first initialized; the JVM argument form avoids this ordering problem.
The steps to define the JVM argument are as follows:
Application Server
In the Administration Console select Servers
Expand Server Type and select WebSphere application servers
Click on the name of your server
Expand Java and Process Management and select Process Definition.
Under the Additional Properties section, click Java Virtual Machine.
Scroll down and locate the textbox for Generic JVM arguments.
Enter -Djdk.security.allowNonCaAnchor=true (append it to any arguments already present, separated by a space).
Click OK and save the changes.
Restart the Application server.

Document Location

Worldwide


Document Information

Modified date:
19 May 2020

UID

ibm16207110