Technical Blog Post
Abstract
ITM6: problem with LDAP certificates
Body
After the LDAP server's certificates are changed and activated, an error message similar to the following may appear in the TEPS log file:
SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: The revocation status of the certificate with subject (CN=xxxx, O=yyyyy, L=zzzzz, ST=wwwwwww, C=AA) could not be determined.]' naming exception occurred during processing.
[8/3/17 14:10:51:568 CEST] 0000002b exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E The 'javax.naming.CommunicationException: simple bind failed: a.b.c.d:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j:PKIX path validation failed: java.security.cert.CertPathValidatorException: The revocation status of the certificate with subject (CN=xxxx, O=yyyyy, L=zzzzz, ST=wwwwwww, C=AA) could not be determined.]' naming exception occurred during processing.
com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.CommunicationException: simple bind failed: a.b.c.d:636 [Root exception is javax.net.ssl.
In this case you may want to check the revocation setting in eWAS.
The com.ibm.jsse2.checkRevocation property configures revocation checking for the Java Virtual Machine (JVM).
Open <ITMHOME>/<arch>/iw/profiles/ITMProfile/config/cells/ITMCell/security.xml
Check if it has:
"com.ibm.jsse2.checkRevocation" value="false"
You can disable it from the console:
1. Open http://<hostname>:15205/ibm/console
2. Go to SSL certificate and key management > Trust managers > IbmPKIX > Custom properties
3. Click on com.ibm.jsse2.checkRevocation and change the value to false
4. Click Apply, then OK
5. Click Save (at the top of the page)
Alternatively, you can directly edit <ITMHOME>/<arch>/iw/profiles/ITMProfile/config/cells/ITMCell/security.xml and change the line:
name="com.ibm.jsse2.checkRevocation" value="true"
to:
name="com.ibm.jsse2.checkRevocation" value="false"
A restart of TEPS (and therefore of eWAS) is needed in both cases.
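To confirm which value security.xml actually holds before and after the change, the property can be read from the file directly. This is an added example, not part of the original post or IBM-supplied code; the embedded sample XML is constructed and reduced (its element names are an assumption), and the script matches only on the property name given above.

```python
import sys
import xml.etree.ElementTree as ET

PROP = "com.ibm.jsse2.checkRevocation"

# Constructed sample, reduced to the attributes this check needs; a real
# security.xml carries many more elements and attributes.
SAMPLE = """<security>
  <trustManagers name="IbmX509" algorithm="IbmX509"/>
  <trustManagers name="IbmPKIX" algorithm="IbmPKIX">
    <additionalTrustManagerAttrs name="com.ibm.jsse2.checkRevocation" value="true"/>
  </trustManagers>
</security>"""


def revocation_settings(xml_data):
    """Return [(owner_name, value)] for every checkRevocation property found."""
    root = ET.fromstring(xml_data)
    found = []
    for parent in root.iter():
        for child in parent:
            # Match on the property name only, whatever the element is called.
            if child.get("name") == PROP:
                value = child.get("value", "").strip().lower()
                found.append((parent.get("name", "?"), value))
    return found


def report(xml_data):
    """Summarise the file: 'missing', 'enabled', 'disabled' or 'mixed'."""
    values = {value for _, value in revocation_settings(xml_data)}
    if not values:
        return "missing"
    if values == {"true"}:
        return "enabled"
    if values == {"false"}:
        return "disabled"
    return "mixed"  # conflicting or unexpected values: inspect by hand


if __name__ == "__main__":
    # Usage: python check_revocation.py <path to security.xml>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for owner, value in revocation_settings(data):
        print(f"{owner}: {PROP}={value}")
    print("revocation checking:", report(data))
```

Run it against the file before the edit and again after the restart; a result of "mixed" means more than one entry carries the property with different values.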
UID
ibm11085307