Troubleshooting
Problem
We configured LDAP for the TDWC. When we select "Require SSL communications" we received an error.
Symptom
CWWIM5020E Could not connect to the ldaps://test.ian.intranet:636 repository using properties:[port=636],[primary_host=test.ian.intranet],[bindDN=uid=tws_bind_t,ou=TWS,ou=operations,ou=Services,o=ibm],[certificateMapMode=exactdn],[sslConfiguration=],[sslEnabled=true],[connectTimeout=0],[id=IANRepository],[ldapServerType=SUNONE],[host=test.ian.intranet],[referal=ignore],[certificateFilter=],[bindPassword=****],[authentication=simple]
Cause
If the signer certificate has already been added to the local trust store, the likely cause is the revocation-checking setting. The property com.ibm.jsse2.checkRevocation configures revocation checking for the Java Virtual Machine (JVM). It is set to false by default because the default WebSphere certificates used for SSL communication do not contain certificate revocation list (CRL) distribution points or Online Certificate Status Protocol (OCSP) information.
When this setting is enabled, the JVM attempts to check whether the certificate being used has been revoked. The revocation status can be determined in several ways (for example through a CRL or an OCSP responder); if it cannot be determined, the certificate is rejected and the connection fails.
Diagnosing The Problem
Check that revocation checking is set to false both in the eWAS security configuration and in the SSL client properties file :-
<TWA_Home>/eWAS/profiles/ITMProfile/properties/ssl.client.props
com.ibm.jsse2.checkRevocation=false
com.ibm.security.enableCRLDP=false
<TWA_Home>/eWAS/profiles/TIPProfile/config/cells/TIPCell/security.xml
name="com.ibm.jsse2.checkRevocation" value="false" required="false"
By default, this should be disabled.
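The check above can be scripted. The following is an added example (not IBM's code) that parses the two files named in this technote, reports the value of each revocation property in each location, and flags when the two files disagree or when revocation checking is enabled anywhere; the element names around the security.xml properties line are assumed, and both file contents are constructed samples.

```python
"""Audit eWAS revocation-checking properties across ssl.client.props and security.xml."""
import xml.etree.ElementTree as ET

REVOCATION_PROPS = ("com.ibm.jsse2.checkRevocation", "com.ibm.security.enableCRLDP")

# Constructed sample of <TWA_Home>/eWAS/profiles/ITMProfile/properties/ssl.client.props
SAMPLE_SSL_CLIENT_PROPS = """\
# ssl.client.props (constructed sample)
com.ibm.jsse2.checkRevocation=false
com.ibm.security.enableCRLDP=false
"""

# Constructed fragment of security.xml. Only the <properties .../> line follows the
# technote; the enclosing <security> and <trustManagers> elements are assumed.
SAMPLE_SECURITY_XML = """\
<security>
  <trustManagers name="IbmPKIX">
    <properties name="com.ibm.jsse2.checkRevocation" value="true" required="false"/>
    <properties name="com.ibm.security.enableCRLDP" value="false" required="false"/>
  </trustManagers>
</security>
"""

def parse_props(text):
    """Parse Java .properties text into a dict, skipping comments and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def security_xml_props(xml_text):
    """Collect name/value pairs from every element that carries both attributes."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.get("value") for el in root.iter()
            if el.get("name") and el.get("value") is not None}

def audit(props_text, xml_text):
    """Per property: value in each file, whether they agree, and whether either enables it.
    An absent property is reported as 'unset' and treated as the documented default, false."""
    props, xml_props = parse_props(props_text), security_xml_props(xml_text)
    report = {}
    for name in REVOCATION_PROPS:
        p = props.get(name, "unset").lower()
        x = xml_props.get(name, "unset").lower()
        report[name] = {"ssl.client.props": p, "security.xml": x,
                        "consistent": (p == "true") == (x == "true"),
                        "revocation_enabled": p == "true" or x == "true"}
    return report

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_SSL_CLIENT_PROPS, SAMPLE_SECURITY_XML).items():
        print(name, finding)
```

Run it against the real files by reading their contents in place of the two samples; a property reported as inconsistent or enabled points at the file that still needs the change described below.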
Resolving The Problem
If the setting is true, change it to false in this way :-
1. Stop eWAS
2. Back up ./eWAS/profiles/TIPProfile/config/cells/TIPCell/security.xml
3. Edit ./eWAS/profiles/TIPProfile/config/cells/TIPCell/security.xml
Change line :-
name="com.ibm.jsse2.checkRevocation" value="true"
to :-
name="com.ibm.jsse2.checkRevocation" value="false"
4. Restart eWAS
5. Test LDAP SSL
The setting can also be viewed and changed in the admin console at :-
SSL certificate and key management > Trust managers > IbmPKIX > Custom properties
Further details are available in the linked WebSphere documentation.
Document Information
Modified date: 29 September 2018
UID: swg21625248