IBM Support

How do I fix the SSL exception CWPKI0022E "KeyUsage does not allow digital signatures" in WebSphere Application Server?

Question & Answer


Question

How do I fix the SSL exception CWPKI0022E "KeyUsage does not allow digital signatures" in WebSphere Application Server?

WSX509TrustMa E CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=LDAP.ibm.com, OU=websphere, O=ibm.com" was sent from target host:port " ldap://LDAP.IBM.COM:636 The signer may need to be added to local trust store "/opt/was80/AppServer/etc/LDAPServerTrustFile.jks" located in SSL configuration alias "LDAPCERT" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "KeyUsage does not allow digital signatures".

Answer

The exception "KeyUsage does not allow digital signatures" means that the certificate sent by the server does not have "DigitalSignature" in the KeyUsage extensions field.

To enable SSL traces in WebSphere and capture more detail, see the following link:

IBM MustGather: Java Secure Socket Extension (JSSE), Secure Sockets Layer (SSL) or Java Cryptography Extensions (JCE) problems

https://www.ibm.com/support/pages/mustgather-ssl-problems-websphere-traditional 

Review the traces as follows:

WebSphere is acting as SSL Client

LDAP server "ldap://LDAP.IBM.COM:636" is acting as SSL Server

From the SSL traces (see the following example traces) you can see that WebSphere sent the following cipher suites to the SSL server:

---

SystemOut O *** ClientHello, TLSv1

[SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ECDH_RSA_WITH_RC4_128_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]

---

The SSL server chose the below EC cipher suite:

SystemOut O %% Initialized: [Session-8, SSL_ECDHE_RSA_WITH_RC4_128_SHA]

SystemOut O ** SSL_ECDHE_RSA_WITH_RC4_128_SHA

The digital signature check will only be performed if the cipher suite belongs to "DHE_DSS", "DHE_RSA", "ECDHE_ECDSA", "ECDHE_RSA", "RSA_EXPORT" or "UNKNOWN".

The TrustManager checks that extension whenever one of those cipher suites is used. If you look at the certificate sent by the SSL server, you will see that its KeyUsage is only Key_Encipherment:

The Key Usage extension is described in section 4.2.1.3 of X.509, with the following possible flags:

KeyUsage ::= BIT STRING {
     digitalSignature        (0),
     nonRepudiation          (1), -- recent editions of X.509 have
                                  -- renamed this bit to contentCommitment
     keyEncipherment         (2),
     dataEncipherment        (3),
     keyAgreement            (4),
     keyCertSign             (5),
     cRLSign                 (6),
     encipherOnly            (7),
     decipherOnly            (8) }

https://tools.ietf.org/html/rfc5280#section-4.2.1.3

We throw the below exception because the SSL connection is using the ECDHE_RSA cipher suite and the certificate presented by the server does not have "DigitalSignature" in the keyUsage extension:

[5]: ObjectId: 2.5.29.15 Criticality=true

KeyUsage [ Key_Encipherment ]

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: KeyUsage does not allow digital signatures
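The check described above can be modelled offline to see which suites trigger it and which KeyUsage values pass. This is an added example, not IBM or JSSE code: the function names are hypothetical, the DER values are constructed, and the "UNKNOWN" category from the list above is not modelled.

```python
import re

# Flag names in bit order, from the KeyUsage definition (RFC 5280, 4.2.1.3).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

# Key-exchange families for which the page says the signature check runs.
# The page's "UNKNOWN" category is not modelled (assumption: no suite name maps to it).
SIGNING_KX = {"DHE_DSS", "DHE_RSA", "ECDHE_ECDSA", "ECDHE_RSA", "RSA_EXPORT"}

def decode_key_usage(der):
    """Decode the DER BIT STRING carried in extension 2.5.29.15 into flag names."""
    if len(der) < 4 or der[0] != 0x03 or der[1] != len(der) - 2 or der[2] > 7:
        raise ValueError("not a short-form DER BIT STRING")
    payload = der[3:]
    nbits = min(len(payload) * 8 - der[2], len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(nbits)
            if payload[i // 8] & (0x80 >> (i % 8))}

def key_exchange(suite):
    """Key-exchange part of a JSSE suite name such as SSL_ECDHE_RSA_WITH_RC4_128_SHA."""
    m = re.match(r"(?:SSL|TLS)_(.+?)_WITH_", suite)
    return m.group(1) if m else None

def needs_digital_signature(suite):
    return key_exchange(suite) in SIGNING_KX

def handshake_allowed(suite, key_usage_der):
    """False corresponds to 'KeyUsage does not allow digital signatures'."""
    if not needs_digital_signature(suite):
        return True
    return "digitalSignature" in decode_key_usage(key_usage_der)

def workaround_suites(offered):
    """Suites the client can keep offering so the check is never triggered."""
    return [s for s in offered if not needs_digital_signature(s)]

# Constructed DER values: keyEncipherment only (as in the failing certificate),
# and digitalSignature + keyEncipherment (a corrected certificate).
KU_ENCIPHER_ONLY = bytes.fromhex("03020520")
KU_FIXED = bytes.fromhex("030205a0")
# Subset of the ClientHello list in the trace above.
OFFERED = ["SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_AES_128_CBC_SHA",
           "SSL_DHE_RSA_WITH_AES_128_CBC_SHA", "SSL_ECDHE_RSA_WITH_RC4_128_SHA",
           "SSL_ECDH_RSA_WITH_AES_128_CBC_SHA", "SSL_RENEGO_PROTECTION_REQUEST"]

if __name__ == "__main__":
    print(sorted(decode_key_usage(KU_ENCIPHER_ONLY)))
    print(handshake_allowed("SSL_ECDHE_RSA_WITH_RC4_128_SHA", KU_ENCIPHER_ONLY))
    print(workaround_suites(OFFERED))
```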

Solution:

  • For a workaround solution, you can configure WebSphere to not send the cipher suites listed above.


OR

Fix the server certificate so that it includes Digital Signature in the Key Usage extension.


Document Information

Modified date:
15 April 2020

UID

ibm13380067