IBM Support

Certificate is not imported even though "Import certificates" is checked in the Intelligent Management plug-in settings

Troubleshooting


Problem

When you add a remote cell that has global security disabled, the certificate is not imported even though the "Import certificates" checkbox is checked.

Symptom

When you click the "Add" button under Remote Cells in Web servers > <webServerName> > Intelligent Management, you can configure the remote cell with the following parameters:

Enable: enables the Intelligent Management capability
Host: host name or address of the remote cell's dmgr
Port: SOAP port of the remote cell's dmgr
Cell identifier: cell name
User ID: admin user, specified when global security is enabled on the remote cell
Password: admin password, specified when global security is enabled on the remote cell
Import certificates: check to import the remote cell's certificate (checked by default)

As shown above, "Import certificates" is checked by default. When you add a remote cell in which global security is disabled, the operation completes without any error message, but the certificate is not imported even though the "Import certificates" checkbox is checked.

Because the certificate import failed, HTTPS requests to the remote cell's applications fail with 500 Internal Server Error.

Cause

When global security is enabled, the dmgr's SOAP port can handle an SSL handshake.
"Import certificates" relies on an SSL handshake, so the certificate can be imported from the remote cell when its global security setting is on.
When global security is disabled, the SOAP port does not respond to SSL requests, so the certificate import fails.

Diagnosing The Problem

The following error is logged in FFDC:

[YY/MM/DD HH:MM:SS:sss EST] FFDC Exception:javax.management.MBeanException SourceId:com.ibm.ws.management.AdminServiceImpl.invoke ProbeId:679 Reporter:com.ibm.ws.management.AdminServiceImpl$1@9132d147
javax.management.MBeanException: Exception thrown in RequiredModelMBean while trying to invoke operation retrieveSignerFromPort
at javax.management.modelmbean.RequiredModelMBean.invokeMethod(RequiredModelMBean.java:1191)
at javax.management.modelmbean.RequiredModelMBean.invoke(RequiredModelMBean.java:995)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:847)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:783)
at com.ibm.ws.management.AdminServiceImpl$1.run(AdminServiceImpl.java:1335)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
:
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.ibm.jsse2.b.c(b.java:70)
at com.ibm.jsse2.b.a(b.java:227)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:536)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:223)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:724)
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:81)

Resolving The Problem

You can manually import the remote cell's certificate with the following steps:

1. From the Administrative Console, navigate to Security > SSL certificate and key management.
2. Click "Key stores and certificates" in Related Items.
3. Click "CMSKeyStore".
4. Click "Signer certificates" in Additional Properties.
5. Click the "Retrieve from port" button.
6. Specify the remote cell's Host, Port and Alias:
   Host: host name or address of the remote cell's dmgr
   Port: the remote cell dmgr's "WC_adminhost_secure" port, which can handle SSL
   Alias: an alias name that identifies the certificate, for example <Host>:<Port>
7. Click "Retrieve signer information".
8. After you confirm the Retrieved signer information, click OK and save it.
9. Restart the web server.
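
The following is an added example, not IBM code: a Python probe that tells a port that completes an SSL/TLS handshake (such as WC_adminhost_secure) from one that answers in plaintext (the SOAP port when global security is disabled), which is the condition behind the FFDC error above. The function name and status strings are assumptions made for this example; host and port are supplied by you.

```python
import hashlib
import socket
import ssl
import sys


def probe_tls_port(host, port, timeout=5.0):
    """Check whether host:port completes a TLS handshake.

    Returns (status, detail). status is "tls" (detail: SHA-256 of the
    certificate the port presented), "handshake-failed" (the peer answered
    but no TLS session was set up; a plaintext port lands here),
    "no-answer" (timeout or reset during the handshake) or "unreachable".
    """
    # Verification is off on purpose: nothing is trusted here, the
    # certificate is only fetched so it can be checked out of band.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("unreachable", str(exc))
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    except ssl.SSLError as exc:  # must come before OSError (its parent)
        return ("handshake-failed", str(exc))
    except OSError as exc:
        return ("no-answer", str(exc))
    finally:
        raw.close()
    # Fingerprint of the presented (leaf) certificate; the signer that the
    # console retrieves may be a different certificate in the chain.
    digest = hashlib.sha256(der).hexdigest().upper()
    return ("tls", ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))


if __name__ == "__main__":
    # Usage: python probe_tls_port.py <host> <port>
    status, detail = probe_tls_port(sys.argv[1], int(sys.argv[2]))
    print(status, detail)
```

A "handshake-failed" result can also come from a TLS port whose protocol versions the local Python/OpenSSL build refuses, so read the detail text before concluding the port is plaintext.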

Product: WebSphere Application Server
Component: Plug-in
Version: 8.5.5
Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows

Document Information

Modified date:
15 June 2018

UID

swg21671177