Troubleshooting
Problem
After an upgrade of the underlying IBM SDK to version 8.0.6.0, there might be an issue starting your application server instance due to a null pointer exception related to the existing keystores in use.
Symptom
At startup, the application server might fail to start. The log file can show messages that appear unrelated, but the thread stacks reference NullPointerException messages related to certificate and key identifier components.
Examples:
- ORBX0390E: Cannot create listener thread. Exception=[ org.omg.CORBA.INTERNAL: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_SERVER_SOCKET, Exception=com.ibm.websphere.ssl.SSLException: java.lang.NullPointerException vmcid: 0x49421000 minor code: 77 completed: No - received while attempting to open server socket on port 31416 ].
- Caused by: java.lang.NullPointerException
      at com.ibm.security.x509.X509CertImpl.getIssuerKeyIdentifier(X509CertImpl.java:2950)
      at com.ibm.crypto.provider.PKCS12KeyStoreOracle.a(Unknown Source)
      at com.ibm.crypto.provider.PKCS12KeyStoreOracle.engineLoad(Unknown Source)
      at java.security.KeyStore.load(KeyStore.java:1456)
In addition, there might be FFDC files generated due to specific SSL/TLS components or Listeners. More information can be seen in the FFDC file itself.
- FFDC1003I: FFDC Incident emitted on <<FFDC_FILE_PATH>> com.ibm.ws.orbimpl.transport.WSTransport.startListening
- FFDC1003I: FFDC Incident emitted on <<FFDC FILE PATH>> com.ibm.ws.orbimpl.transport.WSTransport.createListener
- FFDC1003I: FFDC Incident emitted on <<FFDC FILE PATH>> com.ibm.ws.ssl.provider.AbstractJSSEProvider
If the application server did not start, the startup thread displays this message in the SystemOut.log:
- WSVR0009E: Error occurred during startup
Cause
The NullPointerExceptions occur because of changes in how the SDK interprets the keystore's certificate chains.
Specifically, when the certificates in the keystore are loaded, the Authority Key Identifier (AKI) cannot be determined precisely, usually because a different type of key identifier is in use than what is expected, and the load fails with the previously mentioned error. These key identifiers are used to help form the complete chain for a certificate (see RFC 5280 section 4.2.1.1, which describes the certificate extension "AuthorityKeyIdentifier").
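The AKI extension described in RFC 5280 section 4.2.1.1 can carry a keyIdentifier, an authorityCertIssuer with authorityCertSerialNumber, or both. The following is an added example, not IBM code: it walks a DER-encoded certificate and lists which AKI fields it carries. The function names, sample aliases and skeleton certificates are constructed for illustration, and this page does not state which form triggers the exception.

```python
# Added example (not IBM code): list the RFC 5280 4.2.1.1 AKI fields in a DER certificate.
AKI_OID = bytes.fromhex("551d23")  # id-ce-authorityKeyIdentifier (2.5.29.35)
AKI_FIELDS = {0x80: "keyIdentifier", 0xA1: "authorityCertIssuer",
              0x82: "authorityCertSerialNumber"}

def children(buf):
    """Yield (tag, value) for each DER element laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[pos:pos + length]
        pos += length

def aki_fields(cert_der):
    """Return the AKI field names of a certificate, or None if it has no AKI."""
    _, cert = next(children(cert_der))           # Certificate SEQUENCE
    _, tbs = next(children(cert))                # tbsCertificate SEQUENCE
    wrapped = [v for t, v in children(tbs) if t == 0xA3]  # extensions: [3] EXPLICIT
    for _, ext_list in (children(wrapped[0]) if wrapped else ()):
        for _, ext in children(ext_list):
            parts = list(children(ext))          # OID, optional critical flag, OCTET STRING
            if parts[0][1] == AKI_OID:
                _, aki = next(children(parts[-1][1]))  # AuthorityKeyIdentifier SEQUENCE
                return [AKI_FIELDS.get(t, hex(t)) for t, _ in children(aki)]
    return None

def tlv(tag, body=b""):
    """Encode a short DER element; used only to build the constructed samples."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def skeleton_cert(aki_body):
    """Constructed input: certificate structure only, no real key or signature."""
    ext = tlv(0x30, tlv(0x06, AKI_OID) + tlv(0x04, tlv(0x30, aki_body)))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, ext))))

SAMPLES = {  # constructed, hypothetical keystore aliases
    "keyid-form": skeleton_cert(tlv(0x80, bytes(range(20)))),
    "issuer-serial-form": skeleton_cert(
        tlv(0xA1, tlv(0x82, b"ca.example")) + tlv(0x82, b"\x05")),
}

if __name__ == "__main__":
    print({alias: aki_fields(der) for alias, der in SAMPLES.items()})
```

Run aki_fields over the DER export of each certificate in a keystore to see which form of identifier its chain relies on.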
Resolving The Problem
A fix for this issue was introduced into the IBM SDK in APAR IJ23018. The fix alters how the SDK interprets the Key Identifiers in the keystore.
The recommendation is to upgrade to SDK version 8.0.6.10 or later to obtain the fix.
You can apply these interim fixes to your installation of WebSphere Application Server.
IBM SDK 8.0.6.6 Interim Fix
These fixes are from a targeted build that includes the SDK version 8.0.6.6 with not only IJ23018, but two additional fixes related to keystores, IJ22800 and IJ23014.
- WebSphere Application Server 8.5.5
  - PH23297: Ship JDK IJ22800, IJ23014, IJ23018 as an iFix for WAS 8.5.x.x - bundled Java 8 SR6 FP6
    https://www.ibm.com/support/pages/node/5737551
  - PH23520: Ship JDK IJ22800, IJ23014, IJ23018 as an iFix for WAS 8.5.x.x - extension offering Java 8 SR6 FP6
    https://www.ibm.com/support/pages/node/6113926
- WebSphere Application Server 9.0.5
  - PH23523: Ship JDK IJ22800, IJ23014, IJ23018 as an iFix for WAS 9.0.x.x on Java 8 SR6 FP6
    https://www.ibm.com/support/pages/node/6116644
IBM SDK 8.0.6.10 Interim Fix
- WebSphere Application Server 8.5.5
  - PH24911: Ship Java 8 SR6 FP10 for WebSphere Application Server traditional bundled Java 8 (bundled offering)
    https://www.ibm.com/support/pages/node/6205922
  - PH24910: Ship Java 8 SR6 FP10 for WebSphere Application Server traditional and Liberty (extension offering)
    https://www.ibm.com/support/pages/node/6205943
- WebSphere Application Server 9.0.5
  - IBM SDK Java Technology Edition Version 8.0 for WebSphere Application Server using Installation Manager
    https://www.ibm.com/support/pages/node/587245
More Information
Here's a link to the APAR in question:
- IJ23018: NullPointerException Thrown From X509CertImpl.getIssuerKeyIdentifier
https://www.ibm.com/support/pages/apar/IJ23018
And these related APARs (that were also included in the interim fix for 8.0.6.6):
- IJ22800: WebSphere fails to successfully validate a certificate chain using the Certpath security component
https://www.ibm.com/support/pages/apar/IJ22800
- IJ23014: Keytool is unable to list all the certificates in a PKCS12 keystore in certain conditions
https://www.ibm.com/support/pages/node/6101878
Document Location
Worldwide
Product Synonym
NullPointerException
Document Information
Modified date:
11 June 2020
UID
ibm16216059