Troubleshooting
Problem
After you generate and import a new IBM Resilient server certificate, you might see errors in IBM Resilient or IBM Resilient Circuits logs.
Symptom
/usr/share/co3/logs/client.log
13:54:37.665 [Camel (camel-1) thread #3 - JmsConsumer[email-service.email-message-dead-letter]] ERROR o.a.c.c.j.DefaultJmsMessageListenerContainer - Could not refresh JMS Connection for destination 'email-service.email-message-dead-letter' - retrying using FixedBackOff{interval=5000, currentAttempts=86, maxAttempts=unlimited}. Cause: Could not connect to broker URL: ssl://127.0.0.1:65000?socket.verifyHostName=false&socket.enabledProtocols=TLSv1%2CTLSv1.1%2CTLSv1.2&socket.enabledCipherSuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384... .
Reason: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate issued by CN=resilient.ibm.local is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Signature does not match.
/var/log/resilient-messaging/resilient-messaging.log
13:54:22.605 [ActiveMQ BrokerService[detachedBroker] Task-3] ERROR v=unknown o.a.a.broker.TransportConnector - Could not accept connection from tcp://127.0.0.1:47188 : {}
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
If you have an integration server running Resilient Circuits and the "cafile" parameter in app.config points to the new certificate, you might see the following error:
2019-03-27 13:55:32,849 INFO [stomp_component] Connect to Stomp...
2019-03-27 13:55:32,850 INFO [client] Connecting to resilient.domain.com:65001 ...
2019-03-27 13:55:32,982 ERROR [actions_component] Could not connect to resilient.domain.com:65001
[Could not establish connection [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)]]
Cause
Resilient v32 introduces a new service called "resilient-messaging", which runs ActiveMQ for IBM Resilient. This service is started before the "resilient" service.
If you only restart the "resilient" service after importing a new server certificate, the "resilient-messaging" service that runs ActiveMQ cannot use the new certificate.
Resolving The Problem
sudo systemctl restart resilient-messaging
The command also restarts the "resilient" service, which means IBM Resilient is unavailable until it is restarted.
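One way to confirm from the integration server that the messaging listener presents the imported certificate after the restart, as an added example (not IBM's code). It assumes the "cafile" holds the server certificate itself rather than an issuing CA; the command-line arguments are hypothetical.

```python
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprints(pem_text: str) -> set:
    """Fingerprints of every certificate in a PEM file (cafile may hold several)."""
    return {fingerprint(ssl.PEM_cert_to_DER_cert(block))
            for block in PEM_BLOCK.findall(pem_text)}


def presented_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the DER certificate the listener presents.

    Verification is off here only so the certificate can be read and compared;
    the real client keeps verifying against cafile.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def listener_uses_cert(presented_der: bytes, cafile_text: str) -> bool:
    """True if the presented certificate is one of those in cafile.
    Assumption: cafile contains the server certificate, not only its CA."""
    return fingerprint(presented_der) in pem_fingerprints(cafile_text)


if __name__ == "__main__":
    # Hypothetical usage: <script> resilient.domain.com 65001 /path/to/cafile.pem
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open(cafile) as fh:
        ok = listener_uses_cert(presented_cert(host, port), fh.read())
    print("listener presents the cafile certificate" if ok
          else "listener presents a different certificate; restart resilient-messaging")
    sys.exit(0 if ok else 1)
```

A mismatch after the import means the listener is still serving the previous certificate, which is the condition described under Cause.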
Document Location
Worldwide
Document Information
Modified date:
19 April 2021
UID
ibm16371262