Troubleshooting
Problem
After attempting to configure TM1Web to use custom certificates, users can not access the website and see a connection refused message.
Symptom
-In the web browser, you are unable to open the web page and see a connection refused message (this may be different depending on browser)
-In the tm1_messages.log file, the following errors are present:
[3/10/21 22:40:45:628 EST] 00000083 com.ibm.ws.channel.ssl.internal.SSLHandshakeErrorTracker E CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.ibm.jsse2.D.z(D.java:518)
at com.ibm.jsse2.as.b(as.java:264)
at com.ibm.jsse2.as.c(as.java:111)
at com.ibm.jsse2.as.wrap(as.java:172)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:13)
at com.ibm.ws.channel.ssl.internal.SSLUtils.handleHandshake(SSLUtils.java:694)
at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.readyInbound(SSLConnectionLink.java:564)
at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.ready(SSLConnectionLink.java:333)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:165)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:74)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:503)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:573)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:954)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1043)
at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:812)
[3/10/21 22:40:45:628 EST] 00000083 com.ibm.ws.channel.ssl.internal.SSLHandshakeErrorTracker E CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.ibm.jsse2.D.z(D.java:518)
at com.ibm.jsse2.as.b(as.java:264)
at com.ibm.jsse2.as.c(as.java:111)
at com.ibm.jsse2.as.wrap(as.java:172)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:13)
at com.ibm.ws.channel.ssl.internal.SSLUtils.handleHandshake(SSLUtils.java:694)
at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.readyInbound(SSLConnectionLink.java:564)
at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.ready(SSLConnectionLink.java:333)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:165)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:74)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:503)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:573)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:954)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1043)
at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:812)
Cause
-The error above is misleading. This is not a cipher suite problem and can instead be caused by missing Personal certificates in the keystore.
Diagnosing The Problem
- Using gsk8capicmd_64, list the keystore contents. Example:
- C:\Program Files\ibm\cognos\tm1_64\bin64>gsk8capicmd_64 -cert -list -db "..\configuration\certs\CAMKeystore" -pw NoPassWordSet
- Certificates found
* default, - personal, ! trusted, # secret key
! "CN=IBM Support Intermediate CA,OU=Support,O=IBM,ST=Ontario,C=CA"
! "CN=IBM Support Root CA,OU=Support,O=IBM,L=Ottawa,ST=Ontario,C=CA"
! encryption
- Certificates found
- C:\Program Files\ibm\cognos\tm1_64\bin64>gsk8capicmd_64 -cert -list -db "..\configuration\certs\CAMKeystore" -pw NoPassWordSet
- In the above example you can see that all certificates start with ! ... indicating they are trusted certificates
- An example of expected output would include a personal certificate ( - ) for the server. Example:
- C:\Program Files\ibm\cognos\tm1_64\bin64>gsk8capicmd_64 -cert -list -db "..\configuration\certs\CAMKeystore" -pw NoPassWordSet
- Certificates found
* default, - personal, ! trusted, # secret key
! "CN=IBM Support Intermediate CA,OU=Support,O=IBM,ST=Ontario,C=CA"
! "CN=IBM Support Root CA,OU=Support,O=IBM,L=Ottawa,ST=Ontario,C=CA"
- encryption
- Certificates found
- C:\Program Files\ibm\cognos\tm1_64\bin64>gsk8capicmd_64 -cert -list -db "..\configuration\certs\CAMKeystore" -pw NoPassWordSet
Resolving The Problem
- You will need to work with the team who had provided you the certificate to be used.
- Inform them that we expect a personal certificate for the server to be included in the keystore you are using for TM1Web / PA Spreadsheet Service.
- Once a new keystore is obtained, reconfigure TM1Web for custom certificates (remove current keystore and start over with the new one)
Document Location
Worldwide
[{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSCTEW","label":"IBM Planning Analytics Local"},"ARM Category":[{"code":"a8m50000000KzJJAA0","label":"Installation and Configuration->TM1 Web"}],"ARM Case Number":"TS004605117","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]
Was this topic helpful?
Document Information
Modified date:
11 March 2021
UID
ibm16428931