HTTP plug-in log records "gsk error 408 (GSK_ERROR_BAD_KEYFILE

Troubleshooting

Problem

HTTPS requests fail with an external symptom of HTTP 500 (Internal Server Error) status and http_plugin.log shows the following error:

gsk error 408 (GSK_ERROR_BAD_KEYFILE_PASSWORD)

Cause

This error occurs if the plugin-key.sth file for the HTTPS transport in the plugin-cfg.xml file does not exist, is corrupted, does not correspond with the existing plugin-key.kdb file. or is not readable by the user that starts the web server.

The path to plugin-key.sth is visible in plugin-cfg.xml, for example:

<Transport Hostname="backend.example.com" Port="9443" Protocol="https">
  <Property name="keyring" value="/IBM/HTTPServer/Plugins/webserver1/plugin-key.kdb"/>
  <Property name="stashfile" value="/IBM/HTTPServer/Plugins/webserver1/plugin-key.sth"/>
</Transport>

Resolving The Problem

To correct the problem, perform the following steps:

Ensure the WebSphere WebServer Plugin is updated to at least 8.5.5.11 or 9.0.0.2. If IBM HTTP Server is the web server in use, make sure it is also updated to these maintenance levels.
Confirm the path listed in plugin-cfg.xml for the plugin-key.sth exists
Confirm every directory between "/" and "plugin-key.sth" is readable and executable by the user that starts the web server.
Confirm plugin-key.sth itself is readable by the user that starts the web server
Retest. If the symptom persists, continue with the following steps.

Use either iKeyman (GUI) or "gsk8capicmd" to re-stash the keystore password
iKeyman:
Key Database file > stash password (the default password is WebAS)
gsk8capicmd:

# Linux/AIX/Solaris
cd /opt/IBM/WebSphere/Plugins
if [ `uname -s` = "AIX" ]; then
  export LIBPATH=$PWD/gsk8/gsk8_64/lib64
else
  export LD_LIBRARY_PATH=$PWD/gsk8/gsk8_64/lib64
fi
gsk8/gsk8_64/bin/gsk8capicmd_64 -keydb -stashpw -db config/webserver1/plugin-key.kdb -pw WebAS 

# Windows™:
cd C:\Program Files (x86)\IBM\WebSphere\Plugins
set PATH=%PATH%;gsk8\gsk8_32\lib;
gsk8\gsk8_32\bin\gsk8capicmd -keydb -stashpw -db config\webserver1\plugin-key.kdb  -pw WebAS

If the symptom persists, and there is a plugin-key.rdb, temporarily move it out of the way and retest.

[{"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"SSL","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.0.0.1;8.5.5;8.5;8.0;7.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"Plug-in","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.0.0.1;8.5.5;8.5;8.0;7.0","Edition":"Base;Network deployment","Line of Business":{"code":"LOB45","label":"Automation"}}]

Tips

HTTP plug-in log records "gsk error 408 (GSK_ERROR_BAD_KEYFILE_PASSWORD)"

Troubleshooting

Problem

Cause

Resolving The Problem

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?