
PH60850 / PH57998: WebSphere HTTP Server plugin fails to open plugin-key.kdb file


Abstract

The WebSphere web server plugin cannot open the plugin-key.kdb file that is created with Java 8 SR8 and later.

Download Description

This interim fix resolves the following problems:
1) PH57998

CMS key stores created with IBM Java 8 SR8 and later are incompatible with native components on z/OS, IBM I, and distributed platforms with FIPS enabled.

 
ERROR DESCRIPTION:

The WebSphere HTTP Server plugin issues the following error when it attempts to read the plugin-key.kdb file that is generated on WebSphere 8.5.5.24 on z/OS.
ERROR: lib_security: logSSLError: str_security (gsk error 202):
Error detected while opening the certificate database

An attempt to open the plugin-key.kdb file with gskkyman produces the following error:

Unable to open plugin-key.kdb
Status 0x0335300a - Database is not valid.

PROBLEM CONCLUSION:
On the z/OS and IBM i platforms, the code is updated to change how the plugin-key.kdb file is created.

On platforms other than z/OS and IBM i, if FIPS is enabled on the WebSphere web server plugin, set the following custom property to false.
If plugin-key.kdb is created from the administrative console, click Security > Global security > Custom properties. Then click New to add the custom property and its value.
Custom property: com.ibm.websphere.security.cms.usepqc
Default value: true
If plugin-key.kdb is created using an AdminTask command, start wsadmin with the following option:
wsadmin -javaoption "-Dcom.ibm.websphere.security.cms.usepqc=false"
The issue, caused by PH57998 and fixed by PH60850, is likely to appear as the following symptoms on WAS 8.5.5.25, 9.0.5.19 and 9.0.5.20 systems.
Symptom A: When WCT (GUI or wctcmd.sh) attempts to create a LOCAL web server definition, it appears to complete successfully; however, plugin-key.kdb and plugin-key.sth are not actually created.
Symptom B: A web server definition is created by wsadmin (AdminTask.createWebServerByHostName or AdminTask.createWebServer) with conntype=NONE. The command receives an AdminException/CommandException, but the web server definition is still created.
Symptom C: During creation of an application server profile with "Create a Web server definition" enabled, profile creation completes successfully; however, plugin-key.kdb and plugin-key.sth are not actually created.
Symptom D: A CMS key file is created by wsadmin (AdminTask.createKeyStore) with conntype=NONE. The command execution fails.
If a web server definition was created in scenario A, B or C, the "Manage keys and certificates" and "Copy to Web server key store directory" buttons for that web server are grayed out in the administrative console. As a temporary workaround, follow the steps below.
For scenario A:
1. Delete the web server definition generated by WCT.
2. Create a new web server definition with the SAME web server name. (The WebSpherePluginConfig directive in httpd.conf has already been configured by WCT with that web server name, so the same name must be used.)
3. Copy the key file from WAS to the plugin with the "Copy to Web server key store directory" button.
For scenarios B, C and D, simply recreate the definition in the administrative console, or let wsadmin connect to a running server process.
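Symptoms A and C report success while leaving plugin-key.kdb and plugin-key.sth uncreated, so the practical check after WCT, profile creation or a wsadmin run is to look for both files before the plugin is started. The following POSIX shell function is an added example, not part of IBM's fix documentation; it assumes only that the key store directory of the web server definition is known and passed as its single argument.

```shell
#!/bin/sh
# Added example (not from IBM): verify that a web server definition's key store
# directory actually contains the CMS key database (plugin-key.kdb) and its
# stash file (plugin-key.sth). Symptoms A and C of PH57998 complete without an
# error but write neither file, so an explicit post-creation check catches the
# problem before the plugin fails with "gsk error 202" at startup.
#
# Usage: check_plugin_keystore <keystore-directory>
# Returns 0 when both files exist and are non-empty, 1 otherwise, and prints
# one line per missing or empty file so the output can be read in a log.
check_plugin_keystore() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: key store directory $dir does not exist"
        return 1
    fi
    for f in plugin-key.kdb plugin-key.sth; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING: $path (definition created but key files not written)"
            rc=1
        elif [ ! -s "$path" ]; then
            echo "EMPTY: $path (zero-length key file)"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $dir contains plugin-key.kdb and plugin-key.sth"
    return "$rc"
}
```

Run it against the directory named by the web server definition's key store settings; a non-zero exit means the definition should be deleted and recreated as described in the workaround above rather than propagated to the plugin host.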

2) PH60850

AdminTask.createKeyStore (including PCT/WCT/wctcmd) fails to create a CMS key store.

Error description

When running the wsadmin AdminTask.createKeyStore command to create a KDB keystore, it fails with the error:

Exception loading the CMS keystore. java.lang.NullPointerException
    at com.ibm.ws.ssl.config.CMSKeyStoreUtility.usePQCForCMSKeystore(CMSKeyStoreUtility.java:227)

Prerequisites

None

Download Package

IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table.

A signature file is provided along with the interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages.
DOWNLOAD                   RELEASE DATE   SIZE (Bytes)   URL
8.5.5.0-WS-WAS-IFPH60850   20 June 2024   303517         FC
9.0.5.0-WS-WAS-IFPH60850   20 June 2024   296667         FC

Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.

Problems Solved

PH57998 PH60850

Change History

  • May 13: Replaced the original fixes with IFPH60850. The original fixes introduced PH60850.
  • June 20: Replaced the fixes, concurrent with 9.0.5.20, so that they span that release.

Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
21 June 2024

UID

ibm17101047