Abstract
The WebSphere web server plugin cannot open the plugin-key.kdb file that is created with Java 8 SR8 and later.
Download Description
This interim fix resolves the following problems:
1) PH57998
CMS key stores created with IBM Java 8 SR8 and later are incompatible with native components on z/OS, IBM i, and distributed platforms with FIPS enabled.
2) PH60850
AdminTask.createKeyStore (including PCT/WCT/wctcmd) fails to create CMS key store.
ERROR DESCRIPTION:
The WebSphere HTTP Server plugin issues the following error when it attempts to read the plugin-key.kdb file that is generated on WebSphere 8.5.5.24 on z/OS.
ERROR: lib_security: logSSLError: str_security (gsk error 202): Error detected while opening the certificate database
An attempt to open the plugin-key.kdb file with gskkyman produces the following error:
Unable to open plugin-key.kdb Status 0x0335300a - Database is not valid.
PROBLEM CONCLUSION:
On the z/OS and IBM i platforms, the code is updated to change how the plugin-key.kdb file is created.
On platforms other than z/OS and IBM i, if FIPS is enabled on the WebSphere web server plugin, set the following custom property to false.
If plugin-key.kdb is created from the administrative console, click Security > Global security > Custom properties. Then click New to add a new custom property and its associated value.
Custom property: com.ibm.websphere.security.cms.usepqc
Default value: true
If plugin-key.kdb is created using an AdminTask command, start wsadmin with the following option:
wsadmin -javaoption "-Dcom.ibm.websphere.security.cms.usepqc=false"
The issue, caused by PH57998 and fixed by PH60850, is likely to show the following symptoms on WAS 8.5.5.25, 9.0.5.19 and 9.0.5.20 systems.
Symptom A: When WCT (GUI or wctcmd.sh) attempts to create a LOCAL web server definition, it appears to complete successfully, but plugin-key.kdb and plugin-key.sth are not actually created.
Symptom B: When a web server definition is created with wsadmin (AdminTask.createWebServerByHostName or AdminTask.createWebServer) with conntype=NONE, the command receives an AdminException/CommandException, but the web server definition is still created.
Symptom C: During creation of an application server profile, if you enable "Create a Web server definition", the profile creation completes successfully, but plugin-key.kdb and plugin-key.sth are not actually created.
Symptom D: When a CMS key file is created with wsadmin (AdminTask.createKeyStore) with conntype=NONE, the command fails.
If a web server definition is created in scenario A, B or C, the "Manage keys and certificates" and "Copy to Web server key store directory" buttons for the web server are grayed out in the administrative console. As a tentative workaround, follow the steps below.
For the scenario A,
1. Delete the webserver definition generated by WCT.
2. Create a new webserver definition with the SAME webserver name. (WebSpherePluginConfig directive in httpd.conf is already configured by WCT with the web server name. So you would need to use the same web server name).
3. Copy the key file from WAS to Plugin with "Copy to Web server key store directory" button.
For scenarios B, C and D, you can simply recreate the definition in the administrative console or let wsadmin connect to a running server process.
2) PH60850
AdminTask.createKeyStore (including PCT/WCT/wctcmd) fails to create CMS key store.
Error description
When running the wsadmin AdminTask.createKeyStore command to create a KDB keystore, it fails with the error:
Exception loading the CMS keystore. java.lang.NullPointerException at com.ibm.ws.ssl.config.CMSKeyStoreUtility.usePQCForCMSKeystore(CMSKeyStoreUtility.java:227)
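The following Python check is an added example, not IBM code: it matches the error signatures quoted on this page against log or console lines, maps each to its APAR, and reports which of plugin-key.kdb and plugin-key.sth are missing from a directory (symptoms A and C). The function names, the sample lines and the directory argument are assumptions made for the example.

```python
import re
from pathlib import Path

# Error signatures quoted on this page, mapped to the APAR each is described under.
SIGNATURES = [
    ("PH57998", "plugin cannot open the key database",
     re.compile(r"gsk error 202\b.*opening the certificate database")),
    ("PH57998", "gskkyman reports the database as not valid",
     re.compile(r"Status 0x0335300a\b")),
    ("PH60850", "createKeyStore fails in usePQCForCMSKeystore",
     re.compile(r"CMSKeyStoreUtility\.usePQCForCMSKeystore")),
]

# Files that symptoms A and C leave uncreated.
KEY_FILES = ("plugin-key.kdb", "plugin-key.sth")


def triage_lines(lines):
    """Return (line_number, apar, symptom) for every line matching a signature."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for apar, symptom, pattern in SIGNATURES:
            if pattern.search(line):
                findings.append((number, apar, symptom))
                break  # the first matching signature decides the line
    return findings


def missing_key_files(directory):
    """Return the plugin key files that are absent from `directory`."""
    base = Path(directory)
    return [name for name in KEY_FILES if not (base / name).is_file()]


# Constructed sample input: lines 1, 3 and 4 carry messages copied from this
# page; line 2 is filler to show that unrelated lines are ignored.
SAMPLE_LINES = [
    "ERROR: lib_security: logSSLError: str_security (gsk error 202): "
    "Error detected while opening the certificate database",
    "INFO: unrelated line (constructed)",
    "Unable to open plugin-key.kdb Status 0x0335300a - Database is not valid.",
    "java.lang.NullPointerException at com.ibm.ws.ssl.config."
    "CMSKeyStoreUtility.usePQCForCMSKeystore(CMSKeyStoreUtility.java:227)",
]

if __name__ == "__main__":
    for number, apar, symptom in triage_lines(SAMPLE_LINES):
        print(f"line {number}: {apar}: {symptom}")
    print("missing in current directory:", missing_key_files("."))
```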
Prerequisites
None
Download Package
IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table.
A signature file is provided along with the interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages.
DOWNLOAD | RELEASE DATE | SIZE(Bytes) | URL |
---|---|---|---|
8.5.5.0-WS-WAS-IFPH60850 | 20 June 2024 | 303517 | FC |
9.0.5.0-WS-WAS-IFPH60850 | 20 June 2024 | 296667 | FC |
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.
Problems Solved
PH57998 PH60850
Change History
- May 13: Replace original fixes with IFPH60850. The original fixes introduced PH60850.
- June 20: Replace fixes concurrent with 9.0.5.20 to span.
Technical Support
Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).
Document Location
Worldwide
Document Information
Modified date:
21 June 2024
UID
ibm17101047