IBM Support

Renewing personal WAS certificate fails if plugin-key.kdb is unavailable

Troubleshooting


Problem

When the personal certificate in your WAS NodeDefaultKeyStore or CellDefaultKeyStore expires, you need to renew it (either manually or automatically using the expiration monitor). The renewal might fail with an error message stating that the CMSKeyStore is not available.

Symptom

The expiring certificate is not renewed in the NodeDefaultKeyStore, although the ISC already shows the new personal certificate.

Steps to recreate:

  1. Log in to the AdminConsole (ISC).
  2. Go to Security -> SSL Certificate and Key Management.
  3. Key Stores and certificates -> NodeDefaultKeyStore -> Personal Certificates
  4. Select the personal certificate that you want to renew (normally it's called "default").
  5. Press the "Renew" button.
  6. If the plugin-key.kdb cannot be accessed by the DMgr, you will see an error similar to this:

    An error occurred renewing default: com.ibm.websphere.crypto.KeyException: KeyStore "C:/WebSphere/AppServer/profiles/Dmgr01/wstemp/1623776755/workspace/cells/winwas70dCell01/nodes/winwas70dNode01/servers/webserver1/plugin-key.kdb" does not exist.

    This is accompanied by a CWPKI0033E error in the DMgr's SystemOut.log that reports the same problem.
  7. Despite the error above, the list of certificates will already show the new certificate with the new expiration date, but this is a false notification!

If you log out and log in again, you will find that the old personal certificate is still in the NodeDefaultKeyStore!

Cause

The WebServer Plugin needs the signer certificate from the Node's personal certificate to ensure a secure Plugin-WAS connection.

If the plugin-key.kdb is not available at the defined location of the CMSKeyStore (or is not accessible due to file permission problems), the Deployment Manager cannot perform the automatic signer exchange. As a result, the renewal of the certificate cannot complete and is interrupted.

Resolving The Problem

You need to ensure that all keystores and truststores that are defined in the cell are accessible, including the CMSKeyStore for the plugin.
Alternatively, if for some reason the plugin-key.kdb has been removed and is no longer required in this cell, the CMSKeyStore definition should also be deleted from the list of keystores in the ISC.
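
The accessibility check described above can be run before a renewal. The following is an added example, not IBM code: it assumes the cell's security.xml lists keystores as `keyStores` elements with `name`, `location` and `fileBased` attributes, and that locations use `${CONFIG_ROOT}`-style variables; the XML sample, cell and node names are constructed.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a cell-level security.xml fragment (not from the page).
# Assumption: keystores appear as <keyStores> elements with name, location,
# type and fileBased attributes, and locations may contain ${VAR} variables.
SAMPLE_SECURITY_XML = """<security>
  <keyStores name="NodeDefaultKeyStore" type="PKCS12" fileBased="true"
             location="${CONFIG_ROOT}/cells/cell01/nodes/node01/key.p12"/>
  <keyStores name="CMSKeyStore" type="CMSKS" fileBased="true"
             location="${CONFIG_ROOT}/cells/cell01/nodes/node01/servers/webserver1/plugin-key.kdb"/>
  <keyStores name="HsmStore" type="PKCS11" fileBased="false" location="slot0"/>
</security>"""

VAR = re.compile(r"\$\{([^}]+)\}")

def expand(location, variables):
    """Substitute ${NAME} variables; unknown names are left in place."""
    return VAR.sub(lambda m: variables.get(m.group(1), m.group(0)), location)

def check_keystores(xml_text, variables):
    """Return (name, path, problem) for every file-based keystore definition
    whose file is missing or unreadable for the current user."""
    problems = []
    for el in ET.fromstring(xml_text).iter("keyStores"):
        if el.get("fileBased", "true").lower() != "true":
            continue  # hardware or other non-file keystores are out of scope
        path = expand(el.get("location", ""), variables)
        if VAR.search(path):
            problems.append((el.get("name"), path, "unresolved variable"))
        elif not os.path.isfile(path):
            problems.append((el.get("name"), path, "does not exist"))
        elif not os.access(path, os.R_OK):
            problems.append((el.get("name"), path, "not readable"))
    return problems

def demo():
    """Build a throwaway config tree in which plugin-key.kdb is missing."""
    with tempfile.TemporaryDirectory() as root:
        node = os.path.join(root, "cells", "cell01", "nodes", "node01")
        os.makedirs(node)
        open(os.path.join(node, "key.p12"), "wb").close()
        found = check_keystores(SAMPLE_SECURITY_XML, {"CONFIG_ROOT": root})
        return [(name, path[len(root):], why) for name, path, why in found]

if __name__ == "__main__":
    print(demo())
```

Run it as the operating system user that owns the Deployment Manager process, so that the readability check reflects the permissions the DMgr actually has.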

Product: WebSphere Application Server
Business Unit: Cloud & Data Platform
Component: Administrative Console (all non-scripting)
Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Version: 8.5, 8.0, 7.0
Edition: Base, Network Deployment
Line of Business: Automation

Document Information

Modified date:
15 June 2018

UID

swg21619785