IBM Support

"Server is not reachable or still initializing ... HANDSHAKE FAILURE ... The signer might need to be added to local trust store ... CCR WS API not initialized yet" errors in Controller Web caused by keystore file (key.jks) containing wrong information

Troubleshooting


Problem

Customer is trying to configure Controller Web to use HTTPS (via TLS, sometimes referred to as SSL).
Customer reconfigures the configuration file 'com.ibm.cognos.fcm.web.PROPERTIES' so that the setting 'ccrwsUrl' uses TLS (HTTPS), for example:
  • ccrwsUrl=https://<servername>/ibmcognos/controllerserver/ccrws.asmx
 
Users launch Controller Web. An error appears.

Symptom

When ccrwsUrl=https://<servername>/ibmcognos/controllerserver/ccrws.asmx there are several different errors seen, for example:
  • Screen:
image 3425
Server is not reachable or still initializing, please refresh the page in a few seconds 
  • messages.log (by default located: C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\logs)
[5/12/20 8:37:56:844 BST] 00000030 com.ibm.ws.ssl.core.WSX509TrustManager                       E CWPKI0823E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN [CN=teledu1.castle.fyre.ibm.com] was sent from the host [teledu1.castle.fyre.ibm.com:443].  The signer might need to be added to local trust store [C:/Program Files/ibm/cognos/ccr_64/fcmweb/wlp/usr/servers/fcm.web/resources/security/key.p12], located in SSL configuration alias [defaultSSLConfig].  The extended error message from the SSL handshake exception is: [unable to find valid certification path to requested target].
  • com.ibm.cognos.fcm.log (by default located: C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\logs)
  2020-05-12 08:53:14 |  | ERROR | [com.ibm.cognos.fcm.wmc.ccrws.DefaultCcrClientFactoryInitializer] CCR WS API not initialized yet [error=2 counts of InaccessibleWSDLException.
]. Retrying in 1000 ms...

Cause

There are several known causes for this symptom.
  • TIP: See separate IBM Technote #6210360 for more examples.
 
This Technote specifically relates to the scenario where the cause is that the JAVA keystore file (key.jks) contains wrong information about TLS certificates.
 
Example:
In one real-life example, the keystore incorrectly contained two certificates (two 'aliases') for the same server.

Diagnosing The Problem

To check what certificates are added to the java key store, launch a command prompt and run commands similar to:
cd C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\resources\security
"c:\Program Files\ibm\cognos\ccr_64\fcmweb\jre\bin\keytool" -list -v -keystore key.jks
Example:
In one real-life example, the output showed that there were (erroneously) two similar certificates (but with differerent 'alias' names) installed:
image 3430
...and:
image 3429

Resolving The Problem

Fix:
Ensure that the JAVA keystore file (key.jks) contains the correct information (about TLS certificates).
Example:
In one real-life example, the solution was to:
1. Delete the relevant file (key.jks) from all the relevant locations
By default, these are:
  • C:\Program Files\IBM\cognos\ccr_64\fcmweb\jre\bin
  • C:\Program Files\IBM\cognos\ccr_64\fcmweb\jre\lib\security
  • C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\resources\security
2. Re-create the file key.jks
  • TIP: By default, this will be created here: C:\Program Files\IBM\cognos\ccr_64\fcmweb\jre\bin
  
3. Re-import the relevant certificate (once)
For example, run this command:
4. Copy the file key.jks to both the relevant 'security' locations
By default, these are:
  • C:\Program Files\IBM\cognos\ccr_64\fcmweb\jre\lib\security
  • C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\resources\security
5. Restart both Controller Web windows services
6. Test.
 
Workaround
Modify the setting 'ccrwsUrl' inside the configuration file 'com.ibm.cognos.fcm.web.PROPERTIES': 
  • Specifically, change the value to use HTTP, for example: if ccrwsUrl=http://<servername>/ibmcognos/controllerserver/ccrws.asmx

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"ARM Category":[{"code":"a8m0z000000GnFaAAK","label":"Controller WEB"}],"ARM Case Number":"TS003637370","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
18 May 2020

UID

ibm16208609

Page Feedback