IBM Support

WebSphere Application Server does not send the full chain to clients

Troubleshooting


Problem

This issue can be seen in a number of ways. For example, a client (browser) warns of an expired certificate for a valid CA certificate when using the embedded Web server in IBM WebSphere Application Server.

Symptom

The warning will appear as the following in Internet Explorer:

The security certificate has expired or is not yet valid

This might also appear as the following:

Unable to verify the identity of - as a trusted site.

Some versions of Firefox and other types of clients can also experience this problem.

Cause


IBMJSSE2 sends only one certificate in its chain, the leaf (end entity) certificate. The client receives only this certificate and hence checks whether it trusts the issuer (for example, OU=www.symantec.com/CPS Incorp.....) by looking for the corresponding issuer certificate in the browser truststore. If that issuer certificate is expired or is not present in the truststore, the browser will throw a warning message.

The private key at the server end is actually associated only with the first certificate in the chain which is how it is issued by the CA. IBMJSSE2 will send only those certificates which are explicitly associated with the private key. It will not add or extend the chain further.

There are two options:

  • Import the intermediate and root certificate into the client browser so that the single certificate issued is trusted. This would require all clients accessing the Web application to update their truststore.
  • Import a complete chain of certificates associated with the private key so that IBMJSSE2 will also send the complete chain to the client end.

Resolving The Problem

To send the complete chain (option 2 above), perform the following steps once your certificate is received from the CA.

This example will use a certificate from Symantec.

  1. Download the valid intermediate certificate from Symantec. The link to this should be included in the email which contained the certificate that was sent to you from Symantec.
    https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=AR1736

  2. Install the intermediate certificate in your Internet Explorer browser.

  3. Confirm that the Certification Path is now okay by opening your certificate (the one that was sent to you by Symantec) in Windows®.

  4. Install this certificate in your Internet Explorer browser.
    1. Choose Install Certificate. This will open the Certificate Export Wizard.

    2. Select Next > Next > Finish (leave all defaults).

  5. Open Internet Explorer, go to Tools > Internet Options > Content > Certificates > Other People. You should see your certificate installed here.

  6. Export this certificate as a full chain.
    1. Choose Certificate > Export. This will open the Certificate Export Wizard.

    2. Click Next.

    3. Choose Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B).

    4. Select the checkbox Include all certificates in the certification path if possible.

    5. Click Next.

    6. Enter a filename (mycert.p7b) and click Next, then Finish.

  7. Move your new P7B certificate to the system where your WebSphere Application Server installation is located.

  8. Open your keystore from iKeyman and receive the original certificate that was sent to you by Symantec as you normally would. Note the name of the certificate as it is displayed under your Personal Certificates - this will be the alias_name in the next step. Close iKeyman.

  9. Use keytool to import the P7B certificate into your keystore.
    • WebSphere Application Server V6.1, V7.0, V8.0 and V8.5:

      $WAS_HOME\java\jre\bin>keytool -import -trustcacerts -alias <alias_name> -file <path_to_p7b> -storetype pkcs12 -keystore <path_to_keystore> -storepass <keystore_password>

      You should get a message similar to the following: "Certificate reply was installed in keystore".

    • WebSphere Application Server V6.0:

      $WAS_HOME\java\jre\bin>keytool -import -trustcacerts -alias <alias_name> -file <path_to_p7b> -keystore <path_to_keystore> -storepass <keystore_password>

      You should get a message similar to the following: "Certificate reply was installed in keystore".

  10. Use keytool to confirm that the full chain is installed in your keystore.

      $WAS_HOME\java\jre\bin>keytool -list -v -storetype pkcs12 -keystore <path_to_keystore> -storepass <keystore_password> > keytool.out

      Note: For version 6.0, remove the -storetype pkcs12.

      1. Open keytool.out in an editor.

      2. Search for your alias_name.

      3. You should see Certificate chain length: 3 in this section just below the alias.
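As an added check for the verification step above (example code, not part of the original technote), this Python script parses a keytool -list -v dump and flags personal certificates whose private key still carries fewer than three certificates, or whose chain is not linked issuer-to-owner. The sample dump is constructed; the alias names, subject names and the expected chain length of 3 are assumptions.

```python
# Constructed sample of "keytool -list -v" output; not from a real keystore.
# "leafonly" was received as a single certificate, "fullchain" is the same
# key after the P7B import above (alias and subject names are assumed).
SAMPLE_KEYTOOL_OUT = """\
Alias name: leafonly
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, O=Example Corp
Issuer: CN=Example Intermediate CA, O=Example CA Inc
*******************************************
Alias name: fullchain
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, O=Example Corp
Issuer: CN=Example Intermediate CA, O=Example CA Inc
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA Inc
Issuer: CN=Example Root CA, O=Example CA Inc
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA Inc
Issuer: CN=Example Root CA, O=Example CA Inc
*******************************************
"""

def parse_entries(text):
    """Map alias -> (entry type, [(owner, issuer), ...] in chain order)."""
    entries = {}
    for block in text.split("Alias name: ")[1:]:
        lines = block.splitlines()
        alias, etype, chain = lines[0].strip(), "", []
        for line in lines[1:]:
            if line.startswith("Entry type: "):
                etype = line.split(": ", 1)[1].strip()
            elif line.startswith("Owner: "):
                chain.append([line[len("Owner: "):], ""])
            elif line.startswith("Issuer: ") and chain:
                chain[-1][1] = line[len("Issuer: "):]
        entries[alias] = (etype, [tuple(c) for c in chain])
    return entries

def chain_problems(text, expected_len=3):
    """Key entries that are too short or whose links do not match."""
    problems = {}
    for alias, (etype, chain) in parse_entries(text).items():
        if "key" not in etype.lower():
            continue  # trustedCertEntry: never sent to clients, skip
        if len(chain) < expected_len:
            problems[alias] = f"chain length {len(chain)} < {expected_len}"
        elif any(chain[i][1] != chain[i + 1][0] for i in range(len(chain) - 1)):
            problems[alias] = "issuer does not match the next owner"
    return problems
```

Run it against your own keytool.out by reading the file into a string and passing it to chain_problems; an empty result means every personal certificate carries a complete, linked chain.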


Document Information

Modified date:
15 June 2018

UID

swg21231482