So I saw this in my WAS logs (for the IBM Business Monitor instance that hosts Cognos): -
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/cognos/PCSR011.Support/logs/cogserver.log
CM-SYS-5157 Content Manager failed to notify the dispatcher "https://rhel6.uk.ibm.com:8443/p2pd/servlet/dispatch" of a running status change. CM-REQ-4128 An input/output error occurred executing an external request to the connector "CM". java.security.cert.CertificateException: CAM-CRP-1072 The certificate with the DN 'CN=rhel6.uk.ibm.com, O=ibm' issued by the Certificate Authority with the DN 'CN=rhel6.uk.ibm.com, O=ibm' is not trusted. Cause: java.security.cert.CertificateException: CAM-CRP-1072 The certificate with the DN 'CN=rhel6.uk.ibm.com, O=ibm' issued by the Certificate Authority with the DN 'CN=rhel6.uk.ibm.com, O=ibm' is not trusted. Runtime Exception stack trace: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: CAM-CRP-1072 The certificate with the DN 'CN=rhel6.uk.ibm.com, O=ibm' issued by the Certificate Authority with the DN 'CN=rhel6.uk.ibm.com, O=ibm' is not trusted. at com.ibm.jsse2.o.a(o.java:33) at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:649) at com.ibm.jsse2.kb.a(kb.java:56) at com.ibm.jsse2.kb.a(kb.java:502) at com.ibm.jsse2.lb.a(lb.java:107) at com.ibm.jsse2.lb.a(lb.java:570) at com.ibm.jsse2.kb.s(kb.java:327) at com.ibm.jsse2.kb.a(kb.java:529) at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:300) at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:403) at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:774) at com.ibm.jsse2.k.write(k.java:7) at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:76) at java.io.BufferedOutputStream.write(BufferedOutputStream.java:115) at org.apache.commons.httpclient.HttpConnection.write(HttpConnection.java:975) at org.apache.commons.httpclient.HttpConnection.write(HttpConnection.java:943) at com.cognos.cm.connectors.BusPostMethod.writeRequestBody(BusPostMethod.java:117) at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114) at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096) at 
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323) at com.cognos.cm.connectors.BusConnectionPool$BusConnection.execute(BusConnectionPool.java:85) at com.cognos.cm.connectors.CMConnector.CMConnector$CMConnectorRunnable.run(CMConnector.java:469) at java.lang.Thread.run(Thread.java:772) Caused by: java.security.cert.CertificateException: CAM-CRP-1072 The certificate with the DN 'CN=rhel6.uk.ibm.com, O=ibm' issued by the Certificate Authority with the DN 'CN=rhel6.uk.ibm.com, O=ibm' is not trusted. at com.cognos.accman.jcam.crypto.misc.CAMX509TrustManager14.checkServerTrusted(CAMX509TrustManager14.java:354) at com.ibm.jsse2.lb.a(lb.java:323) ... 21 more
This led me to the JVM's CACerts store: -
Dumped out the current list of CAs in CACerts
$ /opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -list -db /opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts -pw changeit -type jks > /tmp/cacerts.out
Used a simple shell script to remove these 77 CAs
# one label per line, as written to /tmp/cacerts.out by the list command above
for c in `cat /tmp/cacerts.out`
do
/opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -delete -db /opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts -pw changeit -type jks -label "$c"
done
None of these 77 CAs are required for MY specific environment.
Used OpenSSL to retrieve the certificate from the IHS box to a file
$ openssl s_client -connect https://rhel6.uk.ibm.com:8443 > ihs.cer
Edited the file down to the certificate itself
$ vi ihs.cer
<snip>
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
</snip>
Imported the certificate into CACerts
$ /opt/IBM/HTTPServer/java/jre/bin/ikeycmd -cert -add -db /opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts -pw changeit -type jks -file ihs.cer
Restarted my JVM ….
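As an added example (not the blog's own commands), here is a small POSIX shell script that automates the steps above: it trims the s_client output down to the PEM block instead of editing it by hand in vi, closes stdin so s_client does not sit waiting for input, copies cacerts aside before anything is deleted or added, and prints the certificate's SHA-256 fingerprint so it can be compared with the value on the IHS box before it is imported. The ikeycmd and cacerts paths and the changeit password are the ones used on this page; the function names and the label ihs_rhel6 are my own.

```shell
# Defaults taken from this page; override via environment if your layout differs.
IKEYCMD=${IKEYCMD:-/opt/IBM/HTTPServer/java/jre/bin/ikeycmd}
CACERTS=${CACERTS:-/opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts}
CACERTS_PW=${CACERTS_PW:-changeit}

# Print only the first PEM certificate block (the server's own certificate)
# from raw `openssl s_client` output, read from the given file or from stdin.
# This replaces the manual "vi ihs.cer" trimming step.
extract_server_cert() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$@" \
    | awk '{ print } /^-----END CERTIFICATE-----$/ { exit }'
}

# Fetch the certificate presented by host:port and write just the PEM block to a file.
# </dev/null closes stdin so s_client exits after the handshake instead of waiting
# for input; -servername sends SNI in case the server answers for several names.
fetch_server_cert() {
  host=$1; port=$2; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | extract_server_cert > "$out"
  # Fail rather than import an empty file (connection refused, wrong port, ...).
  grep -q '^-----BEGIN CERTIFICATE-----$' "$out"
}

# SHA-256 fingerprint of a PEM certificate; check this against the fingerprint of
# the key database on the IHS box itself before trusting what came over the wire.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Copy the keystore aside before deleting or adding anything; prints the backup path.
backup_keystore() {
  bak="$1.$(date +%Y%m%d%H%M%S).bak"
  cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# Add the PEM file to the JVM cacerts under a descriptive label (hypothetical label below).
import_into_cacerts() {
  label=$1; pem=$2
  "$IKEYCMD" -cert -add -db "$CACERTS" -pw "$CACERTS_PW" -type jks -label "$label" -file "$pem"
}

# Typical run (needs network access and ikeycmd, so it is not executed here):
#   backup_keystore "$CACERTS"
#   fetch_server_cert rhel6.uk.ibm.com 8443 ihs.cer
#   cert_fingerprint ihs.cer
#   import_into_cacerts ihs_rhel6 ihs.cer
```

The extraction keeps only the first BEGIN/END block, which is the server's leaf certificate; in the self-signed case on this page that is also the issuer, so it is the right thing to trust. If the server later presents a chain from a proper internal CA, import that CA's certificate instead of the leaf so the trust survives certificate renewals.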
2 comments:
> openssl s_client -connect https://rhel6.uk.ibm.com:8443 > ihs.cer
No need for https:// here. The correct command is
openssl s_client -connect rhel6.uk.ibm.com:8443 > ihs.cer
@Dymytro
Thanks for this - well spotted, it's not necessary to specify the HTTPS protocol.
Cheers, Dave