Sunday, 3 May 2015

Reminder to Self - If you see SSL0279E again

Following on from an older post: -

if I ever see: -

SSL0279E: SSL Handshake Failed due to fatal alert from client. Client sent fatal alert [level 2 (fatal), description 46 (certificate_unknown)]

in the IHS error_log file again, do NOT waste time exporting certificates from WAS cell-default trust stores and importing them into the IHS KDB.

This is, again, in the context of connecting Process Center to Process Server, albeit with the most recent level of IBM BPM, 8.5.6.

The problem ABSOLUTELY comes from the fact that the Process Server AppCluster JVM is trying to connect to the Process Center AppCluster JVM ( from port 9447 to port 9443 ), as evidenced by this: -

[03/05/15 08:11:55:320 BST] 0000013c WSX509TrustMa E   CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN ", OU=PSCell1Node1, OU=Node1, O=IBM, C=US" was sent from target host:port "".  The signer may need to be added to local trust store "/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/PCCell1/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml".  The extended error message from the SSL handshake exception is: "PKIX path building failed: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: The certificate issued by, OU=Root Certificate, OU=PSCell1, OU=Dmgr, O=IBM, C=US is not trusted; internal cause is: Certificate chaining error".

in the Process Center's AppCluster JVM SystemOut.log.

The solution is to import the signer certificate from Process Center's IHS server into the cell-default trust store for the Process Server: -

/opt/IBM/WebSphere/AppServer/profiles/Dmgr02/bin/ -lang jython -user wasadmin -password passw0rd -host `hostname` -port 8883
AdminTask.retrieveSignerFromPort('[-keyStoreName CellDefaultTrustStore -keyStoreScope (cell):'+cellID+' -host -port 8443 -certificateAlias ProcessCenter -sslConfigName CellDefaultSSLSettings -sslConfigScopeName (cell):'+cellID+' ]')

Once done, and all is now good :-)

No comments: