Tuesday, 12 April 2016
IBM WebSphere Plugin - GSK_ERROR_BAD_CERT and GSK_INVALID_HANDLE after an upgrade
During a recent transition from SHA1 to SHA2 signature algorithms *AND* an upgrade from WebSphere Application Server (WAS) 184.108.40.206 to 220.127.116.11, we hit an interesting challenge yesterday.
We're using IBM HTTP Server (IHS) and the WebSphere Plugin on one AIX LPAR, fronting IBM Integration Bus (IIB) on another LPAR.
We've got a set of IIB flows, all of which are being offered up via IHS through the WebSphere Plugin configuration.
Once the 18.104.22.168 upgrade ( including IHS and Plugin ) was completed, we started seeing GSK_ERROR_BAD_CERT and GSK_INVALID_HANDLE errors in the Plugin error log, relating to the downstream IIB HTTP listeners: -
We're still debugging this BUT it looks like the 22.214.171.124 introduced a security validation check, as per this: -
( Actually, this was introduced in 126.96.36.199 )
We appear to have a "problem" with one of our signer certificates, in terms of a mismatch against standards, and the Plugin is now picking up on this.
( Remember the Plugin is the client to IIB, so this is all about that connection, rather than the connection TO IHS )
Thankfully, we do have a mitigation; by setting the Config parameter AutoSecurity="false" in the Plugin configuration file, the security checking is disabled (!), meaning that we can now client from Plugin to IIB.
Now we need to go and revisit our signer certificates ….. but at least we can continue to test ( this is a NON-PRODUCTION environment )