Friday, November 21, 2014

ConfigEngine task "wp-create-ldap" failed with a SOAP connector problem.

[timestamp] ssl.default.password.in.use.CWPKI0041W
[timestamp] ssl.disable.url.hostname.verification.CWPKI0027I
[timestamp] Client code attempting to load security configuration
[timestamp] ssl.certificate.end.date.invalid.CWPKI0312E
Could not access WebSphere profile using: username=wpsadmin password=PASSWORD_REMOVED portNumber=10025 hostname=myportalserver.ibm.com
com.ibm.websphere.management.exception.ConnectorException: ADMC0016E: The system cannot create a SOAP connector to connect to host myportal.mycompany.com at port 10025.
at com.ibm.websphere.management.AdminClientFactory.createAdminClientPrivileged(AdminClientFactory.java:628)
at com.ibm.websphere.management.AdminClientFactory.access$000(AdminClientFactory.java:122)
...
Caused by: java.lang.reflect.InvocationTargetException
...
Caused by: com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate expired at Fri Aug 19 05:01:01 EDT 2011; internal cause is:
java.security.cert.CertificateExpiredException: NotAfter: Tue Oct 01 05:01:01 EDT 2014;

Connecting to the server with wsadmin using connection type SOAP failed with the same exceptions.

Cause

The default chained certificate has expired, so the SSL handshake for the SOAP connection fails.
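One way to confirm this cause from a trace before renewing anything, as an added example that is not part of the original post or any IBM tooling: the hypothetical `triage` function below classifies an ADMC0016E failure by looking for the certificate-expiry exception and its NotAfter date. The sample trace is constructed from the lines quoted above.

```python
import re
from datetime import datetime

# Constructed sample: lines abridged from the trace quoted in this post.
SAMPLE_TRACE = """\
[timestamp] ssl.certificate.end.date.invalid.CWPKI0312E
com.ibm.websphere.management.exception.ConnectorException: ADMC0016E: The system cannot create a SOAP connector to connect to host myportal.mycompany.com at port 10025.
Caused by: java.lang.reflect.InvocationTargetException
Caused by: com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path validation failed: java.security.cert.CertPathValidatorException: The certificate expired at Fri Aug 19 05:01:01 EDT 2011; internal cause is:
java.security.cert.CertificateExpiredException: NotAfter: Tue Oct 01 05:01:01 EDT 2014;
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Java prints dates as "Tue Oct 01 05:01:01 EDT 2014"; the weekday and the
# zone abbreviation are skipped, so the result is in the server's local time.
NOT_AFTER = re.compile(
    r"CertificateExpiredException: NotAfter: "
    r"\w{3} (\w{3}) (\d{2}) (\d{2}):(\d{2}):(\d{2}) \w+ (\d{4})")
SOAP_FAIL = re.compile(r"ADMC0016E: .* host (\S+) at port (\d+)")

def triage(trace, now):
    """Classify an ADMC0016E SOAP connector failure from trace text."""
    soap = SOAP_FAIL.search(trace)
    if not soap:
        return {"verdict": "no-soap-failure"}
    result = {"host": soap.group(1), "port": int(soap.group(2))}
    handshake = "SSLHandshakeException" in trace
    expired = NOT_AFTER.search(trace)
    if handshake and expired:
        mon, day, hh, mm, ss, year = expired.groups()
        not_after = datetime(int(year), MONTHS[mon], int(day),
                             int(hh), int(mm), int(ss))
        result.update(verdict="expired-certificate", not_after=not_after,
                      days_past=(now - not_after).days)
    elif handshake:
        # TLS failed for another reason (trust, hostname, protocol).
        result["verdict"] = "tls-handshake-other"
    else:
        # For example the SOAP port is closed or the server is down.
        result["verdict"] = "not-tls-related"
    return result

if __name__ == "__main__":
    # Reference date is the date of this post.
    print(triage(SAMPLE_TRACE, datetime(2014, 11, 21)))
```

A verdict of `expired-certificate` means the renewal steps below apply; any other verdict points to a different cause for the same ADMC0016E message.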

Resolving the problem

In WebSphere Application Server (WAS) version 7, a default chained certificate was introduced as a personal certificate. This certificate is created during profile setup and should be valid for a year. It should be renewed when its validity period expires.
ConfigEngine acts as a client that connects to the server through the SOAP connector. It takes its SSL parameters from /properties/ssl.client.props, which points to the key store file that contains the default personal certificate and resides at /etc/key.p12.
To renew the certificate, take the following steps:
- Log in to the Integrated Solutions Console as the primary WAS administrative user.
- Navigate to Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates.
- Check the box beside "Default" and click the "Renew" button. You should see that the expiration date is now updated for another year.
- Restart the servers.
