Configuring the SSL Certificate for internal WebSphere Application Server communication and admin tasks

Problem: WebSphere Application Server uses HTTPS and SSL to communicate internally when running admin tasks such as deploying a war on portal or adding an LDAP attribute mapping to the portal server. If the certificate used for HTTPS is not valid or is not available, the admin tasks will fail with an exception like the following:
Code:
[SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: Certificate expired; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: Certificate expired]
at org.apache.soap.transport.http.SOAPHTTPConnection.send(Unknown Source)
at org.apache.soap.rpc.Call.invoke(Unknown Source)
This exception indicates that the SSL certificate on the server has expired and needs to be regenerated.

Creating a new self-signed certificate

To regenerate the SSL certificate you need to delete the expired certificate and create a new self-signed certificate as follows.
You can do this from the WAS admin console.
Go to the following location:
SSL certificate and key management > Manage endpoint security configurations > dwhportal1 > Key stores and certificates > NodeDefaultKeyStore > Personal certificates
Then select the certificate aliased “default”, click delete, and then save.
Note: take note of the details of the certificate, such as CN, O and C.
After deleting the certificate, click “Create a self-signed Certificate” and fill in the form as follows:
Alias: default
Common Name: dwhportal1dev for development and dwhportal1tst for test
Organization: IBM
Country: US
Then click OK and save
Then restart the server

Creating a new signer certificate for the server

After doing the previous task, if you try to run the administrative task again it will fail with the following exception:
Code:
[SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException:
com.ibm.jsse2.util.h: No trusted certificate found; targetException=java.lang.IllegalArgumentException:
Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found]
This means that there is a valid certificate on the server, but that certificate has not been added to the trusted certificates.
To overcome this problem you need to add the signer certificate to the trusted “NodeDefaultTrustStore” key store.
You can do this using the following steps:
Log in to the admin console and go to the following path:
SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates
Then click the “Retrieve from Port” button.
In the form enter the following fields:
Host: The local server IP 10.0.13.59
Port: The HTTPS port of the WAS server 10003
Alias: default_signer
Then click “OK”, save, and restart server1 and the portal server.
You might need to delete the default_signer that was already there to avoid the duplicate Alias name.
Now when you install a war on portal it should succeed.
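
The two handshake failures described above point at two different stores: "Certificate expired" at the personal certificate in NodeDefaultKeyStore, "No trusted certificate found" at the signers in NodeDefaultTrustStore. The following Python function is an added example, not part of the original article or of WebSphere: it reads admin-task output, extracts the handshake reason from each SOAP fault, and reports which store to fix. The names diagnose, REMEDIES and SAMPLE_LOG are assumptions made for this example, and the sample log is constructed from the two fault strings shown on this page.

```python
import re

# Constructed sample: the two fault strings quoted in this article. The second
# one is wrapped across lines, as it appears above.
SAMPLE_LOG = """\
[SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: Certificate expired; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: Certificate expired]
at org.apache.soap.transport.http.SOAPHTTPConnection.send(Unknown Source)
[SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException:
com.ibm.jsse2.util.h: No trusted certificate found; targetException=java.lang.IllegalArgumentException:
Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found]
"""

# Handshake reason -> (store to fix, action), following the steps in this article.
REMEDIES = {
    "Certificate expired": (
        "NodeDefaultKeyStore",
        "delete the personal certificate 'default' and create a new self-signed one",
    ),
    "No trusted certificate found": (
        "NodeDefaultTrustStore",
        "add the server's signer certificate with 'Retrieve from Port'",
    ),
}

# One SOAP fault, possibly wrapped over several lines.
FAULT = re.compile(r"\[SOAPException:.*?\]", re.S)
# Reason text after SSLHandshakeException, skipping an optional dotted class name.
REASON = re.compile(r"SSLHandshakeException:\s*(?:\w+(?:\.\w+)+:\s*)?([^;\]]+)")


def diagnose(log_text):
    """Return one (reason, store, action) tuple per distinct reason in each fault."""
    findings = []
    for fault in FAULT.findall(log_text):
        flat = " ".join(fault.split())  # undo line wrapping inside the fault
        # msg= and targetException= repeat the same reason, so de-duplicate.
        reasons = sorted({m.strip() for m in REASON.findall(flat)})
        for reason in reasons:
            store, action = REMEDIES.get(
                reason, (None, "unrecognised handshake failure, inspect manually")
            )
            findings.append((reason, store, action))
    return findings


if __name__ == "__main__":
    for reason, store, action in diagnose(SAMPLE_LOG):
        print("%s -> %s: %s" % (reason, store, action))
```

A reason that is not in REMEDIES is still reported, with the store set to None, so an unfamiliar handshake failure is not silently dropped.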