Reputation: 4251
WebSphere 7 SSL error that never goes away no matter what I do?
I installed WebSphere 7.0 and RAD 7.5. Updated WAS to fix pack 11 and update RAD. 7.5.5. latest updates..etc...
- I create a server profile.
- I start the server.
- I turn on global security and use LDAP. (something I have done a billion times)
- I don't even attempt to publish an application.
- The server constantly debugs out this message every two minutes.
How do you make it stop? I have tried making new keys doesn't work, I blow away the profile and make a new one. Nothing works. Nothing. The server is running at 400 MB without an application installed. Is this supposed to be normal? 400 MB with no app published?
The server profile creation wizard forces this SSL nonsense into the config.
What's really going on here?
I would love to utilize the latest server technology IBM has to offer but it seems to be broken right out of the box, out of the gate. 5 fix packs later and it's still broken.
[8/25/10 8:12:44:896 CDT] 0000000b SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.ibm.jsse2.b.a(b.java:34)
at com.ibm.jsse2.pc.a(pc.java:155)
at com.ibm.jsse2.pc.unwrap(pc.java:104)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:17)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:531)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:291)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1550)
Upvotes: 9
Views: 51907
Answers (10)
Reputation: 41
Its too late but may be it helps others like me :)
Agree with Peter above, its IDE which checks status from server..
You need to add the certificate 'X' i.e. exportedCertificate.cer to JRE keystore. To do this, run this command in a Windows CMD window:
$ keytool -import -file exportedCertificate.cer -storepass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts -alias myAlias
Certificate 'X' is the default certificate in your Websphere server. You can find and export it through IBM console. Alternative is to hit HTTPS url at browser and export it from browser in DER format.
Upvotes: 4
Reputation: 61
I solve this issue by enabling security in the server screen.
Open the Servers view, double click on the server, expand security, enable "Security is enabled in this server" and provide a user ID + password. After this the problem went away.
For some reason it was disabled even though I enabled it through the admin console.
Upvotes: 6
Reputation: 232
I found that this solution worked best for me.
http://wiing.fr/websphere-application-server-ssl-error/
The way to fix it is to connect to the administration console, navigate to: Security > SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates
Select the default alias and click on renew. Restart WAS.
I recently got that error because the certificate’s beginning date was set to a date in the future, could not understand what happened to my configuration…
Upvotes: 3
Reputation: 4251
I was wrong. Creating it from either way causes the issue. (running the pmt.bat or through the rad tool).
The real issue was not copying the global security stuff as a security domain. Basically you go to Security > Security Domains > then click the Copy from Global Security option.
This is just crazy. Why not simply have the goofy wizard ask if you would like this to happen also??? IBM infuriates me.
Upvotes: 7
Reputation: 51
Modify your eclipse.ini to explicitly use the IBM JRE as follows:
-vm C:/Program Files (x86)/IBM/WebSphere/AppServer/java_1.7_64/jre/bin/javaw.exe
--launcher.appendVmargs
-vmargs
-Dosgi.requiredJavaVersion=1.7
-Xms512m
-Xmx6144m
Restart Eclipse and Restart your IBM Websphere Application Server to fix the issue.
Upvotes: 0
Reputation: 667
I also faced this issue . finally sorted out this issue. Below are the steps may helpful.
delete the profiles which you have created earlier.
- to view all profiles:
IBM/AppServer/bin/manageprofiles.bat -listProfiles - deletion of profiles:
IBM/AppServer/bin/manageprofiles.bat -delete ProfileName
- to view all profiles:
Windows-->Start-->Services find any IBM WebSphere servers are running background. try to stop them and restart the server.
Upvotes: 0
Reputation: 519
In most cases, this is due to expired SSL Certificate. Go to:
C:\Program Files (x86)\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\XXXXXXNode01Cell\nodes\XXXXXXXXNode01
and see key.p12 and trust.p12 files. Check the created/modified date. It will typically be more than 1 year older. This means it's expired as typically above files are valid for 1 year only.
Solution
Delete entire websphere server profile (which will delete everything under
C:\Program Files (x86)\IBM\WebSphere\AppServer\profiles\AppSrv01and create a new. this will wipe outkey.p12andtrust.p12files along with other files and create a newkey.p12andtrust.p12files when you create new profile.Copy
key.p12andtrust.p12from your colleague's machine whose key files(key.p12andtrust.p12) are not expired. You can also use iKeyman tool to renewkey.p12.
Upvotes: 1
Reputation: 14413
In my case, my IDE is not run with IBM's JRE. Since it's eclipse. so i update the eclipse.ini to include
-vm
E:/IBM/WebSphere/AppServer/java/bin/javaw
Upvotes: 0
Reputation: 4599
This error may be caused by your IDE (let it be Rational Application Developer RAD, Rational Software Architect RSA or plain Eclipse), which is trying to update the server status in the "Servers View".
As somebody here already said, the IDE's call to WebSphere Application Server's console fails, because it's malformed:
Unrecognized SSL message, plaintext connection?
Since your IDE tries to update the status regularly, the server prints this error message as often.
What worked in my case, was to remove the server from the "Servers View" (Right click - delete) and add a new one (Right click - new).
Upvotes: 0
Reputation: 7716
Your app server is trying to establish a ssl connection on a port that is not ssl. An easy way to see it live is trying to access the admin console using http but using the ssl port. If you use the standard ports you can try this: http://localhost:9043/ibm/console/
Upvotes: 1
Related Questions
- certificate not trusted by Websphere
- websphere ssl handshake failure
- IBM Liberty SSL HANDSHAKE FAILURE
- Certificate chaining error in Websphere
- SSL Handshake Error with WebSphere using Java
- javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException while connecting to a secure port
- SSLHandshakeException republish error with WebSphere 8.5 using Eclipse Mars
- java.lang.SecurityException: The Jar (/opt/WebSphere/AppServer7/plugins/com.ibm.ws.security.crypto.jar) is not signed by a trusted signer
- Java/Websphere NoSuchProviderException: IBMCertPath
- SSL connection error from SQL server in Websphere