The code uses the following props -
import java.util.Properties;
import com.ibm.websphere.management.AdminClient;

Properties connectProps = new Properties();
connectProps.setProperty(AdminClient.USERNAME, userName);
connectProps.setProperty(AdminClient.PASSWORD, password);
connectProps.setProperty(AdminClient.CONNECTOR_SECURITY_ENABLED, "true");
// Backslashes must be doubled in Java string literals ("C:\config" does not compile)
connectProps.setProperty("javax.net.ssl.trustStore", "C:\\config\\DummyClientTrustFile.jks");
connectProps.setProperty("javax.net.ssl.keyStore", "C:\\config\\DummyClientKeyFile.jks");
// Default password of the Dummy* stores shipped with WebSphere
connectProps.setProperty("javax.net.ssl.trustStorePassword", "WebAS");
connectProps.setProperty("javax.net.ssl.keyStorePassword", "WebAS");
It fails when I try to use this against an env which has a new certificate (manually created by someone). Maybe I'm missing something here related to adding that in my trust file or something. Not sure how to do it.
The client program fails with -
CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=HCO391MMISDA006.cns-inc.com, O=cpsi, C=US" was sent from target host:port "208.49.76.138:8881". The signer may need to be added to local trust store "C:/cpsi_Test/jmx_examples/monitor_home/config/DummyClientTrustFile.jks" located in SSL configuration alias "null" loaded from SSL configuration file "null". The extended error message from the SSL handshake exception is: "No trusted certificate found".
CWPKI0040I: An SSL handshake failure occurred from a secure client. The server's SSL signer has to be added to the client's trust store. A retrieveSigners utility is provided to download signers from the server but requires administrative permission. Check with your administrator to have this utility run to setup the secure enviroment before running the client. Alternatively, the com.ibm.ssl.enableSignerExchangePrompt can be enabled in ssl.client.props for "DefaultSSLSettings" in order to allow acceptance of the signer during the connection attempt.
Exception in thread "main" com.ibm.websphere.management.exception.ConnectorException: ADMC0053E: The system cannot create a SOAP connector to connect to host 208.49.76.138 at port 8881 with SOAP connector security enabled.
    at com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:476)
    at com.cpsi.jmx.websphere.DataCollector.main(DataCollector.java:89)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:67)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:521)
    at com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:331)
    ... 1 more
Caused by: com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found]
    at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:343)
    at com.ibm.ws.management.connector.soap.SOAPConnectorClient.<init>(SOAPConnectorClient.java:176)
    ... 6 more
Caused by: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found]
    at org.apache.soap.transport.http.SOAPHTTPConnection.send(Unknown Source)
    at org.apache.soap.rpc.Call.invoke(Unknown Source)
    at com.ibm.ws.management.connector.soap.SOAPConnectorClient$4.run(SOAPConnectorClient.java:308)
    at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
    at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:301)
    ... 7 more
--------------------------------------
When I see the profiles//etc folder of the server, I find that the trust.p12 file had a later timestamp than DummyClientTrustFile.jks & DummyClientKeyFile.jks. I also see a new ARM file (probably this was related to the new certificate manually created) created there....
Can anyone help here? How to get the client program working?
Appreciate any help..
Regards
Niraj
Why not point the trustStore/keyStore variables to the key used by the environment?

The default JKS file for a WAS v6.0 is the DummyServer{Trust,Key}File.jks, for WAS v6.1 it is the {trust.p12,key.p12} inside %was_home%/config/cells/%cellname% as far as I know, but this can all be changed.

If that isn't possible, obtain the certificate of the environment and add it to your truststore.
Wkr,
Sven Vermeulen
Use ikeyman, open the Dummy Trust Store file. Navigate to the Signer Certificate section. Click Add, navigate to the DER file and add it - give it some label that you'll know. Click OK and it should import it into the Signer section.
With that done, restart your JVM process and try again ....
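The two replies above describe the same operation done by hand: fetch the signer the server presents and put it into the client's trust store under a label. The program below is an added example, not code from this thread or from IBM's retrieveSigners utility; the class name AddSigner, the argument order and the rule that a .p12 path means PKCS12 (anything else JKS) are assumptions of mine. It connects to host:port with the given trust store, and when the handshake fails with "No trusted certificate found" it shows the signer's SubjectDN (the same value CWPKI0022E reports) and its SHA-256 fingerprint. It only writes the signer into the store when that fingerprint matches the one passed on the command line, which is meant to be the value the server administrator reads off the server's own trust store, so the client is not silently trusting whatever was on the wire.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (not from the thread or IBM). Fetches the signer presented by a WebSphere
// endpoint such as the SOAP connector on 8881, prints its SubjectDN and SHA-256 fingerprint,
// and adds it to the client trust store only when the fingerprint matches the expected one.
public class AddSigner {

    public static void main(String[] args) throws Exception {
        if (args.length < 5) {
            System.err.println("usage: AddSigner <host> <port> <truststore> <storepass> <alias> [expected-sha256]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String storePath = args[2];
        char[] storePass = args[3].toCharArray();
        String alias = args[4];
        String expectedFp = args.length > 5 ? args[5].replace(":", "").toLowerCase() : null;

        // Assumption: JKS for the Dummy*File.jks stores, PKCS12 for the v6.1 trust.p12 / key.p12 stores.
        KeyStore trustStore = KeyStore.getInstance(storePath.toLowerCase().endsWith(".p12") ? "PKCS12" : "JKS");
        try (InputStream in = new FileInputStream(storePath)) {
            trustStore.load(in, storePass);
        }

        X509Certificate[] chain = fetchUntrustedChain(host, port, trustStore);
        if (chain == null) {
            System.out.println("Server chain is already trusted by " + storePath + "; nothing to add.");
            return;
        }
        // The signer is the last certificate in the chain: the issuing CA, or the server
        // certificate itself when it is self-signed (the usual case for a cell's own signer).
        X509Certificate signer = chain[chain.length - 1];
        String fp = sha256Hex(signer.getEncoded());
        System.out.println("Signer SubjectDN : " + signer.getSubjectX500Principal());
        System.out.println("Signer SHA-256   : " + fp);

        if (expectedFp == null) {
            System.out.println("No expected fingerprint given; confirm the value above with the server "
                    + "administrator, then re-run with it as the last argument to import.");
            return;
        }
        if (!expectedFp.equals(fp)) {
            System.err.println("Fingerprint mismatch; not importing.");
            System.exit(1);
        }
        trustStore.setCertificateEntry(alias, signer);
        try (OutputStream out = new FileOutputStream(storePath)) {
            trustStore.store(out, storePass);
        }
        System.out.println("Imported signer as alias '" + alias + "' into " + storePath);
    }

    // Handshakes with host:port using the given trust store. Returns null when the store already
    // trusts the server's chain, otherwise the chain the server presented.
    static X509Certificate[] fetchUntrustedChain(String host, int port, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        CapturingTrustManager tm = new CapturingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.setSoTimeout(10_000);
            socket.startHandshake();
        } catch (SSLException e) {
            // Expected when the signer is unknown: the chain was captured before the failure.
        }
        if (tm.chain == null) {
            throw new IllegalStateException("handshake ended before the server sent a certificate chain");
        }
        return tm.trusted ? null : tm.chain;
    }

    // Delegates to the real PKIX trust manager but records the chain and its verdict; it never
    // accepts an untrusted chain itself, so the handshake still fails exactly as it should.
    static final class CapturingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] chain;
        boolean trusted;

        CapturingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            this.chain = chain;
            delegate.checkServerTrusted(chain, authType); // throws "No trusted certificate found" when unknown
            trusted = true;
        }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Run it once without the fingerprint to see what the server is presenting, compare that with what the administrator sees on the server, then run it again with the fingerprint to import. If the signer file is already at hand (the ARM file found in the profile is the usual export format), the same import can be done without a network round trip using keytool, e.g. keytool -importcert -keystore DummyClientTrustFile.jks -alias <label> -file <signer.arm>, which is the command-line counterpart of the ikeyman steps above.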
The problem is that the person who created it is not available now. I've access to the server & admin console.
Is there a way to retrieve that?
I also searched for the .cer & .der files inside the profiles folder but could not find that file (except some sample .cet file which was probably shipped with the binary)
Thanks
Niraj
Thanks a ton.
Regards
Niraj
Yes; through the Global Security tab. Or, inside the security.xml file inside the %was_home%/config/cells/%cellname% location. It will include both the location of the new key/trust stores as well as their password (which is easily decryptable - google for "websphere password decoder").
Wkr,
Sven Vermeulen