
AdminClient - SSL handshake failure


niraj...@yahoo.com

Aug 26, 2008, 11:39:50 AM
Hi,
I've been trying to create a SOAP connection using the WebSphere client library & got into an SSL handshake issue.
The code works fine when I use this against a WAS env which has the default shipped keys/certificates.

The code uses the following props -
Properties connectProps = new Properties();
// connector type/host/port were not shown in the original post; they are needed for createAdminClient()
connectProps.setProperty(AdminClient.CONNECTOR_TYPE, AdminClient.CONNECTOR_TYPE_SOAP);
connectProps.setProperty(AdminClient.CONNECTOR_HOST, host);
connectProps.setProperty(AdminClient.CONNECTOR_PORT, port);
connectProps.setProperty(AdminClient.USERNAME, userName);
connectProps.setProperty(AdminClient.PASSWORD, password);
connectProps.setProperty(AdminClient.CONNECTOR_SECURITY_ENABLED, "true");
// Windows paths in a Java string literal need escaped backslashes ("\c" is not a valid escape)
connectProps.setProperty("javax.net.ssl.trustStore", "C:\\config\\DummyClientTrustFile.jks");
connectProps.setProperty("javax.net.ssl.keyStore", "C:\\config\\DummyClientKeyFile.jks");
connectProps.setProperty("javax.net.ssl.trustStorePassword", "WebAS");
connectProps.setProperty("javax.net.ssl.keyStorePassword", "WebAS");
AdminClient adminClient = AdminClientFactory.createAdminClient(connectProps);

It fails when I try to use this against an env which has a new certificate (created manually by someone). Maybe I'm missing something here related to adding that to my trust file or something. Not sure how to do it.

The client program fails with -

CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=HCO391MMISDA006.cns-inc.com, O=cpsi, C=US" was sent from target host:port "208.49.76.138:8881".
The signer may need to be added to local trust store "C:/cpsi_Test/jmx_examples/monitor_home/config/DummyClientTrustFile.jks" located in SSL configuration alias "null" loaded from SSL configuration file "null". The extended error message from the SSL handshake exception is: "No trusted certificate found".


CWPKI0040I: An SSL handshake failure occurred from a secure client. The server's SSL signer has to be added to the client's trust store. A retrieveSigners utility is provided to download signers from the server but requires administrative permission. Check with your administrator to have this utility run to setup the secure enviroment before running the client. Alternatively, the com.ibm.ssl.enableSignerExchangePrompt can be enabled in ssl.client.props for "DefaultSSLSettings" in order to allow acceptance of the signer during the connection attempt.

Exception in thread "main" com.ibm.websphere.management.exception.ConnectorException: ADMC0053E: The system cannot create a SOAP connector to connect to host 208.49.76.138 at port 8881 with SOAP connector security enabled.
at com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:476)
at com.cpsi.jmx.websphere.DataCollector.main(DataCollector.java:89)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:67)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:521)
at com.ibm.websphere.management.AdminClientFactory.createAdminClient(AdminClientFactory.java:331)
... 1 more
Caused by: com.ibm.websphere.management.exception.ConnectorNotAvailableException: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found]
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:343)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.<init>(SOAPConnectorClient.java:176)
... 6 more
Caused by: [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found; targetException=java.lang.IllegalArgumentException: Error opening socket: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found]
at org.apache.soap.transport.http.SOAPHTTPConnection.send(Unknown Source)
at org.apache.soap.rpc.Call.invoke(Unknown Source)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient$4.run(SOAPConnectorClient.java:308)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.reconnect(SOAPConnectorClient.java:301)
... 7 more

--------------------------------------
When I look at the profiles//etc folder of the server, I find that the trust.p12 file has a later timestamp than DummyClientTrustFile.jks & DummyClientKeyFile.jks. I also see a new ARM file (probably related to the new certificate that was created manually) there....


Can anyone help here? How do I get the client program working?
Appreciate any help..

Regards
Niraj

Sven Vermeulen

Aug 26, 2008, 12:14:23 PM
On Tue, 26 Aug 2008 11:39:50 -0400, niraj_nath wrote:
> I've been trying to create a soap connection using the websphere
> client library & got into SSL Handshake issue.
[...]

> The code uses the following props -
> connectProps.setProperty(AdminClient.USERNAME, userName);
> connectProps.setProperty(AdminClient.PASSWORD, password);
> connectProps.setProperty(AdminClient.CONNECTOR_SECURITY_ENABLED, "true");
> connectProps.setProperty("javax.net.ssl.trustStore", "C:\config\DummyClientTrustFile.jks");
> connectProps.setProperty("javax.net.ssl.keyStore", "C:\config\DummyClientKeyFile.jks");
> connectProps.setProperty("javax.net.ssl.trustStorePassword", "WebAS");
> connectProps.setProperty("javax.net.ssl.keyStorePassword", "WebAS");
>
> It fails when I try to use this against an env which has a new
> certificate(manually by someone) created.

Why not point the trustStore/keyStore variables to the key used by the
environment?

The default JKS file for a WAS v6.0 is the DummyServer{Trust,Key}
File.jks, for WAS v6.1 it is the {trust.p12,key.p12} inside %was_home%/
config/cells/%cellname% as far as I know, but this can all be changed.

If that isn't possible, obtain the certificate of the environment and add
it to your truststore.

Wkr,
Sven Vermeulen

jajo...@llbean.com

Aug 26, 2008, 1:16:13 PM
Use ikeyman and open the DummyClientTrustFile.jks file (password is probably WebAS or changeit). Then have the person who created the new certificate send you the public key cert. Add that der or cer file to the Signer certificate section of the DummyClientTrustFile file. What's happening is that you are trying to connect to a server that is running an ssl cert signed by an entity that your client does not trust. You need to place the public cert from that newly created cert into your truststore for your client to trust the signer. A short way would be to have the person who created the new certificate create you a new JKS with only the public cert in the signer section, then use that new JKS as your truststore and keystore specified in your code. HTH

jajo...@llbean.com

Aug 26, 2008, 1:43:50 PM
Signer Certificates. Locate the certificate with a name like CN=HCO391MMISDA006.cns-inc.com, O=cpsi, C=US. Select the box next to that certificate and click Extract. Type in a file name for it with the complete path and select DER as the file type. Copy that file to your client.

Use ikeyman, open the Dummy Trust Store file. Navigate to the Signer Certificate section. Click Add, navigate to the DER file and add it - give it some label that you'll know. Click OK and it should import it into the Signer section.

With that done, restart your JVM process and try again ....
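The signer-import and trust check described in the two posts above, as an added example in plain JSSE (not code from the thread or from WebSphere's own ikeyman/retrieveSigners tooling): it adds an extracted DER signer to the JKS truststore as a trusted-certificate entry, prints its SHA-256 fingerprint so the copied file can be compared with what the admin console shows before it is trusted, then asks a PKIX trust manager whether the server's chain would now be accepted. The file names, the alias "was-signer" and the DER path are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public class SignerImport {
    static KeyStore loadJks(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }
    // ikeyman's "Signer Certificates" section is, in JKS terms, a trusted-certificate entry under a label you choose.
    static X509Certificate addSigner(String jks, char[] pw, String derPath, String alias) throws Exception {
        KeyStore ts = loadJks(jks, pw);
        X509Certificate signer;
        try (FileInputStream in = new FileInputStream(derPath)) {
            signer = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        ts.setCertificateEntry(alias, signer);
        try (FileOutputStream out = new FileOutputStream(jks)) { ts.store(out, pw); }
        return signer;
    }
    // The same decision the client makes at handshake time: null if the truststore accepts the chain,
    // otherwise the validator's reason (the thread saw "No trusted certificate found").
    static String checkServerTrusted(String jks, char[] pw, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(loadJks(jks, pw));
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try { tm.checkServerTrusted(chain, "RSA"); return null; }
        catch (CertificateException e) { return e.getMessage(); }
    }
    // SHA-256 fingerprint of the DER bytes: compare it out of band (e.g. with the admin console) before trusting it.
    static String fingerprint(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded())) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "WebAS".toCharArray();  // default truststore password named in the thread (assumed unchanged)
        X509Certificate s = addSigner("DummyClientTrustFile.jks", pw, "server-signer.der", "was-signer");
        System.out.println("Added " + s.getSubjectX500Principal() + "\n  SHA-256 " + fingerprint(s));
        String why = checkServerTrusted("DummyClientTrustFile.jks", pw, new X509Certificate[] { s });
        System.out.println(why == null ? "server chain now trusted" : "still rejected: " + why);
    }
}
```

For a self-signed server certificate the extracted signer is the server certificate itself, so the one-element chain passed above is exactly what the client sees during the handshake; for a CA-issued certificate, pass the full chain the server sends.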

niraj...@yahoo.com

Aug 26, 2008, 1:36:41 PM
Thanks for the response.

The problem is that the person who created it is not available now. I've access to the server & admin console.
Is there a way to retrieve that?

I also searched for the .cer & .der files inside the profiles folder but could not find that file (except some sample .cet file which was probably shipped with the binary)

Thanks
Niraj

niraj...@yahoo.com

Aug 26, 2008, 2:01:19 PM
Awesome.. It worked..

Thanks a ton.

Regards
Niraj

Sven Vermeulen

Aug 26, 2008, 3:36:45 PM
On Tue, 26 Aug 2008 13:36:41 -0400, niraj_nath wrote:
> The problem is that the person who created it is not available now. I've
> access to the server & admin console. Is there a way to retrieve that ?

Yes; through the Global Security tab. Or, inside the security.xml file
inside the %was_home%/config/cells/%cellname% location. It will include
both the location of the new key/trust stores as well as their password
(which is easily decryptable - google for "websphere password decoder").

Wkr,
Sven Vermeulen
