
unknown certificate problem


m.yase...@gmail.com

Jul 5, 2007, 6:31:35 AM
I am getting a "javax.net.ssl.SSLHandshakeException: unknown certificate" error while trying to configure Sun J2EE Policy Agent 2.2 on WebSphere Portal 5.1.

The error log says:

07/03/2007 06:32:16:062 PM IST: Thread[Servlet.Engine.Transports : 1,5,main]
AmFilter: now processing: SSO Task Handler
07/03/2007 06:32:16:062 PM IST: Thread[Servlet.Engine.Transports : 1,5,main]
SSOTaskHandler: SSO Validation failed for null
07/03/2007 06:32:16:062 PM IST: Thread[Servlet.Engine.Transports : 1,5,main]
URLFailoverHelper: Checking if https://apollo.maxnewyorklife.com:443/amserver/UI/Login is available
07/03/2007 06:32:16:078 PM IST: Thread[Servlet.Engine.Transports : 1,5,main]
WARNING: URLFailoverHelper: the url https://apollo.maxnewyorklife.com:443/amserver/UI/Login is not available
javax.net.ssl.SSLHandshakeException: unknown certificate
at com.ibm.jsse.bs.a(Unknown Source)
at com.ibm.jsse.bs.startHandshake(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.b.o(Unknown Source)
at com.ibm.net.ssl.www.protocol.https.q.connect(Unknown Source)
at com.ibm.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect(Unknown Source)
at com.sun.identity.agents.common.URLFailoverHelper.isAvailable(URLFailoverHelper.java:190)
at com.sun.identity.agents.common.URLFailoverHelper.getAvailableURL(URLFailoverHelper.java:129)
at com.sun.identity.agents.filter.AmFilterRequestContext.getLoginURL(AmFilterRequestContext.java:757)
at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectURL(AmFilterRequestContext.java:285)
at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectURL(AmFilterRequestContext.java:258)
at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectResult(AmFilterRequestContext.java:363)
at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectResult(AmFilterRequestContext.java:345)
at com.sun.identity.agents.filter.SSOTaskHandler.doSSOLogin(SSOTaskHandler.java:210)
at com.sun.identity.agents.filter.SSOTaskHandler.process(SSOTaskHandler.java:98)
at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:189)
at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
at com.sun.identity.agents.websphere.AmIdentityAsserterBase.processRequest(AmIdentityAsserterBase.java:195)
at com.sun.identity.agents.websphere.AmTrustAssociationInterceptor.negotiateValidateandEstablishTrust(AmTrustAssociationInterceptor.java:91)
at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:101)
at com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation(WebAuthenticator.java:191)
at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:928)
at com.ibm.ws.security.web.WebCollaborator.authorize(WebCollaborator.java:531)
at com.ibm.ws.security.web.EJSWebCollaborator.preInvoke(EJSWebCollaborator.java:262)
at com.ibm.ws.webcontainer.webapp.WebAppSecurityCollaborator.preInvoke(WebAppSecurityCollaborator.java:132)
at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java:506)
at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java:208)
at com.ibm.ws.webcontainer.srt.WebAppInvoker.doForward(WebAppInvoker.java:134)
at com.ibm.ws.webcontainer.srt.WebAppInvoker.handleInvocationHook(WebAppInvoker.java:321)
at com.ibm.ws.webcontainer.cache.invocation.CachedInvocation.handleInvocation(CachedInvocation.java:71)
at com.ibm.ws.webcontainer.srp.ServletRequestProcessor.dispatchByURI(ServletRequestProcessor.java:246)
at com.ibm.ws.webcontainer.oselistener.OSEListenerDispatcher.service(OSEListener.java:334)
at com.ibm.ws.webcontainer.http.HttpConnection.handleRequest(HttpConnection.java:56)
at com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java:652)
at com.ibm.ws.http.HttpConnection.run(HttpConnection.java:448)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:936)

From whatever analysis I have done so far, I believe this issue is related to the personal certificate for the Sun ONE Web Server (on which Access Manager and LDAP are installed) not being registered with the application server (portal server).
I am not sure how to go about solving the issue.

Can anybody help me out?

Thanks!

Brian S Paskin

Jul 5, 2007, 9:50:07 AM
Hi,

This is from the WebSphere 5.1 Info Center:
http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1/index.jsp?topic=/com.ibm.websphere.exp.doc/info/exp/ae/rtrb_sslprobs.html

javax.net.ssl.SSLHandshakeException: unknown certificate

If you see a Java exception stack similar to the following example, it might be caused by not having the personal certificate for the server in the client truststore file:

ERROR: Could not get the initial context or unable to look up the starting context. Exiting. Exception received: javax.naming.ServiceUnavailableException: A communication failure occurred while attempting to obtain an initial context using the provider url: "corbaloc:iiop:localhost:2809". Make sure that the host and port information is correct and that the server identified by the provider url is a running name server. If no port number is specified, the default port number 2809 is used. Other possible causes include the network environment or workstation network configuration. [Root exception is org.omg.CORBA.TRANSIENT: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E: javax.net.ssl.SSLHandshakeException - The client and server could not negotiate the desired level of security. Reason: unknown certificate:host=MYSERVER,port=1940 minor code: 4942F303 completed: No]

To correct this problem:

1. Check the client truststore file to determine if the signer certificate from the server personal certificate is there. For a self-signed server personal certificate, the signer certificate is the public key of the personal certificate. For a certificate authority signed server personal certificate, the signer certificate is the root CA certificate of the CA that signed the personal certificate.
2. Add the server signer certificate to the client truststore file.
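
The two steps above, reproduced offline as an added example that is not part of the original posts or the Info Center text. It assumes the `openssl` command line is available; a PEM bundle stands in for the client truststore file and `openssl verify` stands in for the JSSE trust check, and every certificate and name is constructed for the demonstration.

```sh
# Added example: constructed certificates; a PEM bundle stands in for the
# client truststore file and `openssl verify` for the JSSE trust check.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Minimal config so the constructed certificates carry CA:TRUE on any OpenSSL.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
# self_signed NAME CN: key plus self-signed certificate (its signer is itself).
self_signed() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# ca_signed NAME CN CA: server personal certificate issued by the CA named CA.
ca_signed() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 2 -out "$WORK/$1.pem" 2>/dev/null
}
# new_truststore STORE: a truststore that holds only an unrelated signer.
new_truststore() { cp "$WORK/other.pem" "$WORK/$1.pem"; }
# signer_trusted STORE CERT: step 1, exit 0 only if CERT chains to a signer in STORE.
signer_trusted() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}
# add_signer STORE SIGNER: step 2, add the signer certificate to the truststore.
add_signer() { cat "$WORK/$2.pem" >> "$WORK/$1.pem"; }

self_signed other   "Unrelated Signer"
self_signed root    "Constructed Root CA"
self_signed selfsrv "selfsigned.example.test"
ca_signed   casrv   "casigned.example.test" root

check() {  # STORE CERT SIGNER: report trust before and after importing SIGNER
  new_truststore "$1"
  signer_trusted "$1" "$2" && before=trusted || before="unknown certificate"
  add_signer "$1" "$3"
  signer_trusted "$1" "$2" && after=trusted || after="unknown certificate"
  echo "$2: before=$before; after adding $3: $after"
}
check ts_self selfsrv selfsrv  # self-signed: the signer is the certificate itself
check ts_ca   casrv   root     # CA-signed: the signer is the root CA certificate
```

On a WebSphere or JSSE client the same check and import are done against the actual truststore file with the key management tool that ships with the product.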
