Monday, 3 January 2011

GSK_ERROR_BAD_CERT (gsk rc = 414)

When an HTTPS request is sent from a web server to an IBM WebSphere Application Server V6.1 server, the web server plug-in log shows the error: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)

Cause: Incorrect signer certificate in the plugin...kdb file

The plug-in cannot authenticate the certificate sent by WebSphere Application Server against its key file, because the plug-in key file does not contain the signer certificate needed to authenticate it.

Resolving the problem

1. In the administrative console, go to Security > SSL certificate and key management.

Before making any changes, select Dynamically update the runtime when changes occur on this page. This option makes sure that changes are propagated to the runtime immediately after they are saved. This option requires a restart to become active after it is selected. If this option is enabled, make SSL configuration changes when the system is not under heavy load, to prevent performance impacts.

2. Click the Manage endpoint security configurations link.

3. Expand Inbound or Outbound, then expand the cell name to see the list of nodes.

Perform steps 4 to 7 for every node that appears in the list.

Opening an empty text file to take notes in will help you through the process.

4. Go to Key stores and certificates, which is under Related Items.

5. Click NodeDefaultKeyStore. Under Additional Properties, click Personal Certificates.

6. Note down the serial number of the default certificate. Select the check box next to the default certificate. Click Extract.

7. Enter the file name for the extracted certificate with its full path, leave the data type as it is, and note down the file path after the serial number. Click OK.

If you chose to create a cell profile after your initial WebSphere Application Server installation, the cell manager node and the standalone node you created at that time might have the same certificate with the same serial number. Do not let it confuse you.

After the previous instructions are done for all nodes, continue with the following steps.

8. Return to the Manage endpoint security configurations page, where you see the node list again (instructions 1-3).

9. Expand the node which includes the web server.

10. Click the web server, then click Key stores and certificates.

11. Click CMSKeyStore.

12. Click Signer certificates. You can either add all the certificates you have extracted here, or click the default certificates on this page, if there are any, and compare their serial numbers with the numbers you noted down to determine which default certificates are missing.

For all the certificates, or just the missing ones, apply the instructions below.

13. Click Add on the current page.

14. Enter the certificate file path and an alias of your choice, and leave the data type as it is. Click OK.

When you are sure that you have the complete set of default certificates added as signer certificates, save the changes, and synchronize.
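
The serial-number comparison in step 12, as an added example that is not part of the original post: this Python sketch reads the serial number from each extracted certificate (PEM or DER) and reports which ones are absent from the signer list noted from CMSKeyStore, listing a certificate shared by several nodes only once. The node names, serial numbers and stand-in certificate bytes are constructed for illustration, and serials are compared as integers.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_serial(data):
    """Serial number (int) of an X.509 certificate given as PEM or DER bytes."""
    marker = b"-----BEGIN CERTIFICATE-----"
    if marker in data:
        body = data.split(marker)[1].split(b"-----END")[0]
        data = base64.b64decode(b"".join(body.split()))
    _, pos, _ = read_tlv(data, 0)          # Certificate SEQUENCE
    _, pos, _ = read_tlv(data, pos)        # tbsCertificate SEQUENCE
    tag, start, end = read_tlv(data, pos)
    if tag == 0xA0:                        # optional [0] version comes first
        tag, start, end = read_tlv(data, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(data[start:end], "big")

def missing_signers(extracted, plugin_serials):
    """Map serial -> node names for extracted certs absent from the signer list."""
    missing = {}
    for node in sorted(extracted):
        serial = cert_serial(extracted[node])
        if serial not in plugin_serials:
            missing.setdefault(serial, []).append(node)   # shared cert: add once
    return missing

def sample_cert(serial):
    """Constructed stand-in: only the DER prefix parsed above, not a usable cert."""
    ser = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    tbs = bytes([0xA0, 3, 0x02, 1, 2, 0x02, len(ser)]) + ser
    tbs = bytes([0x30, len(tbs)]) + tbs
    return bytes([0x30, len(tbs)]) + tbs

# Constructed node names and serials; in practice read the extracted files from disk.
EXTRACTED = {"cellManagerNode": sample_cert(0x4D218A5F), "standaloneNode": sample_cert(0x4D218A5F),
             "appNode02": sample_cert(0x4D21907C), "webNode": sample_cert(0x4D2191E0)}
PLUGIN_SIGNERS = {0x4D2191E0}   # serials noted from the CMSKeyStore signer list (constructed)

if __name__ == "__main__":
    print(missing_signers(EXTRACTED, PLUGIN_SIGNERS))
```

Each key in the result is one signer certificate that still has to be added in steps 13 and 14; the node names show which extracted files carry it.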
