CWPKI
- CWPKI0001I: The SSL service is initializing the configuration.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0002I: SSL service initialization completed successfully.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0003I: The SSL service is starting.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0004I: The SSL service started successfully.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0005I: SSL service initialization did not succeed.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0006E: An exception occurred when trying to create or register {0} mBean. Exception: {1}
Explanation An unexpected exception occurred when trying to create or register an mBean. Action There might be a problem with the configuration. The exception might include details.
- CWPKI0007I: The SSL service did not start successfully.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0008E: An error occurred during SSL initialization. Exception: {0}
Explanation An unexpected error occurred during security initialization. Action This is a general error. Look for previous messages related to SSL initialization or to a configuration problem. Enabling the SSL=all=enabled debug trace might yield additional information.
- CWPKI0009E: The system cannot create the security object during initialization.
Explanation The security object cannot be created from the repository. This is an internal error. The security.xml file might be corrupted or missing. Action Contact your service representative.
- CWPKI0010E: The system cannot obtain the WebSphere Application Server process type during initialization.
Explanation This exception is unexpected. The cause is not immediately known. Action If the problem persists, additional information might be available if you search for the message ID on the following Web sites: the WebSphere Application Server Support page (http://www.ibm.com/software/webservers/appserv/was/support/) and the WebSphere Application Server for z/OS Support page (http://www.ibm.com/software/webservers/appserv/zos_os390/support/).
- CWPKI0011E: Resource {0} could not be loaded from the cell. Exception: {1}
Explanation The specified resource could not be loaded due to an exception. Action Check for a configuration problem related to the resource.
- CWPKI0012I: FIPS is enabled. The server is running in FIPS mode, using the IBMJCEFIPS provider.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0013W: FIPS is enabled, but the IBMJCEFIPS provider is not active in the java.security file. This file needs to be changed to include the IBMJCEFIPS provider in the provider list before the IBMJCE provider.
Explanation When the server is running in FIPS mode, the IBMJCEFIPS provider should be listed in the java.security file, and positioned before the IBMJCE provider in the list. Action To ensure FIPS algorithms usage for all WebSphere Application Server process types, uncomment the IBMJCEFIPS provider in the java.security file, check that it is positioned before the IBMJCE provider in the list, and renumber the provider list in sequential order.
- CWPKI0014I: FFDC Diagnostic Module {0} for the SSL component registered successfully: {1}
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0015E: An error occurred while stopping the SSL component. Exception: {0}
Explanation An unexpected error occurred while stopping the SSL component. Action This is a general error. Look for previous messages related to the error or to a configuration problem. Enabling the SSL=all=enabled debug trace might yield additional information.
- CWPKI0016W: The certificate with alias {0} from keyStore {1} will be expired in {2} days.
Explanation A certificate is about to expire in the keystore. Action Open the keystore and validate the expiration dates on all certificates in the keystore. Generate new certificates, if necessary.
- CWPKI0017E: The certificate with alias {1} from keyStore {2} is expired.
Explanation A certificate is expired in the keystore. Action Open the keystore and validate the expiration dates on all certificates in the keystore. Remove any expired certificates.
- CWPKI0018W: The keystore type of {0} is not valid for SSL configuration alias {1}.
Explanation The type of keystore that has been configured is not valid for the specified alias. Action Change the keystore type in the SSL configuration.
- CWPKI0019E: An error occurred while parsing the SSL client configuration file {0}. Exception: {1}
Explanation There might be a problem with the syntax of the ssl.client.props file or the location of the file might not be valid. Action Review the error returned and check the syntax and location of the ssl.client.props file.
- CWPKI0020E: An error occurred while loading custom trust manager class {0}. Exception: {1}
Explanation A class loading error occurred loading the custom trust manager configured. Action Ensure the class can be found in the environment.
- CWPKI0021E: An error occurred while loading custom key manager class {0}. Exception: {1}
Explanation A class loading error occurred loading the custom key manager configured. Action Ensure the class can be found in the environment.
- CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN {0} was sent from the target host. The signer might need to be added to local trust store {1}, located in SSL configuration alias {2}. The extended error message from the SSL handshake exception is: {3}
Explanation An error occurred during the SSL handshake. It might require a signer export/import from the target host to the client TrustStore. Action Review the extended error message from the TrustManager to determine what needs to change between the target SSL configuration and the client SSL configuration.
- CWPKI0023E: The {0} certificate alias specified by the attribute clientKeyAlias is either not found in KeyStore {1} or it is invalid.
Explanation The certificate alias specified for this SSL configuration is not in the specified KeyStore or it was found to be invalid. An expired certificate is one example of an invalid certificate. Action Either add a certificate into the KeyStore with the specified certificate alias, or replace or renew the invalid certificate with the specified certificate alias found in the client KeyStore.
- CWPKI0024E: The {0} certificate alias specified by the attribute serverKeyAlias is either not found in KeyStore {1} or it is invalid.
Explanation The certificate alias specified for this SSL configuration is not in the specified KeyStore or it was found to be invalid. An expired certificate is one example of an invalid certificate. Action Either add a certificate into the KeyStore with the specified certificate alias, or replace or renew the invalid certificate with the specified certificate alias found in the server KeyStore.
- CWPKI0025E: The system could not load the https Handler class {0}. Extended error message: {1}
Explanation There was a classloading error trying to load the HTTPS URLStreamHandler class. Action Check the SSL configuration to ensure the context provider is correct for the platform.
- CWPKI0026E: An error occurred while reinitializing the SSL configuration after a change to the security.xml file. Extended error message: {0}
Explanation A change was made to the security.xml file. An error occurred when the system then tried to read the changed configuration. Action Review the exception message text and verify the SSL configuration parameters are valid.
- CWPKI0027I: Default hostname verification for HTTPS URL connections is being disabled.
Explanation JSSE URL hostname verification checks that the X509 Certificate Common Name (CN) matches the hostname that the certificate was received from. This hostname verification check is disabled by default for URL connections. Action To enable default JSSE URL hostname verification, set the com.ibm.ssl.performURLHostNameVerification property to true.
- CWPKI0028E: SSL handshake protocol {0} is not valid. This protocol is specified in the SSL configuration alias {1} loaded from SSL configuration file {2}. Extended error message: {3}
Explanation The handshake protocol specified is not recognized as a valid handshake protocol. Action Check the SSL configuration to ensure the correct handshake protocol is specified.
- CWPKI0029E: SSL context provider {0} is not valid. This provider is specified in the SSL configuration alias {1} loaded from SSL configuration file {2}. Extended error message: {3}
Explanation The SSL context provider specified is not recognized as a valid context provider. Action Check the SSL configuration to ensure the correct SSL context provider is specified.
- CWPKI0030E: An error occurred while exchanging signers between cell and node. Exception: {0}
Explanation The DefaultKeyStores between cell and node exchange signers with the corresponding DefaultTrustStores. An error occurred during this process. Action A manual signer exchange might be required.
- CWPKI0031E: An error occurred while creating a client keystore or truststore during initialization. Exception: {0}
Explanation An error occurred while creating the file-based keystore or truststore during process initialization. Action Check that the keystore or truststore settings in the ssl.client.props are current and valid.
- CWPKI0032E: An error occurred while creating a self-signed certificate. Exception: {0}
Explanation An error occurred during process startup while creating this certificate. Action Check that the default self-signed certificate property values (com.ibm.ssl.defaultCertReq*) are valid.
- CWPKI0033E: The keystore located at {0} did not load because of the following error: {1}
Explanation An error occurred while creating or opening the keystore. Action Check the properties in the keystore configuration and ensure the keystore exists.
- CWPKI0034E: Schedule {0} could not be initialized because of the following error: {1}
Explanation An error occurred while initializing the schedule. Action Check that the properties for the scheduler are valid. Ensure the /etc directory is writable.
- CWPKI0035E: Schedule {0} could not read the next scheduled date. The alarm is being initialized for the following date: {1}
Explanation An error occurred reading the date from the schedule file in /etc. Action Ensure the /etc directory is writable and the file has not been modified.
- CWPKI0036E: An error occurred while sending email to {0} using SMTP server {1}. Exception: {2}
Explanation An error occurred sending email to the specified SMTP server. Action Ensure the SMTP server specified is valid and that your company firewall policy allows sending to SMTP ports.
- CWPKI0037I: The expiration monitor reports the following information: {0}
Explanation This information concerns certificate expiration. Action You may need to manage certificates to resolve the reported problems.
- CWPKI0038E: The expiration monitor did not start. Error: {0}
Explanation A problem occurred starting the expiration monitor command task. Action Try starting the expiration monitor directly to determine more information about the error.
- CWPKI0039E: Cannot find Node connector properties for the hostname {0} in the hostlist for keystore {1}.
Explanation The hostname must be entered in the hostlist in the same canonical format as it appears in the serverindex.xml file. Action Edit the hostlist to convert it to the required canonical format.
- CWPKI0040I: An SSL handshake error occurred from a secure client. The server SSL signer has to be added to the client trust store. A retrieveSigners utility is provided to download signers from the server but requires administrative permission. Arrange with your administrator to have this utility run to setup the secure environment before running the client. Alternatively, we can enable the com.ibm.ssl.enableSignerExchangePrompt in ssl.client.props for "DefaultSSLSets" to allow acceptance of the signer during the connection attempt.
Explanation The server SSL signer has to be added to the client trust store. The signers can either be downloaded automatically from the server, or provided manually during the connection attempt. Action Either run the retrieveSigners utility or enable the signer exchange prompt.
- CWPKI0041W: One or more key stores are using the default password.
Explanation When the server starts for the first time as a stand-alone application server or in a Network Deployment configuration, each server creates a keystore and truststore for the default Secure Sockets Layer (SSL) configuration. When the server creates these files, by default, it uses WebAS for the password. Action Do not use the default password in production. Change the default password for the keystore and the truststore by editing the ssl.client.props file. When you change the passwords in the ssl.client.props file, use the PropFilePasswordEncoder utility to re-encode the new passwords.
- CWPKI0042E: An exception occurred while storing a certificate in the issued certificates key store. Exception: {0}
Explanation After creating a chained or self-signed certificate, the corresponding signer certificate could not be stored in the issued certificates key store. Action Check the associated error information for the cause of the problem.
- CWPKI0043E: An error occurred while creating a chained certificate. Exception: {0}
Explanation An error occurred while creating a chained certificate during process startup. Action Check that the default chained certificate property values (com.ibm.ssl.defaultCertReq*) are valid and that a valid certificate exists in the root key store.
- CWPKI0044E: A PasswordEncryptException exception was generated during custom encryption. Exception: {1}
Explanation There is a configuration problem with custom encryption. Action Review the exception and logs to identify and resolve the issue with custom encryption.
- CWPKI0045E: A password was received that is encrypted with a custom algorithm that is not currently configured.
Explanation A custom encrypted password was received, but the necessary custom algorithm required to use it is not configured. Action Configure the necessary custom algorithm.
- CWPKI0046E: The system could not get the HW crypto initialization status: {1}
Explanation It was not possible to get the initialization status of the specified HW crypto provider. Action Ensure that the HW crypto provider is functioning and configured correctly.
- CWPKI0047E: The system could not get the HW crypto provider instance: {1}
Explanation It was not possible to get an instance of the specified HW crypto provider. Action Ensure that the HW crypto provider is functioning and configured correctly.
- CWPKI0048E: The system could not get the HW crypto provider instance: tokenLib: {1}, tokenSlot: {2}, exception: {3}
Explanation It was not possible to get an instance of the specified HW crypto provider for the given reasons. Action Ensure that the HW crypto provider is functioning and configured correctly.
- CWPKI0049W: UseFIPS is enabled but the SSL configuration is not using a FIPS-approved JSSE Provider. Threfore FIPS-approved cryptographic algorithms will not be used.
Explanation Although UseFIPS has been enabled, the FIPS-approved cryptographic algorithms cannot be used because the SSL configuration is not using a FIPS-approved JSSE Provider. Action To ensure the use of FIPS-approved cryptographic algorithms, modify the SSL configuration to use a FIPS-approved JSSE Provider.
- CWPKI0050W: The certificate with the {0} alias from the {1} keyStore has no subject alternative name. HostName verification is not enforced for serverIdentity collective controller, replica and member SSL communication.
Explanation The default serverIdentity certificate does not have a subject alternative name in the keyStore. The hostName verification check is skipped for serverIdentity certificates. Action Open the keyStore and check the subject alternative name on all certificates in the keyStore. Use the genKey and genKeyController commands to generate new certificates to enable the hostname verification.
- CWPKI0063W: Hostname verification is disabled for {0}. TLS/SSL connections do not check server identities to verify that the client is communicating with the correct server.
Explanation Hostname verification must be enabled to ensure that the hostname in the URL that the client is connecting to matches the hostname in the certificate that the server sends back during the TLS/SSL communication. Action Enable hostname verification by setting the com.ibm.ssl.verifyHostname security custom property to true.
- CWPKI0200E: An attempt to generate keys using KeySet {0} occurred when the KeySet is not configured to generate keys. Message: {1}
Explanation The KeySet either does not have a keyGenerationClass defined, or it cannot find the keyGenerationClass, or a read-only KeyStore is associated with the KeySet, or the KeyStore does not allow the writing of secret keys. Action Modify the configuration so that a proper keyGenerationClass is configured and a KeyStore type is configured that allows the writing of secret keys.
- CWPKI0201E: An error occurred while retrieving key alias {0} from KeySet {1}. Exception: {2}
Explanation An error occurred while retrieving keys from the KeyStore for the specified KeySet. Action Check that the KeySet configuration is correct.
- CWPKI0202E: An error occurred trying to instantiate the key generation class {0} configured in KeySet {1}. Message: {2}
Explanation Either the runtime could not find the key generation class configured for the KeySet or the class does not implement either com.ibm.websphere.crypto.KeyGenerator or com.ibm.websphere.crypto.KeyPairGenerator. Action Ensure the key generation class configured is specified in a location that can be found by the application server runtime environment. Check the information center for specifying custom classes so that the runtime environment can find them.
- CWPKI0203E: An attempt to import keys to KeySet {0} failed. Exception: {1}
Explanation The keys passed as input might not have been correctly formed or the keystore could not be accessed to store them. Action Determine the cause based on the exception, then adjust the configuration accordingly.
- CWPKI0204E: An error occurred during a scheduled key generation for KeySetGroup {0}. Exception: {1}
Explanation A problem occurred while a new key reference was being created for the specified KeySetGroup. After the key reference was created in the configuration, the key was generated. One of these steps did not succeed. Action Determine the cause based on the exception, then adjust the configuration accordingly.
- CWPKI0300I: Use the -listRemoteKeyStoreNames and -listLocalKeyStoreNames options to get a list of names for <remoteKeyStoreName> and <localKeyStoreName> respectively. Usage: retrieveSigners <remoteKeyStoreName> <localKeyStoreName> [options] options: [-profileName <profileName>] [-remoteAlias <aliasFromRemoteStore>] [-localAlias <storeAsAlias>] [-listRemoteKeyStoreNames] [-listLocalKeyStoreNames] [-autoAcceptBootstrapSigner] [-uploadSigners] [-host <host>] [-port <port>] [-conntype <RMI|SOAP>] [-user <user>] [-password <password>] [-trace] [-logfile <filename>] [-replacelog] [-quiet] [-help]
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0301I: Trace mode is on.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0302E: The system cannot write to the trace log file at the following location: {0}
Explanation There's a problem writing to the specified log file. Action Change the log file path or make sure the file specified is not in use.
- CWPKI0303I: Trace is being logged to the following location: {0}
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0304E: The <remoteKeyStoreName> specified as {0} was not found on the server.
Explanation The remote keystore is not found. Action Issue the -listRemoteKeyStoreNames command to get the list of names.
- CWPKI0305E: The <aliasFromRemoteStore> specified as {0} was not found in truststore {1} on the server.
Explanation The alias specified was not found in the truststore. Action Issue the -listRemoteKeyStoreNames command to get the list of names.
- CWPKI0306I: The following remote keystores exist on the specified server: {0}
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0307I: The following local keystores exist on the client: {0}
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0308I: The system is adding signer alias {0} to local keystore {1} with the following SHA digest: {2}
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0309I: All signers from the remote keystore already exist in the local keystore.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0310E: The <localKeyStoreName> specified as {0} was not found on the client.
Explanation The local keystore is not found. Action Try issuing the -listLocalKeyStoreNames command to get the list of names.
- CWPKI0311E: The certificate with subject DN {0} has a start date {1} which is valid after the current date and time. This can happen if the client clock is set earlier than the server clock. Please verify the clocks are in sync between this client and server then retry the request.
Explanation The start date of the certificate is not valid. Action Ensure that the client clock matches up with the server clock. Otherwise, create a certificate with the proper start date.
- CWPKI0312E: The certificate with subject DN {0} has an end date {1} which is no longer valid.
Explanation The certificate has expired. Action Replace the certificate with a valid certificate.
- CWPKI0313W: The following option is not valid: {0}
Explanation Check the command line to ensure the specified option is correct. Action Check the usage help and retry after correcting the option.
- CWPKI0314E: The following error is returned from an exception: {0}
Explanation Check the command line to ensure the specified options are correct. Action Check the usage help and retry after correcting the option.
- CWPKI0315E: SSL configuration properties are null. There could be a problem parsing the SSL client configuration.
Explanation There are no SSL configuration properties set. The property 'com.ibm.SSL.ConfigURL' might not be set properly, or there might have been an error parsing the SSL client configuration. Action Check the ssl.client.props file for errors and make sure 'com.ibm.SSL.ConfigURL' is set properly.
- CWPKI0401I: Trace mode is on.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0402E: The system cannot write to the trace log file at the following location: {0}
Explanation There is a problem writing to the specified log file. Action Change the log file path to the correct log file, or make sure the file specified is not in use.
- CWPKI0403I: Trace is being logged to the following location: {0}
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0404W: The following option is not valid: {0}
Explanation The specified option is not correct. Action Check the usage help, then retry after correcting the option.
- CWPKI0405E: The following error is returned from an exception: {0}
Explanation A specified option is not correct. Action Check the usage help, then retry after correcting the option.
- CWPKI0406E: The PKI client implementation class {0} could not be found.
Explanation An attempt to load the custom PKI client implementation failed because the class could not be found by the classloader. Action Check that the custom class exists in the classes directory for your installation.
- CWPKI0407E: The PKI client implementation class {0} is not an instance of com.ibm.ws.ssl.WSPKIClient.
Explanation An attempt to load the custom PKI client implementation did not succeed because the class is not an instance of com.ibm.ws.ssl.WSPKIClient. Action Check that the custom class implements com.ibm.ws.ssl.WSPKIClient.
- CWPKI0408E: Certificate {0} is not a personal certificate.
Explanation The certificate specified is not a personal certificate. Action Rerun the command with a personal certificate alias name.
- CWPKI0409E: Certificate alias {0} does not exist in key store {1}.
Explanation The system could not receive the certificate from the Certificate Authority (CA) because the public keys do not match. Action Rerun the command using a certificate retrieved from a Certificate Authority (CA) that was generated with the certificate request coming from this specified alias in this keystore.
- CWPKI0410E: The local keyStore specified as alias {0} was not found on the client.
Explanation The local keyStore is not found. Action Check that the keyStore exists on the client and has an alias in ssl.client.props.
- CWPKI0411E: A certificate with a public key matching the public key in the certificate from the Certificate Authority (CA) is not found in keystore {0}.
Explanation In order to receive a certificate in a keystore the public key of the certificate must match the public key of a certificate in the keystore. Action Run the command with a certificate that has a public key that matches the public key of a certificate in the keystore.
- CWPKI0412I: The certificate returned from the Certificate Authority (CA) is null. The certificate request was not processed immediately and must be obtained out-of-band using the queryCertificate command.
Explanation The certificate request was not processed immediately by the Certificate Authority (CA) and must be obtained out-of-band. Action Run queryCertificate to check on the status of the certificate and receive it if the request has been processed.
- CWPKI0413E: Supply {0} value for {1}.
Explanation The value provided is not of the correct type. Action Check the usage help and retry after correcting the type of the value.
- CWPKI0414E: The option {0} is required with a value.
Explanation A proper value was not provided on the command line. Action Check the usage help, then retry after correcting the option.
- CWPKI0415E: The following error occurred while initializing the Certificate Authority (CA) implementation: {0}
Explanation An error occurred while initializing the Certificate Authority (CA) implementation. Action Check the associated error message.
- CWPKI0416E: The following error occurred while creating a Certificate Authority (CA) signed certificate: {0}
Explanation An error occurred while attempting to create a Certificate Authority (CA) signed certificate. Action Check the associated error message.
- CWPKI0417E: The following error occurred while revoking a Certificate Authority (CA) signed certificate: {0}
Explanation An error occurred while attempting to revoke a Certificate Authority (CA) signed certificate. Action Check the associated error message.
- CWPKI0418E: The following error occurred while querying the Certificate Authority (CA) for a signed certificate: {0}
Explanation An error occurred while attempting to query the certificate authority (CA) for a signed certificate. Action Check the associated error message.
- CWPKI0419E: The system was unable to receive the certificate because the keystore specified is read-only.
Explanation The system is trying to write a received certificate to a read-only keystore. Action Specify a keystore that is writable.
- CWPKI0420E: The certifcate request was processed by the Certificate Authority (CA) but could not be stored in the keystore specified. The certificate will be revoked and a retry of the request is necessary. Check the previous error messages and correct the issues before retrying the certificate request.
Explanation The certificate request received from the Certificate Authority (CA) could not be stored successfully in the specified keystore. The certificate has therefore been revoked and you need to retry the request to obtain a new certificate. Action Check the previous error messages related to storing the keystore, and correct the issues arising, then retry the certificate request.
- CWPKI0421I: A PKCS10 certificate request with alias {0} was successfully created. The request is stored in the following file: {1}
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0422I: The system is generating a PKCS10 certificate request.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0423E: The PKCS10 certifcate request could not be created because of the following error: {0}
Explanation The PKCS10 certificate request could not be created because of the specified error. Action Check the message logs for details.
- CWPKI0424E: Certificate alias {0} already exists in key store {1}.
Explanation The system could not create the certificate request because the alias specified already exists in the keystore. Action Specify another alias name.
- CWPKI0425E: The subjectDN supplied is incorrect.
Explanation The subjectDN supplied does not conform to the X500Principal standard. Action Check the subjectDN and ensure that it is in the correct form.
- CWPKI0426W: The following options were not recognized and will be ignored: {0}
Explanation One or more provided options were not recognized and will be ignored. Action Check the command usage and ensure the arguments supplied are correct.
- CWPKI0427E: The custom attributes cannot be parsed.
Explanation The custom attributes were not entered in the proper form. Action Check the usage help, then retry after correcting the custom attributes.
- CWPKI0450E: Attribute {0} is missing or of an incorrect type. Correct type is {1}.
Explanation The attribute passed to the implementation is null or not of the correct type. Action Ensure that the required attribute is passed to the implementation.
- CWPKI0451E: The certificate request is null.
Explanation The byte array of the certificate request is null. Action Check that a valid certificate request byte array is passed to the implementation.
- CWPKI0452E: The revocation password for this request is null.
Explanation The byte array of the revocation password for this request is null. Action Check that a valid revocation password byte array is passed to the implementation.
- CWPKI0453E: The following unexpected exception has occurred: {0}
Explanation This exception is unexpected. The cause is not immediately known. Action If the problem persists, additional information might be available if you search for the message ID on the following Web sites: the WebSphere Application Server Support page (http://www.ibm.com/software/webservers/appserv/was/support/) and the WebSphere Application Server for z/OS Support page (http://www.ibm.com/software/webservers/appserv/zos_os390/support/).
- CWPKI0454E: The system could not create temporary file {0}.
Explanation The temporary file could not be written to the file system. Action Ensure the path to the temporary file exists, is writable, and has space available.
- CWPKI0455I: Requesting a Certificate Authority (CA) signed certificate.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0456E: An exception occurred when requesting the certificate: {0}
Explanation The specified error occurred when requesting the certificate. Action Check the log file for detailed error information.
- CWPKI0457E: An exception occurred when revoking the certificate: {0}
Explanation The specified error occurred when revoking the certificate. Action Check the log file for detailed error information.
- CWPKI0458E: An exception occurred when querying the certificate: {0}
Explanation The specified error occurred when querying the certificate. Action Check the log file for detailed error information.
- CWPKI0459E: The certificate chain is null.
Explanation No valid certificate chain is available to the implementation. Action Check that a valid certificate chain is being passed to the implementation.
- CWPKI0460I: Revoking a Certificate Authority (CA) signed certificate.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0461I: Action {0} is not supported by this implementation.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0462I: A certificate revocation request for certificate alias {0} has been initiated. Reason: {1}
Explanation A request to revoke a Certificate Authority (CA) signed certificate has been issued. Action Verify with the external Certificate Authority (CA) that the certificate has been successfully revoked.
- CWPKI0463I: Certificate received and stored in keystore {0} as alias {1}.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0800E: An internal error occurred. Exception caught adding IBMJCEFIPS provider. Exception: {0}
Explanation An error occurred adding the IBMJCEFIPS cryptographic module. Initialization of the server will continue, but SSL support may not be available. Action If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: http://www.ibm.com/software/webservers/appserv/was/support/ WebSphere Application Server for z/OS Support page: http://www.ibm.com/software/webservers/appserv/zos_os390/support/ .
- CWPKI0801E: Unable to create default SSL configuration. Exception is {0}.
Explanation An error was encountered while creating the default SSL configuration. Action If the problem persists, additional information might be available if you search for the message ID on the following Web sites: WebSphere Application Server Support page: http://www.ibm.com/software/webservers/appserv/was/support/ WebSphere Application Server for z/OS Support page: http://www.ibm.com/software/webservers/appserv/zos_os390/support/ .
- CWPKI0802I: Create the SSL certificate. This may take a few seconds.
Explanation The SSL certificate does not exist and will be generated automatically. This may take a few seconds. Any services requiring SSL will not start until the SSL certificate has been generated and the configuration is ready. Action No action is required.
- CWPKI0803A: SSL certificate created in {0} seconds. SSL key file: {1}
Explanation The SSL certificate was generated in the amount of time specified. Action No action is required.
- CWPKI0804E: SSL certificate creation error. {0}
Explanation The SSL certificate could not be created at the specified location. Action Ensure the location is accessible by the server process. Review the FFDC logs for additional errors that are associated with generating or loading the keys.
- CWPKI0805E: A password is required for the default keystore is missing.
Explanation The keystore configuration does not specify a password for the default keystore. Action Modify the default keystore configuration to specify a password.
- CWPKI0806E: The keystore configuration is incomplete, the location and type must be specified.
Explanation The keystore configuration does not contain all the information needed. Action Modify the keystore configuration object to contain the keystore's location and type.
- CWPKI0807W: The keyStore location {0} could not be found for element with id attribute {1}.
Explanation The keystore location references a location that does not exist. Action Change the keyStore location to a valid file path.
- CWPKI0808E: A password of at least 6 characters is required to create the default keystore. The default keystore is not created.
Explanation The keystore configuration requires a password of at least 6 characters in order to create the default keystore. Action Modify the default keystore configuration to specify a password of at least 6 characters.
- CWPKI0809W: There is a failure loading the {0} keystore. If an SSL configuration references the {1} keystore, then the SSL configuration will fail to initialize.
Explanation The keystore file does not exist, or the keystore type or password is not correct, so any SSL configuration that references the keystore is not usable. Action Fix the problem with the keystore configuration.
- CWPKI0810I: The {0} keystore is read only and the certificate will not be written to the keystore file. Trust will be accepted only for this connection.
Explanation This message is for informational purposes only. Action No action is required.
- CWPKI0811I: The keystore file {0} has been modified. The keystore file will be reloaded so the updated keystore file can be used.
Explanation The keystore file specified was modified and the runtime will start using the updated keystore file. Action No action is required.
- CWPKI0812E: Error while trying to get the [{0}] key from the [{1}] keystore. Check to make sure the entry is a key and the key password is correct. Exception returned is: [{2}].
Explanation There was an error while trying to recover the key from the keystore file. There may be a problem with the key or the key password is not correct. Action Check the keystore to make sure the key entry exists and make sure the correct password is configured to access the key entry.
- CWPKI0813E: Error while trying to initialize the keymanager for the keystore [{0}]. The private key password is not correct or the keystore has multiple private keys with different passwords. This keystore can not be used for SSL. Exception message is: [{1}].
Explanation There was an error while trying to initialize the keymanager. An SSLContext cannot be created when the private key password is not correct or when the keystore has multiple keys with different passwords. Action Ensure the private key password is correct and the keystore does not have multiple keys with different passwords before using the keystore for SSL connections.
- CWPKI0814E: An error while initializing hardware keystore [{0}]. Check the hardware configuration {1} file to be sure the attributes are set correctly. Exception returned from the provider is {2}.
Explanation A problem with the hardware configuration prevents the keystore from being usable. Any SSL configuration that references this keystore is not usable. Action Ensure that the hardware configuration file contains the required attributes, name and library. Make sure other attributes in the configuration file follow the hardware device specification.
- CWPKI0815W: More than one OutboundConnection element specifies the [{0}] host and [{1}] port as a filter. The OutboundConnection element configured on the [{2}] SSL element will be used.
Explanation Conflicting OutboundConnection elements are defined in the server configuration. To determine the outbound SSL configuration, the server uses the first OutboundConnection element that it processes. Action Review the conflicting OutboundConnection elements in the server configuration, and remove the element that is not needed.
- CWPKI0816W: The outboundConnection element with an asterisk (*) as the host and port is set to the [{0}] SSL configuration. This setting is in conflict with the outboundSSLRef attribute setting. The {1} SSL configuration specified by the outboundSSLRef attribute is used.
Explanation The outboundConnection element with an asterisk (*) as the host and port is in conflict with the configured outboundSSLRef attribute. The server uses the SSL configuration specified by the outboundSSLRef attribute. Action Review the conflicting configuration and determine which configuration to use as the default SSL configuration. Remove the configuration that is not needed.
- CWPKI0817A: The default SSL configuration expects a <keyStore> element with an id value of {0}, and a password. The {0} <keyStore> element is missing, or the password is not specified. If SSL is not required, this message can be ignored. If SSL is required, either define the missing element: <keyStore id="{0}" password="yourpassword" />, or change the default SSL configuration to use an existing keystore.
See the following example: <ssl id="defaultSSLConfig" keyStoreRef="newKeyStore" />.
Explanation SSL initialization has been attempted because the ssl feature has been loaded. The initialization could not complete, because the default SSL configuration expects a keystore element with the specified id value and a password. The keyStore element is missing, or the password is not specified. Action If SSL is not required, this message can be ignored. If SSL is required, review the configuration and either add the missing keystore, or change the default SSL configuration to use a different keystore.
- CWPKI0818E: The default SSL configuration references a <keyStore> element with an id value of {0}, which does not exist in the configuration or whose definition is missing a password. Either define a keystore with id {0} or update the <ssl id="defaultSSLConfig" keyStoreRef="{0}" /> to reference an existing keystore.
Explanation The default SSL configuration expects a keystore element, which does not exist. Action Review the configuration and either change the configuration to reference an existing keystore, or define the referenced keystore.
- CWPKI0819I: The default keystore is not created because a password is not configured on the <keyStore id="defaultKeyStore"/> element, and the 'keystore_password' environment variable is not set.
Explanation The default keystore is not created because a password is not configured on the <keyStore id="defaultKeyStore"/> element, and the 'keystore_password' environment variable is not set. Action No action is required.
- CWPKI0820A: The default keystore has been created using the 'keystore_password' environment variable.
Explanation The default keystore has been created using the 'keystore_password' environment variable. This is generated into the server.env file during server creation, or overridden in the environment the server was launched from. Action No action is required.
- CWPKI0821I: The {1} default keystore with the {2} keystore type was loaded.
Explanation The default keystore at the specified location and keystore type has been loaded. Action No action is required.
- CWPKI0822W: A minimal default keystore configuration has been specified and the keystores key.jks and key.p12 both exist in the default keystore location. The key.jks will be used as the default keystore.
Explanation With a minimal default keystore configuration, and with both a key.jks file and key.p12 file defined in the default keystore location, the key.jks file will be used as the default keystore. Action To make the key.p12 file the default keystore, either change the keystore configuration to specify the key.p12 location or remove the key.jks file from the configuration. To have the key.jks file as the default keystore, no changes are needed.
- CWPKI0823E: SSL HANDSHAKE FAILURE: A signer with SubjectDN [{0}] was sent from the host [{1}]. The signer might need to be added to local trust store [{2}], located in SSL configuration alias [{3}]. The extended error message from the SSL handshake exception is: [{4}].
Explanation An error occurred during the SSL handshake. It might require a signer export/import from the target host to the client TrustStore. Action Review the extended error message from the TrustManager to determine what needs to change between the target SSL configuration and the client SSL configuration.
- CWPKI0824E: SSL HANDSHAKE FAILURE: Host name verification error while connecting to host [{0}]. The host name used to access the server does not match the server certificate''s [{1}]. The extended error message from the SSL handshake exception is: [{2}].
Explanation An error occurred during the SSL handshake. Host name verification is enabled and the server's identity cannot be verified. The host name used to access the server does not match the server certificate's Subject Alternative Name information or SubjectDN. Action When host name verification is enabled, the server being accessed must be set up with a certificate that contains the information needed to verify the server's identity.
- CWPKI0825W: The trustDefaultCerts attribute is enabled but the default truststore failed to initialize. Because the default truststore did not initialize, only the truststore configured by the {0} SSL configuration is used. The exception that is returned is: {1}.
Explanation The default truststore did not initialize because it could not be retrieved from the trust manager. The default truststore is not used for trust. Only the configured SSL configuration is used. Action Ensure that the default truststore file exists and is accessible.
- CWPKI0826W: The certificate was not retrieved from the {0} environment variable. The certificate was not added to the {1} truststore. The exception that is returned is: {2}.
Explanation The certificate specified in the environment variable cannot be accessed and is not included in the truststore. This problem might be caused by the environment variable, the file name, or the certificate. A failure to add the certificate does not invalidate the SSL configuration, but it might cause problems with establishing trust for outbound connections. Action This problem might result from various causes. Ensure that the environment variable or file is populated with a Base64-encoded certificate.
- CWPKI0827I: The {0} SSL configuration uses the default truststore in addition to the configured truststore.
Explanation The default truststore and the truststore configured for the SSL configuration are both used for trust. Action No action is required.
- CWPKI0828E: The trustDefaultCerts attribute is enabled but trust was not established using the default truststore. The extended error message from the SSL handshake exception is: {0}.
Explanation The default truststore is not properly configured to establish trust. Action Review the extended error message to determine what to change in the configuration.
- CWPKI0829E: SSL certificate update error. {0}
Explanation The SSL certificate could not be updated at the specified location. Action Ensure the location is accessible by the server process. Review the FFDC logs for additional errors that are associated with generating or loading the keys.
- CWPKI0830I: Certificate with the {0} SubjectDN from the {1} environment variable is being added to the {2} keystore.
Explanation A certificate was retrieved from an environment variable in the configuration and is being added to the keystore file. Action No action is required.
- CWPKI0831E: The {0} SSL/TLS protocol cannot be used. Extended error is: {1}
Explanation The protocol provided cannot be used. An error occurs when trying to get an SSLContext instance with the protocol value. Action Ensure that the configuration uses valid SSL/TLS protocol values for this JVM.
- CWPKI0832E: The {0} SSL/TLS protocol value provided cannot be used for configuring a list of SSL protocols values.
Explanation The protocol value is not valid in a protocol list grouping. Action Ensure that the list of SSL/TLS protocols includes only values that are appropriate for a protocol list.
- CWPKI0833E: The {0} SSL/TLS configuration has an error that prevents creation of the SSL/TLS configuration.
Explanation The SSL configuration attributes have an error that prevents SSLContext creation. Action Ensure that the SSL configuration attributes are correct. Review the logs for additional errors associated with SSL configuration attributes.
- CWPKI0834E: The {0} SSL/TLS configuration cannot be set as the process default SSL configuration due to an error.
Explanation The specified SSL/TLS configuration contains an error that prevented it from being set as the process default SSL configuration. Action Ensure that the SSL configuration attributes are correct. Review the logs for errors that are associated with SSL configuration attributes.
- CWPKI0835E: An SSL/TLS configuration cannot be created for the inbound connection because a key manager was not created.
Explanation An error in the configuration prevented the key manager from being created. Action Ensure that the SSL configuration attributes are correct. Review the logs for errors that are associated with SSL configuration attributes.
- CWPKI0836E: An SSL/TLS configuration cannot created because key and trust managers were not created.
Explanation An error in the configuration prevented the key and trust managers from being created. Action Ensure that the SSL configuration attributes are correct. Review the logs for errors that are associated with SSL configuration attributes.
- CWPKI2001E: The ACME certificate authority at the {0} URI responded that the authorization challenge failed for the {1} domain. The challenge status is {2}. The error is ''{3}''.
Explanation The challenge status indicated that the authorization challenge request failed and a certificate cannot be created. Action Review the status message and error for details on the failure.
- CWPKI2002E: The ACME service polling timed out while checking for a successful authorization challenge for the {0} domain from the ACME certificate authority at the {1} URI. The status is {2}. The configured timeout is {3}.
Explanation The certificate authority challenge request was not validated in the configured time and a certificate cannot be created. Action Review the configured certificate authority URI. Verify that the URI can be successfully accessed by the calling server. Verify that the calling server can receive a response from the certificate authority. Review the status code. Some certificate authorities might require a longer timeout.
- CWPKI2003E: The ACME certificate authority at the {0} URI responded that the certificate order failed for the {1} domains. The order status is {2}. The error is ''{3}''.
Explanation The order status indicated that the authorization order request failed and a certificate cannot be created. Action Review the status message and error for details on the failure.
- CWPKI2004E: The ACME service polling timed out while checking for a successful order for the {0} domain from the ACME certificate authority at the {1} URI. The status is {2}. The configured timeout is {3}.
Explanation The certificate authority domain certificate order request did not complete in the configured time and a certificate cannot be created. Action Review the configured certificate authority URI. Verify that the URI can be successfully accessed by the calling server. Verify that the calling server can receive a response from the certificate authority. Review the status code. Some certificate authorities might require a longer timeout.
- CWPKI2005E: The authorization returned from the ACME certificate authority at the {0} URI did not include a valid challenge type. Supported challenge types include {1}.
Explanation The certificate authority returned a challenge type that is currently unsupported. Verify that the certificate authority uses a type in the supported list. Action Select a certificate authority that provides a supported challenge type.
- CWPKI2006I: The ACME certificate authority at the {0} URI provided the following terms of service: {1}
Explanation The certificate authority provides terms of service. Action Review the provided terms of service.
- CWPKI2007I: The ACME service installed a certificate with the {0} serial number that is signed by the ACME certificate authority at the {1} URI. The expiration date is {2}.
Explanation The ACME service successfully retrieved and installed a certificate from the configured certificate authority. Action No action is required.
- CWPKI2008E: The ACME certificate authority directory URI must be a valid URI. The URI received was null or empty. The URI received was ''{0}''.
Explanation The certificate authority directory URI was not configured correctly. Action Enter a valid ACME certificate authority directory URI in the configuration.
- CWPKI2009E: The challenge request to the ACME certificate authority at the {0} URI failed. The error is ''{1}''.
Explanation The challenge request failed and a certificate cannot be created. Action Review the error message for details on the failure.
- CWPKI2010E: The challenge update to the ACME certificate authority at the {0} URI failed. The error is ''{1}''.
Explanation The challenge update failed and a certificate cannot be updated. Action Review the error message for details on the failure.
- CWPKI2011E: The ACME service failed to create the certificate order for the ACME certificate authority at the {0} URI. The error is ''{1}''.
Explanation The certificate order creation failed and a signed certificate cannot be requested. Action Review the error message for details on the failure.
- CWPKI2012E: The ACME service failed to sign the certificate signing request for the ACME certificate authority at the {0} URI. The error is ''{1}''.
Explanation The certificate order was created, but signing the request failed and a signed certificate cannot be requested. Action Review the error message for details on the failure.
- CWPKI2013E: The certificate signing request was created and signed, but the order request to the ACME certificate authority at the {0} URI failed. The error is ''{1}''.
Explanation The certificate order was created and signed, but ordering the certificate from the certificate authority failed. Action Review the error message for details on the failure.
- CWPKI2014E: The certificate signing request for the ACME certificate authority at the {0} URI was created and signed, but encoding the request failed. The error is ''{1}''.
Explanation Encoding the certificate signing request failed and a signed certificate cannot be created. Action Review the error message for details on the failure.
- CWPKI2015E: The ACME service certificate order status request from the ACME certificate authority at the {0} URI failed. The error is ''{1}''.
Explanation An order is completed asynchronously by the certificate authority. The ACME service received an error while checking on the status of the order. A signed certificate cannot be requested. Action Review the error message for details on the failure.
- CWPKI2016E: The ACME service request for an existing account from the ACME certificate authority at the {0} URI failed. The error is ''{1}''.
Explanation An existing account was not found or another error occurred. Changes cannot be made to the account or certificate. Action Review the error message for details on the failure. Verify that the URI can be successfully accessed by the calling server. Verify that the calling server can receive a response from the certificate authority.
- CWPKI2017E: The ACME request for the terms of service from the ACME certificate authority at the {0} URI failed. The error is ''{1}''.
Explanation The terms of service for the ACME certificate authority cannot be logged. Action Review the error message for details on the failure. Visit the ACME certificate authority website to review the terms of service.
- CWPKI2018E: The user account could not be created on the ACME certificate authority at the {0} URI. The error is ''{1}''.
Explanation The user account creation request failed. Action Review the error message for details on the failure.
- CWPKI2019I: The account URL provided by the ACME certificate authority at the {0} URI is {1}.
Explanation The account was successfully created. Action No action is required.
- CWPKI2020E: The ACME service could not read the domain key file for the ACME certificate authority domain. The file location is {0}. The error is ''{1}''.
Explanation The domain key file for the certificate authority account could not be opened. This can occur if file permissions are incorrect or if the file does not exist. Action Review the error message for details on the failure. Verify that the file location is correct and the server has read file permissions.
- CWPKI2021E: The ACME service could not read the account key file for the ACME certificate authority account. The file location is {0}. The error is ''{1}''.
Explanation The account key file for the certificate authority account could not be opened. This can occur if file permissions are incorrect or if the file does not exist. Action Review the error message for details on the failure. Verify the file location is correct and the server has read file permissions.
- CWPKI2022E: The ACME service could not write to the domain key file for the ACME certificate authority domain. The file location is {0}. The error is ''{1}''.
Explanation The domain keys could not be stored in the domain key file. This can occur if the file permissions are incorrect or the file does not exist. Action Review the error message for details on the failure. Verify the file location is correct and the server has write file permissions.
- CWPKI2023E: The ACME service could not write to the account key file for the ACME certificate authority account. The file location is {0}. The error is ''{1}''.
Explanation The account keys could not be stored in the account key file. This can occur if the file permissions are incorrect or the file does not exist. Action Review the error message for details on the failure. Verify the file location is correct and the server has write file permissions.
- CWPKI2024E: The ACME service failed to revoke the requested certificate for the ACME certificate authority at the {0} URI. The certificate is serial number {1}. The error is ''{2}''. This can occur if the directory URI has changed, and if so, it can be ignored.
Explanation A certificate revoke request failed. The certificate might not be revoked and could still be in use. Action Review the error message for details on the failure.
- CWPKI2025W: The ACME service cannot load the account key pair for the ACME certificate authority at the {0} URI.
Explanation The request failed because the account key pair could not be loaded. Action Review the log for any earlier errors for details on the failure.
- CWPKI2026W: The ACME service cannot find the account at the ACME certificate authority at the {0} URI.
Explanation The request failed because the account was not found. Action Review the certificate authority URI.
- CWPKI2027E: The {0} file path for the ACME service is null or empty. The path provided is ''{1}''.
Explanation The file path was null or empty and cannot be used for the domain and account keys. Action Provide a valid file path in the configuration.
- CWPKI2028E: The ACME service could not create a new session to connect to the ACME certificate authority at the {0} URI. The error is ''{1}''.
Explanation The certificate authority could not be contacted and a signed certificate cannot be requested. Action Review the error message for details on the failure. Review the configured certificate authority URI. Verify that the URI can be successfully accessed by the calling server. Verify that the calling server can receive a response from the certificate authority.
- CWPKI2029E: The ACME service could not access the keystore at the {0} file path to find the {1} alias certificate. The error is ''{2}''.
Explanation The keystore could not be accessed while checking for an existing certificate. The request to fetch a new certificate will not be completed because the keystore cannot be accessed. Action Review the error message for details on the failure. Verify the file location is correct and the server has write file permissions.
- CWPKI2030E: The ACME service could not install a certificate under the {0} alias into the {1} keystore. The error is ''{2}''.
Explanation The ACME service received a new certificate from the certificate authority but the certificate cannot be installed locally. Action Review the error message for details on the failure.
- CWPKI2031E: The {0} certificate subject name in the default certificate with the {1} serial number is an invalid distinguished name. The error is ''{2}''.
Explanation The certificate subject name must be formatted as a distinguished name as defined by RFC 2253, similar to a distinguished name used in an LDAP server. Action Review the error message for details on the failure. Revoke or remove the invalid certificate.
- CWPKI2032E: The certificate subject alternative names in the default certificate with the {0} serial number could not be parsed. The error is ''{1}''.
Explanation The certificate is an invalid DER-encoded certificate or contains unsupported DER features. Action Review the error message for details on the failure. Revoke or remove the invalid certificate.
- CWPKI2033E: The ACME service cannot update the {0} account for the ACME certificate authority at the {1} URI. The error is ''{2}''.
Explanation The request to update the account failed due to the specified error. Action Review the error message for details on the failure. Verify that the account key file is for a valid account.
- CWPKI2034E: The ACME service could not create a keystore instance. The error is ''{0}''.
Explanation The ACME service fetched a new certificate, but creating or initializing a keystore for storing the certificate failed. Action Review the error message for details on the failure.
- CWPKI2035E: The ACME service could not store the signed certificate in the {0} keystore. The error is ''{1}''.
Explanation The certificate was successfully retrieved from the certificate authority, but it cannot be stored locally. Action Review the error message for details on the failure. Verify the keystore file location is correct and the server has write file permissions.
- CWPKI2036W: The ACME service timed out waiting for the web authorization application to start. The application is required to complete a certificate request with an ACME certificate authority. The certificate request is attempted. The service waited for {0}.
Explanation The application used to complete a certificate request did not start in the expected time frame. If the application starts, the request proceeds. If the application does not start, the certificate request fails. Action Review the log for earlier messages or errors. Review the log for a CWWKT0016I message that includes a web application with the ''acme-challenge'' URL to indicate that the internal application started.
- CWPKI2037E: The domains for the ACME service were either null or empty.
Explanation The domains were either null or empty and cannot be used. Action Provide at least one non-null, non-empty domain in the configuration.
- CWPKI2038I: The ACME service revoked the certificate with the {0} serial number. The certificate is no longer valid.
Explanation The ACME service revoked the certificate and the certificate is no longer valid. Action No action is required.
- CWPKI2039E: The ''{0}'' distinguished name (DN) defined by subjectDN contains a ''{1}'' cn relative distinguished name (RDN) value that does not match any of the defined domains.
Explanation If the cn RDN value is included in the DN, it must match one of the defined domains. Action Provide either a subjectDN attribute value with a cn RDN value that matches one of the defined domains or a subjectDN attribute value that does not have the cn RDN included.
- CWPKI2040E: The cn relative distinguished name (RDN) was not the first RDN in the subjectDN configuration attribute.
Explanation If the cn RDN is defined, it must be the first RDN in the subjectDN configuration attribute. Action Provide a subjectDN attribute value that either defines the cn attribute as the first RDN, or does not contain the cn attribute. If the cn attribute is not defined, the first defined domain is used as the cn RDN value.
- CWPKI2041E: The ''{0}'' relative distinguished name (RDN) type in the subjectDN configuration attribute is not supported. The following RDN types are supported: cn, o, ou, c, st, l.
Explanation The subjectDN attribute value contains an RDN that is not supported. Action Provide a subjectDN attribute value that does not contain unsupported RDN types. The following RDN types are supported: cn, o, ou, c, st, l.
- CWPKI2042E: The ''{0}'' subjectDN attribute value is not a valid distinguished name. The error is ''{1}''.
Explanation The subjectDN attribute must be a valid distinguished name. Action Provide a valid distinguished name as the subjectDN attribute value.
- CWPKI2043E: The ''{0}'' value is not a valid relative distinguished name (RDN). The error is ''{1}''.
Explanation The ACME service was not able to create an RDN from the specified value. Action Ensure that the domain included in the value is a valid RDN value.
- CWPKI2044E: The certificate is not an X.509 certificate. The certificate type is {0}.
Explanation The ACME service expects all certificates in the certificate chain to be X.509 certificates. Action Ensure that all the certificates in the certificate chain are X.509 certificates and try again.
- CWPKI2045W: The certificate with {0} serial number that is signed by the ACME certificate authority at the {1} URI is not valid until {2}.
Explanation The valid period on the certificate is in the future. SSL and TLS requests fail until the current date and time are within the range specified by the valid period on the certificate. Action Update the local time on the server if the time is incorrect.
- CWPKI2046E: The certificate {0} revocation reason is invalid. Supported revocation reasons are: unspecified, key_compromise, ca_compromise, affiliation_changed, superseded, cessation_of_operations, certificate_hold, remove_from_crl, privilege_withdrawn and aa_compromise.
Explanation The specified revocation reason is not supported. Action Retry the request with a valid revocation reason.
- CWPKI2047E: Failed to register the new account key pair with the ACME certificate authority. The error is ''{0}''.
Explanation The ACME certificate authority returned an error during the account key pair renewal. Action Ensure that the existing account key pair is valid. Review the error message for details on the failure.
- CWPKI2048I: The account key pair renewal is successful. The old account key pair backed up to the {0} file.
Explanation The previous account key pair is no longer associated with the account and is backed up to a file. The new account key pair replaced the old account key pair file. Action No action is required.
- CWPKI2049E: The account key pair did not renew or restore to the existing key pair file. Manually replace the {0} account key pair file with the {1} account key pair file.
Explanation The key pair didn't renew or restore to the old key pair file. Action Manually replace the account key pair files as directed in the message.
- CWPKI2050E: The existing account key pair file did not back up during the account key pair renewal. The error is ''{0}''.
Explanation The existing account key pair file could not be backed up. Action Ensure that the directory containing the existing account key pair file is writable. Review the error message for details on the failure.
- CWPKI2051W: The renewBeforeExpiration property was set to {0} which is shorter than the minimum renew time. The renewBeforeExpiration property is reset to {1}.
Explanation The value for the renewBeforeExpiration property was below the minimum duration to request a new certificate and is reset to the minimum renew time. This could have a negative impact on server performance. Action To avoid this warning message, set the renewBeforeExpiration property in the server configuration to a duration that is longer than the minimum renew time. To use the default setting, remove the renewBeforeExpiration property from the server configuration.
- CWPKI2052I: The certificate with {0} serial number expires on {1}. The ACME service will request a new certificate from the ACME certificate authority at the {2} URI.
Explanation The ACME service requests a new certificate based on the renewBeforeExpiration property in the server configuration and the expiration date of the certificate. If the renewBeforeExpiration property is not configured, the default value is used. Action No action is required.
- CWPKI2053W: The certificate with {0} serial number expired on {1}. The ACME service is not configured to automatically request a new certificate.
Explanation The SSL and TLS requests cannot complete because the certificate expired. Action Update the renewBeforeExpiration property in the server configuration to a value greater than 0 to automatically request a new certificate or use the ACME REST interface to request a new certificate.
- CWPKI2054W: The renewBeforeExpiration property was set to {0}, which is equal to or longer than the validity period of the certificate with {1} serial number. The validity period of the certificate is {2}. The renewBeforeExpiration property is reset to {3}.
Explanation The value of the renewBeforeExpiration property was longer than the validity period of the certificate. The renewBeforeExpiration property is reset to the default value. Action To avoid this warning message, set the renewBeforeExpiration property in the server configuration to an amount that is less than the length of the validity period of the certificate. To use the default setting, remove the renewBeforeExpiration property.
- CWPKI2055W: The renewBeforeExpiration property is set to a short amount of time. The ACME service makes frequent requests for a new certificate. The renewBeforeExpiration property is {0}.
Explanation Frequent certificate requests can have a negative impact on server performance. The number of requests can also exceed the number allowed by the certificate authority. Action To avoid this warning message, set the renewBeforeExpiration property in the server configuration to a longer duration. To use the default setting, remove the renewBeforeExpiration property from the server configuration.
- CWPKI2056W: The validity period of the certificate with {0} serial number is shorter than the {1} minimum renew time. The validity period of the certification is {2}. The renewBeforeExpiration property is reset to {3}.
Explanation The validity period is shorter than the minimum renew time. The certificate expires before a new certificate is requested. Action To avoid certificate expiration, request a certificate with a longer validity period. If the certificate authority supports a custom validity period, set the validFor property in the server configuration.
- CWPKI2057E: Certificate revocation status checking did not create a Java certificate path validation tool to validate the certificate. The error is ''{0}''.
Explanation The certificate revocation checker needs to build a Java certificate path validation tool to check OCSP and CRL revocation status. Action Review the status message and error for details.
- CWPKI2058W: Certificate revocation status checking ignored soft failures. Revocation checking might be incomplete. The failures are: ''{0}''.
Explanation Soft failures include network errors. The ACME service ignores soft errors as they might be temporary glitches. Action If this message is encountered consistently, the cause of the failure must be resolved as it might prevent proper revocation status checking. Otherwise, this warning can be safely ignored.
- CWPKI2059I: Certificate revocation status checking found that the certificate with the {0} serial number is revoked.
Explanation The ACME service found that the certificate was marked revoked by either a CRL or OCSP responder. Action No action is required.
- CWPKI2060E: The OCSP URL from the certificate with the {0} serial number was not retrieved. The error is: ''{1}''.
Explanation The OCSP URL was not retrieved. Action Ensure that the certificate is a valid X.509 certificate. If it is not valid, request a new certificate.
- CWPKI2061E: The CRL distribution points from the certificate with the {0} serial number were not retrieved. The error is ''{1}''.
Explanation The CRL distribution points were not retrieved. Action Ensure that the certificate is a valid X.509 certificate. If it is not valid, request a new certificate.
- CWPKI2062E: The {0} OCSP responder URL defined in the server configuration is not a valid URI. If defined, it must be a valid URI to override the OSCP responder URL contained in the certificate.
Explanation Certificate revocation checking requires a valid OCSP responder URL. Action Provide a valid OCSP responder URL in the server configuration.
- CWPKI2063E: The ACME certificate authority at the {0} URI updated its terms of service and now requires the user to agree to the new terms of service at the following URI before it processes any further requests: {1}
Explanation The certificate authority updated its terms of service and requires user interaction. Action Review the provided terms of service.
- CWPKI2064I: The ACME service retrieved the certificate with the {0} serial number from the {1} URI in {2} seconds.
Explanation The ACME service successfully requested a certificate. Action No action is required.
- CWPKI2065W: The ACME service failed to automatically renew the certificate with the {0} serial number. The request is scheduled to try again in {1}. The certificate expires on {2}. The renew request error is ''{3}''.
Explanation The ACME service tried to renew a certificate but encountered an error. The ACME service continues to request a new certificate until a new certificate is issued. Action Review the error message for details on the failure.
- CWPKI2066E: The ACME service failed to automatically renew the certificate with the {0} serial number. The certificate is revoked. The request is scheduled to try again in {1}. The renew request error is ''{2}''.
Explanation The ACME service tried to renew a certificate but encountered an error. The ACME service continues to request a new certificate until a new certificate is issued. SSL and TLS requests fail until a new certificate request is successful. Action Review the error message for details on the failure.
- CWPKI2067I: The certificate with the {0} serial number is revoked. The ACME service requests a new certificate from the ACME certificate authority at the {1} URI.
Explanation When the ACME service detects that the certificate is revoked, it automatically requests a new certificate. Action No action is required.
- CWPKI2068W: The ACME service automatic certificate checking failed to check if the certificate with the {0} serial number is expiring or revoked. The check is scheduled to try again in {1}. The error is ''{2}''.
Explanation The ACME service started checking if the certificate is expiring or revoked, but failed. Action Review the error message for details on the failure. Review the certificate status using the ACME REST interface. If the certificate needs to be renewed, use the ACME REST interface to request a new certificate.
- CWPKI2069I: The ACME service automatic certificate checking is disabled. Expiring or revoked certificates are not automatically renewed.
Explanation The ACME service does not check for expiring or revoked certificates on an automated schedule. If the certificate expires or is revoked, SSL and TLS requests cannot complete unless the server is restarted or the REST interface is used to renew the certificate. Action No action is required. To enable automatic certificate checking, update the certCheckerSchedule property in the server configuration to a value greater than 0.
- CWPKI2070W: The certCheckerSchedule property was set to {0}, which is shorter than the minimum schedule time. The certCheckerSchedule property is reset to {1}.
Explanation The value for the certCheckerSchedule property was below the minimum duration to check for expiring or revoked certificates and is reset to the minimum schedule time. Action To avoid this warning message, set the certCheckerSchedule property in the server configuration to a duration that is longer than the minimum schedule time. To use the default setting, remove the certCheckerSchedule property from the server configuration.
- CWPKI2071W: The certCheckerErrorSchedule property was set to {0}, which is shorter than the minimum schedule time. The certCheckerErrorSchedule property is reset to {1}.
Explanation The value for the certCheckerErrorSchedule property was below the minimum duration to check for expiring or revoked certificates and is reset to the minimum schedule time. Action To avoid this warning message, set the certCheckerErrorSchedule property in the server configuration to a duration that is longer than the minimum schedule time. To use the default setting, remove the certCheckerErrorSchedule property from the server configuration.
- CWPKI2072W: The ACME service could not read or write the historical ACME file at {0}. The error is ''{1}''.
Explanation The ACME service was unable to access the historical ACME file. Action Ensure that the historical ACME directory has read and write permissions.
- CWPKI2073W: No account contact was specified. It is recommended to set this property in server configuration. If a key is lost or the account is compromised, access to the account is lost.
Explanation The value for the accountContact property was not specified in the server configuration. Action Set the accountContact property in server configuration.
- CWPKI2074W: The ACME service timed out waiting to be signaled that the HTTP port is open. An available HTTP port is required to complete a certificate request with an ACME certificate authority. The certificate request is attempted. The service waited for {0}.
Explanation The service attempts a certificate request. If an HTTP port is open, the request proceeds. If an HTTP port is not open, the certificate request fails. Action Review the log for earlier messages or errors. Review the log for CWWKO0219I messages, which list available endpoints and ports.