Errors configuring Secure Sockets Layer encrypted access

 


 

 

You might see errors when you configure SSL for encrypted access. This article describes some of the common errors that you might encounter and suggests how to fix them.

What kind of error are you seeing?

  1. "The Java Cryptographic Extension (JCE) files were not found." error when launching iKeyman
  2. "Unable to verify MAC." error when the wrong keystore password is used
  3. "SSL handshake failure" error when no trusted certificate is found
  4. The certificate alias cannot be found in the keystore

If you do not see a problem that resembles yours, or if the information provided does not solve your problem, contact IBM support for further assistance.

 

"The Java Cryptographic Extension (JCE) files were not found." error when launching iKeyman

You might receive the following error when you attempt to start the iKeyman tool:

"The Java Cryptographic Extension (JCE) files were not found.
Please check that the JCE files have been installed in the correct directory."

When you click OK, the iKeyman tool closes. To resolve this problem:

 

"Unable to verify MAC." error when the wrong keystore password is used

You might receive the following error when the password that is supplied for the keystore is incorrect:

CWPKI0033E: The keystore located at "C:/WebSphere/AppServer/profiles/AppSrv01/etc/trust.p12" 
            failed to load due to the following error: Unable to verify MAC.

Update the Password field that references this keystore so that it contains the correct password. The default password is WebAS. Never use this password in a production environment.

 

"SSL handshake failure" error when no trusted certificate is found

You might receive the following error when you attempt to add the signer to the local truststore:

CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=BIRKT40.austin.ibm.com, O=IBM, C=US" was sent from target host:port "9.65.49.131:9428".

The signer might need to be added to the local truststore...

/AppServer/profiles/Dmgr09/etc/trust.p12

...that is located in the SSL configuration alias DefaultSSLSettings. The truststore is loaded from the SSL configuration file...

/AppServer/profiles/Dmgr09/properties/ssl.client.props

The extended error message from the SSL handshake exception is:

 "No trusted certificate found."

This error indicates that the signer certificate from the specified target host and port was not found in the specified truststore, SSL settings, and SSL configuration file. If this occurs in a client process, there are several things that you can do:

If this issue occurs in a server process, then complete one of the following procedures:

 

The certificate alias cannot be found in the keystore

You might receive the following error when the certificate alias is not found in the referenced keystore:

CWPKI0023E: The certificate alias "default" specified by the property 
            com.ibm.ssl.keyStoreClientAlias is not found in KeyStore 
            "c:/WebSphere/AppServer/profiles/Dmgr01/config/cells/myCell/key.p12".  

This error indicates that the specified certificate alias cannot be found in the referenced keystore. Either change the certificate alias or make sure that the alias exists in the specified keystore.
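
The following standalone check covers both the "Unable to verify MAC." and the missing-alias errors. It is an added example, not IBM's code: it loads a PKCS12 keystore with the standard java.security.KeyStore API and reports whether the password failed the keystore's integrity (MAC) check or the alias is absent. The class name, the sample password, and the in-memory sample keystore are constructed for illustration, and it assumes that the JDK's PKCS12 provider reports a wrong password the way the KeyStore.load contract describes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.spec.SecretKeySpec;

public class KeystoreCheck {
    enum Result { OK, WRONG_PASSWORD, ALIAS_NOT_FOUND }

    // Load a PKCS12 keystore and look up an alias, separating the two failure
    // modes: the integrity (MAC) check failed, or the alias is absent.
    static Result check(byte[] p12, char[] password, String alias)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try {
            ks.load(new ByteArrayInputStream(p12), password);
        } catch (IOException e) {
            // KeyStore.load documents UnrecoverableKeyException as the cause
            // when the failure is due to a wrong password.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return Result.WRONG_PASSWORD;
            }
            throw e; // truncated or corrupt file, not a password problem
        }
        return ks.containsAlias(alias) ? Result.OK : Result.ALIAS_NOT_FOUND;
    }

    // Constructed sample: an in-memory PKCS12 store with one throwaway entry.
    static byte[] sampleStore(char[] password, String alias)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty keystore
        ks.setEntry(alias,
                new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES")),
                new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] good = "constructed-sample-pw".toCharArray();
        byte[] p12 = sampleStore(good, "default");
        System.out.println(check(p12, good, "default"));
        System.out.println(check(p12, "wrong".toCharArray(), "default"));
        System.out.println(check(p12, good, "missing"));
    }
}
```

To test a real keystore, read the file into a byte array and pass the password from a prompt or protected source rather than the command line.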


 
