IBM WebSphere interserver authentication: LTPA and SSL

In some J2EE applications deployed on WebSphere you may have a two-layer deployment: one server for the web layer and another for the business-logic layer. For this to work you may need to enable global security, and then, to allow communication between the servers, you need to set up LTPA between them. On versions 5.x and 6.0, simply copying the LTPA key from the business server to the application server and setting the authentication method does the trick; no intermediate steps are needed to allow communication between the servers.

On version 6.1 it is not quite that simple, because RMI communication between servers now runs over SSL, and guess what: if an SSL session can’t be established, the communication is not possible.

The error message might be something like: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E: javax.net.ssl.SSLHandshakeException – The client and server could not negotiate the desired level of security. Reason: com.ibm.jsse2.util.h: No trusted certificate found vmcid: IBM minor code: E07 completed: No]

The key phrase here is “No trusted certificate found”: the SSL session could not be established because the signer certificate of the server you are connecting to is not present in the local trust store.

The solution: on the IBM WebSphere server that needs to initiate the communication (in this case the server running the web layer), execute the following steps:

1) Log on to the WAS console.

2) Go to Security -> SSL and Key Management.

3) Select the NodeDefaultTrustStore and then Signer Certificates.

4) Define your parameters; the main information to give is the host, which must be the server you wish to connect to, and the port, which is 9043.

5) Give an alias name and press the button “Retrieve Signer Certificate”.

6) Press Apply and OK, and you’re done.

Try connecting again. It should work now.
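The signer retrieved in step 5 is simply whatever the remote port presents, so it is worth confirming its fingerprint against the one shown on the business server’s own console before pressing Apply. The script below is an added example (not from this post, and not IBM code) that does the same retrieval from host:9043 with Python 3’s standard library and prints the fingerprints; it assumes the remote node still uses WebSphere’s default self-signed certificate, so the certificate presented is itself the signer.

```python
"""Fetch the certificate a WebSphere server presents on its secure port
(9043 by default) and show its fingerprints, so the signer can be checked
against the value known on the business server before it is trusted."""
import hashlib
import socket
import ssl
import sys


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of a DER certificate, the form
    the WAS console shows on the signer certificate panel."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_expected(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """Compare a certificate with a fingerprint obtained out of band
    (e.g. read from the business server's console); case, spaces and
    colons in the expected value are ignored."""
    normalised = expected.replace(":", "").replace(" ", "").upper()
    return fingerprint(der, algo).replace(":", "") == normalised


def fetch_peer_cert(host: str, port: int = 9043, timeout: float = 10.0) -> bytes:
    """Perform a TLS handshake WITHOUT verification (the peer is not trusted
    yet, which is the whole point) and return the DER certificate presented.
    Assumption: with WebSphere's default self-signed node certificate this
    certificate is the signer itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # usage: python fetch_signer.py <host> [port] [expected-sha1-fingerprint]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9043
    der = fetch_peer_cert(host, port)
    print("SHA-1  :", fingerprint(der, "sha1"))
    print("SHA-256:", fingerprint(der, "sha256"))
    if len(sys.argv) > 3:
        ok = matches_expected(der, sys.argv[3])
        print("matches expected fingerprint:", ok)
        sys.exit(0 if ok else 1)
    # PEM form, in case the signer is to be imported into the trust store by hand
    print(ssl.DER_cert_to_PEM_cert(der))
```

Run it against the business server’s host before step 6; if the printed SHA-1 differs from the one shown in that server’s console, do not apply the retrieved signer.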


3 thoughts on “IBM WebSphere interserver authentication: LTPA and SSL”

  1. Hi, thanks for your info.

    I’m facing the same issue now. Could you please let me know how to extract the signer certificate to be able to use it in the web layer?

  2. Hi, I have the same problem, but I tried this solution over and over again and it doesn’t work. Is there another solution for this problem?

    • Yes there is. I can’t quite show how it’s done, but you need to go to the protocol sections of your WebSphere and tell it to use normal communications and not use SSL. It’s like changing from “Supported” to “Not Supported”.
