IBM WebSphere interserver authentication: LTPA and SSL

Some J2EE applications deployed on WebSphere use a two-layer deployment: one server for the web layer and another for the business logic layer. For this to work you may need to enable global security, and then, to allow the servers to talk to each other, set up LTPA between them. On versions 5.x and 6.0 it is enough to copy the LTPA key from the business server to the application server and set the authentication method; no intermediate steps are needed to allow communication between the servers.

On version 6.1 it is not quite that simple, because RMI communication between servers now runs over SSL, and guess what: if an SSL session can’t be established, no communication is possible.

The error message might be something like: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_CLIENT_SOCKET: JSSL0080E: javax.net.ssl.SSLHandshakeException – The client and server could not negotiate the desired level of security. Reason: com.ibm.jsse2.util.h: No trusted certificate found vmcid: IBM minor code: E07 completed: No]

The key clue here is “No trusted certificate found”: the SSL session could not be established because the certificate presented by the remote server is not trusted by the local server, i.e. its signer certificate is missing from the local truststore.

The solution: on the IBM WebSphere server that needs to initiate the connection (in this case the server running the web layer), execute the following steps:

1) Log on to the WAS console.

2) Go to Security -> SSL and Key Management

3) Select the NodeDefaultTrustStore and then Signer Certificates

4) Define your parameters; the main information to give is the host, which must be the server you wish to connect to, and the port, which is 9043.

5) Just give an alias name and press the button “Retrieve Signer Certificate”

6) Press apply and OK, and you’re done.

Try connecting again. It should work now.
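“Retrieve Signer Certificate” trusts whatever answers on host:9043 at that moment, so it is worth comparing the fetched certificate's fingerprint with the one shown in the business server's own console before you press Apply. The script below is an added example, not part of the original post or of WebSphere: it fetches the certificate the remote server presents on that port and checks its fingerprint against the expected value. The host name is a placeholder and the sample PEM is a constructed blob used only for the offline self-check.

```python
import hashlib
import ssl

BUSINESS_SERVER_HOST = "business-server.example.internal"  # placeholder, not from the post
BUSINESS_SERVER_PORT = 9043  # the port the post tells you to retrieve the signer from

# Constructed PEM with a tiny dummy DER body (not a real certificate); used only
# so the fingerprint helpers can be exercised without a WebSphere server.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQE=\n"
    "-----END CERTIFICATE-----\n"
)


def fetch_pem_from_port(host: str, port: int) -> str:
    """Handshake with host:port and return the certificate it presents, as PEM.

    No validation is done here (there is nothing to validate against yet);
    that is exactly why the fingerprint is checked out of band below.
    A 6.1-era server may only offer old protocol versions, which a modern
    OpenSSL build can refuse; lower its security level if the handshake fails.
    """
    return ssl.get_server_certificate((host, port))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' spellings and return lowercase hex only."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Colon-separated uppercase digest of the DER encoding, as consoles print it."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signer_matches(pem: str, expected: str, algorithm: str = "sha256") -> bool:
    """True only when the retrieved certificate's digest equals the expected one."""
    return normalize_fingerprint(fingerprint(pem, algorithm)) == normalize_fingerprint(expected)


def check_remote_signer(host: str, port: int, expected: str) -> tuple:
    """Fetch the remote certificate and report (matches_expected, actual_fingerprint)."""
    pem = fetch_pem_from_port(host, port)
    return signer_matches(pem, expected), fingerprint(pem)


if __name__ == "__main__":
    print("self-check fingerprint:", fingerprint(CONSTRUCTED_PEM))
    try:
        ok, fp = check_remote_signer(BUSINESS_SERVER_HOST, BUSINESS_SERVER_PORT, "<fingerprint from console>")
        print("remote SHA-256:", fp, "matches expected:", ok)
    except OSError as exc:
        print("could not reach the business server:", exc)
```

If the business server uses the self-signed default certificate, the certificate it presents is the signer itself; with a CA-issued certificate, compare the issuer's fingerprint instead.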