The following exception will be seen in the logs if trust is not established between the WebSphere Application Server and ECD.
The exception can be thrown for either of the following reasons:
-> Expired ECD certificate.
-> NodeDefaultTrustStore does not contain the renewed ECD certificate.
Exception:
javax.naming.CommunicationException: simple bind failed: <ecd hostname>:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:java.security.cert.CertPathValidatorException: The certificate issued by OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US is not trusted; internal cause is:
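As an added example (not part of the original post), a small Python triage script that scans WebSphere log lines for this bind failure and pulls out the ECD host, port and the issuer DN that is not trusted, so you know which signer to retrieve into NodeDefaultTrustStore. The log excerpt, hostnames and timestamps are constructed; the "certificate_expired" line shows the other cause the post lists.

```python
import re
from typing import Optional

# Constructed sample of a WebSphere log excerpt (not from a real system).
SAMPLE_LOG = """\
[3/14/24 10:02:11:123 EDT] 0000004a LdapRegistryI I   Connecting to ecd.example.internal:636
javax.naming.CommunicationException: simple bind failed: ecd.example.internal:636 [Root exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:java.security.cert.CertPathValidatorException: The certificate issued by OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US is not trusted; internal cause is:
[3/14/24 10:02:12:004 EDT] 0000004a LdapRegistryI I   Reconnecting
javax.naming.CommunicationException: simple bind failed: ecd2.example.internal:636 [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_expired]
"""

# host:port of the LDAP/ECD endpoint the bind was attempted against
BIND_FAILED = re.compile(
    r"javax\.naming\.CommunicationException: simple bind failed: "
    r"(?P<host>[^\s:\[]+):(?P<port>\d+)"
)
# issuer DN reported by the PKIX path validator as not present in the trust store
UNTRUSTED_ISSUER = re.compile(r"The certificate issued by (?P<issuer>.+?) is not trusted")
# JSSE alert / exception text seen when the server certificate has expired
EXPIRED = re.compile(r"certificate_expired|CertificateExpiredException")

REMEDIATION = {
    "untrusted-signer": "retrieve the signer from host:port into NodeDefaultTrustStore",
    "expired-certificate": "renew the ECD certificate, then retrieve the renewed signer",
    "unknown": "inspect the full SSLHandshakeException chain",
}


def parse_bind_failure(line: str) -> Optional[dict]:
    """Return a triage record for one log line, or None if it is not an LDAP SSL bind failure."""
    m = BIND_FAILED.search(line)
    if not m:
        return None
    record = {"host": m.group("host"), "port": int(m.group("port")),
              "cause": "unknown", "issuer": None}
    untrusted = UNTRUSTED_ISSUER.search(line)
    if untrusted:
        record["cause"] = "untrusted-signer"
        record["issuer"] = untrusted.group("issuer")
    elif EXPIRED.search(line):
        record["cause"] = "expired-certificate"
    record["action"] = REMEDIATION[record["cause"]]
    return record


def triage(log_text: str) -> list:
    """Scan a whole log excerpt and return one record per bind failure found."""
    return [r for r in (parse_bind_failure(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```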
The resolution for this issue is split into two parts:
1 -> Extracting the renewed ECD certificate from the remote server via the console.
2 -> Exchanging the extracted signer certificate between the Node and Cell default trust stores.
Extraction of the renewed ECD certificate:
Step 1:
Log in to the admin console of WebSphere Application Server and navigate to Security -> SSL certificate and key management, as shown in the screenshot.
Step 2:
Click on Manage endpoint security configurations under Configuration settings, as shown in the following screenshot.
Step 3:
Click on Outbound -> NodeDefaultSSLSettings.
Step 4:
From the left-hand corner, navigate to Key stores and certificates, as shown in the following screenshot.
Step 5:
Click on NodeDefaultTrustStore.
Step 6:
Click on the Signer certificates tab under Additional properties, as shown in the following screenshot.
Step 7:
Click on the Retrieve from port button, as shown.
Step 8:
Fill in all the general properties with the hostname and SSL port of ECD, click on Retrieve signer information, revalidate the information retrieved, and click on the Apply button.
Completing these steps will create a signer certificate in the NodeDefaultKeyStore.
The steps to exchange the signers between NodeDefaultKeyStore and NodeDefaultTrustStore will be shown in the next blog post.