Two posts in one day, maybe I will become a blogger yet!
I have been using WebSphere Application Server for a reasonable amount of time (since version 3.5), and one of the hardest things to understand is the SSL configuration. Within WAS there are a number of different parts that use SSL:
- Communication between the node agent and the deployment manager
- Communication between the plugin and the application server
- Inter-communication between the application servers
There are many more, depending on your configuration, but when they go bad they are a bit of a nightmare to solve. I tend to approach the issue in the following way. First, find out which component is not communicating properly, and remember that it is a communication, so by definition at LEAST two parties are involved. When you have found this, check the key store and trust store on each side. The key store contains the key that the component will present, and the trust store contains the certificates that allow that side to validate the other's key. If the communication is within WebSphere (i.e. the examples mentioned above), ensure that the copies of the key and trust stores are the same as those on the deployment manager; if they are not, simply copy them across (after backing up the configuration) and see if that fixes your problem.
If you are communicating outside of WebSphere, ensure that both sides' trust stores contain the relevant certificates for the keys.
Lastly, if you are using a test environment, replace WebSphere’s default keys with ones that take longer to expire. It is surprising how many WebSphere installations hit this issue about one year after they are installed!
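The two checks above (are the node's stores the same as the deployment manager's, and when do the keys in them expire?) can be scripted. The following is an added example, not code from the original post or from IBM: it assumes each node keeps its own copies of the stores as `key.p12` and `trust.p12` (file names and the PKCS12 store type are assumptions; adjust them to your cell), and that the JDK `keytool` from WebSphere's Java is on the PATH for the expiry listing and the longer-lived test key.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes WebSphere-style
# profile directories where each node holds its own copies of key.p12 and
# trust.p12 (these file names are an assumption; adjust for your cell).

STORE_FILES="key.p12 trust.p12"

# compare_stores DMGR_DIR NODE_DIR
# Byte-compares each store file on the node against the deployment manager's
# copy. Returns 0 when every store matches, 1 when any differs or is missing.
compare_stores() {
    dmgr_dir=$1
    node_dir=$2
    rc=0
    for f in $STORE_FILES; do
        if [ ! -f "$dmgr_dir/$f" ]; then
            echo "MISSING on dmgr: $dmgr_dir/$f"
            rc=1
            continue
        fi
        if [ ! -f "$node_dir/$f" ]; then
            echo "MISSING on node: $node_dir/$f"
            rc=1
            continue
        fi
        if cmp -s "$dmgr_dir/$f" "$node_dir/$f"; then
            echo "OK       $f"
        else
            echo "DIFFERS  $f  (node copy is out of step with the dmgr)"
            rc=1
        fi
    done
    return $rc
}

# sync_store DMGR_DIR NODE_DIR FILE
# Backs up the node's copy of FILE (timestamped) before overwriting it with
# the deployment manager's copy, mirroring the "back up, then copy across"
# step from the post.
sync_store() {
    dmgr_dir=$1
    node_dir=$2
    f=$3
    stamp=$(date +%Y%m%d%H%M%S)
    if [ -f "$node_dir/$f" ]; then
        cp "$node_dir/$f" "$node_dir/$f.bak.$stamp"
    fi
    cp "$dmgr_dir/$f" "$node_dir/$f"
}

# list_expiry STORE PASSWORD
# Prints the alias and validity window of every entry in a PKCS12 store,
# so an expiring default key is spotted before it takes the cell down.
# Returns 2 if keytool is not on the PATH.
list_expiry() {
    store=$1
    pass=$2
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found on PATH"
        return 2
    fi
    keytool -list -v -keystore "$store" -storetype PKCS12 -storepass "$pass" \
        | grep -E '^(Alias name|Valid from)'
}

# make_test_key STORE PASSWORD ALIAS DAYS
# Creates a self-signed RSA key pair valid for DAYS days, for test cells
# where the one-year default lifetime is more trouble than it is worth.
make_test_key() {
    keytool -genkeypair -alias "$3" -keyalg RSA -keysize 2048 -validity "$4" \
        -dname "CN=$3" -keystore "$1" -storetype PKCS12 \
        -storepass "$2" -keypass "$2"
}

# Typical use (paths are placeholders for your own profile directories):
#   compare_stores /opt/was/dmgr/config/cells/CELL/nodes/NODE \
#                  /opt/was/node/config/cells/CELL/nodes/NODE
#   list_expiry /opt/was/node/config/cells/CELL/nodes/NODE/key.p12 'STOREPASS'
#   make_test_key /tmp/testkey.p12 'STOREPASS' testserver 3650
```

`compare_stores` only tells you that the files differ, not which side is right; the post's rule is that the deployment manager's copy is the reference, which is why `sync_store` copies in that direction only and keeps a backup of what it overwrites.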
Good luck.