SSL was enabled for Endevor Web Services using a keyring, following the CA Common Services document "Configure Apache Tomcat to Use SSL with Keyrings".
Here is the SSL configuration in server.xml:
<Connector port="XXXX" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
SSLEnabled="true"
algorithm="IbmX509"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
keystoreType="JCERACFKS"
keystoreFile="safkeyring://KEY_RING_OWNER/KEY_RING_NAME"
sslImplementationName="com.ca.sslsocket.CASSLImplementation" />
REST API calls over HTTPS fail.
Turn on SSL debugging in the WSTOMENV JVM options (-Djavax.net.debug=ssl) and reproduce the error. The Tomcat log shows:
javax.net.ssl|SEVERE|4A|https-jsse-nio-XXXX-exec-15|2023-05-03 17:02:44.246 GMT|Thread.java:1178|Fatal (HANDSHAKE_FAILURE): no cipher suites in common (
"throwable" : {
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.ibm.jsse2.g.a(g.java:52)
at com.ibm.jsse2.g.a(g.java:51)
at com.ibm.jsse2.bb.a(bb.java:89)
at com.ibm.jsse2.bb.a(bb.java:132)
Release: 19.0
The site uses ACF2 for mainframe security.
Use the ACF2 list keyring command to show the certificate label in the keyring.
Then issue the CHKCERT command against the personal certificate in the keyring. The output should show that the certificate is stored in ICSF PKDS, which means the keystore type is JCECCARACFKS and not JCERACFKS.
Update server.xml to use keystoreType="JCECCARACFKS":
<Connector port="XXXX" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
SSLEnabled="true"
algorithm="IbmX509"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
keystoreType="JCECCARACFKS"
keystoreFile="safkeyring://KEY_RING_OWNER/KEY_RING_NAME"
sslImplementationName="com.ca.sslsocket.CASSLImplementation" />
Recycle Tomcat after the change.
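The check below is an added example, not part of the original article or of any CA/Broadcom tooling. It reads server.xml and the Tomcat log, then reports SAF keyring connectors whose keystoreType does not match where CHKCERT says the key is stored. Port 8443, the sample XML and log text, and the function names are constructed for illustration; the key_in_pkds flag is the operator's own reading of the CHKCERT output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the server.xml and Tomcat log shown above.
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
  keystoreType="JCERACFKS"
  keystoreFile="safkeyring://KEY_RING_OWNER/KEY_RING_NAME" />
<Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>"""
TOMCAT_LOG = (
    "javax.net.ssl|SEVERE|4A|https-jsse-nio-8443-exec-15|2023-05-03 17:02:44.246 GMT|"
    "Thread.java:1178|Fatal (HANDSHAKE_FAILURE): no cipher suites in common (\n")

HANDSHAKE_RE = re.compile(r"https-jsse-nio-(\w+)-exec-\d+\|.*no cipher suites in common")


def failing_ports(log_text):
    """Ports whose JSSE threads logged 'no cipher suites in common'."""
    return {m.group(1) for m in HANDSHAKE_RE.finditer(log_text)}


def check_connectors(server_xml, log_text, key_in_pkds):
    """Return one finding per SSL connector that reads a SAF keyring.

    key_in_pkds: True when CHKCERT shows the certificate stored in ICSF PKDS.
    Assumption: a key held outside the PKDS keeps the JCERACFKS type.
    """
    expected = "JCECCARACFKS" if key_in_pkds else "JCERACFKS"
    failed = failing_ports(log_text)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no keystore involved
        if not conn.get("keystoreFile", "").startswith("safkeyring://"):
            continue  # file-based keystore, outside this check
        port = conn.get("port")
        actual = conn.get("keystoreType")
        findings.append({
            "port": port,
            "keystoreType": actual,
            "expected": expected,
            "mismatch": actual != expected,
            "handshake_failures_logged": port in failed,
        })
    return findings
```

A finding with both mismatch and handshake_failures_logged set corresponds to the situation described in this article.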