®

IBM Software Group

Common SSL configuration issues

and solutions
Ajit Jariwala, Bill Holtzhauser
(jariwala@us.ibm.com,wrh@us.ibm.com)
WebSphere Application Server – Support Team
Date: December 01, 2015

WebSphere® Support Technical Exchange

 IBM Software Group

Agenda
 SSL between Plug-in and WebSphere Application Server (WSAS)
 (Plugin --- SSL --- WSAS)
 SSL between WebSphere Application Server and LDAP
 (WSAS --- SSL---- LDAP)
 SSL between Deployment Manager (Dmgr) and Nodes profile (Node)
 (Dmgr --- SSL --- Node)
 SSL between WebSphere Application Server and Remote Server
 (WSAS --- SSL --- MQ® or Backend DB, third party server, web
server, etc)
 SSL between WebSphere Application Server client (like; stopServer,
stopManager, wsadmin, etc) --- SSL--- Remote process (like – dmgr,
nodeagent, appserver)

WebSphere ® Support Technical Exchange 2

 IBM Software Group

Topology Overview

Java™, JMX™,

WebSphere ® Support Technical Exchange 3

 IBM Software Group

SSL – What is the SSL handshake?

 Communication using SSL begins with an exchange of information between the
client and the server. This exchange of information is called the SSL handshake.
 The three main purposes of the SSL handshake are:

1.Negotiate the cipher suite

 The SSL session begins with a negotiation between the client and the server as to
which cipher suite they will use. A cipher suite is a set of cryptographic algorithms
and key sizes to encrypt data.

2.Authenticate identity
 Authenticating the server allows the client to be sure that the server represents the
entity that the client believes the server represents.

3.Establish information security by agreeing on

encryption mechanisms
 The client and server exchange information that allows them to agree on the same
secret key. For example, with RSA, the client uses the server's public key, obtained
from the public key certificate, to encrypt the secret key information.

WebSphere ® Support Technical Exchange 4

 IBM Software Group

How SSL works?

WebSphere ® Support Technical Exchange 5

 IBM Software Group

SSL protocol – process the handshake request

1. ClientHello - The client sends the server information including the
highest version of SSL it supports and a list of the cipher suites it
supports. (TLS 1.0 is indicated as SSL 3.1.) The cipher suite information
includes cryptographic algorithms and key sizes.
 If the cipher suite does not match between SSL client and server,
“SSLHandshakeException: no cipher suites in common” occurs.
2. ServerHello - The server chooses the highest version of SSL and the
best cipher suite that both the client and server support and sends this
information to the client.
3. Certificate - The server sends the client a certificate or a certificate
chain. A certificate chain typically begins with the server's public key
certificate and ends with the certificate authority's root certificate. This
message is optional, but is used whenever server authentication is
required.
 If SSL client can not trust the server (signer certificate can not be
found in the truststore of client), "SSLHandshakeException: No
trusted certificate found (certificate_unknown)“ occurs on SSL client.

WebSphere ® Support Technical Exchange 6

 IBM Software Group

SSL protocol – process the handshake request

4. CertificateRequest - If the server needs to authenticate the client, it
sends the client a certificate request. In Internet applications, this
message is rarely sent.
5. Server key exchange - The server sends the client a server key
exchange message when the public key information sent in 3) above is
not sufficient for key exchange.
6. Server hello done - The server tells the client that it is finished with its
initial negotiation messages.
7. Certificate - If the server requests a certificate from the client in Message
4, the client sends its certificate chain, just as the server did in Message
3.
8. Client key exchange - The client generates information used to create a
key to use for symmetric encryption. For RSA, the client then encrypts
this key information with the server's public key and sends it to the
server.

WebSphere ® Support Technical Exchange 7

 IBM Software Group

SSL protocol – process the handshake request

9. Certificate verify - This message is sent when a client presents a
certificate as above. Its purpose is to allow the server to complete the
process of authenticating the client. When this message is used, the
client sends information that it digitally signs using a cryptographic hash
function. When the server decrypts this information with the client's
public key, the server is able to authenticate the client.
10. Change cipher spec - The client sends a message telling the server to
change to encrypted mode.
11. Finished - The client tells the server that it is ready for secure data
communication to begin.
 If SSL server can not trust the SSL client (signer certificate can not
be found), "SSLHandshakeException: No trusted certificate found
(certificate_unknown)“ occurs on SSL server.
12. Change cipher spec - The server sends a message telling the client to
change to encrypted mode.

WebSphere ® Support Technical Exchange 8

 IBM Software Group

SSL protocol – process the handshake request

13. Finished - The server tells the client that it is ready for secure data
communication to begin. This is the end of the SSL handshake.
14. Encrypted data - The client and the server communicate using the
symmetric encryption algorithm and the cryptographic hash function
negotiated in Messages 1 and 2, and using the secret key that the client
sent to the server in Message 8.
15. Close Messages - At the end of the connection, each side will send a
close_notify message to inform the peer that the connection is closed.

WebSphere ® Support Technical Exchange 9

 IBM Software Group

Four types of SSL configuration in WSAS

 WebSphere provides four types of SSL configuration which enables to
select SSL configuration flexibility. In previous release, SSL configuration
can be referenced only by selecting the SSL configuration alias directly.
 Scope selection
 Associate an SSL configuration and its certificate alias, which is
located in the keystore associated with that SSL configuration, with a
WebSphere Application Server management scope.
 Direct selection
 Select an SSL configuration by using a specific alias, as in past
releases.
 Dynamic selection
 Associate an SSL configuration dynamically with a specific target
host, port, or outbound protocol by using a predefined selection
criteria.
 Programmatic selection
 Specify programmatically which SSL configurations to use prior to
making an outbound connection.

WebSphere ® Support Technical Exchange 10

 IBM Software Group

How to determine SSL configuration

 WebSphere Application Server SSL runtime uses the following order of
precedence for determining which SSL configuration to choose;
1. Java system properties High Priority

2. Programmatic selection

3. Dynamic selection

4. Direct selection

5. Scope selection Low Priority

WebSphere ® Support Technical Exchange 11

 IBM Software Group

SSL Topology

Inbound/Outbound
Use same
keyStore/trustStore
key.p12
trust.p12

WebSphere ® Support Technical Exchange 12

 IBM Software Group

SSL Configuration

WebSphere ® Support Technical Exchange 13

 IBM Software Group

SSL Configuration - continue

Node level
QoP
settings

Important
to keep at
Node

WebSphere ® Support Technical Exchange 14

 IBM Software Group

SSL Configuration - continue

WebSphere ® Support Technical Exchange 15

 IBM Software Group

SSL Configuration – Dynamic

Outbound

Change Custom
SSL config /
certificate alias

WebSphere ® Support Technical Exchange 16

 IBM Software Group

SSL between
Plug-in --- SSL---WebSphere
Application Server

WebSphere ® Support Technical Exchange 17

 IBM Software Group

SSL between Plug-in and

WebSphere Application Server
 HTTP Server (IBM Http Server, IIS, etc)
 (Plugin for WSAS) installation required for plugin
communication.
 By default plugin use – plugin-cfg.xml
 plugin-key.kdb
 plugin-key.sth
 AppServer
 NodeDefaultKeyStore
 NodeDefaultTrustStore
• WAS_HOME/profiles/profileName/config/cells/cellName/nodes/nodeName
• key.p12 and trust.p12

WebSphere ® Support Technical Exchange 18

 IBM Software Group

Problem Scenarios – Plug-in -----SSL-----WSAS

 Web Server SSL
 http://www.ibm.com/support/docview.wss?uid=swg21179559

SSL
SSL

Browser Plug-in

 Note: Mutual
Authentication required plugin-key.kdb
two way SSL NodeDefaultKeyStore
NodeDefaultTrustStore
 Handshake This
diagram shows only
one way SSL
Extract the certificate from AppServer keyStore and import to plugin kdb in signer section
WebSphere ® Support Technical Exchange 19
 IBM Software Group

Problem Scenarios – Plug-in -----SSL---

--WSAS
 Common error and exception noted in
plugin log
Failed in r_gsk_secure_soc_init:
GSK_ERROR_BAD_CERT(gsk rc = 414)
lib_stream: openStream: Failed in
r_gsk_secure_soc_init:
GSK_ERROR_SOCKET_CLOSED(gsk rc =
420)

WebSphere ® Support Technical Exchange 20

 IBM Software Group

Solution – Plug-in -----SSL-----WSAS

 Failed in r_gsk_secure_soc_init:
GSK_ERROR_BAD_CERT(gsk rc = 414)

 http://www.ibm.com/support/docview.wss?uid=swg21433593

 lib_stream: openStream: Failed in

r_gsk_secure_soc_init:
GSK_ERROR_SOCKET_CLOSED(gsk rc = 420)
 PI39126: MODIFY PLUGIN TO AUTOMATICALLY ACCEPT GSKIT
SECURITY UPGRADES
 http://www.ibm.com/support/docview.wss?uid=swg1PI39126

WebSphere ® Support Technical Exchange 21

 IBM Software Group

Solution: Plug-in -----SSL-----WSAS

1. First try to hit page directly with https transport port in browser, it will
prompt with the certificate info. Try to find out serial number from that
certificate.
2. Go back to WebSphere AppServer admin console and check all the
certs to find the matching serial number - once you find that - extract the
certificate into the cert.arm file.
3. If you are using a custom or default .kdb file, then open the .kdb file and
import the cert.arm in Signer Section using ikeyman tool, keytool.
4. Restart Web Server and WebSphere Application Server.

 Note:- If you open the plugin-cfg.xml file you can find which .kdb file is being used and
configured.

V7. security IBM Redbooks – Apply similar to V8 and V8.5

 5.2.3 Securing Web inbound and outbound communication
 http://www.redbooks.ibm.com/redbooks/pdfs/sg247660.pdf
 5.6.2 Securing Web inbound communication – in same v7 redbooks.

WebSphere ® Support Technical Exchange 22

 IBM Software Group

Solution: Plug-in -----SSL-----WSAS (cont)

 How to enable Mutual Authentication in WSAS
 Client authentication
 TWO way SSL handshake negotiation – which means plugin and
AppServer both require SSL certificate exchange. By default its set to
NONE (no mutual authentication)

Change the
settings to
enable

WebSphere ® Support Technical Exchange 23

 IBM Software Group

SSL between
WebSphere Application Server --
- SSL --- LDAP

WebSphere ® Support Technical Exchange 24

 IBM Software Group

SSL between WebSphere Application Server and LDAP

 Understand your topology
 Single stand alone profile or Network Deployment dmgr setup
• Stand alone profile –
− NodeDefaultKeyStore, NodeDefaultTrustStore
• Dmgr profile –
− CellDefaultKeyStore, CellDefaultTrustStore
 You want to manage SSL within WebSphere Default keyStore and trustStore or
by creating new SSL config?
• If you want to use WSAS Centrally managed keyStore/trustStore then
− Import or retrieve signer from port to add LDAP signer into the
trustStore – Mutual authentication does not permit the “retrieve from
port” due to two way handshake.
• If you want to use New SSL alias then – Please see following instruction.
− 5.6.1 Securing LDAP communication
http://www.redbooks.ibm.com/redbooks/pdfs/sg247660.pdf

WebSphere ® Support Technical Exchange 25

 IBM Software Group

SSL between WebSphere Application Server and LDAP

- (cont)

Centrally
managed

Specified SSL
New CUSTOM

WebSphere ® Support Technical Exchange 26

 IBM Software Group

Problem Scenarios – WSAS -----SSL----LDAP

 WebSphere Application Server (Client LDAP) User Registry setup
 LDAP (Server) Port non-SSL : 389
 Stand alone (Single Profile) Port SSL : 636

SSL
LDAP Client
Config
key.p12 NodeDefaultKeyStore
trust.p12 NodeDefaultTrustStore LDAP Server
AppServer

WAS_HOME/profiles/profileName/config/cells/cellName/nodes/nodeName -
key.p12, trust.p12
NOTE: You might see a message in console or in logs saying Simple Bind Failed – this indicates a
problem with connection or certificate - Check certificate content, certificate chain order, firewall etc.

WebSphere ® Support Technical Exchange 27

 IBM Software Group

Single Profile – keyStore and trustStore

WebSphere ® Support Technical Exchange 28

 IBM Software Group

Problem Scenarios – WSAS -----SSL----LDAP

 WebSphere Application Server (Client LDAP) User Registry setup LDAP (Server)
 Network Deployment – ND (profile)
CELL DOMAIN
NodeDefaultKeyStore
NodeDefaultTrustStore
key.p12
SSL
trust.p12
LDAP Client Config AppServer -profile
key.p12, trust.p12

Dmgr AppServer
CellDefaultKeyStore SSL
-ND LDAP Server
CellDefaultTrustStore

WAS_HOME/profiles/profileName/config/cells/cellName/
WAS_HOME/profiles/profileName/config/cells/cellName/ nodes/nodeName/
key.p12 and trust.p12
key.p12 and trust.p12
Network Deployment environment, we recommend that you place this store at the cell level.
Note:- Ensure that security config is propagated with nodes (synchronized)

WebSphere ® Support Technical Exchange 29

 IBM Software Group

Solution: WSAS -----SSL----LDAP

 You can retrieve the LDAP ssl certificate directly into your Integrated
Solution Console – Here we are showing NodeDefaultTrustStore for a single
base profile

 OR – LDAP Admin needs to provide LDAP extracted certificate into the .arm
file, Once you have that then import the certs into the trustStore signers

V7.0 IBM Redbooks http://www.redbooks.ibm.com/redbooks/pdfs/sg247660.pdf

5.2.2 Securing LDAP communication
 Note: Best practice: We recommend that you create a separate
keystore and SSL configuration for the LDAP connection, which ensures
that the LDAP server certificate or signing certificate (if used) is only
trusted for LDAP connections and not other connections.
5.6.1 Securing LDAP communication
• Configuring SSL on WebSphere Application Server

WebSphere ® Support Technical Exchange 30

 IBM Software Group

SSL between
Deployment Manager --- SSL ---
Nodes profile

WebSphere ® Support Technical Exchange 31

 IBM Software Group

SSL between Deployment Manager – Nodes

profile
 Administrative security is enabled – If security is off no SSL communication and
synchronization will work normally.

 By default
 SOAP is the preferred connector, SSL is used to secure communications.

Deployment Manager profile

keyStore – self signed certif icate - CellDef aultKeyStore
CELL DOMAIN
key.p12 trustStore – exchange the signer with keyStore in dmgr –

trust.p12 CellDef aultTrustStore

AppServer
SSL – SOAP key.p12
Dmgr - ND
RMI, IPC trust.p12
AppServer profile
keyStore – self signed certif icate - NodeDef aultKeyStore
Note:- AppServer keyStore (NodeDefaultKeyStore) – self signed certificate needs to
trustStore – exchange the signer with keyStore in AppServer –
Exchange the signer with dmgr trustStore (CellDefaultTrustS tore)
NodeDef aultTrustStore

WebSphere ® Support Technical Exchange 32

 IBM Software Group

SSL between Deployment Manager – Nodes

profile – (cont)
 For V6.1 during profile creation, a single self-signed certificate is created and placed
in the key.p12 and trust.p12 residing in the /etc (for clients) and
/config/cells/<cellname>/nodes/<nodename> dir for a base profile or
/config/cells/<cellname> dir for a dmgr profile. A trust.p12 in
/config/cells/<cellname> contains signers from every profile federated into the cell.
 In V7 and later release the same principle applies, but at profile creation time a self
signed root certificate is created as well that by default expires in 15 years.
 Federation of a node ensures that trust is established between all servers in the Cell,
by default. Client’s still only have signers to connect to servers in the same profile.
 Cross cell connectivity requires signer exchange between
/config/cells/<cellname>/trust.p12 in Cell A with /config/cells/<cellname>/trust.p12 in
Cell B. If you merge these two files, you have complete trust establishment among
all servers.
CELL DOMAIN CELL DOMAIN

A B
AppServer
SSL AppServer
SSL
Dmgr - ND SSL Dmgr - ND

WebSphere ® Support Technical Exchange 33

 IBM Software Group

Solution: Network Deployment –-SSL--Nodes

 Deployment Manager trustStore - (CellDefaultTrustStore) trust.p12 v6.1
should have all nodes signer (ensure that certificate is not missing) for
v7 and later you just need the signer to the root.

 In v6.1 the self signed certificate life span was only 1 year – not
renewing correctly and missing from Deployment Manager caused
synchronization break.
 By following this technote it will setup the self signed certificate for
longer period and synchronization will not break.
• http://www.ibm.com/support/docview.wss?uid=swg21305596

 V7 introduced the root certificate default life span of 15 years so now

even if the self signed certificate expired, synchronization will not break.
If key is missing in NodeDefaultKeyStore, synchronization will break

WebSphere ® Support Technical Exchange 34

 IBM Software Group

SSL between
WebSphere Application Server
--- SSL --- Remote Server

WebSphere ® Support Technical Exchange 35

 IBM Software Group

SSL between WebSphere Application Server ---

SSL ---to Remote Server
 Outbound SSL to Remote Server
 Remote server – e.g. like MQ, DB, Web Server,

CELL
DOMAIN
Outbound call
AppServer
SSL
Dmgr - ND SSL
Remote Server
Client Server

WebSphere ® Support Technical Exchange 36

 IBM Software Group

SSL between WebSphere Application Server –

Web Service outbound to Remote Server
 Most common issue - certificate is “not trusted”

 ServerHello response, then server send certificate chain

 Remote Server closing the socket

 Certificate Chain problem – Chain order does not match Issue To

(A), Issue by (B) –
 Example: Chain [0] A, B Correct chain order Chain [0] A, B
Chain [1] C,D Chain [1] B, C

 AbstractJSSEP 3 Exception caught during init,

java.lang.IllegalArgumentException: Invalid trust file name of null

WebSphere ® Support Technical Exchange 37

 IBM Software Group

Solution: Outbound SSL connection

 MustGather for JSSE, SSL or JCE problems
 http://www.ibm.com/support/docview.wss?uid=swg21162961
i. *=info:SSL=all trace for debugging WebSphere security components
ii. JSSE debug trace for debugging JSSE provider
• javax.net.debug=true system property enables JSSE trace
Check SSL trace to see SSL
 SSL=all trace tells about configuration

 Which type of SSL configuration is selected (Dynamic, programmatic, managed

scope, direct selection)
 Which truststore/keystore is used
Check JSSE trace to see
 javax.net.debug trace tells about
which certificates are sent from remote
 Certificate chain sent from remote
• Distinguished name, expiration, serial number, Issuer etc,,,
 Cipher Suite used in the session

WebSphere ® Support Technical Exchange 38

 IBM Software Group

Solution: Outbound SSL to remote

server
 “No trusted” Certificate – Add missing signer to client
trustStore – (trust.p12)
 In ND topology singer should be added to centrally
managed at cell level
 Any customize SSL configuration for outbound should
add missing signer to client trustStore
 Certificate chaining order issue – Fix the certificate
chain order at remote server endpoint side – nothing
on WSAS client side
 If socket issue – check server side why closing socket

WebSphere ® Support Technical Exchange 39

 IBM Software Group

Solution: WebSphere Application Server ---

SSL --- Remote Server - cont
 Application might be using JSSE API for outbound Socket connection
 1. System property API within java code
 javax.net.ssl.keyStore=<keyStore path>
 javax.net.ssl.keyStoreType=<jks,p12>
 javax.net.ssl.keyStorePassword=<password>
 javax.net.ssl.trustStore=<trustStore path>
 javax.net.ssl.trustStoreType=<jks,p12>
 javax.net.ssl.trustStorePassword=<password>
 2. Alternative to use JVM™ system property to configured –
e.g server.xml
<systemProperties xmi:id="Property_1” name="javax.net.ssl.trustStore“ value="/truststore/xyz.jks“
required="false" />

 3. Best practice
 Dynamic Outbound SSL configuration in WSAS

WebSphere ® Support Technical Exchange 40

 IBM Software Group

SSL between
WSAS client --- SSL --- Remote
process

WebSphere ® Support Technical Exchange 41

 IBM Software Group

SSL between WSAS client --- SSL ---

Remote process
• stopManager, or wsadmin, etc – Any .sh or .bat script
consider as client
• Only if WSAS Global Administrative security is
enabled Client Server
Dmgr or Nodeagent
or AppServer
SSL Process
Client

WAS_HOME/profiles/profileName/bin/stopManager.
sh/bat Dmgr – ND Or AppServ

WAS_HOME/profiles/profileName/etc/key.p12 and stopManager

trust.p12
Or stopNode, stopServer, etc

config/cells/cellName/trust.p12 and key.p12

Note: Client trust.p12 needs signer from server process
config/cells/cellName/nodes/nodeName/trust.p12
trustStore and key.p12

WebSphere ® Support Technical Exchange 42

 IBM Software Group

Client trace instruction (Windows®):

To trace SSL client side:
Before running client commands like
 stopServer
 stopManager
 stopNode
 serverStatus
 wsadmin
 etc

Open the command prompt then …

 set WAS_TRACE "-Djavax.net.debug=true“
Then run the client command … example:
 stopServer dmgr -username (id) -password (pw) >JSSEtrace.log

WebSphere ® Support Technical Exchange 43

 IBM Software Group

Client trace instruction (Linux™):

 To trace client side:
1. Take a backup of original script
2. Edit the client script – here stopManager.sh from WAS_HOME/bin
3. Edit the following line – some release use JAVA_EXE or JAVA_HOME
• "$JAVA_HOME"/bin/java
With following string
"$JAVA_HOME"/bin/java -Djavax.net.debug=true > jsse-
stopServer.log \

4. Output will be recorded in jsse-stopServer.log in WAS_HOME/bin

Successful stop shows in logs – via grep

[root@waslinux bin]# cat jsse-stopServer.log | grep "stop completed"

ADMU4000I: Server dmgr stop completed.
Note: - If there is no issue with SSL then we will see stop completed, if there is a
problem with certificate then we will see exceptions in log

WebSphere ® Support Technical Exchange 44

 IBM Software Group

Solutions: WSAS client --- SSL ---

Remote process
 Client trustStore needs trusted certificate from remote process.

 New ssl.client.props should be added to your scripts for the new

configuration to be effective. SSL configurations in the sas.client.props
and soap.client.props are still effective, but won’t have the enhanced
function unless properties are added.

 RetrieveSigners script the recommended method for downloading signers

from the server to prepare clients.

 RetrieveSigners can be used for Cell->Cell interop by changing the client

truststore (in /etc) to point the server truststore (in
/config/cells/<cellname>) for the local truststore.

 com.ibm.ssl.enableSignerExchangePrompt property in
properties/ssl.client.props file.

WebSphere ® Support Technical Exchange 45

 IBM Software Group

Summary

 Discuss WebSphere Application Server(WSAS)

SSL topologies, SSL terminology, messages and
configuration options like dynamic outbound
endpoints, show some common problems and
solutions with SSL sessions between WSAS and
plug-in, LDAP, Dmgr and nodes, remote hosts and
clients to WSAS like stopServer etc. and provide
some links to reference information and highlight
our social presence.

WebSphere ® Support Technical Exchange 46

 IBM Software Group

Connect with us!

1. Get notified on upcoming webcasts

Send an e-mail to wsehelp@us.ibm.com with subject line “wste
subscribe” to get a list of mailing lists and to subscribe

2. Tell us what you want to learn

Send us suggestions for future topics or improvements about our
webcasts to wsehelp@us.ibm.com

WebSphere ® Support Technical Exchange 47

 IBM Software Group

Questions and Answers

WebSphere ® Support Technical Exchange 48

 IBM Software Group

Recent vulnerabilities notes

 Webcast: Preventing the Secure Socket (SSL)
bugs as named Poodle, Freak, and Bar Mitzvah
Bug

 http://www.ibm.com/support/docview.wss?uid=swg
27046078

WebSphere ® Support Technical Exchange 49

 IBM Software Group

Recent dwAnswers
 What is the procedure to replace the IBM default
certificate With External/Inernal CA certificate in
Websphere Application Server Network
Deployment via the admin console
 https://developer.ibm.com/answers/questions/2069
42/what-is-the-procedure-to-replace-the-ibm-
default-c.html

WebSphere ® Support Technical Exchange 50

 IBM Software Group

Recent dwAnswers (Continued)

 How to replace Websphere default certificate from
SHA1 certificates to Sha256 Certificates and also
Keysize from 1024 to 2048?
 https://developer.ibm.com/answers/questions/2063
39/how-to-replace-websphere-default-certificate-
from.html

WebSphere ® Support Technical Exchange 51

 IBM Software Group

Recent dwAnswers (Continued)

 How do I configure websphere application server
SSL protocol to TLSv1.2?
 https://developer.ibm.com/answers/questions/2069
52/how-do-i-configure-websphere-application-
server-ss.html
 How to configure Liberty Profile Server to avoid
weak Diffie-Hellman key messages from browsers
when using SSL/TLS ?
 https://developer.ibm.com/answers/questions/2122
12/how-to-configure-liberty-profile-server-to-avoid-
w.html

WebSphere ® Support Technical Exchange 52

 IBM Software Group

Recent IBM SupportTV

 How to identify and resolve SSL certificate not
trusted problems?
 https://www.youtube.com/watch?v=ua9gYRUgoZg

 How do I use the keytool command to verify the

certificate chain for WebSphere?
 https://www.youtube.com/watch?v=c-pgDyve1Es

 How do I replace the WAS self signed SSL

certificate with a CA certificate?
 https://www.youtube.com/watch?v=7q7gXZg1DbA

WebSphere ® Support Technical Exchange 53

 IBM Software Group

Additional WebSphere Product Resources

 Learn about upcoming WebSphere Support Technical Exchange webcasts, and access
previously recorded presentations at:
http://www.ibm.com/software/websphere/support/supp_tech.html

 Discover the latest trends in WebSphere Technology and implementation, participate in

technically-focused briefings, webcasts and podcasts at:
http://www.ibm.com/developerworks/websphere/community/
 Join the Global WebSphere Community:
http://www.websphereusergroup.org
 Access key product show-me demos and tutorials by visiting IBM Education Assistant:
http://www.ibm.com/software/info/education/assistant

 View a webcast replay with step-by-step instructions for using the Service Request (SR)
tool for submitting problems electronically:
http://www.ibm.com/software/websphere/support/d2w.html
 Sign up to receive weekly technical My Notifications emails:
http://www.ibm.com/software/support/einfo.html

WebSphere ® Support Technical Exchange 54