TSPM console error reading the RTSS Configuration

When trying to read the RTSS configuration:

TSPM Server Log:

Caused by: javax.xml.ws.soap.SOAPFaultException: security.wssecurity.WSSContextImpl.s02: 
com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: 
CWWSS6521E: The Login failed because of an exception: 
	javax.security.auth.login.LoginException: com.ibm.wsspi.wssecurity.core.SoapSecurityException: 
	CWWSS6800E: The entry with alias 'ktppd1' of keystore 
		'name=RTSS managementScope=(cell):sleslocal:(node):sleslocal' cannot be found: 
		entry=null ocurred while running action: 
			com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@7c407c4

RTSS Client Log

Caused by: com.ibm.wsspi.wssecurity.core.SoapSecurityException: 
	CWWSS6521E: The Login failed because of an exception: 
	javax.security.auth.login.LoginException: 
		com.ibm.wsspi.wssecurity.core.SoapSecurityException: 
			CWWSS6800E: The entry with alias 'ktppd1' of keystore 
			'name=RTSS managementScope=(cell):sleslocal:(node):sleslocal' cannot be found: entry=null

I found two things that were suss:
In my WebSphere Installation:

wp_profile/config/cells/sleslocal/applications/
 IBM Tivoli Runtime Security Services Agent.ear/
 deployments/IBM Tivoli Runtime Security Services Agent/
 META-INF/RTSSAdminCommandServiceBinding/PolicyTypes/WSSecurity/bindings.xml

I found that their was a seemingly incorrect alias being used for my PDT and certificate:
‘ktppd1’ instead of ‘ktppdt1’
And the Cert CN seemed to be incorrect too:

<tokenGenerator classname="com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator" 
		name="AsymmetricBindingRecipientSignatureToken0">
	<valueType localName="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
	<jAASConfig configName="system.wss.generate.x509"/>
	<callbackHandler classname="com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler">
		<keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>
		<key name="CN=ktppdt1, OU=tivoli, O=ibm, C=us" keypass="{xor}Lz4sLChvLTs=" alias="ktppdt1"/>
	</callbackHandler>
</tokenGenerator>
<tokenGenerator classname="com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator" 
		name="AsymmetricBindingInitiatorEncryptionToken0">
	<valueType localName="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
	<jAASConfig configName="system.wss.generate.x509"/>
	<callbackHandler classname="com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler">
		<keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>
		<key name="CN=ktppdt1, OU=tivoli, O=ibm, C=us" alias="ktppdt1"/>
		<properties value="true" name="com.ibm.wsspi.wssecurity.token.cert.useRequestorCert"/>
	</callbackHandler>
</tokenGenerator>

And further down:

<tokenConsumer classname="com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer" 
     name="AsymmetricBindingRecipientEncryptionToken0">
	<valueType localName=
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
	<jAASConfig configName="system.wss.consume.x509"/>
	<callbackHandler classname="com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler">
		<keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>                    
		<key name="CN=ktppdt1, OU=tivoli, O=ibm, C=us" 
			keypass="{xor}Lz4sLChvLTs=" alias="ktppdt1"/>
		<certPathSettings>
			<trustAnchorRef reference="RTSSTrustAnchor"/>
		</certPathSettings>
	</callbackHandler>
</tokenConsumer>

So I corrected them, to no real joy, (although I didn’t restart the WAS’s at this point, just the RTSS application) but I also noticed that one of my WAS certificates had just rolled over automatically, so I ran the comand:

opt/IBM/RTSSClient/registration # ./tspmRegisterRTSS.sh -a 
          -o refresh -f tspmRegisterRTSS.properties

To refresh the certificates being used.  (Detailed in Chapter 11 of the Configuration Guides)

After restarting both the TSPM Server and the WAS RTSS Server, things improved.

Comments are closed.

WordPress.com.

Up ↑

%d bloggers like this: