TSPM console error reading the RTSS Configuration

When trying to read the RTSS configuration:

TSPM Server Log:

Caused by: javax.xml.ws.soap.SOAPFaultException: security.wssecurity.WSSContextImpl.s02: 
com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: 
CWWSS6521E: The Login failed because of an exception: 
	javax.security.auth.login.LoginException: com.ibm.wsspi.wssecurity.core.SoapSecurityException: 
	CWWSS6800E: The entry with alias 'ktppd1' of keystore 
		'name=RTSS managementScope=(cell):sleslocal:(node):sleslocal' cannot be found: 
		entry=null ocurred while running action: 
			com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@7c407c4

RTSS Client Log

Caused by: com.ibm.wsspi.wssecurity.core.SoapSecurityException: 
	CWWSS6521E: The Login failed because of an exception: 
	javax.security.auth.login.LoginException: 
		com.ibm.wsspi.wssecurity.core.SoapSecurityException: 
			CWWSS6800E: The entry with alias 'ktppd1' of keystore 
			'name=RTSS managementScope=(cell):sleslocal:(node):sleslocal' cannot be found: entry=null

I found two things that were suss:
In my WebSphere Installation:

wp_profile/config/cells/sleslocal/applications/
 IBM Tivoli Runtime Security Services Agent.ear/
 deployments/IBM Tivoli Runtime Security Services Agent/
 META-INF/RTSSAdminCommandServiceBinding/PolicyTypes/WSSecurity/bindings.xml

I found that there was a seemingly incorrect alias being used for my PDT and certificate:
‘ktppd1’ instead of ‘ktppdt1’
And the Cert CN seemed to be incorrect too:

<tokenGenerator classname="com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator" 
		name="AsymmetricBindingRecipientSignatureToken0">
	<valueType localName="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
	<jAASConfig configName="system.wss.generate.x509"/>
	<callbackHandler classname="com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler">
		<keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>
		<key name="CN=ktppdt1, OU=tivoli, O=ibm, C=us" keypass="{xor}Lz4sLChvLTs=" alias="ktppdt1"/>
	</callbackHandler>
</tokenGenerator>
<tokenGenerator classname="com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator" 
		name="AsymmetricBindingInitiatorEncryptionToken0">
	<valueType localName="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
	<jAASConfig configName="system.wss.generate.x509"/>
	<callbackHandler classname="com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler">
		<keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>
		<key name="CN=ktppdt1, OU=tivoli, O=ibm, C=us" alias="ktppdt1"/>
		<properties value="true" name="com.ibm.wsspi.wssecurity.token.cert.useRequestorCert"/>
	</callbackHandler>
</tokenGenerator>

And further down:

<tokenConsumer classname="com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer" 
     name="AsymmetricBindingRecipientEncryptionToken0">
	<valueType localName=
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
	<jAASConfig configName="system.wss.consume.x509"/>
	<callbackHandler classname="com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler">
		<keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>                    
		<key name="CN=ktppdt1, OU=tivoli, O=ibm, C=us" 
			keypass="{xor}Lz4sLChvLTs=" alias="ktppdt1"/>
		<certPathSettings>
			<trustAnchorRef reference="RTSSTrustAnchor"/>
		</certPathSettings>
	</callbackHandler>
</tokenConsumer>

So I corrected them, to no real joy, (although I didn’t restart the WAS’s at this point, just the RTSS application) but I also noticed that one of my WAS certificates had just rolled over automatically, so I ran the command:

opt/IBM/RTSSClient/registration # ./tspmRegisterRTSS.sh -a -o refresh -f tspmRegisterRTSS.properties

To refresh the certificates being used.  (Detailed in Chapter 11 of the Configuration Guides)

After restarting both the TSPM Server and the WAS RTSS Server, things improved.
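
A check for the alias mismatch described above, as an added example that is not part of the original post: it parses a bindings.xml and reports every key entry whose alias is missing from the keystore or whose name differs from the certificate subject. The `<bindings>` wrapper element, the sample XML and the `KEYSTORE` map (alias to subject DN, copied by hand from a keystore listing) are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed bindings.xml content under a made-up <bindings> root.
# The first <key> carries the mistyped alias 'ktppd1' from the error message.
SAMPLE_BINDINGS = """<bindings>
 <tokenGenerator name="AsymmetricBindingRecipientSignatureToken0">
  <callbackHandler>
   <keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>
   <key name="CN=ktppd1, OU=tivoli, O=ibm, C=us" alias="ktppd1"/>
  </callbackHandler>
 </tokenGenerator>
 <tokenConsumer name="AsymmetricBindingRecipientEncryptionToken0">
  <callbackHandler>
   <keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>
   <key name="CN=ktppdt1, OU=tivoli, O=ibm, C=us" alias="ktppdt1"/>
  </callbackHandler>
 </tokenConsumer>
</bindings>"""

# Assumption: alias -> subject DN, copied by hand from a listing of the RTSS keystore.
KEYSTORE = {"ktppdt1": "CN=ktppdt1, OU=tivoli, O=ibm, C=us"}

def _local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def _norm_dn(dn):
    """Compare DNs ignoring case and spacing around commas."""
    return ",".join(p.strip().casefold() for p in dn.split(","))

def audit_bindings(xml_text, keystore):
    """Return (token name, keystore ref, alias, problem) for every bad <key>."""
    findings = []
    for token in ET.fromstring(xml_text).iter():
        if _local(token.tag) not in ("tokenGenerator", "tokenConsumer"):
            continue
        store = None
        for el in token.iter():
            if _local(el.tag) == "keyStore":
                store = el.get("KeyStoreRef")
            elif _local(el.tag) == "key":
                alias, dn = el.get("alias"), el.get("name", "")
                if alias not in keystore:
                    findings.append((token.get("name"), store, alias, "alias not in keystore"))
                elif _norm_dn(dn) != _norm_dn(keystore[alias]):
                    findings.append((token.get("name"), store, alias, "subject DN mismatch"))
    return findings

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_BINDINGS, KEYSTORE):
        print(finding)
```

Running it against each application's bindings.xml after a certificate rollover or refresh shows which token generators and consumers still point at an alias the keystore no longer holds.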
