When trying to read the RTSS configuration:
TSPM Server Log:
Caused by: javax.xml.ws.soap.SOAPFaultException: security.wssecurity.WSSContextImpl.s02: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6800E: The entry with alias 'ktppd1' of keystore 'name=RTSS managementScope=(cell):sleslocal:(node):sleslocal' cannot be found: entry=null ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@7c407c4
RTSS Client Log:
Caused by: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6800E: The entry with alias 'ktppd1' of keystore 'name=RTSS managementScope=(cell):sleslocal:(node):sleslocal' cannot be found: entry=null
I found two things that were suss:
In my WebSphere Installation:
wp_profile/config/cells/sleslocal/applications/IBM Tivoli Runtime Security Services Agent.ear/deployments/IBM Tivoli Runtime Security Services Agent/META-INF/RTSSAdminCommandServiceBinding/PolicyTypes/WSSecurity/bindings.xml
I found that there was a seemingly incorrect alias being used for my PDT and certificate:
‘ktppd1’ instead of ‘ktppdt1’
And the Cert CN seemed to be incorrect too:
<tokenGenerator classname="com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator" name="AsymmetricBindingRecipientSignatureToken0">
  <valueType localName="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  <jAASConfig configName="system.wss.generate.x509"/>
  <callbackHandler classname="com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler">
    <keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>
    <key name="CN=ktppdt1, OU=tivoli, O=ibm, C=us" keypass="{xor}Lz4sLChvLTs=" alias="ktppdt1"/>
  </callbackHandler>
</tokenGenerator>
<tokenGenerator classname="com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenGenerator" name="AsymmetricBindingInitiatorEncryptionToken0">
  <valueType localName="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  <jAASConfig configName="system.wss.generate.x509"/>
  <callbackHandler classname="com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler">
    <keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>
    <key name="CN=ktppdt1, OU=tivoli, O=ibm, C=us" alias="ktppdt1"/>
    <properties value="true" name="com.ibm.wsspi.wssecurity.token.cert.useRequestorCert"/>
  </callbackHandler>
</tokenGenerator>
And further down:
<tokenConsumer classname="com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer" name="AsymmetricBindingRecipientEncryptionToken0">
  <valueType localName="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  <jAASConfig configName="system.wss.consume.x509"/>
  <callbackHandler classname="com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler">
    <keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>
    <key name="CN=ktppdt1, OU=tivoli, O=ibm, C=us" keypass="{xor}Lz4sLChvLTs=" alias="ktppdt1"/>
    <certPathSettings>
      <trustAnchorRef reference="RTSSTrustAnchor"/>
    </certPathSettings>
  </callbackHandler>
</tokenConsumer>
So I corrected them, to no real joy (although I didn’t restart the WAS’s at this point, just the RTSS application), but I also noticed that one of my WAS certificates had just rolled over automatically, so I ran the command:
opt/IBM/RTSSClient/registration # ./tspmRegisterRTSS.sh -a -o refresh -f tspmRegisterRTSS.properties
to refresh the certificates being used (detailed in Chapter 11 of the Configuration Guides).
After restarting both the TSPM Server and the WAS RTSS Server, things improved.
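As an added example (not from the original post or from IBM's tooling), a script that lints a bindings.xml for the two problems described above: a key alias that is not in the referenced keystore (the condition behind CWWSS6800E) and a CN in the key's DN that does not match the alias. It assumes the list of aliases per keystore is supplied separately, for instance from `keytool -list`; the bindings sample and the alias set below are constructed.

```python
# Lint a WebSphere WS-Security bindings.xml: each <key> alias must exist in
# the referenced keystore (alias list gathered out of band, e.g. keytool -list)
# and the CN in the key DN should match the alias. Added example, not from the post.
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the post's bindings.xml, with the bad alias.
BINDINGS_XML = """<bindings>
 <tokenGenerator name="AsymmetricBindingRecipientSignatureToken0">
  <callbackHandler>
   <keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>
   <key name="CN=ktppdt1, OU=tivoli, O=ibm, C=us" alias="ktppd1"/>
  </callbackHandler>
 </tokenGenerator>
 <tokenConsumer name="AsymmetricBindingRecipientEncryptionToken0">
  <callbackHandler>
   <keyStore KeyStoreRef="name=RTSS managementScope=(cell):sleslocal:(node):sleslocal"/>
   <key name="CN=ktppdt1, OU=tivoli, O=ibm, C=us" alias="ktppdt1"/>
  </callbackHandler>
 </tokenConsumer>
</bindings>"""

# Constructed: aliases actually present in each keystore (what keytool -list shows).
KEYSTORE_ALIASES = {
    "name=RTSS managementScope=(cell):sleslocal:(node):sleslocal": {"ktppdt1"},
}

def cn_of(dn):
    """Return the CN of an X.500 DN string such as 'CN=ktppdt1, OU=tivoli', or None."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", dn)
    return m.group(1).strip() if m else None

def lint_bindings(xml_text, keystore_aliases):
    """Return a list of (token name, problem) tuples; an empty list means clean."""
    problems = []
    for token in ET.fromstring(xml_text):
        ks, key = token.find(".//keyStore"), token.find(".//key")
        if ks is None or key is None:
            continue
        ref, alias = ks.get("KeyStoreRef"), key.get("alias", "")
        known = {a.lower() for a in keystore_aliases.get(ref, ())}  # JKS aliases are case-insensitive
        if ref not in keystore_aliases:
            problems.append((token.get("name"), f"unknown keystore {ref!r}"))
        elif alias.lower() not in known:  # the condition behind CWWSS6800E
            problems.append((token.get("name"), f"alias {alias!r} not in keystore"))
        cn = cn_of(key.get("name", ""))
        if cn and cn.lower() != alias.lower():
            problems.append((token.get("name"), f"CN {cn!r} does not match alias {alias!r}"))
    return problems
```

Run it against the real file with `lint_bindings(open(path).read(), aliases)` after filling `aliases` from the keystore; the sample above reports both problems for the signature token and nothing for the consumer token.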