Db2

 View Only
  • 1.  DSM 2.1.5.4 CWWKO0801E: Unable to initialize SSL connection

    Posted Mon August 02, 2021 05:08 AM
    Hello,

    Since today I got a "Not Found" message opening the DSM website to login. 
    Found following error in the /opt/IBM/DSM/ibm-datasrvrmgr/work/dsweb/logs/messages.log

    [8/2/21 11:03:30:265 CEST] 00000048 com.ibm.ws.channel.ssl.internal.SSLHandshakeErrorTracker E CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    at com.ibm.jsse2.k.a(k.java:32)
    at com.ibm.jsse2.as.a(as.java:353)
    at com.ibm.jsse2.as.a(as.java:483)
    at com.ibm.jsse2.as.j(as.java:170)
    at com.ibm.jsse2.as.b(as.java:286)
    at com.ibm.jsse2.as.a(as.java:424)
    at com.ibm.jsse2.as.unwrap(as.java:528)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:5)
    at com.ibm.ws.channel.ssl.internal.SSLUtils.handleHandshake(SSLUtils.java:897)
    at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.readyInbound(SSLConnectionLink.java:538)
    at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.ready(SSLConnectionLink.java:311)
    at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:165)
    at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:74)
    at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:503)
    at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:573)
    at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:928)
    at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1017)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.lang.Thread.run(Thread.java:812)

    Best reagrds,
    Joachim

    ------------------------------
    Joachim Müller
    ------------------------------

    #Db2


  • 2.  RE: DSM 2.1.5.4 CWWKO0801E: Unable to initialize SSL connection

    Posted Tue August 03, 2021 02:25 PM
    Hi Joachim,

    Can you check the cert install for DSM?  If you use Chrome, you can click on the "lock" icon in front of the URL, then, see if the certificate is valid.  You can also click on "Certificate" to see more details on the cert.

    ------------------------------
    Jason Sizto
    ------------------------------



  • 3.  RE: DSM 2.1.5.4 CWWKO0801E: Unable to initialize SSL connection

    Posted Wed August 04, 2021 02:35 AM
    Hello Jason,

    This is what I see following your suggestion.




    Best regards,
    Joachim

    ------------------------------
    Joachim Müller
    ------------------------------



  • 4.  RE: DSM 2.1.5.4 CWWKO0801E: Unable to initialize SSL connection

    Posted Wed August 04, 2021 12:40 PM
    Hi Joachim,

    The DSM you have is using the self-signed cert that comes with the install.  It is recommended that you obtain a SSL cert for your DSM machine from an official CA or the internal CA for your company.  You can then configure that cert to DSM.  The error you saw above should be fixed. 

    Once you obtained a SSL cert for the DSM machine, you can follow the steps here to configure the cert to DSM: https://www.ibm.com/docs/en/db2-data-mgr-console/2.1.x?topic=sdsm-establishing-secure-channels-from-browser-data-server-manager

    Alternatively, you can create a self-signed cert for your DSM machine and configure that self-signed cert to DSM.  By doing so, you will see see warning (and accept the warning) when using https connection.  You can look at the Example section for steps to create self-signed cert in case you want to give a try:  https://www.ibm.com/docs/en/db2-data-mgr-console/3.1.x?topic=securing-enabling-https-db2-data-management-console

    ------------------------------
    Jason Sizto
    ------------------------------



  • 5.  RE: DSM 2.1.5.4 CWWKO0801E: Unable to initialize SSL connection

    Posted Thu August 05, 2021 09:53 AM
    Hello Jason,

    Done all steps you suggested but without success. Found a new error message in the log file /opt/IBM/DSM/ibm-datasrvrmgr/work/dsweb/logs/messages.log 

    CWWKE0701E: [com.ibm.ws.security.jaas.common.JAASConfigurationFactory(241)] The activate method has th
    rown an exception Bundle:com.ibm.ws.security.jaas.common(id=106) java.lang.IllegalArgumentException: The headRegion must not be null.
    [8/5/21 15:42:28:841 CEST] 00000028 ibm.ws.security.authentication.internal.jaas.JAASServiceImpl I CWWKS1123I: The collective authentication plugin with class name NullCollectiveAuthenticationPlugin ha
    s been activated.
    [8/5/21 15:42:28:924 CEST] 00000028 com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: An FFDC Incident has been created: "java.lang.IllegalArgumentException: The headRegion must
     not be null. com.ibm.ws.kernel.feature.ApiRegion 167" at ffdc_21.08.05_15.42.28.0.log
    [8/5/21 15:42:28:928 CEST] 00000028 LogService-106-com.ibm.ws.security.jaas.common               E CWWKE0701E: [com.ibm.ws.security.jaas.common.JAASConfigurationFactory(241)] The activate method has th
    rown an exception Bundle:com.ibm.ws.security.jaas.common(id=106) java.lang.IllegalArgumentException: The headRegion must not be null.
            at org.eclipse.equinox.internal.region.StandardRegionDigraph.createConnection(StandardRegionDigraph.java:149)
            at org.eclipse.equinox.internal.region.StandardRegionDigraph.connect(StandardRegionDigraph.java:133)
    ​

    Login came up with a new error:


    Try to solve a startup.sh --clean which I found in the wide web, but also this didn't solve the login issue.

    Best regards,
    Joachim

    ------------------------------
    Joachim Müller
    ------------------------------



  • 6.  RE: DSM 2.1.5.4 CWWKO0801E: Unable to initialize SSL connection

    Posted Thu August 05, 2021 02:27 PM
    Hi Joachim,

    I also search for the error and found the suggested workaround is to clean liberty cache.  I attached the steps I normally use to clean liberty cache below.  But, you mentioned you already tried to do startup.sh --clean.  Another way to remove cache is to remove the work folder under <DSM_Path>.  You can stop DSM and remove the .../<DSM_Path>/work directory, and restart DSM and clear any liberty cache.

    Just in case, the steps to clear liberty cache:
    1. Stop DSM completely.
      • .../<DSM_Path>/ibm-datasrvrmgr/bin/stop.sh
    2. Add DSM JVM to PATH Temporarily with command.
      • export PATH=<DSM_Path>/ibm-datasrvrmgr/java/jre/bin:$PATH
      • Check JAVA Path has been added successfully with command.
      • echo $PATH
      • java -version
    3. Start default WebSphere Liberty server with --clean command to clear cache.
      • cd .../<DSM_Path>/ibm-datasrvrmgr/wlp/bin
      • ./server start --clean
    4. Stop default WebSphere Liberty server with command.
      • ./server stop defaultServer
    5. Restart DSM.
      • .../<DSM_Path>/ibm-datasrvrmgr/bin/start.sh


    ------------------------------
    Jason Sizto
    ------------------------------



  • 7.  RE: DSM 2.1.5.4 CWWKO0801E: Unable to initialize SSL connection

    Posted Fri August 06, 2021 04:36 AM
    Hello Jason,

    That's odd. Try your steps to delete the work directory and clean the liberty cache. But the same result as before, no login possible.
    After I have restored the file SSLConfig.xml to its original state all works fine now.

    That's enough invest for the old DSM. With the next DMC Release (Q4/2021) I will migrate all our production databases to DMC 3.1.x.

    Thanks a lot for your help and time.

    Best regards,
    Joachim

    ------------------------------
    Joachim Müller
    ------------------------------



  • 8.  RE: DSM 2.1.5.4 CWWKO0801E: Unable to initialize SSL connection

    Posted Fri August 06, 2021 05:23 PM
    Hi Joachim,

    Thank you for sharing the solution that helped you resolved the encountered error.  And looking forward to have you move from DSM to DMC soon.

    Kind Regards,

    ------------------------------
    Jason Sizto
    ------------------------------