WebSphere Application Server & Liberty

  • 1.  SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired

    Posted Thu June 03, 2021 07:20 PM
      |   view attached
    Using Java8, WebSphere 9.0.5.5
    After created profile and trying to start webspehre and successfully started first time. Then, logged into WAS admin console and enabled security as follows:

    1. Security --> Global Security --> Security Config Wizard --> Check first check box as Enable application security

    2. click on Next --> select user repository as Federated repositories  and click on Next

    3. Enter user administrative user name and password. Click on Next --> Click on Finish

    4. Save

    Then logout from Admin console and restart server. Then, after restarts server I do see bunch of logs in console as below and because of this I couldn't proceed further. Also, find logs as attached. Please, some one help me...

    [6/3/21 18:15:53:796 CDT] 0000005e SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at com.ibm.jsse2.c.a(c.java:29)
    at com.ibm.jsse2.as.a(as.java:130)
    at com.ibm.jsse2.as.unwrap(as.java:473)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:5)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:586)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:346)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
    at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
    at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
    at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
    at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
    at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)

    ------------------------------
    sharat mandava
    ------------------------------

    Attachment(s)

    log
    SystemOut.log   226 KB 1 version


  • 2.  RE: SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired

    Posted Fri June 04, 2021 09:00 AM

    I am guessing that you are running something "around" or "on top of" WebSphere Application Server.

    What I see is what you described and what you showed me (SystemOut.log) ... what that resolves to is that there is a port on WebSphere Application Server that is now configured for SSL traffic and is open and waiting for an SSL connection but instead receives a non-SSL packet (plain text) and so it complains about that.

    There are only a few lines in that SystemOut.log that are not about the plaintext, and they should be reviewed

    [6/3/21 18:16:04:060 CDT] 00000063 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.wim.exception.PasswordCheckFailedException: CWWIM4537E No principal is found from the 'admin' principal name..
    [6/3/21 18:16:02:140 CDT] 00000062 WrappingFileO W switchFiles TRAS0031W: Unable to rename file C:\IBM\WebSphere\AppServer9\profiles\eprofile3\logs\server1\SystemOut.log to C:\IBM\WebSphere\AppServer9\profiles\eprofile3\logs\server1\SystemOut_21.06.03_18.16.02.log during log file rollover. Attempting to copy file contents.

    It is not real clear to me but I think the user registry (Where the userids and passwords etc. are stored) is the file based user registry, and there was a search done for the user 'admin' and it was not found...

    And there is something weird going on in the Windows OS not being able to rename a file.

    Maybe you are using something like RAD or Eclipse to start (And connect) to the server and you have not told RAD/Eclipse that the server is now secure?

    Maybe the way WebSphere Application Server is being started is not with Windows Administrator rights, and that is why the file can not be renamed? 



    ------------------------------
    Bill Holtzhauser
    ------------------------------



  • 3.  RE: SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired

    Posted Fri June 04, 2021 11:31 AM

    WebSphere System Test here.  I believe this is a known issue;  the workaround is to create a custom property in the Security section of the admin console:

    Security > Global Security > Custom Properties
    name: com.ibm.websphere.security.useAllSSLClientAuthKeytypes
    value: true

    And restart the deployment manager and affected node agents.



    ------------------------------
    Jeff Mierzejewski
    Software Engineer
    IBM
    ------------------------------



  • 4.  RE: SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired

    Posted Mon June 07, 2021 01:13 PM
    Edited by sharat mandava Mon June 07, 2021 01:15 PM
    Hello Jeff,

    Even after I have added this custom properties and still getting same exception. Not, sure why this is failing and continuously posting this message in the logs.

    [6/7/21 12:12:37:397 CDT] 0000006f SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at com.ibm.jsse2.c.a(c.java:29)
    at com.ibm.jsse2.as.a(as.java:130)
    at com.ibm.jsse2.as.unwrap(as.java:473)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:5)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:586)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:346)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
    at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
    at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
    at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
    at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
    at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
    .
    If we disable security  and no issues. Without security, our application will not works.
    ------------------------------
    sharat mandava
    ------------------------------



  • 5.  RE: SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired

    Posted Mon June 07, 2021 01:44 PM
    Are you running something that connects to WebSphere?  (like eclipse, RAD, homemade JMX client, or some monitoring software, etc.) 


    Can you upgrade to the latest fixpack of WebSphere and Java?  (you have 9.0.5.5 and 8.0.6.15)

    Recommended updates for WebSphere Application Server
    https://www.ibm.com/support/pages/node/715553

    ------------------------------
    Bill Holtzhauser
    ------------------------------



  • 6.  RE: SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired

    Posted Tue June 08, 2021 02:26 AM
    It could be you are using a port that has not been configured for https, or you are not using TLS program to connect to the TLS port. ( For example using http://  instead of https://

    ------------------------------
    Colin Paice
    ------------------------------



  • 7.  RE: SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired

    Posted Tue June 08, 2021 09:09 AM
    @Colin Paice made an excellent point. Make sure you are using the console using

    unsecured port -  http://<HOSTNAME>​:9060/ibm/console or
    secured port - https://<HOSTNAME>:9043/ibm/console

    If you are not using the default ports, replace 9060 and 9043 with your custom ports.

    ------------------------------
    Regards,
    Azhagesan Pazhani Gurusamy
    ------------------------------