Unable to log in to the WebSphere console with an LDAP id

Users are unable to log in to the WebSphere admin console where LDAP is integrated. From the logs we could see the error below:

00000048 SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? at com.ibm.jsse2.b.a(b.java:33) at com.ibm.jsse2.nc.a(nc.java:456) at com.ibm.jsse2.nc.unwrap(nc.java:373) at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:26) at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:534) at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:294) at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214) at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)

Since we are unable to log in to the WebSphere admin console, let's try disabling security manually.

To disable security manually, follow the steps below:

1. Take a backup of the security.xml file located at <PROFILE_HOME>/config/cells/CellName/security.xml.

2. Update enabled="true" to enabled="false" on the first occurrence in the security.xml file, then kill the running admin process, since we cannot stop it cleanly without a working userid and password.

This enabled attribute controls the security of the admin console; it acts as an on/off switch.

3. Start the dmgr or the AppNode. Now we should be able to log in to the admin console without a userid and password.

Once logged in, proceed to “Security -> SSL certificate and key management”.


From there, select “Key stores and certificates -> NodeDefaultKeyStore -> Personal certificates”.


Once the configured certificates are displayed, check the expiration date of each certificate.

If the certificates are still valid, the issue might be due to certificate validation; add the JVM argument below and restart the server:

  • -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to avoid possible “No subject alternative names” errors

Follow the steps below to add the JVM argument in WebSphere Application Server:
--> Log in to the Admin console. In the left pane, expand the Servers node.
--> Click Application Servers, then click the name of the server that you want to configure.
--> Select Process Definition ► Java Virtual Machine.
--> Provide the JVM options in the Generic JVM Arguments text box.
    Example: -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
--> Click Apply, then click Save to save the changes to the master configuration.
--> Restart the server so that the new settings are used.

You can verify that the argument was picked up by checking the ps -ef | grep -i WebSphere output for the newly added JVM argument.

4. Then go back to the security.xml file and change the value back to enabled="true". Kill the admin process, start it again, and try to log in to the admin console with the LDAP id and password.

The issue might be due to a WebSphere patch update in which Java was updated and started validating subject alternative names. The issue was resolved with the JVM argument above.
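The security.xml switch from steps 2 and 4, as an added shell example that is not part of the original post: it takes a timestamped backup, flips only the first enabled= attribute, and reports the switch's current value. It assumes the file lives at $PROFILE_HOME/config/cells/<CellName>/security.xml and works on a constructed sample so it can run offline.

```shell
# Added example (not from the original post): flip the administrative security
# switch in a WebSphere security.xml, taking a backup first. Only the FIRST
# enabled="..." attribute is changed: that is the global switch on the
# <security:Security> element; later enabled= attributes are left alone.
set -eu

# backup_security_xml FILE -> copies FILE to FILE.<timestamp>.bak, prints the path
backup_security_xml() {
    bak="$1.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$1" "$bak"
    printf '%s\n' "$bak"
}

# first_enabled FILE -> prints the current value (true/false) of the switch.
# The leading (^|[^A-Za-z_]) keeps attributes such as appEnabled from matching.
first_enabled() {
    awk 'match($0, /(^|[^A-Za-z_])enabled="(true|false)"/) {
             s = substr($0, RSTART, RLENGTH)
             sub(/.*="/, "", s); sub(/"$/, "", s)
             print s; exit }' "$1"
}

# set_first_enabled FILE true|false -> rewrites only the first match, through
# a temp file so an interrupted write cannot leave a truncated security.xml.
set_first_enabled() {
    file="$1"; value="$2"
    case "$value" in true|false) ;; *) echo "use true or false" >&2; return 1 ;; esac
    tmp="$file.tmp.$$"
    awk -v v="$value" '
        !done && match($0, /(^|[^A-Za-z_])enabled="(true|false)"/) {
            m = substr($0, RSTART, RLENGTH)
            sub(/"(true|false)"$/, "\"" v "\"", m)
            $0 = substr($0, 1, RSTART - 1) m substr($0, RSTART + RLENGTH)
            done = 1
        }
        { print }' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Constructed sample standing in for a real security.xml so this runs offline.
WORK=$(mktemp -d); SAMPLE="$WORK/security.xml"
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" enabled="true" appEnabled="true">
  <authMechanisms xmi:type="security:LTPA" enabled="true"/>
</security:Security>
EOF
backup_security_xml "$SAMPLE" >/dev/null
set_first_enabled "$SAMPLE" false   # step 2: the console will start unsecured
echo "security switch is now: $(first_enabled "$SAMPLE")"
```

Run it against a real profile only after the admin process has been killed as described above, and switch back to enabled="true" as soon as the LDAP login works again, because an unsecured console accepts anyone.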
