Users are unable to log in to the WebSphere admin console where LDAP is integrated. The logs show the error below:
00000048 SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at com.ibm.jsse2.b.a(b.java:33)
    at com.ibm.jsse2.nc.a(nc.java:456)
    at com.ibm.jsse2.nc.unwrap(nc.java:373)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:26)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:534)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:294)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
Since we cannot log in to the WebSphere admin console, we disable administrative security manually.
To disable security manually, follow the steps below:
1. Take a backup of the security.xml file located at <PROFILE_HOME>/config/cells/CellName/security.xml
2. Change enabled="true" to enabled="false" at its first occurrence in security.xml, then kill the running admin process (dmgr or application server), since we cannot stop it cleanly without a working user ID and password.
This enabled attribute controls administrative security for the admin console; it acts as an on/off switch.
3. Start the dmgr or the application server node. Now we should be able to log in to the admin console without a user ID and password.
Once logged in, proceed to “Security -> SSL certificate and key management”.
From there, select “Key stores and certificates -> NodeDefaultKeyStore -> Personal certificates”.
Once the configured certificates are displayed, check the expiration date of each certificate.
If the certificates are still valid, the issue might be due to certificate validation. Add the JVM argument below and restart the server:
- -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true (avoids the possible "No subject alternative names" error; this property turns off LDAP endpoint identification, so the JVM no longer checks that the LDAP server certificate's name matches the host it connects to)
Follow the steps below to add a JVM argument in WebSphere Application Server:
--> Log in to the admin console. In the left pane, expand the Servers node.
--> Click Application Servers, then click the name of the server that you want to configure.
--> Select Process Definition ► Java Virtual Machine.
--> Provide the JVM options in the Generic JVM Arguments text box. Example: -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
--> Click Apply, then click Save to save the changes to the master configuration.
--> Restart the server so that the new settings are used. You can verify the newly added JVM argument in the output of ps -ef | grep -i WebSphere.
4. Then go back to the security.xml file and change the attribute back to enabled="true". Kill the admin process, start it again, and try to log in to the admin console with an LDAP ID and password.
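The edit in steps 2 and 4 above is easy to get wrong by hand (the wrong enabled attribute gets flipped, or no backup is taken first). The script below is an added example, not part of the original post or of WebSphere itself: it backs up security.xml with a timestamp, flips only the first enabled="..." occurrence (the administrative security switch on the root element), and reports the current state. The file path and the small security.xml stand-in it writes are constructed for illustration; on a real system point it at <PROFILE_HOME>/config/cells/CellName/security.xml.

```shell
# Added example (not from the original post): toggle the administrative
# security switch in security.xml with a timestamped backup, as steps 2
# and 4 above do by hand. All paths and the sample XML are constructed.

# Print the value of the FIRST enabled="..." attribute in the file. On a
# real security.xml that is the switch on the <security:Security> root.
security_state() {
  awk 'match($0, /enabled="[a-z]*"/) {
         print substr($0, RSTART + 9, RLENGTH - 10); exit }' "$1"
}

# toggle_security FILE true|false
# Backs up FILE, then flips only the first enabled="..." occurrence,
# leaving later enabled attributes (e.g. on singleSignon) untouched.
toggle_security() {
  file="$1"; want="$2"
  case "$want" in
    true)  have=false ;;
    false) have=true ;;
    *) echo "usage: toggle_security FILE true|false" >&2; return 2 ;;
  esac
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  if [ "$(security_state "$file")" = "$want" ]; then
    echo "security already enabled=\"$want\" in $file"
    return 0
  fi
  # Step 1 of the post: keep a backup before touching the file.
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
  awk -v have="$have" -v want="$want" '
    !done && index($0, "enabled=\"" have "\"") {
      sub("enabled=\"" have "\"", "enabled=\"" want "\""); done = 1 }
    { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Write a constructed stand-in for security.xml (only the attributes the
# example needs) and print its path.
make_sample_security_xml() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0" enabled="true" appEnabled="true" enforceJava2Security="false" activeUserRegistry="LDAPUserRegistry_1">
  <singleSignon enabled="true" requiresSSL="true" domainName=""/>
</security:Security>
EOF
  echo "$f"
}

# Usage on the constructed sample:
#   f=$(make_sample_security_xml)
#   toggle_security "$f" false   # step 2: disable, then restart the process
#   security_state "$f"          # prints: false
#   toggle_security "$f" true    # step 4: re-enable once the fix is in
```

The first-occurrence rule matters because security.xml carries several enabled attributes; only the one on the root element is the admin security switch, so a global search-and-replace would also change unrelated settings such as single sign-on.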
The issue is likely due to a WebSphere patch update in which Java was updated and started validating subject alternative names. The issue was resolved with the JVM argument above.