Premaster RSA secret error with 4096-bit encryption in WAS ISC

Had a customer the other day that couldn’t import their SSL certificate into the WebSphere Application Server (WAS) Integrated Solutions Console (ISC) due to an “RSA premaster secret” error being shown when attempting the import. A PMR with IBM Support confirmed my suspicion that export restrictions were in play. Here is the response from IBM Support.

The premaster RSA secret error with 4096-bit encryption is usually due to the unrestricted JCE policy requirement.

Please try to install the unrestricted policy files as follows:

  • Take a backup of the existing jar files from /usr/WebSphere/AppServer/java/jre/lib/security
  • Go to the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
    • Click Java SE 6
    • Click IBM SDK Policy files. The Unrestricted JCE Policy files for the SDK website is displayed.
    • Click Sign in and provide your IBM ID and password or register with IBM to download the files.
    • Select Unrestricted JCE Policy files for SDK for all newer versions (version 1.4.2 and higher) and click Continue.
    • View the license agreement and then click I Agree.
    • Click Download Now.
    • Install the files. Extract the file unrestricted.zip into a directory of your choice. Copy the .jar files from the extraction directory to the following directory: /usr/WebSphere/AppServer/java/jre/lib/security
    • Restart the server.
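The backup-then-replace step from the support note, scripted as an added example (it is not from the post or from IBM Support). It assumes that unrestricted.zip extracts to the two jar names the IBM SDK uses, local_policy.jar and US_export_policy.jar, and that the target is the security directory named above. It refuses to modify that directory unless both replacement jars are present, keeps a dated backup beside the originals so the restricted files can be put back if the server misbehaves, and confirms byte-for-byte that the copies landed. The demo function builds a constructed stand-in layout in a temporary directory so the script can be tried without a real SDK.

```shell
#!/bin/sh
# Added example: back up the existing JCE policy jars, then install the
# unrestricted ones. Assumption: the jar names below are what IBM's
# unrestricted.zip contains (local_policy.jar and US_export_policy.jar).

POLICY_JARS="local_policy.jar US_export_policy.jar"

# install_jce_policy EXTRACT_DIR SECURITY_DIR
# On success prints the backup directory it created and returns 0.
install_jce_policy() {
    extract_dir=$1
    security_dir=$2

    # Pre-flight: every replacement jar must exist before anything is touched,
    # so a half-extracted zip cannot leave the JRE with mismatched policy files.
    for jar in $POLICY_JARS; do
        if [ ! -f "$extract_dir/$jar" ]; then
            echo "missing $jar in $extract_dir; nothing changed" >&2
            return 1
        fi
    done

    # Dated backup next to the originals (the "take existing jar file backup" step).
    backup_dir="$security_dir/policy-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup_dir" || return 1
    for jar in $POLICY_JARS; do
        if [ -f "$security_dir/$jar" ]; then
            cp -p "$security_dir/$jar" "$backup_dir/" || return 1
        fi
    done

    # Install, then verify that what landed is exactly what was extracted.
    for jar in $POLICY_JARS; do
        cp -p "$extract_dir/$jar" "$security_dir/$jar" || return 1
        cmp -s "$extract_dir/$jar" "$security_dir/$jar" || return 1
    done
    echo "$backup_dir"
}

# Constructed demo layout: stand-in "jars" with distinct contents so the backup
# and the installed copy can be told apart. Prints "<work dir> <backup dir>".
demo_install() {
    work=$(mktemp -d)
    mkdir -p "$work/extracted" "$work/security"
    for jar in $POLICY_JARS; do
        echo "restricted $jar" > "$work/security/$jar"
        echo "unrestricted $jar" > "$work/extracted/$jar"
    done
    backup=$(install_jce_policy "$work/extracted" "$work/security") || return 1
    echo "$work $backup"
}
```

On a real server run it as the user that owns the WAS installation, e.g. `install_jce_policy /tmp/unrestricted /usr/WebSphere/AppServer/java/jre/lib/security`, and restart the server afterwards as the support note says.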

Trusting certificates in WebSphere Application Server

If you make SSL connections from a WebSphere Application Server based application, the server (or rather the cell) needs to trust the certificate of the server you are connecting to. This is easy to do in WAS using the Integrated Solutions Console (ISC). The way to establish the trust is as follows:

  1. Log into the WebSphere Application Server Integrated Solutions Console (ISC)
  2. From the left-hand navigator select Security / SSL certificate and key management
  3. In the list of related items on the right, click “Key stores and certificates”
  4. Click “CellDefaultTrustStore”
  5. In the list of “Additional properties” on the right, click “Signer certificates”
  6. Click “Retrieve from port”
  7. Fill out the form with the hostname of the server and the SSL port (usually 443) of the server you want WAS to trust. Also supply an alias under which the certificate will appear in the list of trusted certificates.
  8. Click the “Retrieve signer information” button to validate the input, retrieve the certificate and trust it
  9. Click OK and then save the changes to the master configuration.
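The “Retrieve from port” step stores whatever certificate the host presents at that moment, so before saving to the master configuration it is worth comparing the certificate’s SHA-256 fingerprint with one obtained from the server’s owner through another channel. The script below is an added example, not part of the original post; it uses the openssl command line. The demo function generates a throwaway self-signed certificate locally (a constructed stand-in for the remote server, under the hypothetical name example.invalid) so the comparison can be exercised without a network.

```shell
#!/bin/sh
# Added example: out-of-band fingerprint check for a signer certificate about to
# be added to CellDefaultTrustStore. Requires the openssl command line tool.

# Print the SHA-256 fingerprint of the certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fetch the leaf certificate the server presents, i.e. the same data the ISC
# retrieves from the host and port typed into the form. Not used in the demo.
fetch_server_cert() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# verify_fingerprint CERT_PEM EXPECTED_FINGERPRINT
# Returns 0 only on an exact match; colons and letter case are normalised so
# a fingerprint pasted from an e-mail or a browser dialog compares correctly.
verify_fingerprint() {
    actual=$(cert_fingerprint "$1" | tr -d ':' | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed stand-in for the remote server: a self-signed certificate created
# locally. Prints the path of the PEM file.
demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    echo "$dir/cert.pem"
}
```

Against a real host the flow is `fetch_server_cert mail.example.org 443 > server.pem` followed by `verify_fingerprint server.pem "<fingerprint from the server owner>"`; only when that returns 0 should the alias be saved in the ISC.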

Hiding the Social Mail username and password from socialmail-discovery-config.xml

It’s been bothering me for a while that the username and password for our LDAP user were visible in clear text in our socialmail-discovery-config.xml. After some very specific searching I found a solution where you can hide the username and password and – stupid as I am – it’s actually right there in the install docs. Stupid is as stupid does. The solution is to remove the authentication data from socialmail-discovery-config.xml and replace the <DirectoryUser> and <DirectoryPW> tags with a single <DirectoryAuthAlias> tag. This tag should reference a J2C alias configured in the WebSphere ISC. Simple and effective.

The above solution is for Domino only – if you’re using Exchange mail you need two additional tags. For complete instructions on the tags refer to the wiki page “Enabling the discovery service for IBM Connections Mail”.

Make the Integrated Solutions Console (ISC) accessible on standard ports

When you install WebSphere Application Server (WAS), either standalone or as a network deployment (ND), you normally install the Integrated Solutions Console (ISC) as well to allow you to configure and manage the server. By default the ISC is available on ports 9060/9443 and it is not normally mapped onto an IBM HTTP Server (IHS) for access on ports 80/443. This makes it a real hassle to access, so I normally change WAS to make the ISC available on ports 80/443 on servers where those ports aren’t used. Doing so is really easy and only requires a few changes. Below I have outlined the required changes.

In the left-hand menu go to “Environment / Virtual hosts” and select “admin_host” in the list. On the right select “Host Aliases”, click “New” and add an entry for port 80 and one for port 443.

Now in the left-hand menu go to “System Administration / Deployment manager” and select “Ports”. Now change the port for “WC_adminhost” from 9060 to 80 and “WC_adminhost_secure” from 9443 to 443.

Now save the configuration and restart the server or Deployment Manager running the ISC. When you access the ISC again it will be on http://hostname/ibm/console instead of http://hostname:9060/ibm/console.

And as Stephan always says – YMMV…