
Environment: ISVGIM 10.0.2.3 VA

ISVDI 10.0.0.2, ISAM Service Adapter 10.0.0.2, on RHEL 8.9

Problem: after logging in to the ISVGIM console, the ISAM service shows an unavailable status, and clicking "Connection Test" fails with the following errors:

CTGIMU107W

The connection to the specified service cannot be established. Verify the service information, and try again.

CTGIMT605E

An error occurred while processing the executeAL operation on the IBM Security Directory Integrator server. Error: com.ibm.jsse2.util.j: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

Diagnosis

Unpack the collected support files. In opt\IBM\WebSphere\AppServer\profiles\isimNode\logs\ISIMVa_APP_MEMBERSystemOut.log you see:

[8/20/25 15:30:30:020 CST] 000001d0 WebContainer E com.ibm.ws.webcontainer.internal.WebContainer handleRequest SRVE0255E: A WebGroup/Virtual Host to handle / has not been defined.

[8/20/25 15:33:02:643 CST] 0000015b WSX509TrustMa E CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=SVDI, OU=Security, O=IBM, L=Armonk, ST=New York, C=US" was sent from target host:port "10.1.2.3:35745". The signer may need to be added to local trust store "/opt/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts" located in SSL configuration alias "DefaultSystemProperties" loaded from SSL configuration file "System Properties". The extended error message from the SSL handshake exception is: "PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed".

[8/20/25 15:33:02:644 CST] 0000015b SystemOut O

[8/20/25 15:33:02:644 CST] 0000015b SystemOut O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=SVDI, OU=Security, O=IBM, L=Armonk, ST=New York, C=US" was sent from target host:port "10.1.2.3:35745". The signer may need to be added to local trust store "/opt/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts" located in SSL configuration alias "DefaultSystemProperties" loaded from SSL configuration file "System Properties". The extended error message from the SSL handshake exception is: "PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed".

Note: the remedy the log suggests next (retrieving the signer through the WebSphere administrative console) does not apply to ISVGIM, where WAS is embedded in the virtual appliance and is not administered that way. The certificate is imported from the ISVGIM console instead, as described below.

[8/20/25 15:33:02:644 CST] 0000015b SystemOut O CWPKI0428I: The signer might need to be added to the local trust store. You can use the Retrieve from port option in the administrative console to retrieve the certificate and resolve the problem. If you determine that the request is trusted, complete the following steps: 1. Log into the administrative console. 2. Expand Security and click SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations. 3. Select the appropriate outbound configuration to get to the (cell):isimCell management scope. 4. Under Related Items, click Key stores and certificates and click the DefaultSystemProperties_trust key store. 5. Under Additional Properties, click Signer certificates and Retrieve From Port. 6. In the Host field, enter 10.1.2.3 in the host name field, enter 35745 in the Port field, and 10.1.2.3_cert in the Alias field. 7. Click Retrieve Signer Information. 8. Verify that the certificate information is for a certificate that you can trust. 9. Click Apply and Save.
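As an added example, not part of the original page or of either product, the following Python script (standard library only) triages the SystemOut.log lines quoted above: it parses each CWPKI0022E entry into the peer address, the Subject DN that was presented, the trust store that rejected it and the PKIX reason; collapses the duplicate write WAS makes for the same event (once from the trust manager, once via SystemOut); tolerates the typographic quotes a paste into a wiki or chat tool introduces; and maps the PKIX reason to a next step. The log excerpt is a constructed copy of the lines above, and the REASON_HINTS wording and all function names are my own.

```python
import re

# Constructed copy of the SystemOut.log lines quoted above (sample input). One
# CWPKI0022E line deliberately keeps the curly quotes a wiki or chat paste
# introduces; WAS itself writes straight quotes.
LOG_EXCERPT = """\
[8/20/25 15:30:30:020 CST] 000001d0 WebContainer E com.ibm.ws.webcontainer.internal.WebContainer handleRequest SRVE0255E: A WebGroup/Virtual Host to handle / has not been defined.
[8/20/25 15:33:02:643 CST] 0000015b WSX509TrustMa E CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=SVDI, OU=Security, O=IBM, L=Armonk, ST=New York, C=US" was sent from target host:port "10.1.2.3:35745". The signer may need to be added to local trust store "/opt/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts" located in SSL configuration alias "DefaultSystemProperties" loaded from SSL configuration file "System Properties". The extended error message from the SSL handshake exception is: "PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed".
[8/20/25 15:33:02:644 CST] 0000015b SystemOut O
[8/20/25 15:33:02:644 CST] 0000015b SystemOut O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN “CN=SVDI, OU=Security, O=IBM, L=Armonk, ST=New York, C=US” was sent from target host:port “10.1.2.3:35745”. The signer may need to be added to local trust store “/opt/IBM/WebSphere/AppServer/java/8.0/jre/lib/security/cacerts” located in SSL configuration alias “DefaultSystemProperties” loaded from SSL configuration file “System Properties”. The extended error message from the SSL handshake exception is: “PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed”.
"""

# WAS SystemOut line header: [timestamp] threadId logger level message
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<thread>[0-9a-f]{8}) (?P<logger>\S+)\s+(?P<level>[A-Z])\s*(?P<msg>.*)$")

# The fixed parts of the CWPKI0022E message; the quoted fields are what we keep.
CWPKI0022E_RE = re.compile(
    r'CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "(?P<dn>[^"]+)" '
    r'was sent from target host:port "(?P<host>.+?):(?P<port>\d+)"\. '
    r'The signer may need to be added to local trust store "(?P<store>[^"]+)".*?'
    r'The extended error message from the SSL handshake exception is: "(?P<reason>[^"]+)"')

# What the PKIX reason at the end of CWPKI0022E tells you (own wording, not an IBM table).
REASON_HINTS = {
    "signature check failed":
        "a trust-store entry was matched by DN but the peer certificate's signature does not "
        "verify with that entry's key: typically a regenerated peer certificate with the same "
        "DN as a stale copy already trusted; import the certificate the peer presents now",
    "unable to find valid certification path to requested target":
        "no trust anchor at all for the peer certificate; import its CA or self-signed certificate",
}


def normalize_quotes(line):
    """Turn typographic quotes from a paste back into the straight quotes WAS writes."""
    return line.replace("\u201c", '"').replace("\u201d", '"')


def hint_for(reason):
    """Map the tail of the PKIX exception text to a next step."""
    for tail, hint in REASON_HINTS.items():
        if reason.endswith(tail):
            return hint
    return "unrecognized PKIX reason; read the full exception in SystemOut.log"


def parse_handshake_failures(log_text):
    """One record per distinct (host, port, DN, reason); WAS logs each CWPKI0022E twice."""
    records = {}
    for raw in log_text.splitlines():
        head = HEADER_RE.match(normalize_quotes(raw))
        if not head:
            continue
        m = CWPKI0022E_RE.search(head.group("msg"))
        if not m:
            continue
        key = (m.group("host"), int(m.group("port")), m.group("dn"), m.group("reason"))
        if key in records:
            continue  # second write of the same event (SystemOut mirror)
        records[key] = {
            "timestamp": head.group("ts"),
            "thread": head.group("thread"),
            "host": m.group("host"),
            "port": int(m.group("port")),
            "subject_dn": m.group("dn"),
            "truststore": m.group("store"),
            "reason": m.group("reason"),
            "hint": hint_for(m.group("reason")),
        }
    return list(records.values())


if __name__ == "__main__":
    for rec in parse_handshake_failures(LOG_EXCERPT):
        print(f"{rec['timestamp']} {rec['host']}:{rec['port']} DN={rec['subject_dn']}")
        print(f"  trust store: {rec['truststore']}")
        print(f"  reason: {rec['reason']}")
        print(f"  hint: {rec['hint']}")
```

Run it against a full SystemOut.log by reading the file into parse_handshake_failures; the dedupe key is the event itself, not the timestamp, so the trust-manager and SystemOut copies of one failure collapse to one record while genuinely different peers or reasons stay separate.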

On the ISVDI server, list the keystore; it contains two certificates, one under the alias admin and one under the alias server:

sudo keytool -list -keystore /opt/IBM/TDI/V10/timsol/serverapi/testadmin.jks
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries:

admin, Aug 15, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 34:03:B3:74:9D:9A:BC:DB:FF:89:E8:61:63:A5:5C:FC:13:65:3D:66:57:5E:56:E6:C2:2D:35:D7:40:25:BE:29
server, Sep 1, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): 26:C6:94:58:46:88:9D:71:EC:13:AA:F2:B1:80:41:84:64:3A:94:50:76:4A:5D:83:93:B5:4D:09:2B:79:4B:21

Export the certificate under the admin alias to /tmp/admin123.cer (the -rfc option writes it in Base64 PEM format):

sudo keytool -exportcert -alias admin -rfc -file /tmp/admin123.cer -keystore /opt/IBM/TDI/V10/timsol/serverapi/testadmin.jks

Enter keystore password: (type the keystore password, administrator)
Certificate stored in file </tmp/admin123.cer>

Log in to the ISVGIM administration console and go to Configure Identity Manager > SSL Certificate Management.

Click New; in the Import Certificate dialog click Browse, select admin123.cer, and click Save Configuration. Before saving, confirm that the file is the certificate you exported: its SHA-256 fingerprint must match the admin entry in the keytool listing above (34:03:B3:...:BE:29). The advice in CWPKI0428I to verify that the certificate is one you can trust still applies even though its console steps do not. Once the certificate is imported, the Connection Test succeeds.
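As an added example, not part of the page or of either product, the following Python (standard library only) performs the check described in the export and import steps above: it parses the keytool -list output, computes the keytool-style SHA-256 fingerprint of a PEM file (keytool prints SHA-256 over the certificate's DER bytes), and reports whether the exported file is the admin entry. The PEM content is a constructed placeholder standing in for /tmp/admin123.cer; live_fingerprint_sha256 is an assumed helper that makes a network call to the ISVDI endpoint and is not exercised offline.

```python
import hashlib
import re
import ssl

# Constructed copy of the `keytool -list` output shown above (sample input).
KEYTOOL_LIST = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries:

admin, Aug 15, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 34:03:B3:74:9D:9A:BC:DB:FF:89:E8:61:63:A5:5C:FC:13:65:3D:66:57:5E:56:E6:C2:2D:35:D7:40:25:BE:29
server, Sep 1, 2025, trustedCertEntry,
Certificate fingerprint (SHA-256): 26:C6:94:58:46:88:9D:71:EC:13:AA:F2:B1:80:41:84:64:3A:94:50:76:4A:5D:83:93:B5:4D:09:2B:79:4B:21
"""

# Constructed placeholder standing in for the bytes of /tmp/admin123.cer.
# It is not a real certificate: the fingerprint is a plain SHA-256 over the
# DER bytes, so a real `keytool -exportcert -rfc` file is handled identically.
PLACEHOLDER_DER = b"constructed placeholder standing in for the DER of admin123.cer"
PLACEHOLDER_PEM = ssl.DER_cert_to_PEM_cert(PLACEHOLDER_DER)

# "alias, date, EntryType," as printed by keytool -list (dates contain a comma).
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+), (?P<date>.+?), "
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$")
FP_RE = re.compile(
    r"^Certificate fingerprint \(SHA-256\): "
    r"(?P<fp>(?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2})\s*$")


def parse_keytool_list(text):
    """Map alias -> (entry type, SHA-256 fingerprint) from `keytool -list` output."""
    entries = {}
    alias = kind = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            alias, kind = m.group("alias"), m.group("kind")
            continue
        m = FP_RE.match(line)
        if m and alias is not None:
            entries[alias] = (kind, m.group("fp").upper())
            alias = kind = None
    return entries


def pem_fingerprint_sha256(pem_text):
    """keytool-style fingerprint: SHA-256 over the DER inside the PEM, colon-separated."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())  # base64-decodes the PEM body
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp):
    """Compare fingerprints regardless of case, colons or spaces (openssl vs keytool output)."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def exported_matches_alias(pem_text, keytool_output, alias):
    """True if the PEM file carries the same certificate as `alias` in the keystore listing."""
    entries = parse_keytool_list(keytool_output)
    if alias not in entries:
        raise KeyError(f"alias {alias!r} not in keystore listing")
    _kind, expected = entries[alias]
    return normalize_fingerprint(pem_fingerprint_sha256(pem_text)) == normalize_fingerprint(expected)


def live_fingerprint_sha256(host, port):
    """Fingerprint of the leaf certificate the endpoint presents right now (network call).

    Assumed helper, not run offline: if this differs from the exported file, the keystore
    on disk is not what the running server uses and importing the file will not clear
    CWPKI0022E."""
    return pem_fingerprint_sha256(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    entries = parse_keytool_list(KEYTOOL_LIST)
    print("admin entry:", entries["admin"])
    print("placeholder PEM fingerprint:", pem_fingerprint_sha256(PLACEHOLDER_PEM))
    print("matches admin alias:", exported_matches_alias(PLACEHOLDER_PEM, KEYTOOL_LIST, "admin"))
```

With a real export, read /tmp/admin123.cer into pem_fingerprint_sha256 and paste the actual keytool -list output into parse_keytool_list; the placeholder here reports no match precisely because it is not the admin certificate.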
