Support Article

System Management Console generates a SOAP connection error.

SA-25829

Summary



The System Management Console generates a SOAP connection error when the connection is remote and the environment is WebSphere.


Error Messages



com.pega.jmx.ui.util.JMXClientException: Fail to instantiate WASJMXConnector
Failed to get mbean server connection
SMA ERROR: Failed to create admin client
ADMC0016E: The system cannot create a SOAP connector to connect to host your_ip at port your_WAS_remote_SOAP_port.



And in SystemOut.log:

com.pega.jmx.ui.util.JMXClientException: Fail to instantiate WASJMXConnector
Failed to get mbean server connection
SMA ERROR: Failed to create admin client
ADMC0016E: The system cannot create a SOAP connector to connect to host your_ip at port your_WAS_remote_SOAP_port.
at com.pega.jmx.ui.util.JMXClientException.wrap(JMXClientException.java:49)
at com.pega.jmx.ui.action.AuthenticateAction.execute(AuthenticateAction.java:346)
at com.pega.jmx.ui.action.AuthenticateAction.executeWithoutValidation(AuthenticateAction.java:86)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
at com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:450)

After setting the JVM debug argument -Djavax.net.debug=ssl:handshake and reproducing the issue, the following appears in the SystemOut.log file:

[7/18/16 6:50:33:856 EDT] 0000004c WSX509TrustMa E   CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN "CN=your_server, OU=your_cell, OU=your_node, O=IBM, C=US" was sent from target host:port "your_server_ip:your_WAS_remote_SOAP_port".  The signer may need to be added to local trust store "/usr/IBM/WebSphereV8/AppServer/profiles/appsrvr/config/cells/your_cell/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml".  The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=your_server, OU=Root Certificate, OU=your_cell, OU=your_cell_manager, O=IBM, C=US is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error".
[7/18/16 6:50:33:860 EDT] 0000004c SystemOut     O 
[7/18/16 6:50:33:860 EDT] 0000004c SystemOut     O CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN "CN=your_server, OU=your_celll, OU=your_node, O=IBM, C=US" was sent from target host:port "your_server_ip:your_WAS_remote_SOAP_port".  The signer may need to be added to local trust store "/usr/IBM/WebSphereV8/AppServer/profiles/appsrvr/config/cells/your_cell/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml".  The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=your_server, OU=Root Certificate, OU=your_cell, OU=your_cell_manager, O=IBM, C=US is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error".
[7/18/16 6:50:33:860 EDT] 0000004c SystemOut     O 
[7/18/16 6:50:33:860 EDT] 0000004c SystemOut     O 
[7/18/16 6:50:33:860 EDT] 0000004c SystemOut     O CWPKI0428I: The signer might need to be added to the local trust store. You can use the Retrieve from port option in the administrative console to retrieve the certificate and resolve the problem. If you determine that the request is trusted, complete the following steps: 1. Log into the administrative console.  2. Expand Security and click SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations. 3. Select the appropriate outbound configuration to get to the (cell):naswaspegaint01Cell01 management scope. 4. Under Related Items, click Key stores and certificates and click the CellDefaultTrustStore key store. 5. Under Additional Properties, click Signer certificates and  Retrieve From Port.  6. In the Host field, enter your_server_ip in the host name field, enter your_WAS_remote_SOAP_port in the Port field, and your_server_cert in the Alias field. 7. Click Retrieve Signer Information.  8. Verify that the certificate information is for a certificate that you can trust. 9. Click Apply and Save.
[7/18/16 6:50:33:860 EDT] 0000004c SystemOut     O 
[7/18/16 6:50:33:901 EDT] 0000004c SystemOut     O SMA ERROR: Failed to create admin client: com.ibm.websphere.management.exception.ConnectorException: ADMC0016E: The system cannot create a SOAP connector to connect to host your_server at port your_WAS_remote_SOAP_port.
[7/18/16 6:50:33:914 EDT] 0000004c ServletWrappe I com.ibm.ws.webcontainer.servlet.ServletWrapperinit SRVE0242I: [prsysmgmt] [/prsysmgmt/deployment] [/jmxclienterror.jsp]: Initialization successful.



Steps to Reproduce

  1. Install SMA in Integration.
  2. Add integration nodes to SMA (they work).
  3. Add development node to SMA.
  4. Observe SOAP connector error occurs.


Root Cause



A third-party product issue

The problem stems from the certificate imported into the trust store, which did not contain the complete certificate path. This is highlighted by message CWPKI0428I, generated in the SystemOut.log file.



Resolution



Make the following change to the operating environment:
  1. Log into the administrative console.
  2. Expand Security and click SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations.
  3. Select the appropriate outbound configuration to get to the (cell) management scope.
  4. Under Related Items, click Key stores and certificates and click the CellDefaultTrustStore key store.
  5. Under Additional Properties, click Signer certificates and Retrieve From Port.
  6. Enter the remote server IP in the Host field, the SOAP port in the Port field, and the remote server IP followed by _cert in the Alias field.
  7. Click Retrieve Signer Information.
  8. Verify that the certificate information is for a certificate that you can trust.
  9. Click Apply and Save.
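
The values needed for steps 6 and 8 are already in the CWPKI0022E records of the log. The following Python is an added example, not part of the original article and not Pega or IBM tooling: it extracts the signer subject, target host:port, trust store and untrusted issuer from each record so they can be compared with what Retrieve Signer Information displays. The function name find_untrusted_signers and the sample log are constructed for illustration.

```python
import re

# Constructed sample modeled on the article's SystemOut.log excerpt (placeholders kept).
_MSG = ('CWPKI0022E: SSL HANDSHAKE FAILURE:  A signer with SubjectDN '
        '"CN=your_server, OU=your_cell, OU=your_node, O=IBM, C=US" was sent from '
        'target host:port "your_server_ip:your_WAS_remote_SOAP_port".  The signer '
        'may need to be added to local trust store "/usr/IBM/WebSphereV8/AppServer'
        '/profiles/appsrvr/config/cells/your_cell/trust.p12" located in SSL '
        'configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration '
        'file "security.xml".  The extended error message from the SSL handshake '
        'exception is: "PKIX path building failed; internal cause is:\n'
        '    java.security.cert.CertPathValidatorException: The certificate issued '
        'by CN=your_server, OU=Root Certificate, OU=your_cell, OU=your_cell_manager, '
        'O=IBM, C=US is not trusted; internal cause is:\n'
        '    java.security.cert.CertPathValidatorException: Certificate chaining error".')
SAMPLE_LOG = ('[7/18/16 6:50:33:856 EDT] 0000004c WSX509TrustMa E   ' + _MSG + '\n'
              '[7/18/16 6:50:33:860 EDT] 0000004c SystemOut     O ' + _MSG + '\n'
              '[7/18/16 6:50:33:901 EDT] 0000004c SystemOut     O SMA ERROR: Failed\n')

RECORD_START = re.compile(r'^\[\d{1,2}/\d{1,2}/\d{2} [\d:]+ \w+\] ', re.M)
FIELDS = {  # values needed for steps 6 and 8 of the resolution
    'signer_subject': r'A signer with SubjectDN "([^"]+)"',
    'target': r'target host:port "([^"]+)"',
    'trust_store': r'local trust store "([^"]+)"',
    'ssl_alias': r'SSL configuration alias "([^"]+)"',
    'untrusted_issuer': r'certificate issued by (.+?) is not trusted',
}

def find_untrusted_signers(log_text):
    """Return one dict per distinct CWPKI0022E failure (repeats collapsed)."""
    # A record runs from one "[timestamp] " prefix to the next, continuation lines included.
    starts = [m.start() for m in RECORD_START.finditer(log_text)] + [len(log_text)]
    seen, findings = set(), []
    for begin, end in zip(starts, starts[1:]):
        record = ' '.join(log_text[begin:end].split())  # fold newlines and runs of spaces
        if 'CWPKI0022E' not in record:
            continue
        hit = {}
        for name, pattern in FIELDS.items():
            match = re.search(pattern, record)
            hit[name] = match.group(1) if match else None
        key = (hit['signer_subject'], hit['target'], hit['trust_store'])
        if key not in seen:
            seen.add(key)
            findings.append(hit)
    return findings

if __name__ == '__main__':
    print(find_untrusted_signers(SAMPLE_LOG))
```

Compare signer_subject and untrusted_issuer with the certificate shown in step 8, and confirm its fingerprint with the administrator of the remote cell before saving.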

 

Published July 20, 2016 - Updated July 23, 2016
