Wednesday, October 26, 2011

[WebSphere] Synchronization fails with SSLHandshakeException "No trusted certificate found"

If administrative security is enabled and node synchronization keeps failing, and a message like the one below appears in the SystemOut.log of the dmgr and of the nodeagent, the cause is sometimes that the self-signed certificates exchanged between the cell (dmgr) and the node are not being handled correctly.
In that case, follow the steps below.


Synchronization fails with SSLHandshakeException "No trusted certificate found"

Technote (troubleshooting)

Problem (Abstract)
Synchronization between the nodeagents and the deployment manager fails with the error shown below in the IBM® WebSphere® Application Server logs SystemOut.log and/or SystemErr.log.

Symptom
You cannot synchronize the nodes with the deployment manager. Messages such as "synchronization failed" appear in the administrative console or when running the syncNode script in the <install_root>/profiles/<profile_name>/bin directory:

[10/1/07 14:34:09:542 MDT] 00000040 ORBRas        E
 com.ibm.ws.security.orbssl.WSSSLClientSocketFactoryImpl
 createSSLSocket ProcessDiscovery : 0 JSSL0080E:
 javax.net.ssl.SSLHandshakeException - The client and server could
 not negotiate the desired level of security.  Reason:
 com.ibm.jsse2.util.h: No trusted certificate found
 javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No
 trusted certificate found

Cause
One or both of the following:

1. The personal certificate has not been added to the truststore file(s).
2. The truststore file containing the correct certificate has not been copied throughout the cell.

Environment
WebSphere deployment manager with one or more federated nodes. Global security is enabled on the deployment manager.


Resolving the problem
1. Add the personal certificate to the signer section of the truststore file (trust.p12). For default configurations, you can extract the certificate from the personal certificate entry in the key.p12 file and add it as a signer in trust.p12. For more information see the Information Center topics Certificate management or Certificate management using iKeyman.

2. Place a copy of the truststore file containing the correct certificate in these three directories on the deployment manager (dmgr):
<install_root>/profiles/dmgr/etc
<install_root>/profiles/dmgr/config/cells/<your cellname>
<install_root>/profiles/dmgr/config/cells/<your cellname>/nodes/<your nodename>

Also make sure the key.p12 file is identical in these three directories.

3. Once the *.p12 files are correct on the dmgr, use the synchronization process to push them down to the nodes. Do the following:
a. Ensure that all processes are stopped: dmgr, nodeagents and servers.
b. Start the dmgr only. Do not start the nodeagents.
c. Run the syncNode script from the node's bin directory (not the dmgr's bin directory), <install_root>/profiles/<node_profile_name>/bin:

./syncNode.sh <dmgr hostname> <SOAP port of dmgr>      (UNIX® platforms)
syncNode.bat <dmgr hostname> <SOAP port of dmgr>       (Windows® platforms)

*Note: The default SOAP port of the deployment manager is 8879.

You can find the actual value in the deployment manager's serverindex.xml file, located in the <install_root>/profiles/<dmgr_profile>/config/cells/<your cellname>/nodes/<dmgr_nodename> directory. It is the port number associated with the SOAP_CONNECTOR_ADDRESS endpoint.

Running syncNode will push the *.p12 files from the dmgr directories to the node's directories. Run syncNode on each of the nodes in your cell.

d. After synchronization, you still need to manually copy the *.p12 files into each node's etc directory, profiles/<your profile name>/etc. Do this for every node in your cell.

e. Start the nodes and servers.

If the problem remains, contact IBM support and follow the instructions in the MustGather for JSSE, SSL, or JCE problems.
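The checks a practitioner would want around steps 2 and 3, as an added example that is not part of the IBM technote or of this post: a POSIX shell script that verifies trust.p12 and key.p12 are byte-identical in the three dmgr directories named in step 2, reads the dmgr SOAP port out of serverindex.xml as the note under step 3c describes instead of assuming 8879, and wraps steps 3c and 3d for one node. The profile tree it runs against is constructed (cell name cellA, nodes nodeA and dmgrNode, a stale cell-level trust.p12); the serverindex.xml is a cut-down version of the shape WebSphere writes, and copying from the node's synced config directory into its etc directory in resync_node is an assumption, since the technote only says "copy".

```shell
#!/bin/sh
# Added example (not IBM's code): helpers for the keystore repair described
# above.  Everything here is POSIX sh + awk/cksum; the profile tree used by
# the demo is constructed, not a real WebSphere install.

# Step 2 check: trust.p12 and key.p12 must be byte-identical in the dmgr
# profile's etc, cell and node directories.  Prints every missing or
# differing copy and returns 1 if any was found.
keystores_consistent() {
    profile=$1; cell=$2; node=$3
    status=0
    for f in trust.p12 key.p12; do
        ref=""
        for d in "$profile/etc" \
                 "$profile/config/cells/$cell" \
                 "$profile/config/cells/$cell/nodes/$node"; do
            if [ ! -f "$d/$f" ]; then
                echo "missing:  $d/$f"; status=1; continue
            fi
            sum=$(cksum < "$d/$f")          # "<crc> <bytes>", no file name
            if [ -z "$ref" ]; then
                ref=$sum
            elif [ "$sum" != "$ref" ]; then
                echo "differs:  $d/$f"; status=1
            fi
        done
    done
    return $status
}

# Step 3c: the SOAP port is the port= attribute of the <endPoint> under the
# specialEndpoints entry whose endPointName is SOAP_CONNECTOR_ADDRESS.
soap_port_from_serverindex() {
    awk '
        /endPointName="SOAP_CONNECTOR_ADDRESS"/ { hit = 1 }
        hit && match($0, /port="[0-9]+"/) {
            print substr($0, RSTART + 6, RLENGTH - 7); exit
        }
    ' "$1"
}

# Steps 3c-3d for one node.  Not run by the demo: it needs a live cell, and
# with administrative security on, syncNode prompts for credentials unless
# -username/-password are passed.  The copy source (the node's synced config
# directory) is an assumption; the technote only says to copy into etc.
resync_node() {
    node_profile=$1; dmgr_host=$2; dmgr_port=$3; cell=$4; node=$5
    "$node_profile/bin/syncNode.sh" "$dmgr_host" "$dmgr_port" || return 1
    cp "$node_profile/config/cells/$cell/nodes/$node"/*.p12 "$node_profile/etc/"
}

# Constructed dmgr profile for the demo: key.p12 matches everywhere, but the
# cell-level trust.p12 is a stale copy (the situation cause #2 describes).
# The serverindex.xml is a cut-down form of the file WebSphere writes.
make_demo_profile() {
    p=$1
    mkdir -p "$p/etc" "$p/config/cells/cellA/nodes/nodeA" \
             "$p/config/cells/cellA/nodes/dmgrNode"
    for d in etc config/cells/cellA config/cells/cellA/nodes/nodeA; do
        printf 'personal-cert-v2' > "$p/$d/key.p12"
        printf 'signer-v2'        > "$p/$d/trust.p12"
    done
    printf 'signer-v1' > "$p/config/cells/cellA/trust.p12"    # stale copy
    cat > "$p/config/cells/cellA/nodes/dmgrNode/serverindex.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<serverindex:ServerIndex hostName="dmgrhost">
  <serverEntries serverName="dmgr" serverType="DEPLOYMENT_MANAGER">
    <specialEndpoints endPointName="BOOTSTRAP_ADDRESS">
      <endPoint host="dmgrhost" port="9809"/>
    </specialEndpoints>
    <specialEndpoints endPointName="SOAP_CONNECTOR_ADDRESS">
      <endPoint host="dmgrhost" port="8879"/>
    </specialEndpoints>
  </serverEntries>
</serverindex:ServerIndex>
EOF
}

# Stand-alone demo on the constructed tree.
demo=$(mktemp -d)
make_demo_profile "$demo/dmgr"
if keystores_consistent "$demo/dmgr" cellA nodeA; then
    echo "keystores consistent; safe to run syncNode"
else
    echo "fix the copies listed above on the dmgr before running syncNode"
fi
echo "dmgr SOAP port: $(soap_port_from_serverindex \
    "$demo/dmgr/config/cells/cellA/nodes/dmgrNode/serverindex.xml")"
rm -rf "$demo"
```

Run it with sh on the dmgr host after step 2 and before step 3; the demo reports the stale cell-level trust.p12 and prints 8879 for the constructed serverindex.xml. The byte comparison only proves the three copies agree, not that trust.p12 actually holds the signer: for that, list the store (for example with keytool -list -storetype PKCS12 -keystore trust.p12, or in iKeyman) and confirm the dmgr's personal certificate appears under signers before pushing it to the nodes.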
