Fixing WebSEAL that suddenly stopped responding to HTTPS

Did it happen to you that your lab WebSEAL instance suddenly stopped working? Everything seems to be up and running, but any regular request to port 444 results in “Internet Explorer cannot display the webpage”? Well, it happened to me several days ago. Testing the same URL in Google Chrome revealed the possible cause – “ERR_SSL_PROTOCOL_ERROR”. Additional test revealed that HTTP traffic on port 81 (which is typically not used) is served correctly.

I’ll save you from reading the frustrating troubleshooting details. The bottom line is simple – the self-signed SSL certificate supplied with IBM WebSEAL expired on August 27, 2011. This is the certificate that is used by default in many labs, including mine. The fix is really simple – if you know where to look and what to do. 

Open the configuration file of your WebSEAL instance (“webseald-default.conf” in my case) and go to “[ssl]” stanza to check where the certificate keys file is located and what is the name of the certificate being used.

# WebSEAL certificate keyfile
webseal-cert-keyfile = C:/Program Files/Tivoli/PDWeb/www-default/certs/pdsrv.kdb
# Label of key to use other than the default
webseal-cert-keyfile-label = WebSEAL-Test-Only

Now you can use IBM Key Management utility to open this Key Database (this is what “kdb” stands for) file. You can run the utility via “ikeyman.bat” found in IBM HTTP Server directory. Luckily I had one on the same server; you can copy the “pdsrv.kdb” file to the server IBM HTTP Server is installed on. Choose file type “CMS” while opening the file.

At this stage the utility will ask you for password. The default one is “pdsrv”; this is probably what you have if you are still using default self-signed certificate…

Here you can verify the that the file really contains the certificate used by WebSEAL. Click on “View/Edit…” – and the WebSEAL will confirm you that the certificate is expired even before showing the details.

Now it is the time to remove old expired certificate and create a new (again, self-signed) one. The following details have to be filled:

  • Key Label: any (say, “WebSEAL-New”)
  • Common Name: FQDN of WebSEAL server
  • Organization: your company name
  • Validity Period: 3650

Note that the default for validity period is 365 days, which means that you will suffer from the similar problems again a year from now. I suggest to add a zero, effectively setting it to 10 years (which should be enough for this WebSEAL instance to die).

Save the file, restart the WebSEAL – and you are done!

P.S. After the issue was found and solved, I got a response from IBM. Looks like really a lot of people suffered from the issue, so they filed a dedicated alert on their support site.

Leave a Reply