IMW6802E SSL Handshake failed: return code 12 (SSL error)

Technote (troubleshooting)


Problem (Abstract)

A secure Web page fails to open through IBM HTTP Server (or the server fails at startup), and the HTTP Server log shows the following error:

IMW6802E SSL Handshake failed: return code 12 (SSL error)

Cause

No valid certificate is identified as the default.

Resolving the problem

  1. Verify the problem:
    1. Edit the http.envvars file.
    2. Obtain an SSL trace by adding the following:

      GSK_TRACE=255

    3. Stop IBM HTTP Server.
    4. Start IBM HTTP Server.
    5. After IBM HTTP Server is initialized, make an SSL request (https://... etc) using the SSL port.
    6. Run gsktrace to generate an SSL trace.

  2. Review contents of /tmp/gskssl.%.trc for indication of invalid certificate:
    1. Format trace data from an OMVS shell:

      gsktrace /tmp/gskssl.%.trc  >  /tmp/gskssl.%.txt

      Where % is the PID number.

    2. View the /tmp/gskssl.%.txt file.

  3. After looking at the GSK trace you can determine the cause and the correct course of action. This is an example of a log where the certificate is not valid:

    EXIT gsk_get_default_label():
      <--- Exit status 0x0335300e (53817358) Default label 'N/A'
    ERROR gsk_secure_socket_init():
      Unable to get default key label: Error 0x0335300e
    EXIT gsk_secure_socket_init():
      <--- Exit status 0x00000006 (6)

  4. The .kdb file must have a label marking the default certificate.
    1. Open the http.conf file.
    2. Locate the .kdb key for the default certificate.
    3. Mark the certificate as the default.
    4. Stop IBM HTTP Server.
    5. Start IBM HTTP Server.
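
An added example (not part of the technote or of IBM's tooling): a shell function that scans the formatted trace from step 2 for non-zero exit statuses and ERROR entries, and flags the missing default label shown in step 3. It assumes the two-line record shape of the excerpt above; `scan_gsk_trace` and `sample_trace` are hypothetical names, and the first sample record is constructed.

```shell
#!/bin/sh
# Added example: list the failing calls in a formatted GSK trace.
# Assumes the two-line record shape shown in step 3 (an assumption, not a spec).

scan_gsk_trace() {
    # Reads the files given as arguments, or stdin when none are given.
    awk '
    {
        # A record opens with "EXIT name():" or "ERROR name():"; any prefix
        # (timestamp, thread id) before the keyword is skipped.
        for (i = 1; i <= NF - 1; i++)
            if (($i == "EXIT" || $i == "ERROR") && $(i + 1) ~ /^[A-Za-z0-9_]+\(\):$/) {
                kind = $i; fn = $(i + 1); sub(/\(\):$/, "", fn); next
            }
    }
    # Status line of an EXIT record: report it only when the status is non-zero.
    kind == "EXIT" && match($0, /Exit status 0x[0-9A-Fa-f]+/) {
        code = substr($0, RSTART + 12, RLENGTH - 12)
        if (code !~ /^0x0+$/) print "FAIL  " fn " status=" code
        kind = ""; next
    }
    # Message line of an ERROR record.
    kind == "ERROR" && NF > 0 {
        msg = $0; sub(/^[ \t]+/, "", msg)
        print "ERROR " fn ": " msg
        # The condition this technote covers: no certificate marked as default.
        if (msg ~ /Unable to get default key label/) nodefault = 1
        kind = ""
    }
    END { if (nodefault) print "HINT  no default certificate label found" }
    ' "$@"
}

sample_trace() {
    # Excerpt from step 3, preceded by one constructed successful call.
    cat <<'EOF'
EXIT gsk_environment_init():
  <--- Exit status 0x00000000 (0)
EXIT gsk_get_default_label():
  <--- Exit status 0x0335300e (53817358) Default label 'N/A'
ERROR gsk_secure_socket_init():
  Unable to get default key label: Error 0x0335300e
EXIT gsk_secure_socket_init():
  <--- Exit status 0x00000006 (6)
EOF
}

sample_trace | scan_gsk_trace
```

On the server, pass the formatted file instead: scan_gsk_trace /tmp/gskssl.%.txt, where % is the PID number.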


Helpful RACF Commands
The following RACF commands can assist you:
  • The following will display the certificate information and help validate the certificate itself:

    racdcert list (label('label name')) id(userid)

    Examples:

    RACDCERT ID(CBSYMSR1) LISTRING(WASKeyring)
    RACDCERT CERTAUTH LIST(LABEL('WebSphereCA')) ID(CBSYMSR1)

  • The following will display the CA information for the certificate:

    racdcert list (label('labelname')) certauth

    Example:

    RACDCERT CERTAUTH LIST(LABEL('WebSphereCA'))

  • Issue the following command to export the certificate with the given label to a data set.

    racdcert certauth export (label('label name')) dsn('dataset name') format(CERTDER)

    Example:

    RACDCERT CERTAUTH EXPORT(LABEL('WebSphereCA')) DSN('boss.zrock060.certauth') FORMAT(CERTDER)

  • Issue the following command to add the label to the internal SAF keyring.

    racdcert id(<userid_for_websphere>) connect (RING(WASKeyring) label('<name_of_label_adding>') default)

    Example:

    RACDCERT ID(WEBSRV) CONNECT (RING(WASKeyring) LABEL('WEBSRVCertForWAS') DEFAULT)

Document information

More support for: IBM HTTP Server, SSL
Software version: 1.3.12
Operating system(s): z/OS
Reference #: 1217386
Modified date: 2008-10-17
