Unable to start JMS Connection Alias in IS due to bad Certificate

What product/components do you use and which version/fix level?

Integration server version 10.5

What are you trying to achieve? Please describe in detail.

I’ve got the same error as described here: Unable to start JMS Connection Alias in IS due to bad Certificate?
However, this topic has been closed.

Do you get any error messages? Please provide a full error message screenshot and log file.

The full error message was:
com.wm.app.b2b.server.jms.JMSSubsystemException: [ISS.0134.9064] Error creating connection: javax.jms.JMSException: [BRM.10.9003] JMS: Unable to connect to any Brokers in the cluster: lon-2-a@gbvleuaacubrk07.windmill.local:2020 - [BRM.10.5061] JMS: SSL certificate “/opt/webm/ssl/is/keystore_nonprodwmis.p12”: bad certificate.; lon-2-b@gbvleuaacubrk08.windmill.local:2020 - [BRM.10.5061] JMS: SSL certificate “/opt/webm/ssl/is/keystore_nonprodwmis.p12”: bad certificate.

I’ve got exactly the same configuration on leg A and leg B.
I’ve checked the keystore / truststore etc.
The keystore and truststore are also used for the HTTPS connection, which is working fine.

On the A leg everything works fine, while on the B leg we’ve got the error as above.

I’ve compared everything: certificates, jars, fix level, java version etc.
I’ve restarted the server a few times …

Finally the JMS Connection has been fixed by deleting and recreating it.
It has been recreated with exactly the same parameters.
After recreation it worked without any issues.

I would like to leave it here for the future - maybe someone else will have the same problem and will find the solution here.


Hi Lukasz,

the topic was automatically closed in April after the migration of the community system to a new platform as there were no further replies to it.

Meanwhile we have migrated to newer versions of wM (9.12 currently) and are preparing wM 10.7 for the upcoming migration.
But the described issue with the path name did not occur again.

Deriving from your solution this looks like an issue with the password handle for the keystore config.

Regards,
Holger

I am not sure how recreating with the exact same parameters resolved the issue. SSL keystore load is a repeatable operation.

In case it helps, last year one issue was resolved in the Broker Java/JMS jars. The wrong message was reported if the keystore password was not correct:
If using Broker Java client: “BrokerException: No Permission (109-1389): The file ‘/opt/webm/ssl/keystore.p12’ is not a valid certificate file.”
If using Broker JMS client: [BRM.10.5061] JMS: SSL certificate “/opt/webm/ssl/keystore.p12”: bad certificate.

With the fixed jars, a wrong keystore password will throw a message with the correct text “invalid password”.
“bad certificate” is still reported for cases when the file is not a valid PKCS12 file.

Fixes:
BR_9.6_Java_API_Fix16
BR_10.5_Java_API_Fix1

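A stand-alone JVM check for the two failure modes named in the reply above (wrong keystore password versus a file that is not valid PKCS12), independent of the Broker client jars. This is an added example, not code from any poster or from the product; the class name `Pkcs12Check`, the sample password and the in-memory sample data are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.spec.SecretKeySpec;

public class Pkcs12Check {  // hypothetical name, not part of any product
    enum Result { OK, INVALID_PASSWORD, NOT_PKCS12 }

    // Load the bytes with the JDK's own PKCS12 provider and classify the failure.
    static Result check(byte[] data, char[] password) throws GeneralSecurityException {
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(data), password);
            return Result.OK;
        } catch (IOException e) {
            // KeyStore.load Javadoc: a wrong password is signalled by an
            // IOException whose cause is an UnrecoverableKeyException.
            for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
                if (t instanceof UnrecoverableKeyException) return Result.INVALID_PASSWORD;
            }
            return Result.NOT_PKCS12; // parse failure: truncated file, PEM text, other format
        }
    }

    // Constructed sample: an in-memory PKCS12 store holding one dummy AES key.
    static byte[] sampleStore(char[] password) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setEntry("dummy", new KeyStore.SecretKeyEntry(new SecretKeySpec(new byte[16], "AES")),
                new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] good = "constructed-pass".toCharArray();
        byte[] p12 = sampleStore(good);
        byte[] pem = "-----BEGIN CERTIFICATE-----\nnot a PKCS12 container\n"
                .getBytes(StandardCharsets.US_ASCII);
        System.out.println("correct password : " + check(p12, good));
        System.out.println("wrong password   : " + check(p12, "wrong".toCharArray()));
        System.out.println("PEM text as .p12 : " + check(pem, good));
    }
}
```

To test a real keystore, pass `Files.readAllBytes(...)` of the file and the configured password to `check`, running under the same account and JVM as the server so that file permissions and provider configuration match.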

@Holger_von_Thomsen we are using the same keystore at Security > Keystore and there it is loaded without any issues. This is used for the HTTPS port, also without any issue.
To be honest … I haven’t checked the password. However, in PRD, when I had a wrong password, I got this error:
com.wm.app.b2b.server.jms.JMSSubsystemException: [ISS.0134.9064] Error creating connection: javax.jms.JMSException: [BRM.10.9003] JMS: Unable to connect to any Brokers in the cluster: lon-2-a@gbvleuaacpbrk02.windmill.local:2020 - [BRM.10.5063] JMS: SSL certificate “/opt/webm/ssl/is/keystore_prodwmis.p12”: invalid password; lon-2-b@gbvleuaacpbrk06.windmill.local:2020 - [BRM.10.5063] JMS: SSL certificate “/opt/webm/ssl/is/keystore_prodwmis.p12”: invalid password

I’ve checked now on the problematic server and … I’ve got the same error as I used to have before: “bad certificate”.
I don’t understand why I’ve got “bad certificate” instead of “invalid password” …
I’ve got the same fix level on PRD and UAT:
IS_10.5_Core_Fix5

However, thanks for the explanation. Now I know that this error could be due to an invalid password … and to be honest, this I hadn’t checked before the recreation.

Regards,
Łukasz Konkol
