In <ihs_root>/logs/error_log we find the following error when connecting to IBM HTTP Server using SSL.

[Fri May 01 14:08:10 2015] [error] [client] [1a6a0a0] [15650] SSL0208E: SSL Handshake Failed, Certificate validation error. [ ->] [14:08:10.000087901] 0ms

IBM documentation gives the explanation for this error message.

SSL0208E: SSL Handshake Failed, Certificate validation error

This message may appear if you create a (keyring) KeyFile that does not have a complete trust chain for your personal certificate. In other words, there is a gap between the trust status of your end-entity certificate and some trusted root certificate.

When Ikeyman (or gskcmd/gskcapicmd) as bundled with IHS are used, the tools enforce that you load a complete certificate chain starting with a self-signed cert and terminating in your personal cert. Using other Java, WebSphere, or native tools does not enforce this restriction at certificate management time. You have most likely received a signed certificate from a CA, but you have not added that CA to the Key File Database.

You must acquire the complete cert chain from your Certificate vendor, and “add” a complete cert chain (from the top down) using ikeyman either on command-line using gskcmd or manually using the ikeyman GUI.
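
The "from the top down" order, and any gap in it, can be worked out before touching the key database. The script below is an added example, not from IBM's documentation or the original post; it assumes the openssl CLI is installed and that each vendor-supplied certificate is in its own PEM file, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM's or the author's code). Requires the openssl CLI.
# Orders vendor-supplied CA files "from the top down" for a personal
# certificate and reports the gap that leads to SSL0208E.
# Function names are hypothetical; each input file holds one PEM certificate.

subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# chain_order PERSONAL_CERT CA_FILE...
# Prints the CA files root-first (the order to add them to the key database).
# Returns 1 and names the missing issuer on stderr if the chain has a gap.
chain_order() {
  local cur="$1" want f found order="" depth=0
  shift
  # Walk upwards until the current certificate is self-signed (the root).
  while [ "$(subject_of "$cur")" != "$(issuer_of "$cur")" ]; do
    want=$(issuer_of "$cur")
    depth=$((depth + 1))
    if [ "$depth" -gt 10 ]; then echo "chain too deep or looping" >&2; return 1; fi
    found=""
    for f in "$@"; do
      # Candidate issuer: subject DN matches and its key really signed $cur.
      if [ "$(subject_of "$f")" = "$want" ] &&
         openssl verify -partial_chain -CAfile "$f" "$cur" >/dev/null 2>&1; then
        found="$f"; break
      fi
    done
    if [ -z "$found" ]; then
      echo "gap: no certificate supplied for issuer: $want" >&2
      return 1
    fi
    order="$found
$order"                      # prepend, so the root ends up first
    cur="$found"
  done
  printf '%s' "$order"
}
```

Call it as `chain_order personal.pem ca1.pem ca2.pem`; the files it prints are the signer certificates to add, in that order, before the personal certificate.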

