A distributed environment using 4096 bit SSL keys


Georg Kellner (825375105) | asked Oct 13 '14, 5:44 p.m.
edited Oct 13 '14, 5:46 p.m.
Hey fellows,

we have a serious problem after updating the SSL certificates of a CCM instance which is configured on a remote server.
CCM can interact with JTS but JTS can't interact with CCM.
Do any of you use 4096-bit SSL certificates?
What experiences do you have with 4096-bit certificates?

Thanks for the answers. ;-)

greetings georg.

P.S. We are working on the issue with IBM via PMR. 

Accepted answer


Georg Kellner (825375105) | answered Oct 14 '14, 3:30 a.m.
We've tested it.
Switching from the 4096-bit certificate to a 2048-bit certificate solved our problem.
Ralph Schoon selected this answer as the correct answer

Comments
Ralph Schoon commented Oct 14 '14, 3:38 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Odd, you should think that this is on a layer where the app wouldn't notice at all. Was this an issue of the application server?

One other answer



Georg Kellner (825375105) | answered Oct 16 '14, 5:42 a.m.

Some more information about what happened and the symptoms:

server A: WebSphere with JTS and QM installed, having a 2048 bit certificate
server B: WebSphere with CCM installed, having a 4096 bit certificate, reverse proxy

JTS said
No access to rootservices scr *URL*
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

CCM itself was available via any web browser, it could acquire licenses and user roles from JTS, using work items was okay.
The DWH jobs of CCM couldn't be run.
So we thought it is a wrong configuration in the reverse proxy.


The access via rich client was depending on the version of Eclipse. The standard RTC client was not able to connect to CCM, newer Eclipse clients with RTC plugin were able to connect to CCM.

We reconfigured the reverse proxy, but the problem was still there.

Switching the certificate back to 2048 solved the complete issue.
