I have found the solution. CLM was correctly configured. But the CLM Server where Websphere is running on, was not able to create a secure SSL connection to the Websphere on the RRDI Server. Because I'm using the selfsigned certificates between the Websphere servers, the Signer certificate of the RRDI Server was not in the keystore of the CLM Server.
Error Message in systemout.log of CLM-Websphere profile:
[8/9/12 11:47:00:527 CEST] 00000026 WSX509TrustMa E CWPKI0022E: SSL
HANDSHAKE FAILURE: A signer with SubjectDN "CN=GIRTC3XDB2IHS, OU=GIRTC3XDB2IHSNode01Cell, OU=RationalReportingNode01, O=IBM, C=US" was sent from target host:port "db1.devclm.company.com:9086". The signer may need to be added to local trust store "C:/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/GIRTC3XWASRTCNode01Cell/nodes/GIRTC3XWASRTCNode01/trust.p12"
located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "PKIX path building failed:
java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=GIRTC3XDB2IHS, OU=Root Certificate, OU=GIRTC3XDB2IHSNode01Cell, OU=RationalReportingNode01, O=IBM, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error".
CWPKI0428I: The signer might need to be added to the local trust store. You can use the Retrieve from port option in the administrative console to retrieve the certificate and resolve the problem. If you determine that the request is trusted, complete the following steps:
Solution:
1. Log into the administrative console.
2. Expand Security and click SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations.
3. Select the appropriate outbound configuration to get to the (cell):GIRTC3XWASRTCNode01Cell:(node):GIRTC3XWASRTCNode01 management scope.
4. Under Related Items, click Key stores and certificates and click the NodeDefaultTrustStore key store.
5. Under Additional Properties, click Signer certificates and Retrieve From Port.
6. In the Host field, enter db1.devclm.company.com in the host name field, enter 9086 in the Port field, and db1.devclm.company.com_cert in the Alias field.
7. Click Retrieve Signer Information.
8. Verify that the certificate information is for a certificate that you can trust.
9. Click Apply and Save.
