PM54559: Migration convertScriptCompatibilty tool generates keystores without name attribute; leads to issues such as addNode failure

Fixes are available

APAR status

Closed as program error.

Error description

This problem can occurs when migrating to WebSphere Application
Server V7 from a previous version of WebSphere Application
Server.

By default, the WASPostUpgrade migration tool migrates nearly
the entire configuration in a profile.  However, for
compatibility reasons, the migration tool can optionally leave
certain setting in their old state.  This causes those
settings to continue using deprecated attributes.  The V7
application server is backward-compatible with these deprecated
attributes.  This allows user-created configuration scripts
targeted for the previous product version (such as jython
scripts) to continue to be compatible with the newly-migrated
profile.  This allows more time for modifying such scripts to be
compatible with the new version of the prduct.

At some point after the migration is complete, the
backward-compatible attributes can be converted to the standard
V7 attributes.  The tool which accomplishes this is called
"convertScriptCompatiblity".  Refer to the product Information
Center for more details about this tool.

The SSL security settings are among those settings which use
different attributes in V7 than in previous product versions.

The convertScriptCompatibility tool will convert old keystores
(defined in security.xml), such as the default Key Store and
default Trust Store, to new keystores.  However, the defect
causes the new keystores to be missing the "name" attribute.

The effect of this issue is not immediately obvious.  The
WASPostMigration process will seem to have completed without
error, and the application servers will appear to function
normally if global security is not used.  But, this defect makes
it impossible to edit or delete the converted keystores using
the administrative console.

Also, if the node is not federated (standalone) after migration,
it will not be possible to federate the node using the addNode
command.  The addNode process will fail.  The failure stack
trace will be similar to the following:

Exception thrown in RequiredModelMBean while trying to invoke
operation mergeConfigDataOnDmgr at
com.ibm.ws.management.connector.soap.SOAPConnectorClient.handleA
dminFault(SOAPConnectorClient.java:935)
...
Caused by:
com.ibm.websphere.management.exception.AdminException:
doMergeConfig failed at
com.ibm.ws.management.tools.DMgrConfigUtils.doMergeConfig(DMgrCo
nfigUtils.java:85)
...
Caused by: com.ibm.wsspi.configarchive.ConfigArchiveException:
mergeSecurity step failed  at
com.ibm.ws.management.configarchive.AddNodeSecurityExt.executeSt
ep(AddNodeSecurityExt.java:165)
Caused by: java.lang.NullPointerException at
com.ibm.ws.security.common.util.MergeSecurityConfig.replaceDefau
ltNodeTrustStoreWithCellTrustStore(MergeSecurityConfig.java:2340
)

Local fix

This can be addressed by manually editing the security.xml file
and inserting a name="KeyStoreName" attribute in the keystore(s)
which are missing the name.  Search the file for the phrase
"<keystore" and review every keystore to ensure that each one
has a name= attribute.

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server                                      *
****************************************************************
* PROBLEM DESCRIPTION: Keystore names were not set when the    *
*                      convertscriptCompatibility flag is      *
*                      set to false                            *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Keystore names are blank in the administrative console when the
convertScriptCompatiblity flag is set to false during
WASPostUpgrade

Problem conclusion

Changed the code to set the keystore names when the
convertScriptCompatibility flag is set to false

The fix for this APAR is currently targeted for inclusion in
fix packs 7.0.0.25 and 8.0.0.4.  Please refer to the
Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PM54559
Reported component name
WEBSPHERE APP S
Reported component ID
5724J0800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-12-16
Closed date
2012-05-11
Last modified date
2012-05-11

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WEBSPHERE APP S
Fixed component ID
5724J0800

Applicable component levels

R700 PSY
UP
R800 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
28 October 2021

Tips

PM54559: Migration convertScriptCompatibilty tool generates keystores without name attribute; leads to issues such as addNode failure

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R700 PSY

R800 PSY

Document Information

Share your feedback

Need support?