Showing posts with label SSL.

6 Nov 2025

📌 WebSphere Outbound SSL & SNI – Troubleshooting Guide

  • Error: javax.net.ssl.SSLHandshakeException: No name matching <hostname> found
  • This guide helps you diagnose and fix WebSphere outbound HTTPS failures when the target requires SNI.
  • You'll get exact OpenSSL checks, JVM flags, and a support matrix.


🔎 What is SNI?

  • Server Name Indication (SNI) is a TLS extension
  • Client includes the target hostname in the ClientHello message
  • Allows servers to present the correct certificate when multiple virtual hosts share the same IP address
Without SNI you often receive a default certificate → CN/SAN mismatch → hostname validation fails even if the trust chain is fine.

🎯 Why SNI matters in WebSphere

  • Outbound calls from WebSphere to cloud APIs, SaaS, and WAF/CDN-fronted apps often terminate on shared VIPs.
  • The JVM only sends SNI when it knows the hostname: a connection opened by IP address, or a raw SSLSocket created without a host argument, carries no server_name extension. Java 6 JSSE has no SNI support at all, and jsse.enableSNIExtension may have been set to false in the environment.
  • Without SNI, the remote server answers with its default certificate.
  • Hostname verification then fails on the client with a name-mismatch error even though the certificate chain is trusted.

🚨 Common error patterns

javax.net.ssl.SSLHandshakeException: No name matching <api.company.com> found
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
PKIX path building failed: unable to find valid certification path to requested target
CWPKI0022E: SSL HANDSHAKE FAILURE
GSK_ERROR_BAD_CERT

🧪 Confirming an SNI issue (OpenSSL)

Compare results with and without SNI from the WebSphere host:

# Baseline without SNI. OpenSSL 1.1.1 and later send SNI by default, so switch it off
# explicitly with -noservername (OpenSSL 1.0.x has no such flag, but also sends no SNI unless asked)
openssl s_client -connect api.company.com:443 -noservername -showcerts

# Force SNI (ClientHello carries the hostname)
openssl s_client -connect api.company.com:443 -servername api.company.com -showcerts
💬 Interpretation
Compare the subject and SAN of the leaf certificate in each run (pipe the output through openssl x509 -noout -subject -ext subjectAltName to see only those fields). If the CN/SAN matches api.company.com only when -servername is used, the endpoint requires SNI and your client must send it.
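If the OpenSSL comparison is inconclusive, the decisive evidence is what the JVM actually puts on the wire. The following script is an added example, not code from the original post or from IBM: it builds a minimal TLS ClientHello with and without the server_name extension (constructed bytes, not a real capture) and parses the extension back out, so you can feed it the ClientHello bytes of a real WebSphere connection captured with tcpdump and opened in Wireshark. The fixed client random and the two cipher suites in the builder are illustrative choices.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name extension, RFC 6066
HOST_NAME_TYPE = 0x00         # NameType host_name


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record.

    Constructed test input for extract_sni(), not a capture from WebSphere.
    server_name=None yields the ClientHello a client without SNI would send.
    """
    client_random = bytes(range(32))        # fixed placeholder; real clients use CSPRNG output
    cipher_suites = b"\xc0\x2f\xc0\x30"     # ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
    body = (b"\x03\x03" + client_random                         # client_version, random
            + b"\x00"                                           # empty session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                                      # compression_methods: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record):
    """Return the host_name carried in the server_name extension, or None if the ClientHello has no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if not body or body[0] != 0x01:
        raise ValueError("record does not start with a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hs_len]
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + ch[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + ch[pos]                                      # compression_methods
    if pos >= len(ch):
        return None                                         # no extensions block at all
    ext_len = struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", ch[pos:pos + 4])
        data = ch[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None                                             # extensions present, but no SNI


def sni_from_hex(hex_stream):
    """Wrapper for the bytes of the TLS record copied from Wireshark (Copy > ...as a Hex Stream)."""
    return extract_sni(bytes.fromhex("".join(hex_stream.split())))


if __name__ == "__main__":
    for name in ("api.company.com", None):
        hello = build_client_hello(name)
        print(f"server_name={name!r} -> SNI on the wire: {extract_sni(hello)!r}")
```

To use it against WebSphere: capture with `tcpdump -s0 -w sni.pcap host api.company.com and port 443` on the WAS node, open the pcap in Wireshark, select the Client Hello's "Transport Layer Security" node, copy it as a hex stream and pass the string to `sni_from_hex`. `None` means the JVM never sent the hostname, and the fix is on the client side regardless of what the certificate looks like.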

⚙️ How to enable SNI in WebSphere

Add this JVM system property to the server's Generic JVM Arguments:

-Djsse.enableSNIExtension=true

Note: jsse.enableSNIExtension already defaults to true on Java 7 and later, so setting it explicitly mainly protects you from an environment that turned it off. If the handshake still fails after the restart, the JVM is not sending SNI for another reason: the connection is opened by IP address, or the code creates the SSLSocket without a hostname. JSSE takes the server_name value from the host passed to the socket factory, so fix the URL/host in the client configuration rather than the flag.

Console path: Servers → Server Types → WebSphere application servers → <server> → Java and Process Management → Process Definition → Java Virtual Machine → Generic JVM Arguments

Save, synchronize nodes, restart the JVM.


Optional: align TLS baseline

-Dhttps.protocols=TLSv1.2

This property only governs java.net.HttpsURLConnection. Outbound connections that go through a WebSphere SSL configuration take their protocol from that configuration (Security → SSL certificate and key management → SSL configurations → <config> → Quality of protection (QoP) settings → Protocol), so set TLSv1.2 there as well.

🧭 Best practices checklist

  • Verify CN/SAN with openssl s_client -servername before go-live or on UAT
  • Standardize JVM args across environments; document SNI-dependent endpoints.
  • Keep Java 8+; enforce TLS1.2+ to match common provider baselines.

❓ FAQ

Q: What is SNI and why does it matter?
A: SNI makes the server present the right certificate on shared IPs. Without it, you'll likely hit a hostname mismatch in WebSphere even if trust is correct.

Q: How do I enable SNI?
A: Add -Djsse.enableSNIExtension=true to Generic JVM Arguments, then save, sync, and restart. On Java 7 and later the property already defaults to true, so also check that the outbound connection is opened by hostname rather than by IP address.

Q: Which versions support SNI?
A: WAS 8.5.5.x (on the Java 7 or Java 8 SDK) and WAS 9.x (Java 8/11) support SNI. WAS 7.x doesn't, and WAS 8.0.x is partial/inconsistent: both run on Java 6, whose JSSE has no SNI support.

Q: How do I confirm an SNI issue?
A: Compare openssl s_client with and without -servername. If only the SNI run shows the correct CN/SAN, you need SNI.

1 Nov 2025

🎯Shell Scripting for Beginners – Part 10: Middleware Health Monitoring Project (Mixed Example).

  • This is our final, beginner-friendly project 🎯 — where we'll combine everything you've learned: variables, if-else, loops, functions, logging, and cron automation.
  • Let's create a simple Middleware Health Monitoring script that checks Tomcat, Jenkins, Docker, MySQL, and SSL expiry.


1️⃣ Overview

This script uses:

  • Variables – store names, logs, and domains.
  • Functions – reusable checks for each service.
  • If-Else – to decide if a service needs restart.
  • For loop – to check multiple Docker containers.
  • While loop – to retry connection.
  • Logs – write output to a file.

2️⃣ Full Middleware Health Monitoring Script

#!/bin/bash
# MiddlewareBox - Simple Health Monitor
# Run as an account that may restart the services below (normally root via cron).

# cron starts jobs with a minimal PATH, so set it here instead of relying on the login shell
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

LOG="/var/log/middleware_health.log"
domain="middlewarebox.com"
# MySQL credentials live in an option file (chmod 600), never on the command line
# where "ps" would show them to every user on the box. Example file contents:
#   [client]
#   user=healthcheck
#   password=...
MYSQL_OPTS="--defaults-extra-file=/etc/middleware_health/my.cnf"

echo "===== Middleware Health Check =====" >> "$LOG"
date >> "$LOG"

# --- Function to check Tomcat ---
check_tomcat() {
  echo "Checking Tomcat..."
  if pgrep -f "org.apache.catalina.startup.Bootstrap" > /dev/null; then
     echo "✅ Tomcat is running" | tee -a "$LOG"
  else
     echo "🚨 Tomcat is down, restarting..." | tee -a "$LOG"
     /opt/tomcat/bin/startup.sh
     echo "✅ Tomcat restart issued" | tee -a "$LOG"
  fi
}

# --- Function to check Jenkins ---
check_jenkins() {
  echo "Checking Jenkins..."
  if systemctl is-active --quiet jenkins; then
     echo "✅ Jenkins is active" | tee -a "$LOG"
  else
     echo "🚨 Jenkins not running, restarting..." | tee -a "$LOG"
     systemctl restart jenkins
     echo "✅ Jenkins restarted" | tee -a "$LOG"
  fi
}

# --- Function to check MySQL (WHILE loop retries the connection) ---
check_db() {
  echo "Checking MySQL..."
  local attempt=1 max_attempts=3
  while [ "$attempt" -le "$max_attempts" ]; do
    # mysqladmin ping only needs the connect privilege; the option file must be the first argument
    if mysqladmin $MYSQL_OPTS ping > /dev/null 2>&1; then
      echo "✅ MySQL connection successful" | tee -a "$LOG"
      return 0
    fi
    echo "🚨 MySQL connection failed (attempt $attempt/$max_attempts), retrying in 5 seconds..." | tee -a "$LOG"
    sleep 5
    attempt=$((attempt + 1))
  done
  echo "🚨 MySQL still unreachable after $max_attempts attempts" | tee -a "$LOG"
  return 1
}

# --- Check Docker Containers using FOR Loop ---
check_docker() {
  echo "Checking Docker containers..."
  for c in nginx webapp db
  do
    status=$(docker inspect -f '{{.State.Status}}' "$c" 2>/dev/null)
    if [ -z "$status" ]; then
      echo "🚨 Container $c does not exist, skipping" | tee -a "$LOG"
    elif [ "$status" != "running" ]; then
      echo "🚨 Container $c is $status, restarting..." | tee -a "$LOG"
      docker start "$c"
    else
      echo "✅ Container $c is running" | tee -a "$LOG"
    fi
  done
}

# --- Check SSL certificate expiry ---
check_ssl() {
  echo "Checking SSL expiry..."
  # -servername sends SNI, so a shared IP returns the certificate for $domain and not a default one.
  # This checks the expiry date only; it does not validate the chain or hostname.
  expiry=$(echo | openssl s_client -servername "$domain" -connect "$domain:443" 2>/dev/null \
           | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
  if [ -z "$expiry" ]; then
    echo "🚨 Could not fetch the certificate for $domain" | tee -a "$LOG"
    return 1
  fi
  days_left=$(( ($(date -d "$expiry" +%s) - $(date +%s)) / 86400 ))   # GNU date
  if [ "$days_left" -le 15 ]; then
    echo "⚠️ SSL expires in $days_left days!" | tee -a "$LOG"
  else
    echo "✅ SSL valid for $days_left days" | tee -a "$LOG"
  fi
}

# --- MAIN EXECUTION FLOW ---
check_tomcat
check_jenkins
check_db
check_docker
check_ssl

echo "✅ Health check completed!" | tee -a "$LOG"
echo "========================================" >> "$LOG"
💬 Example Output:
✅ Tomcat is running
✅ Jenkins is active
✅ MySQL connection successful
✅ Container nginx is running
✅ SSL valid for 70 days
✅ Health check completed successfully!

3️⃣ Automate the Script

# Run every 30 minutes
*/30 * * * * /opt/scripts/middleware_health.sh >> /var/log/health_cron.log 2>&1

# Run automatically on system reboot
@reboot /opt/scripts/middleware_health.sh >> /var/log/boot_health.log 2>&1
💬 Output (cron log): cron appends the same lines shown in the example output above to /var/log/health_cron.log on every run, and the @reboot entry writes them to /var/log/boot_health.log. Cron starts jobs with a minimal PATH, so keep absolute paths (or a PATH line) in the script, and install the crontab under an account that is allowed to restart the services.

🏁 Summary

  • ✅ Combined all major shell scripting concepts.
  • ✅ Checks Tomcat, Jenkins, Docker, MySQL, and SSL in one file.
  • ✅ Uses if, for, functions, and basic while retry logic.
  • ✅ Can run manually or via cron / reboot automation.

17 Jul 2025

TLS / SSL Certificate Lifetimes Reduced to 47 Days.


SSL certificate validity capped at 47 days.


  • The CA/Browser Forum has adopted a ballot (SC-081) that changes the TLS certificate landscape.
  • Starting in 2026, and fully in force by 2029, public TLS / SSL certificates will have a maximum lifetime of just 47 days.
  • This change will significantly impact how Middleware and Infrastructure teams manage web server security, certificate renewal processes, and application availability.


TLS / SSL Certificate Validity Reduction Timeline

Effective Date       | Max Certificate Validity | Domain Validation Reuse
Until Mar 15, 2026   | 398 days                 | 398 days
Mar 15, 2026         | 200 days                 | 200 days
Mar 15, 2027         | 100 days                 | 100 days
Mar 15, 2029         | 47 days                  | 10 days



🕒 Effective Date

The date on which the new TLS certificate rules take effect. 
Starting from that date, the updated validity and validation rules must be followed.


📅 Max Certificate Validity

This is the maximum number of days a TLS certificate will remain valid. 
After this period, the certificate must be renewed or replaced.

🌐 Domain Validation Reuse

This is the number of days you can reuse domain validation (proving you own the domain). 
After this, you’ll need to re-validate the domain again for new certificates.


Impact on Middleware and Infrastructure Teams (OnPrem / Cloud)

  • Shorter certificate lifetimes mean Middleware and Infrastructure engineers must shift from traditional, manual certificate management to more automated, robust, and monitored systems. 
  • The focus must be on securing critical web frontends, load balancers, and backend integrations that rely on TLS encryption.

Web Server and Certificate Management Summary:-

Web Server            | Certificate Format      | Automation Support      | Middleware Challenge
Apache HTTP Server    | .crt, .key (PEM)        | Yes (Certbot)           | Reload needed post-renewal
NGINX                 | .crt, .key (PEM)        | Yes (Certbot + plugins) | Restart/reload required on renewal
IBM HTTP Server (IHS) | .kdb, .sth (CMS format) | Manual or scripted      | No ACME support, import via gskcapicmd required




SSL certificate automation in practice means ACME (Automatic Certificate Management Environment).

It is a protocol originally developed by the Internet Security Research Group (ISRG), the organization behind Let's Encrypt, and later standardized by the IETF as RFC 8555.
ACME is designed to automate the entire lifecycle of TLS/SSL certificates, including:

  • Issuing new certificates.
  • Renewing certificates before they expire.
  • Validating domain ownership (HTTP-01 or DNS-01 challenges).
  • Downloading and installing certificates.



Conclusion:-

  • By 2029, TLS certificates will expire in just 47 days.
  • Automate certificate issuance and renewal using ACME (for example with Certbot), and make the post-renewal reload part of the automation.
  • Use monitoring tools to catch certificates that are about to expire (for example an openssl check from a bash or .bat script that triggers an alert), and scale the alert threshold to the shorter lifetimes: a fixed 30-day warning is useless for a 47-day certificate.
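The following script is an added example (not the blog's own code) covering both the check_ssl function in the shell-scripting post above and the monitoring advice in this conclusion: it fetches the leaf certificate the way a browser does (SNI on, chain and hostname verified), then classifies the time left as a fraction of the certificate's lifetime, so the same check behaves sensibly for a 398-day and a 47-day certificate. The thresholds are illustrative assumptions, not any CA's or tool's defaults; the sample certificate dictionary is constructed to look like ssl getpeercert() output and uses the middlewarebox.com name from the script above.

```python
import socket
import ssl
from datetime import datetime, timezone

# Illustrative policy (assumption, not a standard): warn once a third of the lifetime is
# left, but never demand more than 30 days of notice, and go critical inside the last week.
WARN_FRACTION = 1.0 / 3
WARN_MAX_DAYS = 30
CRIT_DAYS = 7


def cert_window(cert, now=None):
    """Return (days_left, lifetime_days) from a getpeercert()-style dict."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return (not_after - now_ts) / 86400, (not_after - not_before) / 86400


def classify(days_left, lifetime_days):
    """Map remaining validity to an alert level, scaled to the certificate's own lifetime."""
    if days_left <= 0:
        return "EXPIRED"
    if days_left <= CRIT_DAYS:
        return "CRITICAL"
    if days_left <= min(lifetime_days * WARN_FRACTION, WARN_MAX_DAYS):
        return "WARN"
    return "OK"


def status_at(cert, year, month, day):
    """Classify the certificate as it would be seen on a given UTC date (offline use and tests)."""
    now = datetime(year, month, day, tzinfo=timezone.utc)
    return classify(*cert_window(cert, now))


def check_host(host, port=443, timeout=5.0):
    """Fetch the leaf certificate with SNI and full verification, then classify it."""
    ctx = ssl.create_default_context()   # verifies the chain and the hostname against the system trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname is what puts the server_name extension into the ClientHello
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    days_left, lifetime = cert_window(cert)
    return classify(days_left, lifetime), days_left


# Constructed sample shaped like ssl.SSLSocket.getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "middlewarebox.com"),),),
    "notBefore": "Mar 15 00:00:00 2029 GMT",
    "notAfter": "May  1 00:00:00 2029 GMT",   # 47-day certificate
}

if __name__ == "__main__":
    import sys
    for when in ((2029, 3, 20), (2029, 4, 20), (2029, 4, 28), (2029, 5, 2)):
        print(f"sample cert on {when}: {status_at(SAMPLE_CERT, *when)}")
    if len(sys.argv) > 1:
        level, days = check_host(sys.argv[1])
        print(f"{sys.argv[1]}: {level} ({days:.1f} days left)")
```

Run it with a hostname argument to check a live endpoint; a verification failure (wrong SAN, untrusted chain) raises ssl.SSLCertVerificationError before any expiry arithmetic, which is the right order for a monitor.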


4 Oct 2023

How to Check DB latency using Datasource Test-Connection.

1. Create a JdbcLatencyTest.java file and copy the code below into it.

2. Change the JDBC driver class name and JDBC URL for your database. The username and password are read from the DB_USER and DB_PASS environment variables at run time rather than being written into the source.

// ###################### JdbcLatencyTest.java File Contents ############# //

**********************************************************
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.text.SimpleDateFormat;
import java.util.Date;

public class JdbcLatencyTest {
    private static final int NUM_ITERATIONS = 10;

    public static void main(String[] args) {
        // JDBC URL: replace the host and service name for your database
        String url = "jdbc:oracle:thin:@<DB_HOST>:1521/<SERVICE_NAME>";
        // java.sql.Driver class. A JDBC 4 jar (ojdbc8, postgresql-42.x, mssql-jdbc-12.x)
        // registers its driver with DriverManager automatically; the explicit load below
        // only matters for old jars and gives a clear error if the jar is missing.
        String driver = "oracle.jdbc.OracleDriver";

        // Credentials come from the environment so they are not baked into the
        // .class file or visible to everyone who can read the source.
        String username = System.getenv("DB_USER");
        String password = System.getenv("DB_PASS");
        if (username == null || password == null) {
            System.err.println("Set DB_USER and DB_PASS before running.");
            System.exit(1);
        }

        try {
            Class.forName(driver);
        } catch (ClassNotFoundException e) {
            System.err.println("Driver class not on the classpath: " + driver);
            e.printStackTrace();
            System.exit(1);
        }

        SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss.SSS");
        // Array to store latency measurements (-1 marks a failed attempt)
        long[] latencyArray = new long[NUM_ITERATIONS];
        for (int i = 0; i < NUM_ITERATIONS; i++) {
            // Capture the timestamp and start the timer before the connection attempt
            String connectionStartTime = dateFormat.format(new Date());
            long startConnectionTime = System.currentTimeMillis();
            // try-with-resources closes the connection even if something throws
            try (Connection conn = DriverManager.getConnection(url, username, password)) {
                // Elapsed time for connection establishment
                long connectionLatency = System.currentTimeMillis() - startConnectionTime;
                // Timestamp when the connection was established
                String connectionEndTime = dateFormat.format(new Date());
                latencyArray[i] = connectionLatency;
                // Print detailed latency information
                System.out.println("Iteration " + (i + 1) + ":");
                System.out.println("    Connection Start Time: " + connectionStartTime);
                System.out.println("    Connection End Time:   " + connectionEndTime);
                System.out.println("    Latency:               " + connectionLatency + " ms");
            } catch (SQLException e) {
                // Connection failed: record it and keep measuring the remaining iterations
                latencyArray[i] = -1;
                System.out.println("Iteration " + (i + 1) + ": connection failed");
                e.printStackTrace();
            }
        }
        // Print the overall latency statistics
        System.out.println("Connection Latency Measurements:");
        for (int i = 0; i < NUM_ITERATIONS; i++) {
            System.out.println("Iteration " + (i + 1) + ": " + latencyArray[i] + " ms");
        }
    }
}
***************************************************



FYI, class names for the respective databases. The DataSource classes are the ones a WebSphere datasource definition uses; this standalone test goes through DriverManager, which needs the java.sql.Driver class (JDBC 4 jars register it automatically):
  • Oracle 19c and 12c (ojdbc8.jar, compiled for JDK 8): DataSource oracle.jdbc.xa.client.OracleXADataSource, driver oracle.jdbc.OracleDriver
  • Oracle 11g (JDK 7 minimum, JDK 8 compiled): DataSource oracle.jdbc.pool.OracleConnectionPoolDataSource, driver oracle.jdbc.OracleDriver
  • PostgreSQL (postgresql-42.6.0.jar): driver org.postgresql.Driver, XA DataSource org.postgresql.xa.PGXADataSource
  • MSSQL (mssql-jdbc-12.2.0.jre8.jar): DataSource com.microsoft.sqlserver.jdbc.SQLServerXADataSource, driver com.microsoft.sqlserver.jdbc.SQLServerDriver



3. Export the credentials, then compile and run. (The password is read with -s so it is not echoed or stored in the shell history.)

export DB_USER=username
read -s -p "DB password: " DB_PASS; export DB_PASS

$JAVA_HOME/java/8.0/bin/javac -cp /home/wasadmin/ojdbc8.jar JdbcLatencyTest.java

$JAVA_HOME/java/8.0/bin/java  -cp .:/home/wasadmin/ojdbc8.jar JdbcLatencyTest

Iteration 1 normally includes driver initialisation and name resolution (see the 6171 ms first result below), so read the later iterations as the steady-state connect time and compare them with the datasource's connection timeout.


################# Output #######################

[user@newhost ~]$ $JAVA_HOME/java/8.0/bin/javac -cp /home/wasadmin/ojdbc8.jar JdbcLatencyTest.java
[user@newhost ~]$ $JAVA_HOME/java/8.0/bin/java -cp .:/home/wasadmin/ojdbc8.jar JdbcLatencyTest


Iteration 1:
    Connection Start Time: 2023-10-03 06:42:24.018
    Connection End Time:   2023-10-03 06:42:30.189
    Latency:               6171 ms
Iteration 2:
    Connection Start Time: 2023-10-03 06:42:30.212
    Connection End Time:   2023-10-03 06:42:30.537
    Latency:               325 ms
Iteration 3:
    Connection Start Time: 2023-10-03 06:42:30.549
    Connection End Time:   2023-10-03 06:42:30.842
    Latency:               293 ms
Iteration 4:
    Connection Start Time: 2023-10-03 06:42:30.854
    Connection End Time:   2023-10-03 06:42:31.150
    Latency:               296 ms
Iteration 5:
    Connection Start Time: 2023-10-03 06:42:31.162
    Connection End Time:   2023-10-03 06:42:31.446
    Latency:               284 ms
Iteration 6:
    Connection Start Time: 2023-10-03 06:42:31.458
    Connection End Time:   2023-10-03 06:42:31.694
    Latency:               236 ms
Iteration 7:
    Connection Start Time: 2023-10-03 06:42:31.708
    Connection End Time:   2023-10-03 06:42:31.946
    Latency:               238 ms
Iteration 8:
    Connection Start Time: 2023-10-03 06:42:31.958
    Connection End Time:   2023-10-03 06:42:32.215
    Latency:               257 ms
Iteration 9:
    Connection Start Time: 2023-10-03 06:42:32.226
    Connection End Time:   2023-10-03 06:42:32.459
    Latency:               233 ms
Iteration 10:
    Connection Start Time: 2023-10-03 06:42:32.472
    Connection End Time:   2023-10-03 06:42:32.729
    Latency:               257 ms
Connection Latency Measurements:
Iteration 1: 6171 ms
Iteration 2: 325 ms
Iteration 3: 293 ms
Iteration 4: 296 ms
Iteration 5: 284 ms
Iteration 6: 236 ms
Iteration 7: 238 ms
Iteration 8: 257 ms
Iteration 9: 233 ms
Iteration 10: 257 ms
[user@newhost ~]$

21 May 2018

SSL on JBoss 7.1 Admin Console & Application.

Step 1: Go to the JBoss configuration folder that holds standalone.xml.

Screenshot  :


Step 2: Open the standalone.xml file. NOTE: Always take a backup before making any configuration changes.

Command >> vim  standalone.xml


Step 3: Add the parameters below for SSL on the Application and Management interfaces,

where,
              "ManagementRealm" belongs to the Admin Console.
              "ApplicationRealm" belongs to the Application.


Screenshot :




Step 4 : Add below changes for "ApplicationRealm".

Screenshot :


Screenshot  :




Step 5 : Add below changes for "ManagementRealm".

Screenshot :


In <management-interfaces>, replace the <socket-binding http="management-http"/> element with <socket-binding https="management-https"/> so the console is served only over HTTPS:

<management-interfaces>
    <http-interface security-realm="ManagementRealm">
        <http-upgrade enabled="true"/>
        <socket-binding https="management-https"/>
    </http-interface>
</management-interfaces>
 
 
Screenshot  :



Screenshot  :






Thanks :-)