Tuesday, April 14, 2009

Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414) with

I'm helping a client setup a SSL for their Documentum Application. Whenever I Configure the SSL Key Store, I hit this error on the http_plugin.log file :

Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414) with

What I did though was I removed the "WCInboundDefaultSecure" chain under:Servers -> Application Servers -> -> Web container settings -> Web container Transport chains.

After regenerating the plugin file and restarting the Web Server. It worked

But if you need SSL between HTTP and WAS, then follow the steps below :


The following error is generated if your WebSphere Application Server SSL
certificate is not trusted by the WebSphere Application Server Plugin
configured for the IBM HTTP Server:

ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init:
GSK_ERROR_BAD_CERT(gsk rc = 414)

To fix this error:

Extract the default Personal Certificate

  1.  Login to the WebSphere Application Server Administrative Console
  2. Select Security > SSL certificate and key management > Key Stores and certificates
  3. Select NodeDefaultKeyStore for a stand-alone deployment or CellDefaultKeyStore for a network deployment.
  4. Click Personal Certificates, select the default check box, and then click Extract.
  5. Give the extracted file a path and name, such as: /root/defaultCert.ARM. Note: The convention is to give the file a .ARM extension.
  6. Leave encoding set to Base64.
  7. Click OK.

Locate your *.kdb file

  1. In the httpd.conf file, find the directory in which the plugin-cfg.xml file is stored by searching for the WebSpherePluginConfig line. It should look something like this: WebSpherePluginConfig "/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-cfg.xml"
  2. Find the directory in which the key database file (*.kdb) is stored by searchingfor the term "keyring" in the plugin-cfg.xml file. For example: [property name="keyring" value="/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb"] Note this location as you will need to use it later.
Add the extracted certificate to your key database file

  1. Go to the directory for ikeyman and start it: /opt/IBM/HTTPServer/bin/ikeyman
  2. Click Key Database File > Open, and then select a key database type of CMS.
  3. Specify the filename and loacation you found above. For example:
  4. Click OK, and then enter the password. Note: If you have not given this file another password, the default password from WebSphere Application Server is WebAS (case sensitive).
  5. Click Personal Certificates drop down and then select Signer Certificates.
  6. Click Add.
  7. Browse to the file you exported with the extension *.ARM, Select it, then Open and click OK. Supply a name if prompted.
  8. Select Key Database File > Save As and save to the original location.
  9. Select Key Database File > Exit.
  10. Restart the IBM HTTP Server.



  1. Thanks!!! This really helped...

  2. Thank you! I was not able to find what kdb file needed the certificates!. But I may add some extra to your post... if you use the TrustStore instead of the actuall store, you don't need to add extra nodes or whatsoever, because the signer will be always the same.

  3. I am getting the same error with websphere7. I have followed the above steps but no success.

    1. Same with WAS 8.0

    2. Same with WAS 8.5.5