KB Article #178827

AS2 server connection over SSL/TLS fails after certificate renewal

Problem

-- The old AS2 server certificate has expired

-- A new AS2 certificate with the purpose "HTTPS_SERVER_CERT" has been added in Certificate Management, but the connection still fails

-- The log shows one of the following errors:

ERROR 2016-05-03 16:29:41,387 SocketVirtualChannel [P-0-MPX-1] - #309#: 
communicator raised an exception during HANDSHAKE, closing 
javax.net.ssl.SSLHandshakeException: no cipher suites in common 
 at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431) 
 at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) 
 at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214) 
 at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186) 
 at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) 
 at com.axway.niocore.communicator.SSLCommunicator.wrap(SSLCommunicator.java:482) 
 at com.axway.niocore.communicator.SSLCommunicator.writeEvent(SSLCommunicator.java:423) 
 at com.axway.niocore.NIOCore.run(NIOCore.java:331) 
 at java.lang.Thread.run(Thread.java:745)

or

ERROR 2017-07-06 08:08:04,024 TsimGPS [pool-7-thread-253] - An error occurs
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at de.axway.proxy.securerelay.TsimGPS$RequestHandler.handlePrivateKey(TsimGPS.java:619)
    at de.axway.proxy.securerelay.TsimGPS$RequestHandler.handleInvokeRequestType(TsimGPS.java:414)
    at de.axway.proxy.securerelay.TsimGPS$RequestHandler.run(TsimGPS.java:333)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.IllegalArgumentException
    at javax.security.auth.x500.X500PrivateCredential.<init>(X500PrivateCredential.java:58)
    at de.axway.certmgr.utils.CMKeyManager.initializeKeystore(CMKeyManager.java:59)
    at de.axway.certmgr.utils.CMKeyManager.getPrivateKey(CMKeyManager.java:91)

or

17-07-06 08:08:50,828 ERROR GPX509ExtendedKeyManager : Error invoking getPrivateKey
com.axway.xsr.agent.router.gp.context.SendContextException: Error message recieved, cause: null
at com.axway.xsr.agent.router.gp.context.SendContext.invoke(SendContext.java:147)
at com.axway.xsr.agent.router.gp.GPX509ExtendedKeyManager.getPrivateKey(GPX509ExtendedKeyManager.java:181)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.setupPrivateKeyAndChain(Unknown Source)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.trySetCipherSuite(Unknown Source)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(Unknown Source)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
at com.axway.niocore.task.Worker.run(Worker.java:17) 

Resolution

** The first error ("no cipher suites in common") does not name the real problem. The third stack trace shows why it appears: the server handshaker walks through the cipher suites (chooseCipherSuite -> trySetCipherSuite -> setupPrivateKeyAndChain -> getPrivateKey) and every attempt fails because no private key can be retrieved, so no suite is usable. The keyword in the other two errors is "getPrivateKey": the failure is in retrieving the server's private key.

The cause is that the certificate TSIM has selected in the Certificate Manager for the AS2 TLS server has no private key; it is a public certificate only. This typically happens when more than one certificate carries the purpose "HTTPS_SERVER_CERT", for example partner certificates imported with that purpose, so TSIM picks a certificate that has no private key instead of the renewed server certificate. A certificate file returned by the CA (.cer/.pem) contains only the public part; the private key is only present if it was imported together with the certificate (for example from a PKCS#12 file).

To solve the issue:

  1. Log in to the TSIM UI as an administration user
  2. Go to Administration -> Certificate Manager
  3. Enter "HTTPS_SERVER_CERT" as the filter in the "purpose" column. Keep the asterisk (*) in all other filters.
  4. If more than one certificate is displayed, delete all certificates but the correct one, or change their purpose or application so that only the server certificate keeps "HTTPS_SERVER_CERT"
  5. Make sure the remaining certificate is Valid (not expired) and has a check-mark in the "PK" column, i.e. a private key is stored with it
  6. Activate CM (Certificate Manager)
  7. Test the connection again
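The two conditions checked in step 5 (certificate within its validity period, and a private key stored that really belongs to the certificate) can be verified outside the UI. The following Go program is an added example and not part of the KB article or of any Axway product; it constructs its own test certificates (the names as2.example.test, CheckServerCert and selfSigned are assumptions made for the example) and runs the same pairing check a TLS server must pass before it can choose a cipher suite. It also covers the renewal-specific mistake of keeping the old private key next to the new certificate, which the steps above do not spell out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertCheck is what the Certificate Manager's "Valid" and "PK" columns boil
// down to: is the certificate inside its validity window, is a private key
// stored with it at all, and does that key pair with the certificate.
type CertCheck struct {
	Subject    string
	Valid      bool // now is within NotBefore..NotAfter
	HasKey     bool // a private key was supplied (the "PK" check-mark)
	KeyMatches bool // the key pairs with the certificate's public key
}

// CheckServerCert inspects a PEM certificate and an optional PEM private key
// (nil when the store holds only the public certificate, as in the KB case).
func CheckServerCert(certPEM, keyPEM []byte, now time.Time) (CertCheck, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertCheck{}, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertCheck{}, err
	}
	res := CertCheck{
		Subject: cert.Subject.CommonName,
		Valid:   !now.Before(cert.NotBefore) && !now.After(cert.NotAfter),
		HasKey:  len(keyPEM) > 0,
	}
	if res.HasKey {
		// tls.X509KeyPair pairs the certificate with a usable private key and
		// fails with "private key does not match public key" when the wrong
		// key (e.g. the old one) is stored next to a renewed certificate.
		if _, err := tls.X509KeyPair(certPEM, keyPEM); err == nil {
			res.KeyMatches = true
		}
	}
	return res, nil
}

// selfSigned builds a constructed self-signed test certificate (not a real
// Axway or partner certificate) and returns its PEM form plus the PEM key.
func selfSigned(cn string, notBefore time.Time, days int) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	now := time.Now()
	// Expired certificate from last year and its key, plus the renewed pair.
	oldCert, oldKey, _ := selfSigned("as2.example.test", now.Add(-400*24*time.Hour), 365)
	newCert, newKey, _ := selfSigned("as2.example.test", now.Add(-24*time.Hour), 365)

	cases := []struct {
		name      string
		cert, key []byte
	}{
		{"expired cert with its own key", oldCert, oldKey},
		{"renewed cert, public part only", newCert, nil},
		{"renewed cert paired with the old key", newCert, oldKey},
		{"renewed cert with its own key", newCert, newKey},
	}
	for _, c := range cases {
		r, err := CheckServerCert(c.cert, c.key, now)
		fmt.Printf("%-38s err=%v valid=%v pk=%v matches=%v\n",
			c.name, err, r.Valid, r.HasKey, r.KeyMatches)
	}
}
```

Only the last case is a certificate a TLS server can actually use; the second case is the situation described in this article (a public certificate only, so the "PK" column would be empty), and the third is what you get when the renewed certificate is imported without its new key and left next to the previous one.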