Article Number | 000030096 |
Applies To | RSA Product Set: RSA Federated Identity Manager (FIM) 4.1; RSA Product/Service Type: Oracle Weblogic 10.0.1 |
Issue | After upgrading the Weblogic SSL certificate, the server throws the following exception on restart:
java.io.IOException: Cannot convert identity certificate
	at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:59)
	at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:273)
	at weblogic.server.channels.AdminPortService.bindListeners(AdminPortService.java:76)
	at weblogic.server.channels.EnableAdminListenersService.start(EnableAdminListenersService.java:39)
	at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
	at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
	at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
Caused by: java.lang.RuntimeException: Cannot convert identity certificate
	at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
	at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
	at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
	at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:77)
	at weblogic.security.utils.SSLContextManager.createServerSSLContext(SSLContextManager.java:286)
	at weblogic.security.utils.SSLContextManager.getChannelSSLContext(SSLContextManager.java:239)
	at weblogic.security.utils.SSLContextManager.getSSLServerSocketFactory(SSLContextManager.java:89)
	at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:55)
	... 6 more
|
Cause | The new certificate was signed with SHA256withRSA, while the old one was signed with SHA1withRSA. Weblogic prior to 10.3.4 cannot use certificates signed with SHA256withRSA, because its Certicom SSL implementation does not support that signature algorithm. |
Resolution | Upgrade Weblogic to a supported version, 10.3.4 or greater.
Enable JSSE SSL: in the Weblogic console, under the SSL tab, open the advanced options and set "Use JSSE SSL" for the Admin server. Do this after you import the certificate into the trust keystore on the Admin server; otherwise the Admin server may fail to communicate with Node Manager, and you will see a "javax.net.ssl.SSLKeyException" error when you check Node Manager status from the Weblogic console.
Also modify the file $WL_HOME/server/bin/startNodeManager.sh to add the following line:
JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"
|
Workaround | Use a certificate signed with the SHA1withRSA algorithm. |
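The check an administrator wants before restarting is to confirm which signature algorithm the new identity certificate actually carries. The usual way is `keytool -list -v -keystore <identity keystore>` (read the "Signature algorithm name" line) or `openssl x509 -in cert.pem -noout -text` (read "Signature Algorithm"). The script below is an added example, not code from the RSA article or from Weblogic: it walks the DER encoding of an exported certificate (for instance the output of `keytool -exportcert`) to read the outer signatureAlgorithm OID and reports whether the pre-10.3.4 Certicom stack would accept it under the article's rule (SHA1withRSA only). The OID table, the `CERTICOM_SUPPORTED` set and the sample certificates built by `make_sample_cert` are assumptions and constructed data, not real certificates.

```python
"""Read the signature algorithm of a DER-encoded X.509 certificate.

Added example (not from the RSA/Oracle article). Only the outer
signatureAlgorithm field is parsed; tbsCertificate is skipped as a blob.
The sample certificates are constructed DER skeletons, not real certs.
"""

# OIDs of the two RSA signature algorithms named in the article.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
}

# Assumption taken from the article's Cause section: the Certicom SSL stack
# in Weblogic < 10.3.4 only handles identity certificates signed SHA1withRSA.
CERTICOM_SUPPORTED = {"SHA1withRSA"}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def certificate_signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER cert.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    signatureAlgorithm ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)     # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    return _decode_oid(oid)


def signature_algorithm_name(der):
    """Human-readable algorithm name, or the raw OID if it is not in the table."""
    oid = certificate_signature_algorithm(der)
    return SIG_ALG_OIDS.get(oid, oid)


def usable_by_certicom(der):
    """True if the certificate's signature algorithm is one Certicom accepts."""
    return signature_algorithm_name(der) in CERTICOM_SUPPORTED


# --- constructed sample certificates (DER skeletons, not real certs) ----------

def _tlv(tag, content):
    """Minimal DER encoder handling short-form and long-form lengths."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _encode_oid(dotted):
    """Encode a dotted OID into its DER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return out


def make_sample_cert(sig_oid):
    """Build a structurally valid Certificate SEQUENCE around a dummy body.

    The padded tbsCertificate forces a long-form length so that path is exercised.
    """
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\x00" * 200))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 16)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in SIG_ALG_OIDS:
        cert = make_sample_cert(oid)
        print(signature_algorithm_name(cert), "usable by Certicom:", usable_by_certicom(cert))
```

To run it against a real identity certificate, export it with `keytool -exportcert` (DER by default), read the file as bytes and pass them to `usable_by_certicom`; a `False` result is the condition the article attributes to the "Cannot convert identity certificate" exception.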