Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000030096 - FIM Weblogic throws exception with new SSL cert - java.io.IOException: Cannot convert identity certificate

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000030096
Applies To	RSA Federated Identity Manager (FIM) 4.1 Oracle Weblogic 10.0.1
Issue	After upgrading Weblogic SSL certificate the servers throws the following exception on restart: java.io.IOException: Cannot convert identity certificate at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:59) at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:273) at weblogic.server.channels.AdminPortService.bindListeners(AdminPortService.java:76) at weblogic.server.channels.EnableAdminListenersService.start(EnableAdminListenersService.java:39) at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200) at weblogic.work.ExecuteThread.run(ExecuteThread.java:172) Caused by: java.lang.RuntimeException: Cannot convert identity certificate at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source) at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source) at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source) at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:77) at weblogic.security.utils.SSLContextManager.createServerSSLContext(SSLContextManager.java:286) at weblogic.security.utils.SSLContextManager.getChannelSSLContext(SSLContextManager.java:239) at weblogic.security.utils.SSLContextManager.getSSLServerSocketFactory(SSLContextManager.java:89) at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:55) ... 6 more
Cause	The new certificate was created using SHA256withRSA, while the old one used SHA1withRSA. Weblogic prior to 10.3.4 cannot use certificates with SHA256withRSA encryption as it uses Certicom SSL implementation.
Resolution	Upgrade the weblogic to a supported version 10.3.4 or greater. Enable JSSE SSL, which is under the advanced options of the weblogic console found under the SSL tab Set “Use JSSE SSL” for Admin server after you import the certificate into the trust keystore on admin server. Otherwise Admin server may fail to communicate with node manager, and you will see “javax.net.ssl.SSLKeyException” error when you check Node Manager Status from weblogic console. Also modify the file $WL_HOME/server/bin/startNodeManager.sh to add the following line: JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"
Workaround	Use a certificate made with SHA1withRSA algorithm.

Attachments

Outcomes

0 Comments

Recommended Content