000030096 - FIM Weblogic throws exception with new SSL cert - java.io.IOException: Cannot convert identity certificate

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030096
Applies To: RSA Federated Identity Manager (FIM) 4.1
Oracle WebLogic 10.0.1
 
Issue: After upgrading the WebLogic SSL certificate, the server throws the following exception on restart:
java.io.IOException: Cannot convert identity certificate
      at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:59)
      at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:273)
      at weblogic.server.channels.AdminPortService.bindListeners(AdminPortService.java:76)
      at weblogic.server.channels.EnableAdminListenersService.start(EnableAdminListenersService.java:39)
      at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
Caused by: java.lang.RuntimeException: Cannot convert identity certificate
      at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
      at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
      at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
      at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:77)
      at weblogic.security.utils.SSLContextManager.createServerSSLContext(SSLContextManager.java:286)
      at weblogic.security.utils.SSLContextManager.getChannelSSLContext(SSLContextManager.java:239)
      at weblogic.security.utils.SSLContextManager.getSSLServerSocketFactory(SSLContextManager.java:89)
      at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:55)
      ... 6 more
Cause: The new certificate is signed with SHA256withRSA, while the old one was signed with SHA1withRSA. WebLogic releases prior to 10.3.4 use the Certicom SSL implementation, which cannot load identity certificates carrying a SHA-256 (SHA-2) signature. Note that these names refer to the certificate's signature algorithm, not to encryption; the key type and size are not the problem.
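To confirm which signature algorithm a given certificate actually carries before restarting the server, the following added example (not code from the RSA article, from RSA or from Oracle) walks the DER encoding of a PEM or DER certificate, reads the signatureAlgorithm field, cross-checks it against tbsCertificate.signature, and reports whether a Certicom-based WebLogic can load it. It uses only the Python standard library; the certificate-shaped bytes it builds for its own demo are constructed sample data, not a real certificate, and the "compatible" set is taken from this article's Cause section (SHA1withRSA only), not from a Certicom support matrix.

```python
"""Identify an X.509 certificate's signature algorithm (PEM or DER input) and
flag the SHA-2 signatures that Certicom-based WebLogic (< 10.3.4) rejects.
Added example for this KB article, not RSA or Oracle code; the sample
certificate built below is constructed, not a real certificate."""
import base64
import re
import sys

# PKCS #1 signature algorithm OIDs relevant to this article.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
}
# Assumption taken from the article's Cause section: only SHA1withRSA loads
# on the Certicom stack. This is not a complete Certicom support list.
CERTICOM_OK = {"SHA1withRSA"}


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(value):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def load_der(data):
    """Accept PEM or DER bytes and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def signature_algorithm(cert):
    """Return (oid, name) of Certificate.signatureAlgorithm, after checking it
    matches tbsCertificate.signature as RFC 5280 section 4.1.1.2 requires."""
    der = load_der(cert)
    tag, cert_body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is this really a certificate?")
    tag, tbs, pos = _tlv(cert_body, 0)              # tbsCertificate
    _, outer_alg, _ = _tlv(cert_body, pos)          # signatureAlgorithm
    # tbsCertificate: [0] version (optional), serialNumber, signature, ...
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                                 # explicit version present
        tag, _, pos = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("tbsCertificate.serialNumber not found")
    _, inner_alg, _ = _tlv(tbs, pos)                # tbsCertificate.signature
    outer = _oid(_tlv(outer_alg, 0)[1])
    inner = _oid(_tlv(inner_alg, 0)[1])
    if outer != inner:
        raise ValueError(f"signature OID mismatch: {outer} vs {inner}")
    return outer, SIG_OIDS.get(outer, "unknown")


def certicom_compatible(cert):
    """True when the signature algorithm is one the Certicom SSL stack in
    WebLogic < 10.3.4 can load (see CERTICOM_OK)."""
    return signature_algorithm(cert)[1] in CERTICOM_OK


# --- constructed sample data so the script runs stand-alone -----------------

def _der(tag, payload):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _enc_oid(dotted):
    """Encode a dotted OID into DER contents (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(chunk)
    return out


def sample_cert(sig_oid, pem=False):
    """Constructed sample: a minimal certificate-shaped structure (serial 1,
    no subject/key/extensions, empty signature) declaring sig_oid."""
    alg = _der(0x30, _der(0x06, _enc_oid(sig_oid)) + b"\x05\x00")  # AlgorithmIdentifier
    tbs = _der(0x30, _der(0x02, b"\x01") + alg)                      # serialNumber, signature
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00"))                # + signatureValue
    if pem:
        return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
                + b"-----END CERTIFICATE-----\n")
    return der


if __name__ == "__main__":
    # Usage: python check_sig.py server.pem   (no argument runs the demo)
    certs = ([open(sys.argv[1], "rb").read()] if len(sys.argv) > 1
             else [sample_cert("1.2.840.113549.1.1.5", pem=True),
                   sample_cert("1.2.840.113549.1.1.11")])
    for c in certs:
        oid, name = signature_algorithm(c)
        verdict = "loads on Certicom" if certicom_compatible(c) else "needs JSSE / WebLogic >= 10.3.4"
        print(f"{name} ({oid}): {verdict}")
```

Run it against the server's identity certificate exported from the identity keystore; the same information is shown by `openssl x509 -in server.pem -noout -text` on the "Signature Algorithm" line. A certificate that reports anything other than SHA1withRSA will trigger the "Cannot convert identity certificate" failure on the Certicom stack and needs the Resolution below.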
Resolution: Upgrade WebLogic to a supported version, 10.3.4 or greater, then switch the server from the Certicom SSL stack to JSSE.
Enable JSSE SSL in the WebLogic console: it is under the Advanced options of the SSL tab.
Import the new certificate into the trust keystore on the Admin Server before setting "Use JSSE SSL" for the Admin Server. If JSSE is enabled first, the Admin Server may fail to communicate with Node Manager, and checking Node Manager status from the WebLogic console reports a "javax.net.ssl.SSLKeyException".
Also enable JSSE for Node Manager by adding the following line to $WL_HOME/server/bin/startNodeManager.sh:
JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"
 
Workaround: Use a certificate signed with SHA1withRSA. SHA-1 signatures are deprecated and are rejected by current browsers and many TLS clients, so treat this only as a stopgap until WebLogic is upgraded and JSSE is enabled.
