FIM Weblogic throws exception with new SSL cert - java.io.IOException: Cannot convert identity certificate
Originally Published: 2015-04-20
Article Number
Applies To
RSA Product/Service Type: Oracle Weblogic 10.0.1
Issue
java.io.IOException: Cannot convert identity certificate at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:59) at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:273) at weblogic.server.channels.AdminPortService.bindListeners(AdminPortService.java:76) at weblogic.server.channels.EnableAdminListenersService.start(EnableAdminListenersService.java:39) at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200) at weblogic.work.ExecuteThread.run(ExecuteThread.java:172) Caused by: java.lang.RuntimeException: Cannot convert identity certificate at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source) at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source) at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source) at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:77) at weblogic.security.utils.SSLContextManager.createServerSSLContext(SSLContextManager.java:286) at weblogic.security.utils.SSLContextManager.getChannelSSLContext(SSLContextManager.java:239) at weblogic.security.utils.SSLContextManager.getSSLServerSocketFactory(SSLContextManager.java:89) at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:55) ... 6 more
Cause
Resolution
Enable JSSE SSL, which is under the advanced options of the weblogic console found under the SSL tab
Set “Use JSSE SSL” for Admin server after you import the certificate into the trust keystore on admin server. Otherwise, Admin server may fail to communicate with node manager, and you will see “javax.net.ssl.SSLKeyException” error when you check Node Manager Status from weblogic console.
Also modify the file $WL_HOME/server/bin/startNodeManager.sh
to add the following line:
JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"
Workaround
Related Articles
To notify the CA administrator of a new cert request. Number of Views Edit an Identity Source SSL Certificate Number of Views How to generate an SSL certificate for tomcat. Number of Views Add an Identity Source SSL Certificate Number of Views Unrecognized string/value shown in SubjectAltName extension of a certificate issued using the MS Logon Cert profile Number of Views
Trending Articles
Troubleshooting RSA SecurID Access Identity Router to RSA Authentication Manager test connection failures RSA SecurID Software Token 5.0.2 Downloads for Microsoft Windows RSA Authentication Manager 8.9 Release Notes (January 2026) Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory RSA Authentication Manager 8.8 Setup and Configuration Guide
Don't see what you're looking for?
