FIM Weblogic throws exception with new SSL cert - java.io.IOException: Cannot convert identity certificate
Originally Published: 2015-04-20
Article Number
Applies To
RSA Product/Service Type: Oracle Weblogic 10.0.1
Issue
java.io.IOException: Cannot convert identity certificate at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:59) at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:273) at weblogic.server.channels.AdminPortService.bindListeners(AdminPortService.java:76) at weblogic.server.channels.EnableAdminListenersService.start(EnableAdminListenersService.java:39) at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200) at weblogic.work.ExecuteThread.run(ExecuteThread.java:172) Caused by: java.lang.RuntimeException: Cannot convert identity certificate at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source) at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source) at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source) at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:77) at weblogic.security.utils.SSLContextManager.createServerSSLContext(SSLContextManager.java:286) at weblogic.security.utils.SSLContextManager.getChannelSSLContext(SSLContextManager.java:239) at weblogic.security.utils.SSLContextManager.getSSLServerSocketFactory(SSLContextManager.java:89) at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:55) ... 6 more
Cause
Resolution
Enable JSSE SSL, which is under the advanced options of the weblogic console found under the SSL tab
Set “Use JSSE SSL” for Admin server after you import the certificate into the trust keystore on admin server. Otherwise, Admin server may fail to communicate with node manager, and you will see “javax.net.ssl.SSLKeyException” error when you check Node Manager Status from weblogic console.
Also modify the file $WL_HOME/server/bin/startNodeManager.sh
to add the following line:
JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"
Workaround
Related Articles
Unrecognized string/value shown in SubjectAltName extension of a certificate issued using the MS Logon Cert profile 19Number of Views How to create an Extended Validation (EV) compatible Root CA? 9Number of Views How to generate an SSL certificate for tomcat. 178Number of Views Upgrade of RSA Governance and Lifecycle from 7.0.0 to 7.0.1 fails with Checking database... Invalid Username/Password 235Number of Views 'Host name configured is not listed in subject alternative names of certificate' and 'LDAP_CERT_HOSTNAME_MISMATCH_MSG_SHOR… 349Number of Views
Trending Articles
RSA Authentication Manager 8.9 Setup and Configuration Guide How to 'Trust' the RSA Authentication Manager Security Console Self-Signed Root CA certificate and prevent Cert warnings. RSA Authentication Manager 8.9 Release Notes (January 2026) Configure RSA Authentication Manager as a Secure Proxy Server for Cloud Access Service RSA Authentication Manager Upgrade Process
Don't see what you're looking for?