FIM Weblogic throws exception with new SSL cert - java.io.IOException: Cannot convert identity certificate
Originally Published: 2015-04-20
Article Number
Applies To
RSA Product/Service Type: Oracle Weblogic 10.0.1
Issue
java.io.IOException: Cannot convert identity certificate
    at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:59)
    at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:273)
    at weblogic.server.channels.AdminPortService.bindListeners(AdminPortService.java:76)
    at weblogic.server.channels.EnableAdminListenersService.start(EnableAdminListenersService.java:39)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
Caused by: java.lang.RuntimeException: Cannot convert identity certificate
    at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
    at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
    at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
    at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:77)
    at weblogic.security.utils.SSLContextManager.createServerSSLContext(SSLContextManager.java:286)
    at weblogic.security.utils.SSLContextManager.getChannelSSLContext(SSLContextManager.java:239)
    at weblogic.security.utils.SSLContextManager.getSSLServerSocketFactory(SSLContextManager.java:89)
    at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:55)
    ... 6 more
Cause
Resolution
Enable JSSE SSL, which is found under the advanced options on the SSL tab of the WebLogic console.
Set “Use JSSE SSL” for the Admin server after you import the certificate into the trust keystore on the Admin server. Otherwise, the Admin server may fail to communicate with Node Manager, and you will see a “javax.net.ssl.SSLKeyException” error when you check the Node Manager status from the WebLogic console.
Also modify the file $WL_HOME/server/bin/startNodeManager.sh to add the following line:
JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"
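To confirm the edit survives the rest of the script, the following added example (not part of the original article and not vendor code) reports whether the flag set by that line is still in effect at the end of the file. The function name jsse_flag_status and the sample script are hypothetical, and it assumes JAVA_OPTIONS is set with plain one-line shell assignments.

```shell
#!/bin/sh
# Added example: audit a startNodeManager.sh-style script for the JSSE flag.
#
# jsse_flag_status FILE prints one of:
#   enabled     - an uncommented JAVA_OPTIONS assignment carries
#                 -Dweblogic.security.SSL.enableJSSE=true and no later
#                 assignment discards it
#   overwritten - the flag was set, but a later JAVA_OPTIONS= assignment
#                 does not reference the previous value, so the flag is lost
#   missing     - no uncommented assignment sets the flag
jsse_flag_status() {
    awk '
        # Ignore commented-out lines.
        /^[ \t]*#/ { next }
        # Look only at JAVA_OPTIONS assignments (optionally exported).
        /^[ \t]*(export[ \t]+)?JAVA_OPTIONS=/ {
            if ($0 ~ /-Dweblogic\.security\.SSL\.enableJSSE=true/) {
                state = "enabled"
            } else if (state == "enabled" && $0 !~ /\$[{]?JAVA_OPTIONS/) {
                # Assignment that drops the earlier value, and the flag with it.
                state = "overwritten"
            }
        }
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# Constructed sample (not a real startNodeManager.sh): the flag is added,
# then a later assignment replaces JAVA_OPTIONS without keeping it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"
JAVA_OPTIONS="-Xms32m -Xmx200m"
EOF
echo "sample: $(jsse_flag_status "$sample")"   # prints "sample: overwritten"
rm -f "$sample"
```

A result of "overwritten" means the line was added too early in the script and should be moved below the assignment that replaces JAVA_OPTIONS.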
Workaround