Friday, December 16, 2016

javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE


While configuring SSL I ran into some complications that led to errors on other hosts.

When I tried to start the node manager on one of my clustered hosts I got the error below:

WARNING: Uncaught exception in server handlerjavax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from HOSTNAME - HOST_IP. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from HOSTNAME - HOST_IP. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertReceived(Unknown Source)
at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.ReadHandler.read(Unknown Source)
at com.certicom.io.InputSSLIOStreamWrapper.read(Unknown Source)
at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:283)
at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:325)
at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:177)
at java.io.InputStreamReader.read(InputStreamReader.java:184)
at java.io.BufferedReader.fill(BufferedReader.java:154)
at java.io.BufferedReader.readLine(BufferedReader.java:317)
at java.io.BufferedReader.readLine(BufferedReader.java:382)
at weblogic.nodemanager.server.Handler.run(Handler.java:71)
at java.lang.Thread.run(Thread.java:724)


On the other side (the AdminServer) I got the error below:

<BEA-090504> <Certificate chain received from HOSTNAME - HOST_IP failed hostname verification check.


I checked the certificate and found that the Common Name had been changed (it no longer matched the host name):

$ keytool -list -v -keystore DemoIdentity.jks
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: demoidentity
Creation date: Nov 15, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=rn360-a1-20, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Serial number: 5b04b231c13431ed67bdb087bcd009df
Valid from: Mon Nov 14 19:57:00 AST 2011 until: Sun Nov 15 19:57:00 AST 2026
Certificate fingerprints:
MD5:  CF:C6:F4:C7:9C:F2:D2:34:6D:58:B3:06:EE:46:FA:68
SHA1: 9D:5F:53:F2:96:EB:AA:03:01:33:F0:B4:85:EA:14:E3:24:04:03:B7
SHA256: B2:48:31:CC:A6:3F:B9:6C:F3:FD:E9:FA:57:DB:84:06:11:56:74:E9:63:C7:86:B6:D5:90:A9:D3:33:61:00:E7
Signature algorithm name: MD5withRSA
Version: 1
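The hostname verification check that produced BEA-090504 can be reproduced offline against a `keytool -list -v` listing, as an added example that is not part of the original post. It assumes the general TLS rule (SubjectAlternativeName DNS names take precedence over the subject CN) and uses a constructed listing modelled on the one above; the WebLogic verifier's exact precedence is not established by this page.

```python
import re

# Constructed sample modelled on the keytool -list -v output shown above
# (the CN is the stale host name that failed hostname verification).
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: demoidentity
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=rn360-a1-20, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Version: 1
"""

def certificate_identities(keytool_output: str) -> list[str]:
    """DNS identities a keytool -v listing advertises: SubjectAlternativeName
    DNSName entries if present (assumed precedence), otherwise the subject CN."""
    sans = re.findall(r"DNSName:\s*(\S+)", keytool_output)
    if sans:
        return sans
    owner = re.search(r"^Owner:\s*(.+)$", keytool_output, re.MULTILINE)
    if not owner:
        return []
    cn = re.search(r"(?:^|,\s*)CN=([^,]+)", owner.group(1))
    return [cn.group(1).strip()] if cn else []

def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a wildcard is allowed only
    as the whole leftmost label and never matches across a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_verification_ok(keytool_output: str, hostname: str) -> bool:
    """True if any identity in the listing matches the host the peer connects to."""
    return any(name_matches(n, hostname) for n in certificate_identities(keytool_output))

if __name__ == "__main__":
    for host in ("rn360-a1-20", "HOSTNAME"):
        verdict = "OK" if hostname_verification_ok(SAMPLE_KEYTOOL_OUTPUT, host) else "fails hostname verification"
        print(f"{host}: {verdict}")
```

Run it with the real listing (`keytool -list -v -keystore DemoIdentity.jks`) piped in and the host name the AdminServer uses to reach the node manager to confirm the identity certificate before starting the node manager.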


*******************************************
*******************************************

Solution:

$ . $WLS_HOME/server/bin/setWLSEnv.sh
$ cp DemoIdentity.jks DemoIdentity.jks.bkp16122016
$ rm DemoIdentity.jks

$ java utils.CertGen -keyfilepass DemoIdentityPassPhrase -certfile newcert -keyfile newkey
Generating a certificate with common name HOSTNAME and key strength 1024
issued by CA with certificate from CertGenCA.der file and key from CertGenCAKey.der file

$ java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyfile newkey.pem -keyfilepass DemoIdentityPassPhrase -certfile newcert.pem -alias demoidentity
No password was specified for the key entry
Key file password will be used
<Dec 16, 2016 7:07:27 PM AST> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true> 
<Dec 16, 2016 7:07:27 PM AST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true> 
<Dec 16, 2016 7:07:28 PM AST> <Info> <Security> <BEA-090908> <Using default WebLogic SSL Hostname Verifier implementation.> 

Imported private key newkey.pem and certificate newcert.pem
into a new keystore DemoIdentity.jks of type jks under alias demoidentity

Finally, start your node manager.

