Security:090294 could not get connection javax. net. ssl. SSLKeyException FATAL Alert BAD_CERTIFICATE – A corrupt or unuseable certificate was received

In today’s post I am going to discuss issue while integrating WebLogic Server with LDAP Server (OID/OVD) listening on SSL. To know more about adding OID as authentication provider in WebLogic click here

If OID/OVD is configured to listen on SSL (for steps on how to configure OID/OVD in SSL click here and here ) then you select checkbox SSL Enabled in Provider Specific details.

 

 

 

  • You must also import CA’s certificate (Certifying Authority) that issued certificate to your LDAP Server (OID/OVD) into trust store of WebLogic Server. To more about SSL and steps to import CA’s certificate in WebLogic’s Trust Store click here and here

Note: Default trust store for WebLogic Admin Server is $WL_HOME/ server/ lib/ DemoTrust.jks

 

 

Issue : After integrating WebLogic with OID (on SSL Port), OID users were not visible in WebLogic Server User’s list.

Errror message in WebLogic’s Admin Server log file $DOMAIN_HOME/ servers/ AdminServer/ logs was like

_________________

####<03-Jan-2014 17:27:14 o’clock GMT> <Error> <Console> <weblogic-host> <AdminServer> <[ACTIVE] ExecuteThread: ‘2’ for queue: ‘weblogic.kernel.Default (self-tuning)’> <weblogic> <> <8bd6ca5edfb80812:2e32f4d2:143fdec9191:-8000-0000000000000033> <1391534834374> <BEA-240003> <Console encountered the following error weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection  at weblogic. security. providers. authentication. LDAPAtnDelegate. getConnection

. . . . Caused by: javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE – A corrupt or unuseable certificate was received.  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)

__________________

 

  • Looking at error message, isssue seems to be becasue of bad SSL certificate .  Verified ROOT CA’s certificate usingn keytool -v and certificate listed properly.

.

On carefully looking at Admin Server logs again at start of Admin Server

________________

####<03-Jan-2014 12:29:55 o’clock GMT> <Notice> <Security> <WebLogic-Host> <AdminServer> <[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’> <<WLS Kernel>> <> <><1391603395409> <BEA-090169> <Loading trusted certificates from the jks keystore file /u01/app/weblogic/certs/WebLogic-Host.jks.>

####<03-Jan-2014 12:29:55 o’clock GMT> <Notice> <Security> <WebLogic-Host> <AdminServer> <[ACTIVE] ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’> <<WLS Kernel>> <> <>

<1391603395425> <BEA-090898> <Ignoring the trusted CA certificate “cn=myRootCA,DC=onlineAppsDBA,DC=com”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>

_____

Note: WebLogic’s TrustStore in my environemnt is pointing to /u01/app/weblogic/certs/WebLogic-Host.jks

Note: Notice loading of trusted certificate failed in WebLogic’s Admin Server with error Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11

Root Cause : By default WebLogic Server does not trust certificates stronger that 128-bit. You must use JSSE (Java Secure Socket Extenstion) SSL implementation that supports certificates stronger than 128-bit

Fix :  Enable JSSE SSL implementation for Weblogic : Admin Server -> Configuration -> SSL (Under Advanced) select Use JSSE SSL . Restart Weblogic Server.

 

 

 

 

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

1 comments
Jokkeri says March 6, 2015

Halleluja! Thanks for this post! I was getting the BAD_CERTIFICATE error and was strugling with it for 2 days. I my case the solution was the “Use JSSE SSL”.

Reply
Add Your Reply

Not found