WebLogic SSL configuration : Inconsistent security configuration Cannot convert identity certificate

I discussed SSL basics and SSL configuration in WebLogic Server earlier. In this post I am going to cover an issue encountered after configuring SSL in OIM/SOA deployed on WebLogic Server.

 

Issue : After configuring SSL, WebLogic Server failed to start on the SSL port.

Error message reported in WebLogic Server Log : $DOMAIN_HOME/servers/[server_name]/logs/

_______

<07-Aug-2013 13:52:53 o’clock UTC> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias soa from the JKS keystore file /u01/app/oracle/admin/domain/dev/config/fmwconfig/soa.jks.>
<07-Aug-2013 13:52:53 o’clock UTC> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.lang.RuntimeException: Cannot convert identity certificate>
<07-Aug-2013 13:52:53 o’clock UTC> <Error> <Server> <BEA-002618> <An invalid attempt was made to configure a channel for unconfigured protocol “Cannotconvert identity certificate”.>

______

 

Root Cause : This issue can have several causes

1. SHA256 as hash algorithm : If the signature hash algorithm used by the CA when signing the certificate is SHA256 (to find the algorithm, open the certificate and then click Details), this is supported only on WebLogic 10.3.3 or higher (for prior versions of WebLogic use SHA1). For WebLogic 10.3.3 or higher with SHA256, select the option Use JSSE SSL in the SSL tab.

 

 

Fix : Use the option Use JSSE SSL

Servers -> [name_of_the_weblogic_server_for_which_ssl_is_configured] -> Configuration -> SSL (sub tab) : Click on Advanced at the bottom of the page, select the check box Use JSSE SSL and then save. Activate Changes and restart WebLogic Server.

 

 

2. Another reason could be the use of a wildcard (*.domain_name) in the SSL certificate.
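
A triage helper for the failure described above, added here as an example (not code from the original post or from Oracle): it pairs the BEA-090171 load message with the BEA-000297 error to name the failing alias and keystore, then checks `keytool -list -v` output for the two causes listed. The keytool sample, the function names and the cause labels are assumptions; the log lines are the ones quoted in the post.

```python
import re

# Log lines quoted in the post above (typographic apostrophes normalised to ASCII).
SAMPLE_LOG = """\
<07-Aug-2013 13:52:53 o'clock UTC> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias soa from the JKS keystore file /u01/app/oracle/admin/domain/dev/config/fmwconfig/soa.jks.>
<07-Aug-2013 13:52:53 o'clock UTC> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.lang.RuntimeException: Cannot convert identity certificate>
"""

# Constructed sample: trimmed output of `keytool -list -v -keystore soa.jks -alias soa`.
SAMPLE_KEYTOOL = """\
Alias name: soa
Entry type: PrivateKeyEntry
Owner: CN=*.example.com, O=Example, C=US
Issuer: CN=Example Issuing CA, O=Example, C=US
Signature algorithm name: SHA256withRSA
"""

LOAD_RE = re.compile(r"<BEA-090171> <Loading the identity certificate and private key "
                     r"stored under the alias (\S+) from the \S+ keystore file (\S+?)\.>")

def failed_identities(log_text):
    """Return (alias, keystore) pairs whose load is followed by the BEA-000297 error."""
    failures, last = [], None
    for line in log_text.splitlines():
        m = LOAD_RE.search(line)
        if m:
            last = m.groups()  # remember the most recent identity load
        elif last and "<BEA-000297>" in line and "Cannot convert identity certificate" in line:
            failures.append(last)
            last = None
    return failures

def likely_causes(keytool_text):
    """Flag the two causes named in the post: SHA-2 signature and wildcard subject."""
    causes = []
    sig = re.search(r"^Signature algorithm name:\s*(\S+)", keytool_text, re.M)
    owner = re.search(r"^Owner:\s*(.+)$", keytool_text, re.M)
    if sig and re.match(r"SHA(224|256|384|512)with", sig.group(1), re.I):
        causes.append("sha2-signature:" + sig.group(1))
    if owner and re.search(r"CN=\*\.", owner.group(1)):
        causes.append("wildcard-cn")
    return causes

if __name__ == "__main__":
    for alias, keystore in failed_identities(SAMPLE_LOG):
        print(f"alias={alias} keystore={keystore} causes={likely_causes(SAMPLE_KEYTOOL)}")
```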

 

Reference

  • 664243.1 E-WL: WebLogic Fails to Listen on SSL Port after Installing a WildCard Certificate or a SHA2 Certificate. Logs Message: “Cannot convert identity certificate”


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.


5 comments
volvorin says September 29, 2015

Thanks a lot, this workaround worked for me.
Dipesh says June 1, 2017

I must say your troubleshooting articles are amazing. This FIX does work for one of my clients.
Ravi Ranjan says May 4, 2018

Hi Atul,

It did work for me as well. But after setting this value I am getting below error.

<Exception: {0}
oracle.security.fed.controller.frontend.action.RequestHandlerRuntimeException: An error occurred while verifying/signing/encrypting/decrypting a message java.security.UnrecoverableKeyException: Given final block not properly padded; oracle.security.fed.security.key.KeySourceException: java.security.UnrecoverableKeyException: Given final block not properly padded

Could you please guide me on this.

Thanks,
Ravi

Ashok says May 7, 2018

Hi Atul,

The above fix worked for me and it doesn’t show the “Cannot convert the identity certificate” message in logs. Thanks for the article but still when I’m trying to browse with the HTTPS link (https://localhost:16201/cs) it is still not responding…
I also see the below message in the managed server log.

Thanks,
Ashok
