WebLogic SSL configuration : Inconsistent security configuration Cannot convert identity certificate

I discussed about SSL basics and SSL configuration in WebLogic Server. In this post I am going to cover an issue encountered after configuring SSL in OIM/SOA deployed on WebLogic Server.

 

Issue : After configuring SSL WebLogic Server failed to start on SSL.

Error message reported in WebLogic Server Log : $DOMAIN_HOME/servers/[server_name]/logs/

_______

<07-Aug-2013 13:52:53 o’clock UTC> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias soa from the JKS keystore file /u01/app/oracle/admin/domain/dev/config/fmwconfig/soa.jks.>
<07-Aug-2013 13:52:53 o’clock UTC> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.lang.RuntimeException: Cannot convert identity certificate>
<07-Aug-2013 13:52:53 o’clock UTC> <Error> <Server> <BEA-002618> <An invalid attempt was made to configure a channel for unconfigured protocol “Cannotconvert identity certificate”.>

______

 

Root Cause : This issue could be because of many reasons

1. SHA as HASH ALgorithm : If while signing the Certificate, signature hash algorithm used by CA is SHA256 (to find Algorithm, click certificate and then Details) then this is supported only on WebLogic 10.3.3 or higher version (for prior version of WebLogic use SHA1). For WebLogic 10.3.3 or higher with SHA256, select option Use JSSE SSL in SSL tab

 

 

Fix:  Use option Use JSEE SSL

Servers -> [name_of_the_weblogic_server_for_which_ssl_is_configured] -> Configuration -> SSL (sub tab) : Click on Advanced at bottom of the Page , select check box Use JSSE SSL and then save . Activate Change and restart WebLogic Server.

 

 

2. Other reason could be use of wildcard (*.domain_name) in SSL certificate .

 

Reference

  • 664243.1 E-WL: WebLogic Fails to Listen on SSL Port after Installing a WildCard Certificate or a SHA2 Certificate. Logs Message: “Cannot convert identity certificate”

Did you get a chance to download Free Interview Questions related to WebLogic? If not, download it here http://k21academy.com/weblogic-interview-question

weblogic banner

Learn Oracle Weblogic Server Administration

If you want to learn Oracle WebLogic Server Administration with tons of additional features like Live Interactive Sessions, Life time access to membership portal, Free re-taking sessions for next one year, Dedicated Machine to practice, On Job Support and much more

Click here to know more

Share This Post with Your Friends over Social Media!

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

5 comments
volvorin says September 29, 2015

Thanks a lot , this workaround worked for me.

Reply
Dipesh says June 1, 2017

I must say your troubleshooting articles are amazing. This FIX does work for one of my client.

Reply
Ravi Ranjan says May 4, 2018

Hi Atul,

It did work for me as well. But after setting this value I am getting below error.

<Exception: {0}
oracle.security.fed.controller.frontend.action.RequestHandlerRuntimeException: An error occurred while verifying/signing/encrypting/decrypting a message java.security.UnrecoverableKeyException: Given final block not properly padded; oracle.security.fed.security.key.KeySourceException: java.security.UnrecoverableKeyException: Given final block not properly padded

Could you please guide me on this.

Thanks,
Ravi

Reply
Ashok says May 7, 2018

Hi Atul,

The above fix worked for me and it doesn’t show the “Cannot convert the identity certificate” message in logs. Thanks for the article but still when I’m trying to browser with HTTPS link (https://localhost:16201/cs) it is still not responding…
I also see the below message in the managed server log.

Thanks,
Ashok

Reply
Add Your Reply