In today's post I am going to discuss an issue encountered while integrating WebLogic Server with an LDAP server (OID/OVD) listening on SSL. To learn more about adding OID as an authentication provider in WebLogic, click here.
If OID/OVD is configured to listen on SSL (for steps on how to configure OID/OVD for SSL, click here and here), select the SSL Enabled checkbox in the provider-specific details.
Note: The default trust store for the WebLogic Admin Server is $WL_HOME/server/lib/DemoTrust.jks
Issue: After integrating WebLogic with OID (on the SSL port), OID users were not visible in the WebLogic Server users list.
The error message in WebLogic's Admin Server log file ($DOMAIN_HOME/servers/AdminServer/logs) was:
_________________
####<03-Jan-2014 17:27:14 o'clock GMT> <Error> <Console> <weblogic-host> <AdminServer> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <8bd6ca5edfb80812:2e32f4d2:143fdec9191:-8000-0000000000000033> <1391534834374> <BEA-240003> <Console encountered the following error weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection
. . . . Caused by: javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received. at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
__________________
Looking at the Admin Server logs again, this time at Admin Server startup, I found:
________________
####<03-Jan-2014 12:29:55 o'clock GMT> <Notice> <Security> <WebLogic-Host> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1391603395409> <BEA-090169> <Loading trusted certificates from the jks keystore file /u01/app/weblogic/certs/WebLogic-Host.jks.>
####<03-Jan-2014 12:29:55 o'clock GMT> <Notice> <Security> <WebLogic-Host> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1391603395425> <BEA-090898> <Ignoring the trusted CA certificate "cn=myRootCA,DC=onlineAppsDBA,DC=com". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
_____
Note: WebLogic's trust store in my environment is pointing to /u01/app/weblogic/certs/WebLogic-Host.jks
Note: Notice that loading of the trusted CA certificate failed in WebLogic's Admin Server with the error "Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11"; this is why the SSL connection to OID later fails with BAD_CERTIFICATE.
Root Cause: By default WebLogic Server does not trust certificates stronger than 128-bit. You must use the JSSE (Java Secure Socket Extension) SSL implementation, which supports certificates stronger than 128-bit.
Fix: Enable the JSSE SSL implementation for WebLogic: Admin Server -> Configuration -> SSL -> Advanced, select Use JSSE SSL. Restart the WebLogic server.
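As an added example that is not part of the original post, here is a stdlib-only Python check a practitioner can run on certificates exported from the trust store (for instance with keytool -exportcert) before restarting: it walks the X.509 DER structure, decodes the signatureAlgorithm OID, and flags 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), the OID that BEA-090898 reports the non-JSSE stack cannot parse. The sample certificates are constructed skeletons with a placeholder body and empty signature, not real signed certificates.

```python
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption, the OID in BEA-090898

def _tlv(buf, pos):
    """Decode one DER element at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length (real certs)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn OID content octets into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                           # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, cert, _ = _tlv(cert_der, 0)
    _, _, pos = _tlv(cert, 0)                      # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)                 # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected an OID in AlgorithmIdentifier")
    return _decode_oid(oid)

def needs_jsse(cert_der):
    return signature_algorithm_oid(cert_der) == SHA256_WITH_RSA   # rejected by non-JSSE stack

# --- constructed sample input: a certificate skeleton, not a real signed cert ---
def _der(tag, payload):                            # minimal encoder, short-form lengths only
    return bytes([tag, len(payload)]) + payload

def sample_cert(oid_content):
    tbs = _der(0x30, _der(0x02, b"\x01"))          # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, oid_content) + b"\x05\x00")
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))

SHA256_RSA_OID_DER = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SHA1_RSA_OID_DER = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5

if __name__ == "__main__":
    for alias, der in (("myRootCA", sample_cert(SHA256_RSA_OID_DER)),
                       ("legacyCA", sample_cert(SHA1_RSA_OID_DER))):
        print(alias, signature_algorithm_oid(der), "needs JSSE" if needs_jsse(der) else "ok")
```

To check a real trust store, export each alias with keytool -exportcert to a DER file and pass its bytes to needs_jsse; any certificate it flags will be skipped with BEA-090898 until Use JSSE SSL is enabled.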