WebLogic SSL Certificate
Can I install two SSL certificates in one WebLogic instance?
The server is connected through the Load Balancer.
So I need one certificate with Alteon URL and one more for direct server.
Thanks for your help.
Lax
309-735-1038.
Hi Lax,
This thread addresses your question
http://newsgroups.bea.com/cgi-bin/dnewsweb?utag=&group=weblogic.developer.interest.security&xrelated=6279&cmd_thread_last.x=56&cmd_thread_last.y=8
Cheers,
Joe Jerry
Similar Messages
-
Can I reference 2 different SSL certificates in the same weblogic.properties
Hello,
Can I reference 2 different SSL certificates in the same weblogic.properties file?
Reason is we have 2 groups of users for a web application: one will use a French-language DNS to access the application, and the other will use English DNS. Both DNS will point to the same application on the same server.
Example of what we require:
weblogic.security.certificate.server=mycert1.pem
weblogic.security.key.server=mykey1.der
weblogic.security.certificate.authority=rootCertificate1.pem
----and---
weblogic.security.certificate.server=mycert2.der
weblogic.security.key.server=mykey2.der
weblogic.security.certificate.authority=rootCertificate2.pem
mycert1 will correspond to DNS1, and mycert2 will correspond to DNS2, and both DNS1 and DNS2 point to the same application on the same box.
Thanks,
Ragu
I think that you can only have one server certificate per server currently since the certificate establishes the server's identity and there isn't support for a server to have two identities at the same time.
-
Problem in installation of free SSL certificate on Weblogic using keytool
We tried to install an SSL certificate on WebLogic using a keystore, but it gives an error in the console at startup and the server shuts down automatically.
Steps followed:
1) To generate keystore, private key and digital certificate:
keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword
2) To generate CSR
keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword
3) The CSR is uploaded on the Verisign site to generate a free SSL certificate. All certificate text received is pasted into a file (cacert.pem)
4) Same certificate is put into same keystore using following command
keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem
5) Before step 4), we have also installed root /intermediate certificate to include chain using following command.
(intermediateCa.cer file is downloaded from verisign site)
keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer
6) After this configuration we used weblogic admin module to configure Keystore and SSL.
7) For KeyStore tab in weblogic admin module, we have select option Custom Identity And Custom Trust provided following details under Identity and Trust columns:-
Private key alias: mykey2
PassKeyphrase: webconkeystorepassword
Location of keystore: location of webconkeystore.jks file on server
8) For SSL tab in weblogic admin module, we have select option KeyStores for Identity and Trust locations.
Error on console:
<Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore.jks under alias mykey2 on server AdminServer.>
<Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090087> <Server failed to bind to the configured Admin port. The port may already be used by another process.>
<Nov 3, 2009 3:00:17 PM IST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: Server failed to bind to any usable port. See preceeding log message for details.>
<Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Nov 3, 2009 3:00:17 PM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
If anyone knows the solution, please help us out. Thanks in advance.
I was really happy to get a reply yesterday from "mv". I was not expecting such an instant response. Thanks all guys for your interest and support.
I have solved this issue.
We have WebLogic 9 in a Unix environment.
Following steps which I followed:
#generate private key
keytool -genkey -v -alias uinbrdcsap01_apac_nsroot_net -keyalg RSA -keysize 1024 -dname "CN=linuxbox042, OU=ASIA, O=Citigroup, L=CALC, S=MH, C=IN" -validity 1068 -keypass "webconkeystorepassword" -keystore "cwebconkeystore"
#generate csr
keytool -certreq -v -alias uinbrdcsap01_apac_nsroot_net -file linuxbox042.csr -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass webconkeystorepassword
Then we uploaded this CSR to Verisign's free SSL certificate service to generate and receive the certificate text.
We copied that text into the file "cert4nov2009.crt" used below.
Apart from that, the mail which we received from Verisign also contains links to download the root CA certificate and intermediate CA certificate. We downloaded them:
root CA in the "root4nov2009.cer" file,
intermediate CA in "intermediateca4nov2009.cer".
Both these files are used in the commands below.
#import root certificate
keytool -import -alias rootca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "root4nov2009.cer"
#import intermediate ca certificate
keytool -import -alias intermediateca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "intermediateca4nov2009.cer"
#install free ssl certificate
keytool -import -alias uinbrdcsap01_apac_nsroot_net -file "cert4nov2009.crt" -trustcacerts -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass "webconkeystorepassword"
#after this admin configuration
In weblogic admin console module, we did following settings:-
1. under Configuration tab
a. Under KeyStore tab
For keystore , we selected "Custom identity and Custom Trust"
Under Identity,
Custom Identity Keystore:location of keystore "webconkeystore" on weblogic server
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: password for the keystore mentioned above. In our case, webconkeystorepassword
Same we copied Under "Trust", as we have not created separate keystore for trust.
Save setting.
b. Under SSL tab
Identity and Trust Locations: select "Keystores"
Private Key Alias: alias used while creating the private key, i.e. in our case "uinbrdcsap01_apac_nsroot_net"
Save setting.
c. Under General tab
Check checkbox "SSL Listen Port Enabled"
and mention ssl port "SSL Listen Port"
Save setting.
After this, activate the changes. You might see an error in the admin module.
Using the command prompt, stop the server, restart it, and then try to access it using https and the SSL port.
You will definitely get output.
In our case the issue might be due to key size. We used a 1024 key size and it solved the problem.
For your further reference please find the link below; it is also helpful.
http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674 -
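A check on the alias named in the BEA-090034 message above, as an added example that is not part of the original posts: it reads the text printed by keytool -list -v and reports whether the alias exists, holds a private key, and carries more than the self-signed certificate created by -genkey. The function names, verdict strings and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify one alias in the text that
# `keytool -list -v` prints. Verdict names are made up for this example.
#   MISSING           alias is not in the keystore
#   NO_PRIVATE_KEY    alias is a trustedCertEntry, so it cannot be an identity
#   SELF_SIGNED_ONLY  private key present, but only the self-signed
#                     certificate from -genkey (no CA reply imported on it)
#   OK chain=N        private key whose first certificate is CA-issued

check_identity_alias() {
    awk -v want="$1" '
        /^Alias name: / {
            # JKS aliases are case-insensitive, so compare in lower case.
            active = (tolower(substr($0, 13)) == tolower(want))
            if (active) found = 1
            next
        }
        !active { next }
        /^Entry type: /               { type = substr($0, 13) }
        /^Certificate chain length: / { chain = substr($0, 27) + 0 }
        # Only the first Owner/Issuer pair (the end-entity certificate) matters.
        /^Owner: /  && owner == ""    { owner = substr($0, 8) }
        /^Issuer: / && issuer == ""   { issuer = substr($0, 9) }
        END {
            if (!found)                        { print "MISSING"; exit }
            if (type == "trustedCertEntry")    { print "NO_PRIVATE_KEY"; exit }
            if (chain <= 1 && owner == issuer) { print "SELF_SIGNED_ONLY"; exit }
            print "OK chain=" chain
        }'
}

# Constructed sample of `keytool -list -v` output; all names are placeholders.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: intermediateca
Creation date: Nov 3, 2009
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example

Alias name: mykey2
Creation date: Nov 3, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=linuxbox042, O=Example
Issuer: CN=linuxbox042, O=Example

Alias name: goodkey
Creation date: Nov 4, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=linuxbox042, O=Example
Issuer: CN=Example Intermediate CA, O=Example
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example
Certificate[3]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
EOF
}

# Real use: keytool -list -v -keystore webconkeystore.jks | check_identity_alias mykey2
sample_listing | check_identity_alias mykey2
```

A private key password that differs from the one given to WebLogic does not show up in a listing, so an OK verdict does not rule that cause out.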
Accepting runtime-specified SSL certificates in WebLogic 11g
Hi all!
In our application we need to call several Web Services based on URLs and trusted SSL certificates that are stored in database. Those certificates are self-signed but we cannot add them in the WebLogic truststore (we only want to accept them for those specific web service calls). This is 2-way SSL but our server refuses the remote certificate.
What is the right way to do this?
In WebLogic 10g we used to do the following:
import java.security.cert.X509Certificate;
import weblogic.security.SSL.TrustManager;
import weblogic.wsee.connection.transport.https.WlsSSLAdapter;

WlsSSLAdapter adapter = new WlsSSLAdapter();
try {
    // setup for client certificate
    adapter.setKeystore(…);
    adapter.setClientCert(…);
    // setup for accepting the remote certificate
    adapter.setTrustManager(new TrustManager() {
        @Override
        public boolean certificateCallback(X509Certificate[] paramArrayOfX509Certificate, int paramInt) {
            // accept only the expected certificate; equals() compares the encoded
            // certificates, whereas == would only compare object references
            return expectedCertificate.equals(paramArrayOfX509Certificate[0]);
        }
    });
} catch (Exception e) {
    throw new RuntimeException(e);
}
((weblogic.wsee.jaxrpc.StubImpl) servicePort)._setProperty(weblogic.wsee.jaxrpc.WLStub.SSL_ADAPTER, adapter);
However in WebLogic 11g it appears that even if the TrustManager is called (which we checked by using a debugger), WebLogic refuses the certificate:
<validationCallback: validateErr = 16>
< cert[0] = Serial number: 9232073310112809071929676484517784211
Issuer:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=mestoudi2
Subject:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=mestoudi2
Not Valid Before:Tue Nov 01 14:33:31 CET 2011
Not Valid After:Sun Nov 02 14:33:31 CET 2031
Signature Algorithm:MD5withRSA
>
<weblogic user specified trustmanager validation status 16>
<Certificate chain received from mestoudi2 - 10.142.0.23 was not trusted causing SSL handshake failure.>
<Validation error = 16>
<Certificate chain is untrusted>
<SSLTrustValidator returns: 16>
<Trust status (16): CERT_CHAIN_UNTRUSTED>
<NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
…
I think the first difference occurs on the line "weblogic user specified trustmanager validation status 16" where in WebLogic 10g the value was 0 instead of 16.
If we check "Use JSSE SSL" in the WebLogic administration console (which switches the implementation to com.sun.net.ssl instead of com.certicom.tls), the TrustManager is not called at all.
We also tried to configure the TrustManager by implementing a javax.net.ssl.X509TrustManager that we set on a weblogic.wsee.connection.transport.https.HttpsTransportInfo passed to the stub using
((weblogic.wsee.jaxrpc.StubImpl) servicePort)._setProperty(TRANSPORT_INFO, transportInfo);
But it is not called either – however it works for setting up a proxy for example. We are generating the stubs using the clientgen Ant task (weblogic.wsee.tools.anttasks.ClientGenTask).
We are a little bit stuck, any idea of what we should do? Is the WebLogic 11g behavior a regression or is there something else we should configure to get back the old behavior?
Hello,
WebLogic has two keystores: identity (if you are doing 2-way SSL) and trust. You should import your "external" certificate into the "trust" keystore.
Look at your server config to know your configuration: Home > Summary of Servers > AdminServer --> configuration --> keystore
I suggest that you change the default configuration (not using the demo one),
then, when you know where your keystore is, use the command line to add your certificate to the trusted store (this is an example):
/opt/weblogic10_3_3/jdk160_18/jre/bin/keytool -import -noprompt -trustcacerts -alias BLCCertificateAuthority -file cacert2035.pem -keystore /opt/weblogic10_3_3/jdk160_18/jre/lib/security/cacerts
Once your certificate is added to your trust store it should work.
I hope it will help. -
Godaddy SSL certificate on weblogic
Hello,
Recently I purchased an SSL certificate from GoDaddy; they sent me 2 files (mydomain.crt) and (gd_bundle.crt).
Now I don't know how to create the .pem file to complete the installation. Below are the instructions I followed.
- keytool -genkey -alias client -keyalg RSA -keysize 2048 -keystore identity.jks -storepass password -keypass password
- keytool -certreq -keyalg RSA -keysize 2048 -alias client -file certreq.csr -keystore identity.jks -storepass password
Here when I enter this I get an error (keytool error: java.io.FileNotFoundException: CertChain.pem (No such file or directory not found)). So how do I create CertChain.pem from the files I got from GoDaddy?
- keytool -import -file CertChain.pem -alias client -keystore identity.jks -storepass password
- keytool -import -file rootCA.cer -alias RootCA -keystore trust.jks -storepass password
- keytool -list -v -keystore <keystore-name> -storepass <keystore-password>
I found out how to install a GoDaddy SSL certificate on WebLogic; follow the link below.
http://coreygilmore.com/blog/2009/06/02/install-a-go-daddy-ssl-certificate-for-use-with-jboss-or-the-bes-5-bas/
but I still get "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store." -
Apache configuration for proxying requests to Weblogic SSL port
Hello Everyone,
I want to proxy requests from Apache to Weblogic server on its SSL Port 7002. I am using the default SSL demo version provided by Oracle/BEA.
Both my Apache and Weblogic instances are running on same machine.
This is the procedure I followed. I enabled SSL port on Weblogic. Added below configuration to Apache conf file. I am passing trusted.crt file inside WL_HOME/server/lib as parameter to TrustedCAFile .
<Location "/">
SetHandler weblogic-handler
</Location>
<IfModule mod_weblogic.c>
SetHandler weblogic-handler
WebLogicHost ServerHostMame
WebLogicPort WLInstanceSSLPort
SecureProxy ON
TrustedCAFile "C:/trusted.crt"
RequireSSLHostMatch false
Debug ALL
WLLogFile "C:/wl_proxy.log"
</IfModule>
When I start the Apache instance and try to access the webpage I see below exception in proxy log.
Thu Apr 09 10:38:05 2009 <735212392878852> Hdrs to WLS:[WL-Proxy-Client-IP]=[10.149.181.55]
Thu Apr 09 10:38:05 2009 <735212392878852> Hdrs to WLS:[Proxy-Client-IP]=[10.149.181.55]
Thu Apr 09 10:38:05 2009 <735212392878852> Hdrs to WLS:[X-Forwarded-For]=[10.149.181.55]
Thu Apr 09 10:38:05 2009 <735212392878852> Hdrs to WLS:[X-WebLogic-KeepAliveSecs]=[30]
Thu Apr 09 10:38:05 2009 <735212392878852> Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
Thu Apr 09 10:38:05 2009 <735212392878761> INFO: No session match found
Thu Apr 09 10:38:05 2009 <735212392878852> INFO: SSL certificate chain validation failed: 3015
Thu Apr 09 10:38:05 2009 <735212392878852> trusted certs = 0
Thu Apr 09 10:38:05 2009 <735212392878852> dumping cert chain
Thu Apr 09 10:38:05 2009 <735212392878852> commonName is testmachine-us
Thu Apr 09 10:38:05 2009 <735212392878761> INFO: DeleteSessionCallback
Thu Apr 09 10:38:05 2009 <735212392878852> ERROR: SSLWrite failed
Thu Apr 09 10:38:05 2009 <735212392878852> SEND failed (ret=-1) at 789 of file ../nsapi/URL.cpp
Thu Apr 09 10:38:05 2009 <735212392878852> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 790 of ../nsapi/URL.cpp
Thu Apr 09 10:38:05 2009 <735212392878852> Marking 10.149.181.55:40011 as bad
Thu Apr 09 10:38:05 2009 <735212392878852> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 790 of ../nsapi/URL.cpp]: at line 2994
Thu Apr 09 10:38:05 2009 <735212392878852> INFO: Closing SSL context
Thu Apr 09 10:38:05 2009 <735212392878852> INFO: Error after SSLClose, socket may already have been closed by peer
Thu Apr 09 10:38:05 2009 <735212392878852> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()
Thu Apr 09 10:38:05 2009 <735212392878852> attempt #1 out of a max of 5
Thu Apr 09 10:38:05 2009 <735212392878852> general list: trying connect to '10.149.181.55'/40011/40011 at line 2619 for '/'
Thu Apr 09 10:38:05 2009 <735212392878852> New SSL URL: match = 0 oid = 22
Thu Apr 09 10:38:05 2009 <735212392878852> Connect returns -1, and error no set to 10035, msg 'Unknown error'
Thu Apr 09 10:38:05 2009 <735212392878852> EINPROGRESS in connect() - selecting
Thu Apr 09 10:38:05 2009 <735212392878852> Setting peerID for new SSL connection
Please advise if I am missing anything here.
- - Tarun
I'm using WL9 and Apache 2.2.
I had the exact same issue as above (which I solved with these directions) in addition to another issue that only showed once I enabled full logging, since it shows as a warning/info, not as an error.
First, to enable full logging, add this:
Debug ALL
WLLogFile "C:/wl_proxy.log"
Then after a failure (even after fixing the above), look at the log, and if you see this INFO/WARN:
Thu Apr 23 00:48:27 2009 <235612404369072> INFO: Host (comp1) doesn't match (192.168.0.229), validation failed
Thu Apr 23 00:48:27 2009 <235612404368911> WARN: DeleteSessionCallback: No match found!!
Thu Apr 23 00:48:27 2009 <235612404369072> ERROR: SSLWrite failed
Thu Apr 23 00:48:27 2009 <235612404369072> SEND failed (ret=-1) at 795 of file ../nsapi/URL.cpp
Thu Apr 23 00:48:27 2009 <235612404369072> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 796 of ../nsapi/URL.cpp
Thu Apr 23 00:48:27 2009 <235612404369072> Marking 192.168.0.229:7002 as bad
that means you have the same problem as I do. The WebLogicHost inside the Location descriptor should match the actual host name of the machine. I believe it's either because the certificate created by WebLogic during its installation will encapsulate the machine host name, or because the SSL validation mechanism expects the machine host name, nothing else.
Here's how the config would look (my hostname is comp1):
<IfModule mod_weblogic.c>
SecureProxy on
TrustedCAFile "C:/tools/bea9/weblogic92/server/lib/CertGenCA.pem"
Debug ALL
WLLogFile "C:/wl_proxy.log"
EnforceBasicConstraints off
</IfModule>
<Location /EnterpriseCMP>
SetHandler weblogic-handler
WebLogicHost comp1
WebLogicPort 7002
ConnectTimeoutSecs 1000
ConnectRetrySecs 1000
</Location>
I believe the -
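The two failure signatures quoted in this thread can be pulled out of a wl_proxy.log mechanically. The following is an added example, not part of the original posts; the function names and verdict strings are made up here, and the sample lines are copied from the two logs above.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the SSL failures that the
# WebLogic proxy plug-in writes to WLLogFile when "Debug ALL" is set.
#
# CHAIN_VALIDATION_FAILED  the plug-in rejected the server certificate chain.
#     Assumption: "trusted certs = 0" is read here as the number of CA
#     certificates loaded from TrustedCAFile, so 0 points at that directive.
# HOST_MISMATCH            the host name check failed; the second poster
#     resolved it by setting WebLogicHost to the machine host name.

triage_wl_proxy_log() {
    awk '
        function emit(msg) {
            # Retries repeat the same lines, so report each finding once.
            if (!(msg in seen)) { seen[msg] = 1; print msg }
        }
        /SSL certificate chain validation failed: / {
            code = $NF; trusted = "?"; fail = 1; next
        }
        fail && /trusted certs = / { trusted = $NF; next }
        fail && /commonName is / {
            emit("CHAIN_VALIDATION_FAILED code=" code \
                 " trusted_certs=" trusted " peer_cn=" $NF)
            fail = 0; next
        }
        # The dot stands in for the apostrophe of the logged message.
        /Host \(.*\) doesn.t match \(.*\), validation failed/ {
            split($0, p, /[()]/)
            emit("HOST_MISMATCH " p[2] " != " p[4])
        }
        END {
            # Failure line seen but the log ended before the cert dump.
            if (fail) emit("CHAIN_VALIDATION_FAILED code=" code \
                           " trusted_certs=" trusted " peer_cn=?")
        }'
}

# Sample input: lines copied from the two proxy logs posted in this thread.
sample_proxy_log() {
    cat <<'EOF'
Thu Apr 09 10:38:05 2009 <735212392878852> INFO: SSL certificate chain validation failed: 3015
Thu Apr 09 10:38:05 2009 <735212392878852> trusted certs = 0
Thu Apr 09 10:38:05 2009 <735212392878852> dumping cert chain
Thu Apr 09 10:38:05 2009 <735212392878852> commonName is testmachine-us
Thu Apr 09 10:38:05 2009 <735212392878852> ERROR: SSLWrite failed
Thu Apr 23 00:48:27 2009 <235612404369072> INFO: Host (comp1) doesn't match (192.168.0.229), validation failed
Thu Apr 23 00:48:27 2009 <235612404369072> ERROR: SSLWrite failed
Thu Apr 23 00:48:27 2009 <235612404369072> INFO: Host (comp1) doesn't match (192.168.0.229), validation failed
EOF
}

# Real use: triage_wl_proxy_log < C:/wl_proxy.log
sample_proxy_log | triage_wl_proxy_log
```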
Web server type of standalone oc4j needed for SSL Certificate
Hi,
We have a standalone oc4j 10.1.3 that hosts an application whose many of its pages use https and so we need to buy SSL certificate from any of CAs like Verisign, GeoTrust, etc.. All of these CAs are asking us about the web server type that the standalone OC4J uses. I read the following statement from this url:
http://download.oracle.com/docs/cd/B32110_01/web.1013/b28950/intro.htm#JICON100
"communications in a standalone environment is provided through the built-in OC4J Web server, which supports HTTP and HTTPS communications natively without the use of the Oracle HTTP Server"
On all of the SSL certificate systems of above CAs websites, they ask us to choose the web server type from a list of server types but I don't see OC4J web server listed and I am told that it is very important to make sure the web server type is correct otherwise the SSL Certificate that we buy may not be compatible with our web server type.
So, I like to know the exact built in web server type name that goes with Standalone OC4J or one that is closest and for which SSL Certificate is compatible.
Shown below is a list of web server types that I am asked to choose from on Verisign website.The closest to standalone oc4j according to below list is Oracle Wallet Manager but isn't this meant for Oracle Application Server (OAS) and not the standalone OC4J? we are using the java keytool to generate the CSR that we look to sign it via the verisign but again we are not sure about the web server type in the case of standalone OC4J that is not listed below. Please advice and thanks in advance to any of your responses in helping out.
Webstar 4.x
ApacheSSL mod_ssl
WebLogic 6.0
WebLogic 8.1
Cisco
ACS 3.2
Covalent
Apache ERS 2.4
Apache ERS 3.0
F5
BIG-IP
IBM
Websphere MQ
HTTP Server
Lotus
Domino 5.0
Domino 6.0
Domino 7.0
Domino 8.0
Windows NT - IIS 4.0
Windows 2000 - IIS 5.0
Windows 2003 - IIS 6.0
Windows 2008 - IIS 7.0
Exchange 2007
iPlanet 4.x
iPlanet 6.x
ScreenOS
SSL Accelerator
Oracle Wallet Manager
Secure Web Server
SSL Offloaders
Stronghold
Java Web Server 6.x
Sun ONE
AS Server w/IIS 4
AS Server w/IIS 5
EA Server
Tomcat
Zeus
Hi Zeus,
The type of certificate depends on the method you will use to deploy the certificate on your application server.
Please refer to the links:
http://download.oracle.com/docs/cd/B31017_01/web.1013/b28957/configssl.htm
http://download.oracle.com/docs/cd/B14099_19/core.1012/b13995/wallets.htm#ASADM400
http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
Regards,
mYth -
SSL Certificate Install Problem
To all Sun App Server Gurus,
I face a major challenge trying to install an SSL certificate on our Application Server.
The Manage Database was successful.
I filled out the certificate request form in the Security > Certificate Management > Request section and forwarded the information / CSR to the CA.
The certificate is issued and validated by our CA.
I follow the steps according the documentation to import the certificate.
I specify the following to import the certificate
1) Certificate for : o This Server
2) Cryptographic Module: internal
3) Key Pair File Password: **************
4) Message Text (with headers):
-----BEGIN CERTIFICATE-----
U0UgT05MWSAtIE5PIFdBUlJBTlRZIEFUVEFDSE.....
-----END CERTIFICATE-----
5) Click OK
The next screen shows the certificate information which are correct as well.
After pressing "Add Server Certificate" it takes about 20 seconds until I receive a pop-up error message. It says: "Incorrect Useage: No Private Key. The server could not find the private key associated with this certificate."
After I click OK the Admin GUI displays the following error in the browser: "Not Found
The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it. "
Security > General
Log Level: finest
Audit Logging Enabled: unchecked
Default Realm: file
Anonymous Role: ANYONE
In the admin server log I get the following entry:
WARNING ( 1182): for host x.x.x.x trying to GET /instance-server1/admin/bin/(null), cgi_start_exec reports: HTTP4049: cannot find CGI program /opt/SUNWappserver7/lib/admincgi/(null) (File not found)
I checked the directories and they all exist and the admincgi even has files included. I don't know which one should be missing.
I also reinstalled the App Server twice so far and used the default options.
If anyone could please help me with this that would be extremely helpful.
Thank you.
Regards,
Martin
try converting your key from der2pem using
java utils.der2pem {keyfile in der} {keyfile out in pem}
thanks
kiran
"eraldo" <[email protected]> wrote in message
news:[email protected]..
hi,
I tried to install an SSL certificate on a WebLogic 6.1 SP3 (running on Solaris 8). Following post 5457 (found in your newsgroup) I made these steps:
- I generated a CSR using the web application /certificate
- I sent the CSR to Entrust.com, obtaining a certificate and a chain certificate
- I configured the server under "Configuration - SSL" with the following parameters:
- Enabled = true
- Listen port = 8002
- Server Key File Name = <path to private key ".der" file>
- Server Certificate File Name = <path to Entrust CRT ".pem" file>
- Server Certificate Chain File Name = <path to Entrust CA ".pem" file>
- Key Encrypted = true
- I changed startWebLogic.sh:
- added "-Dweblogic.management.pkpassword=<my_pwd>" to the JAVA command line
Launchin' the script I got the following exception:
<Nov 22, 2002 2:34:44 PM GMT-01:00> <Alert> <WebLogicServer> <Security configuration problem with certificate file config/sdfdomain/H3MIS097_H3G_IT-key.der, java.io.IOException: weblogic.security.CipherException: Invalid padding length 48>
java.io.IOException: weblogic.security.CipherException: Invalid padding length 48
at weblogic.security.RSAPrivateKeyPKCS8.input(RSAPrivateKeyPKCS8.java:157)
at weblogic.security.RSAPrivateKeyPKCS8.<init>(RSAPrivateKeyPKCS8.java:125)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:391)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:301)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1097)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:490)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:206)
at weblogic.Server.main(Server.java:35)
Any idea?
Thanks in advance,
Eraldo -
"hi, all,
I got your information from weblogic.developer.interest.security.
I have a question about the SSL certificate
1. I generate the private key file using Weblogic certificate servlet,
2. get the request, then goto thawte get the response
3. goto weblogic console -> server -> ssl, specify the filename, click "Enable", click "Key Encrypted"
4. change the startWeblogic.cmd, adding -Dpkpassword=adminadmin
But when I restart the weblogic, got the following error msg:
Starting WebLogic Server ....
<Sep 27, 2001 1:34:29 PM CST> <Notice> <Management> <Loading configuration file .\config\citi1\config.xml ...>
<Sep 27, 2001 1:34:35 PM CST> <Notice> <WebLogicServer> <Starting WebLogic Admin Server "server1" for domain "citi1">
<Sep 27, 2001 1:34:35 PM CST> <Alert> <WebLogicServer> <Security configuration problem with certificate file adamfeng-key.der, java.lang.NullPointerException>
java.lang.NullPointerException
at weblogic.security.PKCS5.setPassword(PKCS5.java:173)
at weblogic.security.RSAPrivateKeyPKCS8.<init>(RSAPrivateKeyPKCS8.java:124)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:390)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr
Hi adam,
I wish to let you know that your ****-key.der file is not generated correctly. I suppose you must have used the Certificate Request Generator of WLS to generate the key file and the request file.
Please follow these steps to get your system running:
(1) Generate a new certificate request making sure that you enter "yourmachine.domain.com" in the Full Host name field within the certificate request generator. Fill all the required values (the state should be filled in full, not with abbreviations, etc.). Do not fill the ones which are not required; that means do not fill the password field, the random string field, etc. Then you will get a key file and the request file. Press the submit button on the same page to test the key file with Verisign. If all fields are filled correctly then it says so; if not it will bounce back saying an ERROR. So see to it that you get the right key file, i.e. the ****;key.der file.
(2) Save the certificate request in a text file (including the ----BEGIN CERTIFICATE REQUEST-- and END CERTIFICATE REQUEST lines).
(3) Go to https://www.thawte.com/cgi/server/test.exe and paste the above request.
(4) Do NOT choose any other options as the default options are set correctly (unless you are using a domestic build of the weblogic server which requires a different license).
(5) Save the certificate obtained in a text file and save it as a .pem file.
(6) Also save the root certificate obtained in the above URL (see the 2nd line from the top) in .pem format and use this file against the ServerCertChain name.
(7) Make sure you enter the certificate key and server certificate fields with the correct path to the key and cert (inclusive of the file names).
After having done the above steps restart the server and you should be able to get SSL to work. Hope the above information
If not then mail me at [email protected].
Sujit.
-
Problem installing SSL certificate for CPS
I work at a medium-sized University, and we have used Contribute 3 with CPS1.11 for well over a year. Recently, however, the Contribute clients began having difficulty logging in to CPS. At first this was intermittent, but is now constant. Adobe support suggested replacing the CPS self-signed SSL certificate with a genuine one, because apparently the self-signed certificate is causing communication delays and timeouts.
I have the certificate, and am trying to use keytool (see http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html) to install it, but it is asking me for a keystore password, which I don't know. Apparently the standard defaults are "changeit" or "passphrase", but neither of these work.
As a test, I created a fresh install of CPS and attempted to list the keys in the keystore, but again was asked for a keystore password and the defaults did not work. Adobe support suggested I ask here. Anybody have any experience installing a certificate for CPS?
Are you sure that the certificate needs to be installed to all users? Can you provide more details about the certificate and its purposes?
-
Incorrect Encrypted block when inserting SSL certificate
Generated new SSL certificate for WebLogic Server 6.1, inserted Server certificate, the Root Certificate Authority (Chain File), the Private key file but is getting the following error - can anyone assist?
weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:291)...
This might be caused by an invalid/not specified private key password.
Pavel.
-
Verisign SSL certificate Encryption
At present in our application, we are using weblogic server-7.0 with SSL Certificate of 40 bit minimum to 256 bit for SSL encryption. Does anyone know if our application can use the 128 - 256 bit encryption certificate instead of same weblogic server 7.0?
Hi,
by default Weblogic 7.0 does not supports only 56 bit of SSL encryption.
At the highest WLS 7.0 can be enabled for 128 bit SSL encryption but for that there is a need for a separate license for which you need to contact Oracle Weblogic Support.
The type of SSL encryption does not depend upon the SSL certificate because almost all of the SSL certificates available does support 256 bit encryption.
The 128-256 SSL encryption generally depends upon the Client JDK and the Ciphers(JCE/ algorithms) being used at the client end because it is the client which always initiates the SSL communication and the client presents the list of ciphers it supports and the server has to only choose from that list of algorithms.
So, to conclude WLS 7.0 uses by default JDK 1.3_6 and JDK 1.3 by default does not have the algorithms to support 256 bit SSL encryption.
WLS 7.0 will not support 256 bit SSL encryption.
Hope this helps.
Thanks,
Sandeep -
Install SSL certificate for Oracle HTTP server
I received a PFX file that contains an SSL wildcard certificate for our company *.xyz.com.
I used this tool "xca" to extract two files: "server.crt" and "serverkey.pem".
I want to install this on the oracle 11g HTTP server (OHS) installed as standalone based on apache 2.2
With oracle, i have to create a wallet and point the SSL.CONF wallet directive to use that wallet.
I used Oracle Wallet Manager to create it and import the certificate but this is where I am having problems.
First I could not restart the web server but then it worked but I got SSL handshake errors (Shown below).
According to oracle steps, I have to create a CSR and then import the certificate into the wallet
http://www.apache.com/resources/how-to-setup-an-ssl-certificate-on-apache/
However, when I tried to use Oracle Wallet Manager, there were two options: import server certificate and trusted certificate.
The import server certificate was greyed out. I had to create a CSR just to get it enabled but I did not use the CSR, i just imported the "server.crt" file.
I also tried to import the "serverkey.pem" into the trusted certificate option but was rejected (invalid certificate).
Do you know how to create a successful wallet based on the files i have and not creating a CSR since i already have a certificate file?
2013-05-04T20:11:40.2718-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1253263680] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
[2013-05-04T20:11:40.2719-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1253263680] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error
[2013-05-04T20:11:40.4774-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] unusably short session_id provided (0 bytes)
[2013-05-04T20:11:40.4776-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
[2013-05-04T20:11:40.4776-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error
[2013-05-04T20:11:40.6814-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] unusably short session_id provided (0 bytes)
[2013-05-04T20:11:40.6816-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
[2013-05-04T20:11:40.6816-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error
I do not have weblogic installed. I only have standalone 11g HTTP server with mod_plsql.
If I can get OWM working to create a successful certificate then the problem would be resolved.
I am just not sure what is Root Certificate and Trustworthy Certificate and how to get that from the files i have. -
NEED TO REFERENCE 2 DIFFERENT SSL CERTIFICATES BASED ON VIRTUAL HOST NAMES
Hi,
If you have a managed server in a cluster that has two virtual hosts running
on it how can you install the ssl certificates for both virtual hosts, in
the admin console.
any help would be great!
I think that you can only have one server certificate per server currently
since the certificate establishes the server's identity and there isn't
support for a server to have two identities at the same time.
"RAGUTAM BOMMAREDDY" <[email protected]> wrote in message
news:[email protected]..
Hello,
Can I reference 2 different SSL certificates in the same
weblogic.properties
file?
Reason is we have 2 groups of users for a web application: one will use
a
French-language DNS to access
the application, and the other will use English DNS. Both DNS will point
to
the same application on the same
server.
Example of what we require:
weblogic.security.certificate.server=mycert1.pem
weblogic.security.key.server=mykey1.der
weblogic.security.certificate.authority=rootCertificate1.pem
----and---
weblogic.security.certificate.server=mycert2.der
weblogic.security.key.server=mykey2.der
weblogic.security.certificate.authority=rootCertificate2.pem
mycert1 will correspond to DNS1, and mcert2 will correspond to DNS2, and
both
DNS1 and DNS2 point to the same application on the same box.
Thanks,
Ragu -
Problem Installing Entrust SSL Certificate
Hello:
We are using BEA Weblogic 6.1 SP1. This year when we renew SSL certificate, we changed vendor from Verisign to Entrust. I just got the certificate from Entrust. Here's what happened:
1. In the Entrust certificate email, it says "Entrust would like to inform you that as of January 1, 2004, the current GTE Corporation chain certificate that is distributed with all Entrust SSL certificates, will no longer be distributed with certificates that have an expiry date greater than January 1, 2006". However, I can't get Weblogic started on SSL without a valid ServerCertificateChainFileName. So I got the ServerChainFile from http://www.entrust.net/tech/weblogic6/removechain.cfm and saved the certificate into entrust-cert.pem file.
2. It works on the server with BEA development license. However, when I move it to test web server with "SSL/Export" license, it gives this error "<License allows low strength (export) SSL.>" and Weblogic won't even start on both HTTP and SSL port.
3. After trying all sorts of things and nothing helped, I'm wondering whether it's OK to use the same CSR request I generated using Weblogic certificate servlet last year, since no information has been changed since then?
Does anybody have similar experience and can you shed some light on how to solve this issue. Should I contact Entrust to get a low strength SSL?
Thanks in advance!
Jenny
It looks like you have the correct certificate but perhaps didn't import it the correct way. Did you create the Certificate Request on the same machine as you imported it? Otherwise you don't have the private key. If not, then import the certificate on the
same where you created the CR and then export the certificate and make sure you select to export the private key as well and then import it on the RDS. If you followed the import steps correctly I suggest you contact GoDaddy to make sure they delivered
a valid certificate.
Kind regards,
Freek Berson
http://microsoftplatform.blogspot.com/