WebLogic SSL Certificate

Can I install two SSL certificates in one WebLogic instance?
The server is connected through the Load Balancer.
So I need one certificate with Alteon URL and one more for direct server.
Thanks for your help.
Lax
309-735-1038.

Hi Lax,
This thread addresses your question
http://newsgroups.bea.com/cgi-bin/dnewsweb?utag=&group=weblogic.developer.interest.security&xrelated=6279&cmd_thread_last.x=56&cmd_thread_last.y=8
Cheers,
Joe Jerry

Similar Messages

  • Can I reference 2 different SSL certificates in the same weblogic.properties

    Hello,
    Can I reference 2 different SSL certificates in the same weblogic.properties file?
    Reason is we have 2 groups of users for a web application: one will use a French-language DNS to access the application, and the other will use English DNS. Both DNS will point to the same application on the same server.
    Example of what we require:
    weblogic.security.certificate.server=mycert1.pem
    weblogic.security.key.server=mykey1.der
    weblogic.security.certificate.authority=rootCertificate1.pem
    ----and---
    weblogic.security.certificate.server=mycert2.der
    weblogic.security.key.server=mykey2.der
    weblogic.security.certificate.authority=rootCertificate2.pem
    mycert1 will correspond to DNS1, and mycert2 will correspond to DNS2, and both DNS1 and DNS2 point to the same application on the same box.
    Thanks,
    Ragu

    I think that you can only have one server certificate per server currently
    since the certificate establishes the server's identity and there isn't
    support for a server to have two identities at the same time.

  • Problem in installation of free SSL certificate on Weblogic using keytool

    We tried to install an SSL certificate on WebLogic using a keystore, but it gives an error in the console at startup and the server shuts down automatically.
    Steps followed:
    1) To generate the keystore, private key and digital certificate:
    keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword
    2) To generate CSR
    keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword
    3) The CSR is uploaded on the Verisign site to generate a free SSL certificate. All the certificate text received is pasted into a file (cacert.pem).
    4) The same certificate is put into the same keystore using the following command:
    keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem
    5) Before step 4), we also installed the root/intermediate certificate to include the chain, using the following command.
    (intermediateCa.cer file is downloaded from verisign site)
    keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer
    6) After this configuration we used the WebLogic admin module to configure Keystore and SSL.
    7) For the KeyStore tab in the WebLogic admin module, we selected the option “Custom Identity And Custom Trust” and provided the following details under the Identity and Trust columns:
    Private key alias: mykey2
    PassKeyphrase: webconkeystorepassword
    Location of keystore: location of webconkeystore.jks file on server
    8) For the SSL tab in the WebLogic admin module, we selected the option “KeyStores” for “Identity and Trust locations”.
    Error on console:
    <Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore.jks under alias mykey2 on server AdminServer.>
    <Nov 3, 2009 3:00:17 PM IST> <Emergency> <Security> <BEA-090087> <Server failed to bind to the configured Admin port. The port may already be used by another process.>
    <Nov 3, 2009 3:00:17 PM IST> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason: Server failed to bind to any usable port. See preceeding log message for details.>
    <Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
    <Nov 3, 2009 3:00:17 PM IST> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
    <Nov 3, 2009 3:00:17 PM IST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
    If anyone knows the solution, please help us out. Thanks in advance.
    I was really happy to get a reply yesterday from "mv". I was not expecting such an instant response.

    Thanks, all, for your interest and support.
    I have solved this issue.
    We have WebLogic 9 on a Unix environment.
    These are the steps I followed:
    #generate private key
    keytool -genkey -v -alias uinbrdcsap01_apac_nsroot_net -keyalg RSA -keysize 1024 -dname "CN=linuxbox042, OU=ASIA, O=Citigroup, L=CALC, S=MH, C=IN" -validity 1068 -keypass "webconkeystorepassword" -keystore "cwebconkeystore"
    #generate csr
    keytool -certreq -v -alias uinbrdcsap01_apac_nsroot_net -file linuxbox042.csr -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass webconkeystorepassword
    Then we uploaded this CSR on Verisign's free SSL certificate page to generate and receive the certificate text.
    We copied that text into the "cert4nov2009.crt" file used below.
    Apart from that, the mail which we received from Verisign also contains links to download the root CA certificate and the intermediate CA certificate. We downloaded them:
    root CA in the "root4nov2009.cer" file,
    intermediate CA in "intermediateca4nov2009.cer".
    Both these files are used in the commands below.
    #import root certificate
    keytool -import -alias rootca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "root4nov2009.cer"
    #import intermediate ca certificate
    keytool -import -alias intermediateca -keystore "cwebconkeystore" -storepass "webconkeystorepassword" -trustcacerts -file "intermediateca4nov2009.cer"
    #install free ssl certificate
    keytool -import -alias uinbrdcsap01_apac_nsroot_net -file "cert4nov2009.crt" -trustcacerts -keypass "webconkeystorepassword" -keystore "cwebconkeystore" -storepass "webconkeystorepassword"
    #after this, admin configuration
    In the WebLogic admin console, we made the following settings:
    1. Under the Configuration tab
    a. Under the KeyStore tab
    For the keystore, we selected "Custom Identity and Custom Trust".
    Under Identity:
    Custom Identity Keystore: location of keystore "webconkeystore" on the WebLogic server
    Custom Identity Keystore Type: JKS
    Custom Identity Keystore Passphrase: password for the keystore mentioned above. In our case, webconkeystorepassword
    We copied the same under "Trust", as we have not created a separate keystore for trust.
    Save setting.
    b. Under the SSL tab
    Identity and Trust Locations: select "Keystores"
    Private Key Alias: alias used while creating the private key, i.e. in our case "uinbrdcsap01_apac_nsroot_net"
    Save setting.
    c. Under the General tab
    Check the checkbox "SSL Listen Port Enabled"
    and enter the SSL port in "SSL Listen Port".
    Save setting.
    After this, activate the changes. You might see an error in the admin module.
    Using the command prompt, stop the server and restart it, and then try to access it using https and the port...
    You will definitely get output.
    In our case the issue might have been due to key size. We used a 1024 key size; it solved the problem.
    For your further reference, please find the link below; it is also helpful.
    http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674
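
Added example, not part of the original posts: a Python check over `keytool -list -v` output that confirms the alias entered as Private Key Alias is a private-key entry with a linked certificate chain, which WebLogic needs in order to load the identity named in the BEA-090034 message. The listing is constructed and abridged; `parse_listing` and `check_identity_alias` are hypothetical names.

```python
# Added example: audit `keytool -list -v` output for the alias WebLogic will use.
# SAMPLE_LISTING is constructed for illustration (abridged to the fields read here).

SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: rootca
Creation date: Nov 4, 2009
Entry type: trustedCertEntry

Owner: CN=Example Trial Root CA, O=Example CA
Issuer: CN=Example Trial Root CA, O=Example CA

Alias name: mykey2
Creation date: Nov 3, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=linuxbox042.example.test, O=Example Org
Issuer: CN=linuxbox042.example.test, O=Example Org

Alias name: uinbrdcsap01_apac_nsroot_net
Creation date: Nov 4, 2009
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=linuxbox042.example.test, O=Example Org
Issuer: CN=Example Trial Intermediate CA, O=Example CA
Certificate[2]:
Owner: CN=Example Trial Intermediate CA, O=Example CA
Issuer: CN=Example Trial Root CA, O=Example CA
Certificate[3]:
Owner: CN=Example Trial Root CA, O=Example CA
Issuer: CN=Example Trial Root CA, O=Example CA
"""

# Newer keytool releases print PrivateKeyEntry, older ones keyEntry.
KEY_ENTRY_TYPES = {"PrivateKeyEntry", "keyEntry"}


def _value(line):
    """Text after the first colon of a 'Label: value' line."""
    return line.split(":", 1)[1].strip()


def parse_listing(text):
    """Return {alias: {"type": str, "chain": [(owner, issuer), ...]}}."""
    entries, current, owner = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"type": None, "chain": []}
            entries[_value(line).lower()] = current  # JKS aliases are case-insensitive
            owner = None
        elif current is None:
            continue  # keystore header lines before the first alias
        elif line.startswith("Entry type:"):
            current["type"] = _value(line)
        elif line.startswith("Owner:"):
            owner = _value(line)
        elif line.startswith("Issuer:") and owner is not None:
            current["chain"].append((owner, _value(line)))
            owner = None
    return entries


def check_identity_alias(entries, alias):
    """Return the problems that stop `alias` from serving as an SSL identity."""
    entry = entries.get(alias.lower())
    if entry is None:
        return [f"alias '{alias}' is not present in the keystore"]
    if entry["type"] not in KEY_ENTRY_TYPES:
        return [f"alias '{alias}' is a {entry['type']}: it holds a certificate only, no private key"]
    chain = entry["chain"]
    if not chain:
        return [f"alias '{alias}' has a key but no certificate"]
    problems = []
    if len(chain) == 1 and chain[0][0] == chain[0][1]:
        problems.append("certificate is self-signed (as generated by -genkey); "
                        "no CA reply has been imported under this alias")
    elif len(chain) == 1:
        problems.append(f"chain stops at the server certificate; issuer '{chain[0][1]}' is not included")
    # Each certificate's issuer must be the owner of the next certificate in the chain.
    for (_, issuer), (next_owner, _) in zip(chain, chain[1:]):
        if issuer != next_owner:
            problems.append(f"chain is broken: '{issuer}' is not followed by its own certificate")
    return problems


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    for name in ("rootca", "mykey2", "uinbrdcsap01_apac_nsroot_net"):
        print(name, "->", check_identity_alias(listing, name) or "OK")
```
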

  • Accepting runtime-specified SSL certificates in WebLogic 11g

    Hi all!
    In our application we need to call several Web Services based on URLs and trusted SSL certificates that are stored in a database. Those certificates are self-signed but we cannot add them to the WebLogic truststore (we only want to accept them for those specific web service calls). This is 2-way SSL but our server refuses the remote certificate.
    What is the right way to do this?
    In WebLogic 10g we used to do the following:
        WlsSSLAdapter adapter = new WlsSSLAdapter();
        try {
            // setup for client certificate
            adapter.setKeystore(…);
            adapter.setClientCert(…);
            // setup for accepting the remote certificate
            adapter.setTrustManager(new TrustManager() {
                @Override
                public boolean certificateCallback(X509Certificate[] paramArrayOfX509Certificate, int paramInt) {
                    // accept only the expected certificate, compared by value rather than by reference
                    return paramArrayOfX509Certificate[0].equals(expectedCertificate);
                }
            });
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        ((weblogic.wsee.jaxrpc.StubImpl) servicePort)._setProperty(weblogic.wsee.jaxrpc.WLStub.SSL_ADAPTER, adapter);
    However in WebLogic 11g it appears that even if the TrustManager is called (which we checked by using a debugger), WebLogic refuses the certificate:
    <validationCallback: validateErr = 16>
    <  cert[0] = Serial number: 9232073310112809071929676484517784211
        Issuer:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=mestoudi2
        Subject:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=mestoudi2
        Not Valid Before:Tue Nov 01 14:33:31 CET 2011
        Not Valid After:Sun Nov 02 14:33:31 CET 2031
        Signature Algorithm:MD5withRSA
        >
    <weblogic user specified trustmanager validation status 16>
    <Certificate chain received from mestoudi2 - 10.142.0.23 was not trusted causing SSL handshake failure.>
    <Validation error = 16>
    <Certificate chain is untrusted>
    <SSLTrustValidator returns: 16>
    <Trust status (16):  CERT_CHAIN_UNTRUSTED>
    <NEW ALERT with Severity: FATAL, Type: 42
        java.lang.Exception: New alert stack
          at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
          at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
          at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
    …
    I think the first difference occurs on the line "weblogic user specified trustmanager validation status 16" where in WebLogic 10g the value was 0 instead of 16.
    If we check "Use JSSE SSL" in the WebLogic administration console (which switches the implementation to com.sun.net.ssl instead of com.certicom.tls), the TrustManager is not called at all.
    We also tried to configure the TrustManager by implementing a javax.net.ssl.X509TrustManager that we set on a weblogic.wsee.connection.transport.https.HttpsTransportInfo passed to the stub using
        ((weblogic.wsee.jaxrpc.StubImpl) servicePort)._setProperty(TRANSPORT_INFO, transportInfo);
    But it is not called either – however it works for setting up a proxy for example. We are generating the stubs using the clientgen Ant task (weblogic.wsee.tools.anttasks.ClientGenTask).
    We are a little bit stuck, any idea of what we should do? Is the WebLogic 11g behavior a regression or is there something else we should configure to get back the old behavior?

    Hello,
    WebLogic has two keystores: identity (if you are doing two-way SSL) and trust. You should import your "external" certificate in the "trust" keystore.
    Look at your server config to know your configuration: Home > Summary of Servers > AdminServer > Configuration > Keystore
    I suggest that you change the default configuration (not using the demo one),
    then when you know where your keystore is, use the command line to add your certificate to the trusted store (this is an example):
    /opt/weblogic10_3_3/jdk160_18/jre/bin/keytool -import -noprompt -trustcacerts -alias BLCCertificateAuthority -file cacert2035.pem -keystore /opt/weblogic10_3_3/jdk160_18/jre/lib/security/cacerts
    Once your certificate is added to your trust store it should work.
    I hope it will help.

  • Godaddy SSL certificate on weblogic

    Hello,
    Recently I purchased an SSL certificate from GoDaddy; they sent me 2 files (mydomain.crt) and (gd_bundle.crt).
    Now I don't know how to create the .pem file to complete the installation. Below are the instructions I followed.
    - keytool -genkey -alias client -keyalg RSA -keysize 2048 -keystore identity.jks -storepass password -keypass password
    - keytool -certreq -keyalg RSA -keysize 2048 -alias client -file certreq.csr -keystore identity.jks -storepass password
    Here, when I enter this, I get an error (keytool error: java.io.FileNotFoundException: CertChain.pem (No such file or directory not found)). So how do I create CertChain.pem from the files I got from GoDaddy?
    - keytool -import -file CertChain.pem -alias client -keystore identity.jks -storepass password
    - keytool -import -file rootCA.cer -alias RootCA -keystore trust.jks -storepass password
    keytool -list -v -keystore <keystore-name> -storepass <keystore-password>

    I found out how to install a GoDaddy SSL certificate on WebLogic; follow the link below.
    http://coreygilmore.com/blog/2009/06/02/install-a-go-daddy-ssl-certificate-for-use-with-jboss-or-the-bes-5-bas/
    But I still get: This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

  • Apache configuration for proxying requests to Weblogic SSL port

    Hello Everyone,
    I want to proxy requests from Apache to Weblogic server on its SSL Port 7002. I am using the default SSL demo version provided by Oracle/BEA.
    Both my Apache and Weblogic instances are running on same machine.
    This is the procedure I followed. I enabled SSL port on Weblogic. Added below configuration to Apache conf file. I am passing trusted.crt file inside WL_HOME/server/lib as parameter to TrustedCAFile .
    <Location "/">
    SetHandler weblogic-handler
    </Location>
    <IfModule mod_weblogic.c>
    SetHandler weblogic-handler
    WebLogicHost ServerHostName
    WebLogicPort WLInstanceSSLPort
    SecureProxy ON
    TrustedCAFile "C:/trusted.crt"
    RequireSSLHostMatch false
    Debug ALL
    WLLogFile "C:/wl_proxy.log"
    </IfModule>
    When I start the Apache instance and try to access the webpage I see below exception in proxy log.
    Thu Apr 09 10:38:05 2009 <735212392878852> Hdrs to WLS:[WL-Proxy-Client-IP]=[10.149.181.55]
    Thu Apr 09 10:38:05 2009 <735212392878852> Hdrs to WLS:[Proxy-Client-IP]=[10.149.181.55]
    Thu Apr 09 10:38:05 2009 <735212392878852> Hdrs to WLS:[X-Forwarded-For]=[10.149.181.55]
    Thu Apr 09 10:38:05 2009 <735212392878852> Hdrs to WLS:[X-WebLogic-KeepAliveSecs]=[30]
    Thu Apr 09 10:38:05 2009 <735212392878852> Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
    Thu Apr 09 10:38:05 2009 <735212392878761> INFO: No session match found
    Thu Apr 09 10:38:05 2009 <735212392878852> INFO: SSL certificate chain validation failed: 3015
    Thu Apr 09 10:38:05 2009 <735212392878852> trusted certs = 0
    Thu Apr 09 10:38:05 2009 <735212392878852> dumping cert chain
    Thu Apr 09 10:38:05 2009 <735212392878852> commonName is testmachine-us
    Thu Apr 09 10:38:05 2009 <735212392878761> INFO: DeleteSessionCallback
    Thu Apr 09 10:38:05 2009 <735212392878852> ERROR: SSLWrite failed
    Thu Apr 09 10:38:05 2009 <735212392878852> SEND failed (ret=-1) at 789 of file ../nsapi/URL.cpp
    Thu Apr 09 10:38:05 2009 <735212392878852> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 790 of ../nsapi/URL.cpp
    Thu Apr 09 10:38:05 2009 <735212392878852> Marking 10.149.181.55:40011 as bad
    Thu Apr 09 10:38:05 2009 <735212392878852> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0,  line 790 of ../nsapi/URL.cpp]: at line 2994
    Thu Apr 09 10:38:05 2009 <735212392878852> INFO: Closing SSL context
    Thu Apr 09 10:38:05 2009 <735212392878852> INFO: Error after SSLClose, socket may already have been closed by peer
    Thu Apr 09 10:38:05 2009 <735212392878852> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()
    Thu Apr 09 10:38:05 2009 <735212392878852> attempt #1 out of a max of 5
    Thu Apr 09 10:38:05 2009 <735212392878852> general list: trying connect to '10.149.181.55'/40011/40011 at line 2619 for '/'
    Thu Apr 09 10:38:05 2009 <735212392878852> New SSL URL: match = 0 oid = 22
    Thu Apr 09 10:38:05 2009 <735212392878852> Connect returns -1, and error no set to 10035, msg 'Unknown error'
    Thu Apr 09 10:38:05 2009 <735212392878852> EINPROGRESS in connect() - selecting
    Thu Apr 09 10:38:05 2009 <735212392878852> Setting peerID for new SSL connection
    Please advise if I am missing anything here.
    - - Tarun

    I'm using WL9 and Apache2.2
    I had the exact same issue as above (which I solved with these directions) in addition to another issue, that only showed once I enabled full logging, since it shows as warning/info, not as error.
    First, to enable full logging, add this:
    Debug ALL
    WLLogFile "C:/wl_proxy.log"
    Then after a failure (even after fixing the above), look at the log, and if you see this INFO/WARN:
    Thu Apr 23 00:48:27 2009 <235612404369072> INFO: Host (comp1) doesn't match (192.168.0.229), validation failed
    Thu Apr 23 00:48:27 2009 <235612404368911> WARN: DeleteSessionCallback: No match found!!
    Thu Apr 23 00:48:27 2009 <235612404369072> ERROR: SSLWrite failed
    Thu Apr 23 00:48:27 2009 <235612404369072> SEND failed (ret=-1) at 795 of file ../nsapi/URL.cpp
    Thu Apr 23 00:48:27 2009 <235612404369072> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 796 of ../nsapi/URL.cpp
    Thu Apr 23 00:48:27 2009 <235612404369072> Marking 192.168.0.229:7002 as bad
    That means you have the same problem as I do. The WebLogicHost inside the Location descriptor should match the actual host name for the machine. I believe it's either because the certificate created by WebLogic during its installation will encapsulate the machine host name, or because the SSL validation mechanism expects the machine host name, nothing else.
    Here's how the config would look (my hostname is comp1):
    <IfModule mod_weblogic.c>
    SecureProxy on
    TrustedCAFile "C:/tools/bea9/weblogic92/server/lib/CertGenCA.pem"
    Debug ALL
    WLLogFile "C:/wl_proxy.log"
    EnforceBasicConstraints off
    </IfModule>
    <Location /EnterpriseCMP>
    SetHandler     weblogic-handler
    WebLogicHost      comp1
    WebLogicPort     7002
    ConnectTimeoutSecs     1000
    ConnectRetrySecs     1000
    </Location>
    I believe the
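
Added example, not part of the original posts: a Python triage of wl_proxy.log that separates the two failures discussed in this thread, the untrusted chain with "trusted certs = 0" and the host-name mismatch, and ties each to the backend the plug-in marked as bad. The sample lines are excerpted from the logs quoted above; `triage` and `advice` are hypothetical names, and the reading of the two values in the "doesn't match" line follows the answer.

```python
import re

# Lines excerpted from the two wl_proxy.log extracts quoted in the thread above.
SAMPLE_LOG = """\
Thu Apr 09 10:38:05 2009 <735212392878761> INFO: No session match found
Thu Apr 09 10:38:05 2009 <735212392878852> INFO: SSL certificate chain validation failed: 3015
Thu Apr 09 10:38:05 2009 <735212392878852> trusted certs = 0
Thu Apr 09 10:38:05 2009 <735212392878852> dumping cert chain
Thu Apr 09 10:38:05 2009 <735212392878852> commonName is testmachine-us
Thu Apr 09 10:38:05 2009 <735212392878852> ERROR: SSLWrite failed
Thu Apr 09 10:38:05 2009 <735212392878852> Marking 10.149.181.55:40011 as bad
Thu Apr 23 00:48:27 2009 <235612404369072> INFO: Host (comp1) doesn't match (192.168.0.229), validation failed
Thu Apr 23 00:48:27 2009 <235612404369072> ERROR: SSLWrite failed
Thu Apr 23 00:48:27 2009 <235612404369072> Marking 192.168.0.229:7002 as bad
"""

LINE = re.compile(r"^\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} <(\d+)> (.*)$")
CHAIN_FAIL = re.compile(r"SSL certificate chain validation failed: (\d+)")
TRUSTED = re.compile(r"trusted certs = (\d+)")
COMMON_NAME = re.compile(r"commonName is (\S+)")
HOST_MISMATCH = re.compile(r"Host \((.+?)\) doesn't match \((.+?)\), validation failed")
MARK_BAD = re.compile(r"Marking (\S+) as bad")


def triage(log_text):
    """Return one finding per SSL validation failure, in log order."""
    findings, open_by_id = [], {}  # bracketed id field -> finding still collecting details
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ident, msg = m.groups()
        hit = CHAIN_FAIL.search(msg)
        if hit:
            open_by_id[ident] = {"kind": "untrusted-chain", "code": hit.group(1),
                                 "trusted_certs": None, "common_name": None, "backend": None}
            findings.append(open_by_id[ident])
            continue
        hit = HOST_MISMATCH.search(msg)
        if hit:
            # Reading taken from the answer: the first value is the name in the
            # certificate, the second is the WebLogicHost the plug-in connected to.
            open_by_id[ident] = {"kind": "host-mismatch", "cert_name": hit.group(1),
                                 "configured_host": hit.group(2), "backend": None}
            findings.append(open_by_id[ident])
            continue
        cur = open_by_id.get(ident)
        if cur is None:
            continue
        if cur["kind"] == "untrusted-chain":
            hit = TRUSTED.search(msg)
            if hit:
                cur["trusted_certs"] = int(hit.group(1))
            hit = COMMON_NAME.search(msg)
            if hit:
                cur["common_name"] = hit.group(1)
        hit = MARK_BAD.search(msg)
        if hit:
            cur["backend"] = hit.group(1)
            del open_by_id[ident]  # finding is complete once the backend is marked bad
    return findings


def advice(finding):
    """Map a finding to the configuration item to check."""
    if finding["kind"] == "host-mismatch":
        return (f"Set WebLogicHost to {finding['cert_name']} (the name in the certificate) "
                f"instead of {finding['configured_host']}, and leave host matching on.")
    if finding["trusted_certs"] == 0:
        return ("The plug-in loaded no CA certificates: check that TrustedCAFile is a "
                "readable PEM file containing the CA that signed the server certificate.")
    return (f"Chain validation failed with code {finding['code']}: compare the issuer of "
            f"{finding['common_name']} with the certificates in TrustedCAFile.")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["backend"], "->", advice(f))
```
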

  • Web server type of standalone oc4j needed for SSL Certificate

    Hi,
    We have a standalone oc4j 10.1.3 that hosts an application, many of whose pages use https, and so we need to buy an SSL certificate from one of the CAs like Verisign, GeoTrust, etc. All of these CAs are asking us about the web server type that the standalone OC4J uses. I read the following statement from this url:
    http://download.oracle.com/docs/cd/B32110_01/web.1013/b28950/intro.htm#JICON100
    "communications in a standalone environment is provided through the built-in OC4J Web server, which supports HTTP and HTTPS communications natively without the use of the Oracle HTTP Server"
    On all of the SSL certificate systems of the above CAs' websites, they ask us to choose the web server type from a list of server types but I don't see OC4J web server listed and I am told that it is very important to make sure the web server type is correct otherwise the SSL Certificate that we buy may not be compatible with our web server type.
    So, I would like to know the exact built-in web server type name that goes with Standalone OC4J or one that is closest and for which the SSL Certificate is compatible.
    Shown below is a list of web server types that I am asked to choose from on the Verisign website. The closest to standalone oc4j according to the list below is Oracle Wallet Manager, but isn't this meant for Oracle Application Server (OAS) and not the standalone OC4J? We are using the java keytool to generate the CSR that we look to sign via Verisign, but again we are not sure about the web server type in the case of standalone OC4J, which is not listed below. Please advise, and thanks in advance for any of your responses in helping out.
    Webstar 4.x
    ApacheSSL mod_ssl
    WebLogic 6.0
    WebLogic 8.1
    Cisco
    ACS 3.2
    Covalent
    Apache ERS 2.4
    Apache ERS 3.0
    F5
    BIG-IP
    IBM
    Websphere MQ
    HTTP Server
    Lotus
    Domino 5.0
    Domino 6.0
    Domino 7.0
    Domino 8.0
    Windows NT - IIS 4.0
    Windows 2000 - IIS 5.0
    Windows 2003 - IIS 6.0
    Windows 2008 - IIS 7.0
    Exchange 2007
    iPlanet 4.x
    iPlanet 6.x
    ScreenOS
    SSL Accelerator
    Oracle Wallet Manager
    Secure Web Server
    SSL Offloaders
    Stronghold
    Java Web Server 6.x
    Sun ONE
    AS Server w/IIS 4
    AS Server w/IIS 5
    EA Server
    Tomcat
    Zeus

    Hi Zeus,
    Type of certificate depends on the method you will use to deploy the certificate on your application server.
    Please refer to the links:
    http://download.oracle.com/docs/cd/B31017_01/web.1013/b28957/configssl.htm
    http://download.oracle.com/docs/cd/B14099_19/core.1012/b13995/wallets.htm#ASADM400
    http://download.oracle.com/docs/cd/B14099_19/web.1012/b14013/configssl.htm
    Regards,
    mYth

  • SSL Certificate Install Problem

    To all Sun App Server Gurus,
    I face a major challenge trying to install an SSL certificate on our Application Server.
    The Manage Database was successful.
    I filled out the certificate request form in the Security > Certificate Management > Request section and forwarded the information / CSR to the CA.
    The certificate is issued and validated by our CA.
    I follow the steps according the documentation to import the certificate.
    I specify the following to import the certificate
    1) Certificate for : o This Server
    2) Cryptographic Module: internal
    3) Key Pair File Password: **************
    4) Message Text (with headers):
    -----BEGIN CERTIFICATE-----
    U0UgT05MWSAtIE5PIFdBUlJBTlRZIEFUVEFDSE.....
    -----END CERTIFICATE-----
    5) Click OK
    The next screen shows the certificate information which are correct as well.
    After pressing "Add Server Certificate" it takes about 20 seconds until I receive a pop-up error message. It says: "Incorrect Useage: No Private Key. The server could not find the private key associated with this certificate."
    After I click OK the Admin GUI displays the following error in the browser: "Not Found
    The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it. "
    Security > General
    Log Level: finest
    Audit Logging Enabled: unchecked
    Default Realm: file
    Anonymous Role: ANYONE
    In the admin server log I get the following entry:
    WARNING ( 1182): for host x.x.x.x trying to GET /instance-server1/admin/bin/(null), cgi_start_exec reports: HTTP4049: cannot find CGI program /opt/SUNWappserver7/lib/admincgi/(null) (File not found)
    I checked the directories and they all exist and the admincgi even has files included. I don't know which one should be missing.
    I also reinstalled the App Server twice so far and used the default options.
    If anyone could please help me with this that would be extremely helpful.
    Thank you.
    Regards,
    Martin

    try converting your key from der2pem using
    java utils.der2pem {keyfile  in der} {keyfile out in pem}
    thanks
    kiran
    "eraldo" <[email protected]> wrote in message
    news:[email protected]..
    hi,
    I tried to install an SSL certificate on a Weblogic 6.1 SP3 (running on a Solaris 8). Following the post 5457 (found in your newsgroup) I made these steps:
    - I generated CSR using web application /certificate
    - I sent CSR to Entrust.com obtaining a certificate and a chain certificate
    - I configured the server under "Configuration - SSL" with following parameters:
    - Enabled = true
    - Listen port = 8002
    - Server Key File Name = <path to private key ".der" file>
    - Server Certificate File Name = <path to Entrust CRT ".pem" file>
    - Server Certificate Chain File Name = <path to Entrust CA ".pem" file>
    - Key Encrypted = true
    - I changed startWebLogic.sh:
    - added "-Dweblogic.management.pkpassword=<my_pwd>" to JAVA command line
    Launching the script I got the following exception:
    <Nov 22, 2002 2:34:44 PM GMT-01:00> <Alert> <WebLogicServer> <Security configuration problem with certificate file config/sdfdomain/H3MIS097_H3G_IT-key.der, java.io.IOException: weblogic.security.CipherException: Invalid padding length 48>
    java.io.IOException: weblogic.security.CipherException: Invalid padding length 48
    at weblogic.security.RSAPrivateKeyPKCS8.input(RSAPrivateKeyPKCS8.java:157)
    at weblogic.security.RSAPrivateKeyPKCS8.<init>(RSAPrivateKeyPKCS8.java:125)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:391)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:301)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1097)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:490)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:206)
    at weblogic.Server.main(Server.java:35)
    Any idea?
    Thanks in advance,
    Eraldo

  • Error of SSL certificate

    hi, all,
    I got your information from weblogic.developer.interest.security.
    I have a question about the SSL certificate
    1. I generate the private key file using Weblogic certificate servlet,
    2. get the request, then go to thawte to get the response
    3. go to weblogic console -> server -> ssl, specify the filename, click "Enable", click "Key Encrypted"
    4. change the startWeblogic.cmd, adding -Dpkpassword=adminadmin
    But when I restart the weblogic, I got the following error msg:
    Starting WebLogic Server ....
    <Sep 27, 2001 1:34:29 PM CST> <Notice> <Management> <Loading configuration file .\config\citi1\config.xml ...>
    <Sep 27, 2001 1:34:35 PM CST> <Notice> <WebLogicServer> <Starting WebLogic Admin Server "server1" for domain "citi1">
    <Sep 27, 2001 1:34:35 PM CST> <Alert> <WebLogicServer> <Security configuration problem with certificate file adamfeng-key.der, java.lang.NullPointerException>
    java.lang.NullPointerException
    at weblogic.security.PKCS5.setPassword(PKCS5.java:173)
    at weblogic.security.RSAPrivateKeyPKCS8.<init>(RSAPrivateKeyPKCS8.java:124)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:390)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
    at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr

    Hi adam,
    I wish to let you know that your ****-key.der file is not generated correctly. I suppose you must have used the Certificate Request Generator of WLS to generate the key file and the request file.
    Please follow the steps below to get your system running:
    (1) Generate a new certificate request, making sure that you enter "yourmachine.domain.com" in the Full Host name field within the certificate request generator. Fill in all the required values (for example, the state should be filled in full, not with abbreviations). Do not fill in the ones which are not required; that means do not fill in the password field, the random string field, etc. Then you will get a key file and the request file. Press the submit button on the same page to test the key file with Verisign. If all fields are filled in correctly then it says so; if not, it will bounce back saying an ERROR. So see to it that you get the right key file, i.e. the ****-key.der file.
    (2) Save the certificate request in a text file (including the ----BEGIN CERTIFICATE REQUEST-- and END CERTIFICATE REQUEST).
    (3) Go to https://www.thawte.com/cgi/server/test.exe and paste the above request.
    (4) Do NOT choose any other options as the default options are set correctly (unless you are using a domestic build of the weblogic server which requires a different license).
    (5) Save the certificate obtained in a text file and save it as a .pem file.
    (6) Also save the root certificate obtained in the above URL (see the 2nd line from the top) in .pem format and use this file against the ServerCertChain name.
    (7) Make sure you enter the certificate key and server certificate fields with the correct path to the key and cert (inclusive of the file names).
    After having done the above steps restart the server and you should be able to get SSL to work. Hope the above information
    If not then mail me at [email protected].
    Sujit.

  • Problem installing SSL certificate for CPS

    I work at a medium-sized University, and we have used Contribute 3 with CPS1.11 for well over a year. Recently, however, the Contribute clients began having difficulty logging in to CPS. At first this was intermittent, but is now constant. Adobe support suggested replacing the CPS self-signed SSL certificate with a genuine one, because apparently the self-signed certificate is causing communication delays and timeouts.
    I have the certificate, and am trying to use keytool (see http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html) to install it, but it is asking me for a keystore password, which I don't know. Apparently the standard defaults are "changeit" or "passphrase", but neither of these work.
    As a test, I created a fresh install of CPS and attempted to list the keys in the keystore, but again was asked for a keystore password and the defaults did not work. Adobe support suggested I ask here. Anybody have any experience installing a certificate for CPS?

    Are you sure that the certificate needs to be installed to all users? Can you provide more details about the certificate and its purposes?
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com

  • Incorrect Encrypted block when inserting SSL certificate

    Generated new SSL certificate for Weblogic Server 6.1, inserted Server certificate, the Root Certificate Authority (Chain File), the Private key file but is getting the following error - can anyone assist?
    weblogic.security.AuthenticationException: Incorrect encrypted block possibly incorrect SSLServerCertificateChainFileName set for this server certificate at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:291)...

    This might be caused by an invalid/not specified private key password.
    Pavel.
    bibi <[email protected]> wrote:
    Generated new SSL certificate for Weblogic Server 6.1, inserted Server
    certificate, the Root Certificate Authority (Chain File), the Private
    key file but is getting the following error - can anyone assist?
    weblogic.security.AuthenticationException: Incorrect encrypted block
    possibly incorrect SSLServerCertificateChainFileName set for this server
    certificate at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:291)...
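Added example, not part of any post above and not WebLogic code: both this thread and the earlier `PKCS5.setPassword` NullPointerException turn on whether the private key file is password-encrypted. The stdlib-only Python check below reads the DER framing of a key file and reports whether it is an encrypted PKCS#8 blob (password required) or a clear-text key, and rejects a certificate supplied in the key's place. It assumes DER input; the sample byte strings are constructed with dummy salt, ciphertext and key bytes.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def classify_key(der):
    """Return (format, needs_password, encryption_oid or None) for a DER key."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM text or wrong file?)")
    first_tag, f_start, f_end = read_tlv(der, start)
    if first_tag == 0x30:                  # AlgorithmIdentifier comes first: encrypted PKCS#8
        oid_tag, o_start, o_end = read_tlv(der, f_start)
        data_tag = read_tlv(der, f_end)[0]
        if oid_tag != 0x06 or data_tag != 0x04:
            raise ValueError("not a private key (a certificate, perhaps?)")
        return "PKCS#8 EncryptedPrivateKeyInfo", True, decode_oid(der[o_start:o_end])
    if first_tag == 0x02:                  # clear-text layouts start with an INTEGER version
        second_tag = read_tlv(der, f_end)[0]
        if second_tag == 0x30:
            return "PKCS#8 PrivateKeyInfo", False, None
        if second_tag == 0x02:
            return "PKCS#1 RSAPrivateKey", False, None
    raise ValueError("unrecognised key structure")

# Constructed samples: valid DER framing, dummy salt/ciphertext/key bytes.
ENCRYPTED = bytes.fromhex("3027301b06092a864886f70d010503300e040800112233445566770202080004088899aabbccddeeff")
CLEAR_P8 = bytes.fromhex("3018020100300d06092a864886f70d01010105000404deadbeef")
CLEAR_P1 = bytes.fromhex("3006020100020135")
if __name__ == "__main__":
    print([classify_key(k) for k in (ENCRYPTED, CLEAR_P8, CLEAR_P1)])
```

The OID in the encrypted sample, 1.2.840.113549.1.5.3, is PKCS#5 pbeWithMD5AndDES-CBC; a `True` in the second field means the server needs the key password supplied at startup.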

  • Verisign SSL certificate Encryption

    At present in our application, we are using weblogic server-7.0 with SSL Certificate of 40 bit minimum to 256 bit for SSL encryption. Does anyone know if our application can use the 128 - 256 bit encryption certificate instead of same weblogic server 7.0?

    Hi,
    by default Weblogic 7.0 does not supports only 56 bit of SSL encryption.
    At the highest WLS 7.0 can be enabled for 128 bit SSL encryption but for that there is a need for a separate license for which you need to contact Oracle Weblogic Support.
    The type of SSL encryption does not depend upon the SSL certificate because almost all of the SSL certificates available does support 256 bit encryption.
    The 128-256 SSL encryption generally depends upon the Client JDK and the Ciphers(JCE/ algorithms) being used at the client end because it is the client which always initiates the SSL communication and the client presents the list of ciphers it supports and the server has to only choose from that list of algorithms.
    So, to conclude WLS 7.0 uses by default JDK 1.3_6 and JDK 1.3 by default does not have the algorithms to support 256 bit SSL encryption.
    WLS 7.0 will not support 256 bit SSL encryption.
    Hope this helps.
    Thanks,
    Sandeep
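Added example, not part of the reply above: a Python sketch of the negotiation step it describes, showing that the key strength of a session comes from the overlap between the cipher suites in the client's ClientHello and the suites the server has enabled, not from the certificate. The ClientHello is constructed; the suite IDs are IANA values for a small subset, and choosing by server preference order is an assumption (some servers follow the client's order).

```python
import struct

# IANA cipher suite IDs -> (name, symmetric key bits); small subset for the demo.
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", 128),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
}

def offered_suites(record):
    """Extract the cipher suite IDs from a raw TLS ClientHello record."""
    if record[0] != 22 or record[5] != 1:  # handshake record, ClientHello message
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                   # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                 # skip session_id
    (n,) = struct.unpack_from("!H", record, pos)
    return list(struct.unpack_from("!%dH" % (n // 2), record, pos + 2))

def negotiate(record, server_enabled):
    """Pick the first suite, in server preference order, that the client offered."""
    offered = set(offered_suites(record))
    for suite in server_enabled:
        if suite in offered:
            return SUITES[suite]
    return None                            # no overlap: the handshake fails

def build_client_hello(suites):
    """Constructed sample: minimal TLS 1.0 ClientHello, zero random, no extensions."""
    body = b"\x03\x01" + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += struct.pack("!%dH" % len(suites), *suites)
    body += b"\x01\x00"                    # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

CLIENT_HELLO = build_client_hello([0x0035, 0x002F, 0x0005, 0x0009, 0x0003])

if __name__ == "__main__":
    print("strong server:", negotiate(CLIENT_HELLO, [0x0035, 0x002F]))
    print("56-bit server:", negotiate(CLIENT_HELLO, [0x0009, 0x0003]))
```

The same client that gets AES-256 from the first server is held to 56-bit DES by the second, which is why auditing the server's enabled suite list matters more than the certificate's advertised strength.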

  • Install SSL certificate for Oracle HTTP server

    I received a PFX file that contains an SSL wildcard certificate for our company *.xyz.com.
    I used this tool "xca" to extract two files: "server.crt" and "serverkey.pem".
    I want to install this on the oracle 11g HTTP server (OHS) installed as standalone based on apache 2.2
    With oracle, I have to create a wallet and point the SSL.CONF wallet directive to use that wallet.
    I used Oracle Wallet Manager to create it and import the certificate but this is where I am having problems.
    First I could not restart the web server, but then it worked, but I got SSL handshake errors (shown below).
    According to oracle steps, I have to create a CSR and then import the certificate into the wallet
    http://www.apache.com/resources/how-to-setup-an-ssl-certificate-on-apache/
    However, when I tried to use Oracle Wallet Manager, there were two options: import server certificate and trusted certificate.
    The import server certificate was greyed out. I had to create a CSR just to get it enabled but I did not use the CSR, I just imported the "server.crt" file.
    I also tried to import the "serverkey.pem" into the trusted certificate option but was rejected (invalid certificate).
    Do you know how to create a successful wallet based on the files I have and not creating a CSR since I already have a certificate file?
    [2013-05-04T20:11:40.2718-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1253263680] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
    [2013-05-04T20:11:40.2719-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1253263680] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error
    [2013-05-04T20:11:40.4774-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] unusably short session_id provided (0 bytes)
    [2013-05-04T20:11:40.4776-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
    [2013-05-04T20:11:40.4776-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1263753536] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error
    [2013-05-04T20:11:40.6814-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] unusably short session_id provided (0 bytes)
    [2013-05-04T20:11:40.6816-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] nzos handshake error, nzos_Handshake returned 29040(server ptp.xyz.xom:443, client 10.60.117.121)
    [2013-05-04T20:11:40.6816-04:00] [OHS] [ERROR:32] [] [core.c] [host_id: ptp.xyz.xom] [host_addr: 10.72.11.211] [pid: 11339] [tid: 1274243392] [user: root] [VirtualHost: ptp.xyz.xom:443] NZ Library Error: Unknown error

    I do not have weblogic installed. I only have standalone 11g HTTP server with mod_plsql.
    If I can get OWM working to create a successful certificate then the problem would be resolved.
    I am just not sure what is Root Certificate and Trustworthy Certificate and how to get that from the files I have.

  • NEED TO REFERENCE 2 DIFFERENT SSL CERTIFICATES  BASED ON VIRTUAL HOST NAMES

    Hi,
    If you have a managed server in a cluster that has two virtual hosts running
    on it, how can you install the SSL certificates for both virtual hosts in
    the admin console?
    Any help would be great!

    I think that you can only have one server certificate per server currently
    since the certificate establishes the server's identity and there isn't
    support for a server to have two identities at the same time.
    "RAGUTAM BOMMAREDDY" <[email protected]> wrote in message
    news:[email protected]..
    Hello,
    Can I reference 2 different SSL certificates in the same weblogic.properties file?
    Reason is we have 2 groups of users for a web application: one will use a
    French-language DNS to access the application, and the other will use English DNS.
    Both DNS will point to the same application on the same server.
    Example of what we require:
    weblogic.security.certificate.server=mycert1.pem
    weblogic.security.key.server=mykey1.der
    weblogic.security.certificate.authority=rootCertificate1.pem
    ----and---
    weblogic.security.certificate.server=mycert2.der
    weblogic.security.key.server=mykey2.der
    weblogic.security.certificate.authority=rootCertificate2.pem
    mycert1 will correspond to DNS1, and mycert2 will correspond to DNS2, and
    both DNS1 and DNS2 point to the same application on the same box.
    Thanks,
    Ragu

  • Problem Installing Entrust SSL Certificate

    Hello:
    We are using BEA Weblogic 6.1 SP1. This year when we renew SSL certificate, we changed vendor from Verisign to Entrust. I just got the certificate from Entrust. Here's what happened:
    1. In the Entrust certificate email, it says "Entrust would like to inform you that as of January 1, 2004, the current GTE Corporation chain certificate that is distributed with all Entrust SSL certificates, will no longer be distributed with certificates that have an expiry date greater than January 1, 2006". However, I can't get Weblogic started on SSL without a valid ServerCertificateChainFileName. So I got the ServerChainFile from http://www.entrust.net/tech/weblogic6/removechain.cfm and saved the certificate into entrust-cert.pem file.
    2. It works on the server with BEA development license. However, when I move it to test web server with "SSL/Export" license, it gives this error "<License allows low strength (export) SSL.>" and Weblogic won't even start on both HTTP and SSL port.
    3. After trying all sorts of things and nothing helped, I'm wondering whether it's OK to use the same CSR request I generated using Weblogic certificate servlet last year, since no information has been changed since then?
    Does anybody have similar experience and can you shed some light on how to solve this issue. Should I contact Entrust to get a low strength SSL?
    Thanks in advance!
    Jenny

    It looks like you have the correct certificate but perhaps didn't import it the correct way. Did you create the Certificate Request on the same machine as you imported it? Otherwise you don't have the private key. If not then import the certificate on the same where you created the CR and then export the certificate and make sure you select to export the private key as well and then import it on the RDS. If you followed the import steps correctly I suggest you contact GoDaddy to make sure they delivered a valid certificate.
    Kind regards,
    Freek Berson
    http://microsoftplatform.blogspot.com/
