Sunday, April 10, 2016

WLS : Cannot Convert Identity Certificate

Recently we had an issue with an expired WebLogic custom identity certificate, and we used the commands below to recreate it.

Created New Identity Certificate:
keytool -genkey -alias client -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -keypass ******* -keystore identity.jks -storepass *******

Exported Certificate:
keytool -export -alias client -file root.cer -keystore identity.jks -storepass *******

Imported Certificate as Trusted:
keytool -import -alias client -trustcacerts -file root.cer -keystore trust.jks -storepass *******

Listed Keystores:
keytool -list -v -keystore identity.jks -storepass *******
keytool -list -v -keystore trust.jks -storepass *******

Later we faced one more error when we tried to start the Admin Server and the Node Manager.

Error: Cannot convert identity certificate

Cause: By default, WebLogic 11g does not support certificates signed with stronger signature algorithms such as SHA256withRSA.

Fix: Enable JSSE support

1. Add the Java properties below to the setDomainEnv.sh file to enable JSSE across the domain.

EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true"

Note: '-Dweblogic.ssl.JSSEEnabled=true' is only valid for WebLogic 10.3.4 to 10.3.6.

Follow the steps below to enable JSSE for a specific Managed Server:
Log in to the WebLogic console -> click Servers -> select the managed server -> Lock & Edit -> Configuration tab -> SSL subtab -> expand Advanced -> check "Use JSSE SSL" -> click Save -> click Activate Changes -> restart the managed server

2. Node Manager: Include the option below in NodeManager.properties to support JSSE.

JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true"
export JAVA_OPTIONS
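As an added pre-flight check (example script written for this post, not part of the original or of WebLogic), the POSIX shell snippet below parses `keytool -list -v` output together with a setDomainEnv.sh fragment and flags the combination behind this error: a SHA-2 signed identity certificate while neither JSSE property is set to true. The keystore listing and the file fragments are constructed samples.

```shell
#!/bin/sh
# Added example: detect a SHA-2 identity certificate whose domain has not enabled JSSE.
# The listing and file fragments below are constructed samples, not real output.
SAMPLE_LISTING='Alias name: client
Entry type: PrivateKeyEntry
Owner: CN=example.test, OU=Demo, O=Demo, C=US
Signature algorithm name: SHA256withRSA
Valid from: Sun Apr 10 00:00:00 IST 2016 until: Mon Apr 10 00:00:00 IST 2017'

# Constructed setDomainEnv.sh fragments: one without and one with the JSSE property.
SAMPLE_ENV_NO_JSSE='EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Dweblogic.Name=AdminServer"'
SAMPLE_ENV_JSSE='EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Dweblogic.security.SSL.enableJSSE=true"'

# cert_sig_alg LISTING: print the signature algorithm of the first entry in a keytool listing.
cert_sig_alg() {
  printf '%s\n' "$1" | sed -n 's/^Signature algorithm name: *//p' | head -n 1
}

# jsse_enabled ENV_TEXT: succeed if either JSSE property from the post is set to true.
jsse_enabled() {
  printf '%s\n' "$1" | grep -Eq -- '-Dweblogic\.(security\.SSL\.enableJSSE|ssl\.JSSEEnabled)=true'
}

# check_identity_cert LISTING ENV_TEXT: return 0 if compatible, 1 if a SHA-2 cert lacks JSSE.
check_identity_cert() {
  alg=$(cert_sig_alg "$1")
  case "$alg" in
    SHA256withRSA|SHA384withRSA|SHA512withRSA)
      if jsse_enabled "$2"; then
        echo "OK: $alg certificate and JSSE enabled"
        return 0
      fi
      echo "WARN: $alg certificate but JSSE not enabled; expect 'Cannot convert identity certificate'"
      return 1 ;;
    *)
      echo "OK: $alg certificate is handled by the default SSL stack"
      return 0 ;;
  esac
}

check_identity_cert "$SAMPLE_LISTING" "$SAMPLE_ENV_NO_JSSE" || true   # prints WARN
check_identity_cert "$SAMPLE_LISTING" "$SAMPLE_ENV_JSSE"              # prints OK
```

On a real domain, feed it the output of the keytool -list -v command above and the contents of setDomainEnv.sh instead of the embedded samples.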