If you use the SAS Deployment Wizard on a federated multi-tier WebLogic configuration, the WebLogic Managed Servers cannot be started because of a Secure Socket Layer exception error (SSLKeyException). This problem does not affect single-tier configurations.

You can identify this issue in the WebLobic Administration Server log and the Node Manager log, based upon the following error and warning messages.

In the AdminServer.log file:

####<May 19, 2009 10:27:49 AM EDT> <Error> <Management> 
<jdtsrv02> <AdminServer>
<[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'>
<<anonymous>> <> <> <1242743269192> <BEA–141145> <An attempt was 
made to connect to the administration server without credentials.>

####<May 19, 2009 11:30:34 AM EDT> <Warning> <Security> <jdtsrv02> <AdminServer>
<[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self–tuning)'>
<weblogic> <> <> <1242747034757> <BEA–090477> <Certificate chain received 
from jdtsrv02 – 10.12.16.214 was not trusted causing SSL handshake failure.>

In the nodemanager.log file:

<May 19, 2009 11:30:34 AM> <Warning> <Uncaught exception in 
server handler:
javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was
received from jdtsrv02.na.sas.com – 10.12.16.214. Check the peer to determine
why it rejected the certificate chain (trusted CA configuration, hostname
verification). SSL debug tracing may be required to determine the exact reason
the certificate was rejected.>

In addition, if you attempt to stop and the restart the managed servers, the following error appears in the AdminServer.log file:

<> <1242840639286> <BEA–000297> <Inconsistent security 
configuration,
java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the
AlgorithmIdentifier object: 1.2.840.113549.1.1.11>
####<May 20, 2009 1:30:39 PM EDT> <Emergency> <Security> <jdtsrv02>
<AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self–tuning)'> <<WLS Kernel>> <> <> <1242840639302> <BEA–090034> <Not listening
for SSL, java.io.IOException: PKIX: Unsupported OID in the AlgorithmIdentifier
object: 1.2.840.113549.1.1.11.>

This problem occurs because Weblogic 10.3 does not support the 1.2.840.113549.1.1.11. - SHA1 with RSA signature encryption. This encryption is part of defined algorithms of the Open Systems Environment Implementers' Workshop (OIW) Security Special Interest Group. (See 1.2.840.113549.1.1.11 - sha256WithRSAEncryption).

To resolve this issue, remove the certificates ttelesecglobalrootclass2ca and ttelesecglobalrootclass3ca, which use the unsupported algorithm sha256RSA from JDK-home-directory/jre/lib/cacerts. Follow these steps to remove the certficates.

1. Back up the original cacerts file with the following command:
   copy JDK–home–directory\jre\lib\security\cacerts JDK–home–directory\jre\lib\security\cacerts.original
2. Delete ttelesecglobalrootclass2ca by submitting this command:
   JDK–home–directory\bin\keytool –delete –alias ttelesecglobalrootclass2ca –keystore JDK–home–directory\jre\lib\security\cacerts
3. Delete ttelesecglobalrootclass3ca by submitting this command:
   JDK–home–directory\bin\keytool –delete –alias ttelesecglobalrootclass3ca –keystore JDK–home–directory\jre\lib\security\cacerts

Operating System and Release Information