If you use the SAS Deployment Wizard on a federated multi-tier WebLogic
configuration, the WebLogic Managed Servers cannot be started because of a Secure Socket Layer exception
error (SSLKeyException). This problem does not affect
single-tier configurations.
You can identify this issue in the WebLogic Administration Server log and the Node Manager log, based upon the following error and warning messages.
In the AdminServer.log file:
####<May 19, 2009 10:27:49 AM EDT> <Error> <Management>
<jdtsrv02> <AdminServer>
<[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'>
<<anonymous>> <> <> <1242743269192> <BEA-141145> <An attempt was
made to connect to the administration server without credentials.>
####<May 19, 2009 11:30:34 AM EDT> <Warning> <Security> <jdtsrv02> <AdminServer>
<[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'>
<weblogic> <> <> <1242747034757> <BEA-090477> <Certificate chain received
from jdtsrv02 - 10.12.16.214 was not trusted causing SSL handshake failure.>
In the nodemanager.log file:
<May 19, 2009 11:30:34 AM> <Warning> <Uncaught exception in
server handler:
javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was
received from jdtsrv02.na.sas.com - 10.12.16.214. Check the peer to determine
why it rejected the certificate chain (trusted CA configuration, hostname
verification). SSL debug tracing may be required to determine the exact reason
the certificate was rejected.>
In addition, if you attempt to stop and then restart the managed servers, the following error appears in the AdminServer.log file:
<> <1242840639286> <BEA-000297> <Inconsistent security
configuration,
java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the
AlgorithmIdentifier object: 1.2.840.113549.1.1.11>
####<May 20, 2009 1:30:39 PM EDT> <Emergency> <Security> <jdtsrv02>
<AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default
(self-tuning)'> <<WLS Kernel>> <> <> <1242840639302> <BEA-090034> <Not listening
for SSL, java.io.IOException: PKIX: Unsupported OID in the AlgorithmIdentifier
object: 1.2.840.113549.1.1.11.>
This problem occurs because WebLogic 10.3 does not support the signature algorithm identified by OID 1.2.840.113549.1.1.11, sha256WithRSAEncryption (SHA-256 with RSA). This algorithm is listed among the defined algorithms of the Open Systems Environment Implementers' Workshop (OIW) Security Special Interest Group. (See 1.2.840.113549.1.1.11 - sha256WithRSAEncryption.)
To resolve this issue, remove the certificates ttelesecglobalrootclass2ca and
ttelesecglobalrootclass3ca, which use the unsupported algorithm sha256RSA, from JDK-home-directory\jre\lib\security\cacerts. Follow these steps to remove the certificates.
- Back up the original cacerts file with the following command:
copy JDK-home-directory\jre\lib\security\cacerts JDK-home-directory\jre\lib\security\cacerts.original
- Delete ttelesecglobalrootclass2ca by submitting this command:
JDK-home-directory\bin\keytool -delete -alias ttelesecglobalrootclass2ca -keystore JDK-home-directory\jre\lib\security\cacerts
- Delete ttelesecglobalrootclass3ca by submitting this command:
JDK-home-directory\bin\keytool -delete -alias ttelesecglobalrootclass3ca -keystore JDK-home-directory\jre\lib\security\cacerts
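To confirm which truststore entries use the unsupported algorithm before deleting them, and that none remain afterward, the following added example (not part of the original SAS note) parses `keytool -list -v` output for the signature algorithm of each alias. It is written for the UNIX hosts in the table below; the CACERTS and STOREPASS variables, the function names, and the embedded sample listing are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the SAS note): report which truststore aliases are
# signed with sha256WithRSAEncryption, from `keytool -list -v` text on stdin.

OID='1.2.840.113549.1.1.11'   # OID quoted in the WebLogic log messages

sha256rsa_aliases() {
    awk -v oid="$OID" '
        /^Alias name: / {
            alias = substr($0, 13); sub(/[ \t\r]+$/, "", alias); seen = 0
        }
        /Signature algorithm name: / {
            alg = $0
            sub(/^.*Signature algorithm name: */, "", alg)
            sub(/[ \t\r]+$/, "", alg)
            # Match the algorithm name, or the raw OID if that is what is listed
            if (!seen && (tolower(alg) == "sha256withrsa" || alg == oid)) {
                print alias; seen = 1
            }
        }'
}

# Constructed sample of keytool output; abbreviated, not a real keystore dump.
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Your keystore contains 3 entries

Alias name: ttelesecglobalrootclass2ca
Entry type: trustedCertEntry
Owner: CN=Constructed Root A
Signature algorithm name: SHA256withRSA

Alias name: constructedsha1root
Entry type: trustedCertEntry
Owner: CN=Constructed Root B
Signature algorithm name: SHA1withRSA

Alias name: ttelesecglobalrootclass3ca
Entry type: trustedCertEntry
Owner: CN=Constructed Root C
Signature algorithm name: 1.2.840.113549.1.1.11
EOF
}

# CACERTS and STOREPASS are assumed environment variables for this example.
if [ -n "${CACERTS:-}" ]; then
    keytool -list -v -keystore "$CACERTS" -storepass "${STOREPASS:-changeit}" |
        sha256rsa_aliases
else
    sample_listing | sha256rsa_aliases
fi
```

Run it against the backed-up cacerts.original to see what was present, and against the edited cacerts to verify that no listed alias remains.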
Operating System and Release Information
SAS System | BEA WebLogic Server |
HP-UX IPF | 10.3 | | 9.2 TS2M2 | |
64-bit Enabled Solaris | 10.3 | | 9.2 TS2M2 | |
64-bit Enabled AIX | 10.3 | | 9.2 TS2M2 | |
Microsoft Windows XP Professional | 10.3 | | 9.2 TS2M2 | |
Microsoft Windows Server 2008 | 10.3 | | 9.2 TS2M2 | |
Microsoft Windows Server 2003 Standard Edition | 10.3 | | 9.2 TS2M2 | |
Microsoft Windows Server 2003 Enterprise Edition | 10.3 | | 9.2 TS2M2 | |
Microsoft Windows Server 2003 Datacenter Edition | 10.3 | | 9.2 TS2M2 | |
Microsoft Windows XP 64-bit Edition | 10.3 | | 9.2 TS2M2 | |
Microsoft Windows Server 2003 Enterprise 64-bit Edition | 10.3 | | 9.2 TS2M2 | |
Microsoft Windows Server 2003 Datacenter 64-bit Edition | 10.3 | | 9.2 TS2M2 | |
Microsoft® Windows® for 64-Bit Itanium-based Systems | 10.3 | | 9.2 TS2M2 | |
Linux for x64 | 10.3 | | 9.2 TS2M2 | |
Solaris for x64 | 10.3 | | 9.2 TS2M2 | |
* For software releases that are not yet generally available, the Fixed
Release is the software release in which the problem is planned to be
fixed.