2 Replies. Latest reply: Aug 12, 2012 2:07 PM by anjhawar

    Weblogic and SAN certificates with hostname verification disabled

    954352
      Hi all,

      My first post here in the forums; I hope it's in the right spot. I'm trying to implement a load balancer in our environment, and as such I need to use SAN certs for our web application. I created the certs using keytool from JDK7 and imported them into the keystore with no problem. I'm familiar with this process, having done the server certs before; the only difference was the extra arguments for the SAN DNS values. Here are the commands I used:

      ----------------------------
      ./keytool -genkey -alias bruce04 -keyalg RSA -keysize 1024 -dname "CN=bruce04.nakinasys.local, O=Nakina Systems, L=Ottawa, ST=Ontario, C=CA" -validity 7000 -keypass KungFuPass -keystore bruce04Identity.jks -storepass KungFuPass -ext "SAN=DNS:bruce04,DNS:norris,DNS:norris.nakinsys.local,DNS:kungfu,DNS:kungfu.nakinasys.local"

      ./keytool -export -v -alias bruce04 -file bruce04.cert -keystore bruce04Identity.jks -storepass KungFuPass
      -----------------------------

      I repeated the process for all the servers, copied the certs and updated the config settings. When I start nodemanager, I get the following error:

      -----------------------------
      <Aug 7, 2012 4:34:17 PM GMT+00:00> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true>
      <Aug 7, 2012 4:34:17 PM GMT+00:00> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true>
      Aug 7, 2012 4:34:21 PM weblogic.nodemanager.server.NMServer main
      SEVERE: Fatal error in node manager server
      java.lang.RuntimeException: Cannot convert identity certificate
          at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
          at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
          at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
          at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)
          at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)
          at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
          at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
          at weblogic.NodeManager.main(NodeManager.java:31)
      [ Aug  7 16:34:21 Stopping because all processes in service exited. ]
      [ Aug  7 16:34:21 Executing stop method ("/opt/nakina/bus/bea/bin/nakinanodemgr-smf stop") ]
      pkill: illegal option -- P
      Usage: pkill [-signal] [-fnovx] [-P ppidlist] [-g pgrplist] [-s sidlist]
      [-u euidlist] [-U uidlist] [-G gidlist] [-J projidlist]
      [-T taskidlist] [-t termlist] [-z zonelist] [-c ctidlist] [pattern]
      [ Aug  7 16:34:21 Method "stop" exited with status 0 ]
      [ Aug  7 16:34:21 Executing start method ("/opt/nakina/bus/bea/bin/nakinanodemgr-smf start") ]
      starting /opt/nakina/bus/bea/weblogic10.3/domains/NakinaCluster/startNodeManager.sh
      [ Aug  7 16:34:21 Method "start" exited with status 0 ]
      ---------------------------

      I found the following two articles on the subject; however, hostname verification is disabled.
      https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1075505.1
      https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1311673.1


      Any thoughts on this?
      Thanks,
      ryan.
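The post above disables hostname verification and passes the SAN names to keytool's -ext option. The following is an added example, not code from the post or from Oracle: it parses a keytool-style "SAN=DNS:...,DNS:..." value and performs the DNS-ID match (RFC 6125 style: case-insensitive, wildcard allowed only as the whole left-most label) that a hostname verifier applies to the host a client connected to. The SAN list constant is a constructed copy of the post's entries; the function names and the wildcard policy are this example's own choices. It runs offline and generates no certificate.

```python
"""Hostname verification against a certificate's SAN DNS entries.

Added example: shows what an enabled hostname verifier checks, so the
SAN list can be fixed instead of the check being switched off.
"""

# Constructed copy of the SAN argument from the post (note the entry
# "norris.nakinsys.local", which differs from the other "nakinasys" names).
POST_SAN_ARG = ("SAN=DNS:bruce04,DNS:norris,DNS:norris.nakinsys.local,"
                "DNS:kungfu,DNS:kungfu.nakinasys.local")


def san_dns_names(ext_arg: str) -> list:
    """Extract the DNS entries from a keytool-style "SAN=DNS:a,IP:1.2.3.4" value.

    Non-DNS entries (IP:, EMAIL:, URI:) are ignored; names are normalised
    to lower case without a trailing dot, as verifiers compare them.
    """
    prefix, _, body = ext_arg.partition("=")
    if prefix.strip().upper() != "SAN":
        raise ValueError("not a SAN extension argument: %r" % ext_arg)
    names = []
    for entry in body.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind.strip().upper() == "DNS" and value.strip():
            names.append(value.strip().lower().rstrip("."))
    return names


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID comparison.

    - exact match is case-insensitive;
    - a wildcard must be the entire left-most label ("*.example.local"),
      matches exactly one label, and is refused for patterns with fewer
      than three labels (so "*.local" never matches "host.local").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial or mid-name wildcards are not accepted
    if len(p_labels) != len(h_labels):
        return False  # wildcard does not span multiple labels
    return p_labels[1:] == h_labels[1:]


def hostname_verified(hostname: str, ext_arg: str) -> bool:
    """True if hostname matches any SAN DNS entry in ext_arg.

    Only SAN entries are consulted; the subject CN is deliberately not a
    fallback, which is the behaviour RFC 6125 recommends for DNS names.
    """
    return any(dns_id_matches(name, hostname) for name in san_dns_names(ext_arg))


if __name__ == "__main__":
    for host in ("kungfu.nakinasys.local", "norris.nakinasys.local",
                 "bruce04.nakinasys.local", "BRUCE04"):
        print("%-26s -> %s" % (host, hostname_verified(host, POST_SAN_ARG)))
```

Run against the constructed list, the load-balancer-style names kungfu.nakinasys.local and bruce04 pass, while norris.nakinasys.local fails because the certificate only carries norris.nakinsys.local, and bruce04.nakinasys.local fails because it appears in the CN but not in the SAN list. That is the kind of mismatch a client reports when hostname verification stays enabled; adding the missing DNS entries to the -ext value addresses it without disabling the check.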