5 Replies Latest reply on Jul 7, 2014 2:49 PM by ssine

    <Security> <BEA-090482> <BAD_CERTIFICATE - Managed Servers' NodeMngr is unreachable


      Hi Guys,

      I'm trying to renew SSL certs (received from Verisign) in my Weblogic env., but it is failing with the below error message all the time


      <Jun 19, 2014 10:06:47 AM> <WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from ServerName - Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>

      What I did?

      Identkeystore is created (with its CSR)

      keytool -genkey -keyalg RSA -keysize 2048 -alias sslkey -dname "CN=ServerName,O=x,OU=x,C=x, L=x, ST=x" -validity 3650 -keystore IdentKeystore.jks

      Enter keystore password:

      Re-enter new password:

      Enter key password for <sslkey>

              (RETURN if same as keystore password):

      Re-enter new password:



      keytool -certreq -keyalg RSA -keysize 2048 -alias sslkey -sigalg MD5WithRSA -keystore IdentKeystore.jks -file NEWSSL.csr


      After that, I applied to Verisign and received my Digital ID Class 3 SSL Certificate


      I imported;

      - Intermediate Cert: "RSA Primary Intermediate CA Certificate" into IdentKeystore.jks and TrustKeystore.jks as intermediate Cert.

      - Root CA Cert: "Intermediate" into IdentKeystore and TrustKeystore as intermediate Cert. (from : https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1735)

      - sslkey : New/Procured SSL Cert into only IdentKeystore.jks file.

      - "RSA Primary Intermediate CA Certificate", "RSA Secondary Intermediate CA Certificate", "sslkey" and "Intermediate" into JAVA cacerts

      Edit both Nodemanager startup script and weblogic startup script and add following lines.


      Then, I edited startNodeManager.sh and startWeblogic.sh script

      1. Nodemanager startup script under $WLS_HOME/wlserver_10.3/server/bin

      Took a backup of startNodeManager.sh script and edit it


      JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false"

      export JAVA_OPTIONS


      Add it between the "export CLASSPATH" line and cd "${NODEMGR_HOME}" line as shown below


      export CLASSPATH

      export PATH

      JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false"

      export JAVA_OPTIONS

      cd "${NODEMGR_HOME}"



      2. Similarly take a backup of startWeblogic.sh script under $DOMAIN_HOME/bin and add following entry


      JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"

      export JAVA_OPTIONS


      Add it between the SAVE_CLASSPATH and trap 'stopAll' line as shown below





      JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"

      export JAVA_OPTIONS


      trap 'stopAll' 1 2 3 15


      Nodemanager.properties file index




      CustomIdentityKeyStorePassPhrase={3DES}bla bla bla


      CustomIdentityPrivateKeyPassPhrase={3DES}bla bla bla



      ListenAddress=           (right now it is empty here; I tried with the IP and the FQDN of the server, but it again failed with the same err. notification)





      And lastly, in Weblogic GUI, hostname verification is "NONE" for all Admin and Mngd Servers


      Any idea to resolve this issue?

      Also, maybe the Root CA is wrong; does anybody know where to download the Root CA of the Verisign Digital ID Class 3 SSL Certificate which is valid for RSA/SHA encryption?


      Thank you

        • 1. Re: <Security> <BEA-090482> <BAD_CERTIFICATE - Managed Servers' NodeMngr is unreachable

          First you need to check if the chaining of certificates in identity keystore is valid.


          Try the following command :


          java utils.ValidateCertChain -jks sslkey /opt/oracle/middleware/wlserver_10.3/server/lib/IdentKeystore.jks

          • 3. Re: <Security> <BEA-090482> <BAD_CERTIFICATE - Managed Servers' NodeMngr is unreachable

            [xxx]$ java utils.ValidateCertChain -jks sslkey /xxx/oracle/middleware/wlserver_10.3/server/lib/IdentKeystore_new_cert_june20.jks

            Cert[0]: CN=xxx,OU=xxx,O=xxx,L=xxx,ST=xxx,C=xxx

            Cert[1]: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US

            Cert[2]: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US

            Certificate chain appears valid

            [xxx]$ id

            uid=500(oracle) gid=502(oinstall) groups=500(dba),501(oper),502(oinstall)

            • 4. Re: <Security> <BEA-090482> <BAD_CERTIFICATE - Managed Servers' NodeMngr is unreachable



              Thanks for replies, after following the guide: Oracle DB and MW Blog: handlerjavax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert in Weblogic cluster


              but I got below error:

              <Jul 7, 2014 10:12:53 AM> <SEVERE> <Fatal error in node manager server>

              java.lang.RuntimeException: Cannot convert identity certificate

                at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)

                at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)

                at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)

                at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:144)

                at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)

                at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)

                at weblogic.nodemanager.server.NMServer.main(NMServer.java:377)

                at weblogic.NodeManager.main(NodeManager.java:31)


              then I followed this guide [ » WebLogic SSL configuration : Inconsistent security configuration Cannot convert identity certificate Online… and  SSL issue caused by stronger signature algorithms | Oralce Fusion Middleware] to overcome this but


              Then, I got below err. notification:


              <Jul 7, 2014 11:34:25 AM> <SEVERE> <Fatal error in node manager server>

              java.io.IOException: Unsupported cypher suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5

                at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:82)

                at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)

                at weblogic.nodemanager.server.NMServer.main(NMServer.java:377)

                at weblogic.NodeManager.main(NodeManager.java:31)


              And finally, to fix the latest issue seen as in above, I found below reply from [ OBIEE 11g ( - Issue with starting Node Manager ]


              There are Two types of Cipher suites --- Certicom Cipher Suite and SunJSSE Equivalent Cipher Suite. And with Weblogic 10.3.5, you are using Sun JSSE Cipher Suite, and by default Node Manager uses the Certicom Cipher Suite.


              In the nodemanager.properties, Add CipherSuite=SSL_RSA_EXPORT_WITH_RC4_40_MD5, save and restart Node Manager.

              Now, my nodemanager.properties file looks like this:














              • 5. Re: <Security> <BEA-090482> <BAD_CERTIFICATE - Managed Servers' NodeMngr is unreachable

                Guys, now having below error on Second Managed Server


                <Jul 7, 2014 12:31:47 PM> <WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?>

                javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?

                       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)

                       at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1429)

                       at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1397)

                       at com.sun.net.ssl.internal.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1336)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngine$7.run(JaSSLEngine.java:174)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:732)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngine.closeInbound(JaSSLEngine.java:172)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngineRunner$Context.fillBufferNetIn(JaSSLEngineRunner.java:337)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngineRunner$Transition_NeedUnwrap.getNextState(JaSSLEngineRunner.java:822)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngineRunner.doTransitions(JaSSLEngineRunner.java:763)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngineRunner.unwrap(JaSSLEngineRunner.java:1122)

                       at weblogic.security.SSL.jsseadapter.JaApplicationReadableByteChannel.read(JaApplicationReadableByteChannel.java:40)

                       at weblogic.security.SSL.jsseadapter.JaChannelInputStream.read(JaChannelInputStream.java:71)

                       at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:264)

                       at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:306)

                       at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:158)

                       at java.io.InputStreamReader.read(InputStreamReader.java:167)

                       at java.io.BufferedReader.fill(BufferedReader.java:136)

                       at java.io.BufferedReader.readLine(BufferedReader.java:299)

                       at java.io.BufferedReader.readLine(BufferedReader.java:362)

                       at weblogic.nodemanager.server.Handler.run(Handler.java:71)

                       at java.lang.Thread.run(Thread.java:662)


                I found below topic, is that the only way?

                SSL Exception within the Node Manager logs


                This is a known issue.

                Apply patch for BUG 13351178.


                Patches are available for WLS 1035 and 1036.

                Fixed Version : 12.1.2


                Does anybody know how to resolve this issue? (without applying patches, just tweaking)
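
The settings applied across the posts above (hostname verification switched off in both start scripts, an export-grade CipherSuite in nodemanager.properties, a CSR requested with MD5WithRSA) each weaken TLS between the Admin Server and Node Manager. The following is an added example, not part of any post in this thread: a POSIX shell check that flags those settings so they can be found and reverted once the certificate problem is fixed. The names audit_file, write_samples and audit_all are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag the TLS-weakening settings the
# posts apply. audit_file, write_samples and audit_all are hypothetical names.

# Print "file:line: finding" for each weak setting in one file.
audit_file() {
    awk -v f="$1" '
        /^[ \t]*#/ { next }                      # ignore comment lines
        /^[ \t]*CipherSuite[ \t]*=/ {            # nodemanager.properties entry
            suite = $0
            sub(/^[^=]*=[ \t]*/, "", suite); sub(/[ \t\r]+$/, "", suite)
            if (suite ~ /EXPORT|RC4|NULL|anon|_DES_|MD5$/)
                print f ":" NR ": weak cipher suite " suite
        }
        /-Dweblogic\.security\.SSL\.ignoreHostnameVerification=true/ { print f ":" NR ": server hostname verification disabled" }
        /-Dweblogic\.nodemanager\.sslHostNameVerificationEnabled=false/ { print f ":" NR ": Node Manager hostname verification disabled" }
        /-sigalg[ \t]+MD5[Ww]ithRSA/ { print f ":" NR ": CSR requested with an MD5 signature" }
    ' "$1"
}

# Constructed sample files modelled on the settings quoted in the thread.
write_samples() {
    dir=$1
    cat > "$dir/nodemanager.properties" <<'EOF'
# constructed sample
ListenAddress=
CipherSuite=SSL_RSA_EXPORT_WITH_RC4_40_MD5
EOF
    cat > "$dir/startNodeManager.sh" <<'EOF'
export CLASSPATH
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false"
export JAVA_OPTIONS
EOF
    cat > "$dir/hardened.properties" <<'EOF'
# constructed sample: a non-export AES suite
CipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA
EOF
}

# Audit every file given; return 1 if anything was flagged (usable as a gate).
audit_all() {
    findings=$(for p in "$@"; do audit_file "$p"; done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run audit_all against the real nodemanager.properties, startNodeManager.sh and startWeblogic.sh paths; a non-zero exit status means at least one of the workaround settings is still in place.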