5 Replies Latest reply on May 7, 2015 8:32 AM by 2679672

    Weblogic 10.0 - Certicom SSL - SHA256

    user11041072

      Hi All,

      We have a problem with our Weblogic 10.0 and SSL certificates with SHA256.

      It seems this Weblogic server version uses the Certicom SSL implementation, which does not trust certificates stronger than 128-bit, so stronger certificates are ignored.

      A workaround would be to enable JSSE SSL, but this is only possible from Weblogic 10.3.5 (and of course upgrading the WL server, which is the next step).

      Is there a solution to add JSSE (or solve somehow the SHA256 issue) in Weblogic 10.0?

      Thanks

        • 1. Re: Weblogic 10.0 - Certicom SSL - SHA256
          Puneeth-Oracle

          Weblogic Server implements Certicom SSL by default. We support the usage of JSSE from WLS 10.3.3 onwards, and Certicom is deprecated (i.e. we do support it, but we do not recommend its usage). For anything below WLS 10.3.2 (inclusive), the JVM JSSE stack workaround applies as an unsupported action only (so the option is not available in the console); we can set the following parameters to enable the Java SSL implementation instead of Certicom:

          -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
          -Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
          -DUseSunHttpHandler=true
          -Dweblogic.wsee.client.ssl.usejdk=true (for webservice clients)

          Add the above parameters as a java option and then start the server.

          Check if it helps.

          -- Puneeth

          • 2. Re: Weblogic 10.0 - Certicom SSL - SHA256
            user11041072

            Hi Puneeth,

            Thanks for the answer. Actually I found these options myself too and added them as java options; they show up when the weblogic starts, but when the cacerts (which contains the SHA256 certificate) is loaded, the error is still there:

            <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11>

            I should mention that BEA jrockit_150_11 is used as java_home. Maybe because of this the above settings are not taken into consideration? Should it be some Sun JDK for the settings to work?

            Regards

            • 3. Re: Weblogic 10.0 - Certicom SSL - SHA256
              Puneeth-Oracle

              No it is not specific to JRockit / Sun JDK.

              If you are not using SHA2 certificates for any kind of SSL communication, then we can apply a patch which will make Weblogic ignore the SHA2 certificate.

              From the above error trace I believe your WLS is going down due to the SHA2 certificates.

              There are two ways we can fix this issue:

              - remove the sha2 certificates from cacerts

              - or apply the patch

              Check: SHA2 Certificate Throws Log Message "Ignoring The Trusted CA Certificate" (Doc ID 1538488.1)
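To see which cacerts entries the first option above ("remove the sha2 certificates") would have to touch, it helps to read the signature AlgorithmIdentifier that the BEA-000297 error complains about directly from each certificate. The following is an added example, not code from this thread or from Oracle; it assumes the certificates have been exported from the truststore as DER (for example with keytool -exportcert and base64-decoding its -rfc output), and the sample "certificate" it builds is a constructed stand-in, not a real one.

```python
"""Extract the signatureAlgorithm OID from a DER X.509 certificate with a minimal ASN.1 walker."""

SIG_OIDS = {                                    # RFC 3279/4055 RSA signature OIDs
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",   # the OID in the BEA-000297 error
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn OBJECT IDENTIFIER content octets into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                        # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """OID of Certificate.signatureAlgorithm, the second element of the outer SEQUENCE."""
    tag, body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate is a SEQUENCE"
    _, _, after_tbs = read_tlv(body, 0)         # skip tbsCertificate
    _, alg_id, _ = read_tlv(body, after_tbs)    # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    tag, oid, _ = read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier starts with an OID"
    return decode_oid(oid)

def is_sha2_signed(cert_der):
    """True when the certificate carries one of the SHA-2 RSA signature OIDs above."""
    return SIG_OIDS.get(signature_oid(cert_der), "").startswith(("sha256", "sha384", "sha512"))

def fake_cert(oid_der):
    """Constructed test input, not a real certificate: empty tbs, AlgorithmIdentifier {oid, NULL}, empty BIT STRING."""
    alg_id = b"\x30" + bytes([len(oid_der) + 2]) + oid_der + b"\x05\x00"
    body = b"\x30\x00" + alg_id + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body

SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # DER of 1.2.840.113549.1.1.11
SHA1_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"     # DER of 1.2.840.113549.1.1.5
```

Run signature_oid over each exported certificate and the entries reporting a SHA-2 OID are the ones the old Certicom stack cannot parse.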

              • 4. Re: Weblogic 10.0 - Certicom SSL - SHA256
                user11041072

                Thanks for these.

                The actual problem is that we do need the SHA2 certificates for SSL communication (some external clients/partners just changed their certificates, and the new ones use SHA2).

                Will the patch you mentioned resolve the SSL communication with the SHA2 certificates, or will it just suppress the errors/warnings?

                Googling around for the patch I found that it is for WebLogic Server 10.3.3, while we have 10.0 MP1. Will it work for us too?

                Or is the only solution the WLS upgrade? (Which we will do anyway; we are just trying to find a short-term solution until the upgrade.)

                Regards

                • 5. Re: Weblogic 10.0 - Certicom SSL - SHA256
                  2679672

                  Hi,

                  Did you find any other solution to fix this issue other than migrating to wlp10.3.3+ versions?