WebLogic Server by default implements Certicom SSL. We support the usage of JSSE from WLS 10.3.3 onwards, and Certicom is deprecated (i.e. we do support it, but we do not recommend its usage). For anything at WLS 10.3.2 or below (inclusive), the JVM JSSE stack workaround applies as an unsupported action only (thus the option is not available in the console); we can set the following parameters to enable the Java SSL implementation instead of Certicom:
-Dweblogic.wsee.client.ssl.usejdk=true (for webservice clients)
Add the above parameters as Java options and then start the server.
Check if it helps.
Thanks for the answer. Actually I found these options myself too, added them as Java options, and they show up when WebLogic starts, but when the cacerts (which contains the SHA256 certificate) is loaded, the error is still there:
"<Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.1135188.8.131.52>"
I should mention that BEA jrockit_150_11 is used as java_home. Maybe because of this the above settings are not taken into consideration? Should it be some Sun JDK for the settings to work?
No it is not specific to JRockit / Sun JDK.
If you are not using SHA2 certificates for any kind of SSL communication, then we can apply a patch which will make WebLogic ignore the SHA2 certificate.
From the above error trace I believe your wls is going down due to the SHA2 certificates.
There are two ways we can fix this issue:
- remove the sha2 certificates from cacerts
- or apply the patch
Check: SHA2 Certificate Throws Log Message "Ignoring The Trusted CA Certificate" (Doc ID 1538488.1)
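To find which cacerts entries are the SHA2-signed ones the reply above is talking about, here is an added example (not code from this thread, from Oracle, or from the WebLogic product): a small Python script that reads the signatureAlgorithm OID out of a DER certificate, such as one exported from the keystore with keytool, and flags the SHA-2 ones. The OID table is real; constructed_cert() builds a constructed stand-in with the right DER shape for testing, not a real certificate.

```python
"""Read the signatureAlgorithm OID of a DER X.509 certificate and flag the
SHA-2 signed ones, i.e. the cacerts entries an old Certicom stack rejects."""
SIG_OIDS = {  # signatureAlgorithm OIDs -> (digest family, name)
    "1.2.840.113549.1.1.5": ("legacy", "sha1WithRSAEncryption"),
    "1.2.840.113549.1.1.11": ("sha2", "sha256WithRSAEncryption"),
    "1.2.840.113549.1.1.12": ("sha2", "sha384WithRSAEncryption"),
    "1.2.840.113549.1.1.13": ("sha2", "sha512WithRSAEncryption"),
    "1.2.840.10045.4.3.2": ("sha2", "ecdsa-with-SHA256"),
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn OID content octets (first byte packs two arcs, rest base-128) into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, cert, _ = _read_tlv(der, 0)
    _, _, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)         # signatureAlgorithm (AlgorithmIdentifier)
    oid_tag, oid, _ = _read_tlv(alg, 0)      # its first element is the OID
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER certificate with an OID AlgorithmIdentifier")
    return _decode_oid(oid)

def classify(der):
    """Return (family, name); 'sha2' entries are the ones the reply suggests removing."""
    oid = signature_oid(der)
    return SIG_OIDS.get(oid, ("unknown", oid))

_tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths suffice here

def constructed_cert(sig_oid_hex):
    """Constructed stand-in, not a real certificate: placeholder tbsCertificate,
    genuine AlgorithmIdentifier (OID given as DER hex), dummy BIT STRING signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(sig_oid_hex)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\xaa" * 4))
```

Run classify() over the bytes of each exported certificate file; anything reported as "sha2" is an entry the Certicom stack on WLS 10.0 will choke on when cacerts is loaded.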
Thanks for these.
The actual problem is that we do need the SHA2 certificates for SSL communication (some external clients/partners just changed their certificates, and the new ones use SHA2).
Will the patch you mentioned resolve the SSL communication with the SHA2 certificates, or will it just suppress the errors/warnings?
Googling around for the patch, I found that it is for WebLogic Server 10.3.3, while we have 10.0 MP1. Will it work for us too?
Or the only solution is the wls upgrade? (which we will do anyway, just we are trying to find a short-term solution till the upgrade).
Did you find any other solution to fix this issue other than migrating to WLS 10.3.3+ versions?