Configure Nodemanager for SSL: - nodemanager error — Oracle Analytics

makin Rank 3 - Community Apprentice

Hi,

I'm trying to configure nodemanager for SSL (as part of the entire SSL configuration) in OBIEE 11g.  Here are the steps I have followed:

1. Stop the Nodemanager service
2. Update the nodemanager.properties in <MW_HOME>\wlserver_10.3\common\nodemanager folder with Custom Identity Keystore and Custom Trust Keystore information based on Step 1.

KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=<Path to the Keystore>
CustomIdentityAlias=<Keystore Alias>
CustomIdentityPrivateKeyPassPhrase=<Key Passphrase>
CustomTrustKeyStoreFileName=<Path to the Keystore>

Ex:
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=c:\\Oracle\\Middleware\\ssl\\mykeystore.jks
CustomIdentityAlias=testserver
CustomIdentityPrivateKeyPassPhrase=Welcome1
CustomTrustKeyStoreFileName=c:\\Oracle\\Middleware\\ssl\\keystore.jks

My actual changes:

KeyStores=CustomIdentityAndCustomTrust

CustomIdentityKeyStoreFileName=D\:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks

CustomIdentityAlias=rnadbi

CustomIdentityPrivateKeyPassPhrase={3DES}tr4UdwfKpKGCyZrfDn7Myw==

CustomTrustKeyStoreFileName=D\:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks

I also changed:

ListenPort=9556

to

ListenPort=5556

3. Restart the NodeManager.

I cannot restart the nodemanager.  Here is the log:

<May 19, 2016 4:38:09 PM> <INFO> <Loading domains file: D:\oramw\wlserver_10.3\common\nodemanager\nodemanager.domains>

<May 19, 2016 4:38:11 PM> <INFO> <Loading identity key store: FileName=D:\oramw\user_projects\domains\bifoundation_domain\mykeystore.jks, Type=jks, PassPhraseUsed=false>

<May 19, 2016 4:38:11 PM> <INFO> <Loaded node manager configuration properties from 'D:\oramw\WLSERV~1.3\common\nodemanager\nodemanager.properties'>

<May 19, 2016 4:38:11 PM> <INFO> <bifoundation_domain> <bi_server1> <Startup configuration properties loaded from "D:\oramw\user_projects\domains\bifoundation_domain\servers\bi_server1\data\nodemanager\startup.properties">

<May 19, 2016 4:38:11 PM> <WARNING> <Configuration error while reading domain directory: D:\oramw\user_projects\domains\bifoundation_domain>

java.io.IOException: Invalid state file format. State file contents:

  at weblogic.nodemanager.common.StateInfo.load(StateInfo.java:135)

  at weblogic.nodemanager.server.AbstractServerMonitor.loadStateInfo(AbstractServerMonitor.java:497)

  at weblogic.nodemanager.server.AbstractServerMonitor.isCleanupAfterCrashNeeded(AbstractServerMonitor.java:156)

  at weblogic.nodemanager.server.ServerMonitor.isCleanupAfterCrashNeeded(ServerMonitor.java:25)

  at weblogic.nodemanager.server.AbstractServerManager.recoverServer(AbstractServerManager.java:147)

  at weblogic.nodemanager.server.ServerManager.recoverServer(ServerManager.java:23)

  at weblogic.nodemanager.server.DomainManager.initialize(DomainManager.java:105)

  at weblogic.nodemanager.server.DomainManager.<init>(DomainManager.java:60)

  at weblogic.nodemanager.server.NMServer.initDomains(NMServer.java:225)

  at weblogic.nodemanager.server.NMServer.start(NMServer.java:197)

  at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)

  at weblogic.NodeManager.main(NodeManager.java:31)

<May 19, 2016 4:38:12 PM> <SEVERE> <Fatal error in node manager server>

java.lang.RuntimeException: Cannot convert identity certificate

  at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)

  at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)

  at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)

  at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)

  at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)

  at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)

  at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)

  at weblogic.NodeManager.main(NodeManager.java:31)

----------------------------------------

I also added this:

JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"

to the end of the startNodeManager.sh

I have been researching and reading blogs for a few days to no avail.  If you have a suggestion, I'd be happy to try it or change any of my settings.  I appreciate the time you are taking to assist!

Answers

  • handat
    handat Rank 5 - Community Champion
    My actual changes:
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeyStoreFileName=D\:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks
    CustomIdentityAlias=rnadbi
    CustomIdentityPrivateKeyPassPhrase={3DES}tr4UdwfKpKGCyZrfDn7Myw==
    CustomTrustKeyStoreFileName=D\:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks
    

    Two things are wrong. It is D:\\, not D\:\\

    Also, you need to provide the plain text password, not the encrypted password.

  • makin
    makin Rank 3 - Community Apprentice

    Thanks!  I changed the D\:\\ to the D:\\  (I was following the format of the file path the script had used for the log file).  I also typed in the actual password and not the encrypted password and saved.  But when I open it back up to copy and paste here, it is encrypted in the script.  However, I still get errors.

    KeyStores=CustomIdentityAndCustomTrust

    CustomIdentityKeyStoreFileName=D:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks

    CustomIdentityAlias=rnadbi

    CustomIdentityPrivateKeyPassPhrase={3DES}tr4UdwfKpKGCyZrfDn7Myw==

    CustomTrustKeyStoreFileName=D:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks

    nodemanager.log:

    <May 20, 2016 8:53:36 AM> <INFO> <Loading domains file: D:\oramw\wlserver_10.3\common\nodemanager\nodemanager.domains>

    <May 20, 2016 8:53:38 AM> <INFO> <Loading identity key store: FileName=D:\oramw\user_projects\domains\bifoundation_domain\mykeystore.jks, Type=jks, PassPhraseUsed=false>

    <May 20, 2016 8:53:38 AM> <INFO> <Loaded node manager configuration properties from 'D:\oramw\WLSERV~1.3\common\nodemanager\nodemanager.properties'>

    <May 20, 2016 8:53:38 AM> <INFO> <Upgrade> <Encrypting node manager property: CustomIdentityPrivateKeyPassPhrase>

    <May 20, 2016 8:53:38 AM> <INFO> <Upgrade> <Saving upgraded node manager properties to 'D:\oramw\wlserver_10.3\common\nodemanager\nodemanager.properties'>

    <May 20, 2016 8:53:38 AM> <INFO> <bifoundation_domain> <bi_server1> <Startup configuration properties loaded from "D:\oramw\user_projects\domains\bifoundation_domain\servers\bi_server1\data\nodemanager\startup.properties">

    <May 20, 2016 8:53:38 AM> <WARNING> <Configuration error while reading domain directory: D:\oramw\user_projects\domains\bifoundation_domain>

    java.io.IOException: Invalid state file format. State file contents:

      at weblogic.nodemanager.common.StateInfo.load(StateInfo.java:135)

      at weblogic.nodemanager.server.AbstractServerMonitor.loadStateInfo(AbstractServerMonitor.java:497)

      at weblogic.nodemanager.server.AbstractServerMonitor.isCleanupAfterCrashNeeded(AbstractServerMonitor.java:156)

      at weblogic.nodemanager.server.ServerMonitor.isCleanupAfterCrashNeeded(ServerMonitor.java:25)

      at weblogic.nodemanager.server.AbstractServerManager.recoverServer(AbstractServerManager.java:147)

      at weblogic.nodemanager.server.ServerManager.recoverServer(ServerManager.java:23)

      at weblogic.nodemanager.server.DomainManager.initialize(DomainManager.java:105)

      at weblogic.nodemanager.server.DomainManager.<init>(DomainManager.java:60)

      at weblogic.nodemanager.server.NMServer.initDomains(NMServer.java:225)

      at weblogic.nodemanager.server.NMServer.start(NMServer.java:197)

      at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)

      at weblogic.NodeManager.main(NodeManager.java:31)

    <May 20, 2016 8:53:39 AM> <SEVERE> <Fatal error in node manager server>

    java.lang.RuntimeException: Cannot convert identity certificate

      at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)

      at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)

      at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)

      at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)

      at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)

      at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)

      at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)

      at weblogic.NodeManager.main(NodeManager.java:31)
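
The keystore path spellings from this thread, run through the backslash-escape rules of Java's `.properties` format. This is an added example, not code from the thread or from Oracle; it assumes nodemanager.properties is read with java.util.Properties, `decode_property_value` is a hypothetical helper that covers value escapes only (no key parsing, comments or line continuation), and the single-backslash path is constructed.

```python
import re

# Keystore path spellings seen in the thread, plus a single-backslash variant
# (the third value is constructed for this example).
ESCAPED_COLON = r"D\:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks"
PLAIN_COLON = r"D:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks"
SINGLE_BACKSLASH = r"D:\oramw\user_projects\domains\bifoundation_domain\mykeystore.jks"

def decode_property_value(raw):
    """Apply the backslash-escape rules of java.util.Properties.load() to one value."""
    simple = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        # A trailing backslash (line continuation) is out of scope here.
        if ch != "\\" or i + 1 == len(raw):
            out.append(ch)
            i += 1
            continue
        esc = raw[i + 1]
        if esc == "u":
            digits = raw[i + 2:i + 6]
            if not re.fullmatch(r"[0-9A-Fa-f]{4}", digits):
                # Java throws IllegalArgumentException at this point.
                raise ValueError("malformed \\uXXXX escape at offset %d" % i)
            out.append(chr(int(digits, 16)))
            i += 6
        else:
            # \t \n \r \f become control characters; for anything else
            # (including \: and \\) the backslash is simply dropped.
            out.append(simple.get(esc, esc))
            i += 2
    return "".join(out)

def describe(raw):
    """Return the decoded value, or an ERROR string if decoding fails."""
    try:
        return decode_property_value(raw)
    except ValueError as exc:
        return "ERROR: %s" % exc

if __name__ == "__main__":
    for value in (ESCAPED_COLON, PLAIN_COLON, SINGLE_BACKSLASH):
        print(value, "->", describe(value))
```

Both double-backslash spellings decode to the path reported in the `Loading identity key store` log line, while the single-backslash form fails on `\user_projects`.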

  • handat
    handat Rank 5 - Community Champion

    Your passphrase got automatically encrypted, so that is ok. However, you have two problems that need to be resolved. It is complaining about an invalid state file. Remove it. It's a file with a .state extension in your nodemanager directory. The second problem is your certificate. You need to include the intermediate CA certificate in your keystore. Import it as well.
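
One way to check the chain stored with the identity alias, as an added example that is not part of the thread: it parses `keytool -list -v` output and reports which issuer, if any, is absent from the key entry's own chain. `inspect_identity`, the alias names and the sample output are constructed for illustration.

```python
import re

# Constructed sample of `keytool -list -v -keystore <file>` output (not from
# the thread): the leaf sits alone in the key entry, and the issuing CA was
# imported under its own alias, so it is a separate trustedCertEntry.
SAMPLE = """\
Alias name: nmidentity
Creation date: May 18, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=bi.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example

Alias name: issuingca
Creation date: May 18, 2016
Entry type: trustedCertEntry

Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""

def inspect_identity(keytool_output, alias):
    """Summarise the chain stored with `alias` (the CustomIdentityAlias entry)."""
    for block in re.split(r"(?m)^Alias name: ", keytool_output)[1:]:
        name, _, body = block.partition("\n")
        if name.strip() != alias:
            continue
        entry_type = re.search(r"(?m)^Entry type: (\S+)", body).group(1)
        owners = re.findall(r"(?m)^Owner: (.+)$", body)
        issuers = re.findall(r"(?m)^Issuer: (.+)$", body)
        # Each certificate must be issued by the next one in the same entry.
        linked = all(issuers[i] == owners[i + 1] for i in range(len(owners) - 1))
        # A chain that ends in a self-signed root has no missing issuer.
        missing = None
        if issuers and issuers[-1] != owners[-1]:
            missing = issuers[-1]
        return {"entry_type": entry_type, "chain": owners,
                "linked": linked, "missing_issuer": missing}
    return None  # alias not present in the listing

if __name__ == "__main__":
    print(inspect_identity(SAMPLE, "nmidentity"))
```

A certificate imported under its own alias is a separate `trustedCertEntry` and does not lengthen the chain of the `PrivateKeyEntry`, which is why the sample reports a chain of one with the issuing CA missing.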

  • makin
    makin Rank 3 - Community Apprentice

    Thank you!  I appreciate your expertise!  I was able to remove the .state file and that error is gone.  I've been looking at my intermediate certificates (I have 2) and I believe they are loaded into the keystore and chained correctly.

    keystoreload.PNG

    keystorechain.PNG

    I do actually have a smaller log file now.  YAY!  I am still researching and trying different changes, but if anyone has suggestions they are welcomed and appreciated!

    nodemanager.log

    May 23, 2016 3:44:21 PM> <INFO> <Loading domains file: D:\oramw\wlserver_10.3\common\nodemanager\nodemanager.domains>

    <May 23, 2016 3:44:22 PM> <INFO> <Loading identity key store: FileName=D:\oramw\user_projects\domains\bifoundation_domain\mykeystore.jks, Type=jks, PassPhraseUsed=false>

    <May 23, 2016 3:44:22 PM> <INFO> <Loaded node manager configuration properties from 'D:\oramw\WLSERV~1.3\common\nodemanager\nodemanager.properties'>

    <May 23, 2016 3:44:22 PM> <INFO> <bifoundation_domain> <bi_server1> <Startup configuration properties loaded from "D:\oramw\user_projects\domains\bifoundation_domain\servers\bi_server1\data\nodemanager\startup.properties">

    <May 23, 2016 3:44:23 PM> <SEVERE> <Fatal error in node manager server>

    java.lang.RuntimeException: Cannot convert identity certificate

      at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)

      at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)

      at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)

      at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)

      at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)

      at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)

      at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)

      at weblogic.NodeManager.main(NodeManager.java:31)

  • handat
    handat Rank 5 - Community Champion

    You are still using the certicom classes for ssl. That could be the problem. Try adding the following: -Dweblogic.ssl.JSSEEnabled=true

  • makin
    makin Rank 3 - Community Apprentice

    I am very slowly getting somewhere, I think.  I believe I added the -Dweblogic.ssl.JSSEEnabled=true to the correct spot. 

    Now, I start the nodemanager using the startnodemanager.cmd and I get the following:

    <May 25, 2016 11:59:32 AM> <INFO> <Loading domains file: D:\oramw\wlserver_10.3\common\nodemanager\nodemanager.domains>

    <May 25, 2016 11:59:34 AM> <INFO> <Loading identity key store: FileName=D:\oramw\user_projects\domains\bifoundation_domain\mykeystore.jks, Type=jks, PassPhraseUsed=false>

    <May 25, 2016 11:59:34 AM> <INFO> <Loaded node manager configuration properties from 'D:\oramw\WLSERV~1.3\common\NODEMA~1\nodemanager.properties'>

    <May 25, 2016 11:59:34 AM> <INFO> <bifoundation_domain> <bi_server1> <Startup configuration properties loaded from "D:\oramw\user_projects\domains\bifoundation_domain\servers\bi_server1\data\nodemanager\startup.properties">

    <May 25, 2016 11:59:35 AM> <INFO> <Secure socket listener started on port 5556>

    <May 25, 2016 12:00:38 PM> <WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLHandshakeException: no cipher suites in common>

    javax.net.ssl.SSLHandshakeException: no cipher suites in common

      at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1348)

      at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519)

      at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)

      at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1169)

    This is what I see in the monitoring of the Node Manager Status in the WLS:

    nodemanagermonitor.PNG

  • handat
    handat Rank 5 - Community Champion
    <May 25, 2016 12:00:38 PM> <WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLHandshakeException: no cipher suites in common>
    

    That's your current problem. Which JDK are you using? Do you maybe have two different JDKs installed with different versions?