OBIEE 12c: NodeManager fails to start with "Key store identity alias does not contain a certificate" — Oracle Analytics

OracleUser_PQM2U Rank 1 - Community Starter

Hello,

We are following Doc ID 2188982.1 in order to configure SSL communication for OBIEE 12c, but when attempting to start the NodeManager, it doesn't start. The log shows the following error:

<23 déc. 2019 10 h 31 CET> <INFO> <Loading domains file: D:\APPS\Oracle\OBIEE_HYBDXX02\user_projects\domains\hybdxx02_bifoundation_domain\nodemanager\nodemanager.domains>
<23 déc. 2019 10 h 31 CET> <INFO> <Loading identity key store: FileName=D:\APPS\Oracle\OBIEE_HYBDXX02\ssl\int1_answers_caa_group_gca.jks, Type=jks, PassPhraseUsed=false>
<23 déc. 2019 10 h 31 CET> <SEVERE> <Fatal error in NodeManager server>
weblogic.nodemanager.common.ConfigException: Key store identity alias does not contain a certificate chain: int1_answers_caa_group_gca
            at weblogic.nodemanager.server.SSLConfig.loadKeyStoreConfig(SSLConfig.java:239)
            at weblogic.nodemanager.server.SSLConfig.access$000(SSLConfig.java:33)

Could you please help us to fix this issue?

Thank you in advance for your help

Answers

  • [Deleted User] Rank 2 - Community Beginner

    Did you check whether "int1_answers_caa_group_gca.jks" really contains a key? And is it called "int1_answers_caa_group_gca" as the alias?

  • OracleUser_PQM2U Rank 1 - Community Starter

    Yes, "int1_answers_caa_group_gca.jks" already contains a key, see below:

    keytool -list -keystore int1_answers_caa_group_gca.jks


    Keystore type: PKCS12
    Keystore provider: SUN

    Your keystore contains 3 entries

    int1_answers_caa_group_gca, 20 déc. 2019, PrivateKeyEntry,
    Certificate fingerprint (SHA1): DE:19:46:7C:F0:7E:B1:56:79:E6:C8:1C:AC:3C:42:7D:DD:0F:30:DF
    mycacert, 23 déc. 2019, trustedCertEntry,
    Certificate fingerprint (SHA1): C3:A1:92:0A:24:2E:3E:6B:68:A4:23:C4:8B:20:A1:73:45:1E:91:6F
    interca, 23 déc. 2019, trustedCertEntry,
    Certificate fingerprint (SHA1): 68:1A:0F:7D:0A:C4:A2:E7:6A:B0:8C:06:EB:B5:7E:CA:3B:2A:D3:40

    Thank you for your reply

  • [Deleted User] Rank 2 - Community Beginner

    Does it contain the chain up to the root? Impossible to say with just the fingerprint.

    Impossible to say with just a -list without -v.

  • OracleUser_PQM2U Rank 1 - Community Starter

    Yes

    keytool -list -v -keystore int1_answers_caa_group_gca.jks


    Enter keystore password:
    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: int1_answers_caa_group_gca
    Creation date: 23 déc. 2019
    Entry type: PrivateKeyEntry
    Certificate chain length: 3
    Certificate[1]:
    Owner: CN=int1_ans......, OU=ca, OU=....., OU=Private Group PKI, O=...., C=....
    Issuer: CN=....., OU=0002 784608416, OU=Private Group PKI, O=......, C=...
    Serial number: b90d1172ad11408caefd473f
    Valid from: Thu Dec 05 15:31:54 CET 2019 until: Mon Dec 04 15:32:54 CET 2023
    Certificate fingerprints:
             MD5:  E9:07:17:87:E1:F9:6E:B0:EB:8E:CA:C9:AD:1C:D7:3F
             SHA1: DE:19:46:7C:F0:7E:B1:56:79:E6:C8:1C:AC:3C:42:7D:DD:0F:30:DF
             SHA256: CC:2E:F7:4F:4C:33:6B:B6:6F:2F:7F:38:55:70:D0:C1:47:13:D5:5E:D8:DE:F6:E7:1A:3F:E2:39:AA:B6:A3:F7
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3

    Extensions:

    #1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
      [
       accessMethod: caIssuers
       accessLocation: URIName:
    ,
       accessMethod: ocsp
       accessLocation: URIName:
    ]
    ]

    #2: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 94 F9 7A 6B CB 4F 97 63   61 81 05 23 6A C8 19 2F  ..zk.O.ca..#j../
    0010: BE 0B 79 EC                                        ..y.
    ]
    ]

    #3: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
      [DistributionPoint:
         [URIName: ]
    ]]

    #4: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
      [CertificatePolicyId: [1.2.250.1.316.1.1.6.1]
    []  ]
    ]

    #5: ObjectId: 2.5.29.37 Criticality=true
    ExtendedKeyUsages [
      clientAuth
      serverAuth
    ]

    #6: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Key_Encipherment
    ]

    #7: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
      DNSName: int1.answers.caa.group.gca
    ]

    #8: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 9B 17 2B 2B 38 0C 3C 3D   86 A5 AF 22 79 B4 57 69  ..++8.<=..."y.Wi
    0010: B7 D1 48 F5                                        ..H.
    ]
    ]

    Certificate[2]:
    Owner: CN=CA ...., OU=0002 784608416, OU=Private Group PKI, O=...., C=FR
    Issuer: CN=RCA ....., OU=0002 784608416, OU=Private Group PKI, O=...., C=FR
    Serial number: 1120b61e37c12e9c8d5a9f77552e810db73c
    Valid from: Tue Feb 24 01:00:00 CET 2015 until: Wed Feb 24 01:00:00 CET 2027
    Certificate fingerprints:
             MD5:  99:4F:10:19:99:C3:B5:36:35:E0:D5:CE:3F:51:5C:9A
             SHA1: 68:1A:0F:7D:0A:C4:A2:E7:6A:B0:8C:06:EB:B5:7E:CA:3B:2A:D3:40
             SHA256: 1D:C5:2B:42:9B:E1:C6:66:44:E6:C4:DC:71:2E:99:DA:B7:B7:F7:10:F5:E3:B0:CE:D8:04:AC:94:B9:E8:FA:46
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: FD 82 8C 94 B2 AD F3 DD   85 21 5A 79 05 86 CF 77  .........!Zy...w
    0010: 85 65 2F 63                                        .e/c
    ]
    ]

    #2: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen:0
    ]

    #3: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
      [DistributionPoint:
         [URIName: ]
    ]]

    #4: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
      [CertificatePolicyId: [2.5.29.32.0]
    []  ]
    ]

    #5: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      Key_CertSign
      Crl_Sign
    ]

    #6: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 94 F9 7A 6B CB 4F 97 63   61 81 05 23 6A C8 19 2F  ..zk.O.ca..#j../
    0010: BE 0B 79 EC                                        ..y.
    ]
    ]

    Certificate[3]:
    Owner: CN=RCA , OU=0002 784608416, OU=Private Group PKI, O=...., C=...
    Issuer: CN=RCA .... , OU=0002 784608416, OU=Private Group PKI, O=....., C=...
    Serial number: 11200e177bff2b10aeb99cd9a59347a3b397
    Valid from: Tue Feb 24 01:00:00 CET 2015 until: Fri Feb 24 01:00:00 CET 2045
    Certificate fingerprints:
             MD5:  2B:E4:CB:46:8F:CE:54:5C:DC:54:8D:01:7A:76:5D:A9
             SHA1: C3:A1:92:0A:24:2E:3E:6B:68:A4:23:C4:8B:20:A1:73:45:1E:91:6F
             SHA256: 58:1C:84:90:0D:1B:F4:4C:B2:7A:B2:8E:ED:79:39:D7:36:B0:85:73:D2:76:C2:84:23:7C:61:63:6D:8E:F9:D5
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 4096-bit RSA key
    Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: FD 82 8C 94 B2 AD F3 DD   85 21 5A 79 05 86 CF 77  .........!Zy...w
    0010: 85 65 2F 63                                        .e/c
    ]
    ]

    #2: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]

    #3: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      Key_CertSign
      Crl_Sign
    ]

    #4: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: FD 82 8C 94 B2 AD F3 DD   85 21 5A 79 05 86 CF 77  .........!Zy...w
    0010: 85 65 2F 63                                        .e/c
    ]
    ]

    *******************************************
    *******************************************

    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore int1_answers_caa_group_gca.jks -destkeystore int1_answers_caa_group_gca.jks -deststoretype pkcs12".

  • Shams Abbasi Rank 5 - Community Champion

    Did you get a fix for this issue?
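
The check asked for in the thread (is the identity alias a PrivateKeyEntry whose chain runs up to a self-signed root), as an added example that is not part of the original posts: a small Python parser for English-locale `keytool -list -v` output. The sample text and the alias names `server_identity` and `rootca` are constructed, and the chain test compares Owner/Issuer names only.

```python
# Constructed sample shaped like English `keytool -list -v` output; all names are made up.
SAMPLE = """\
Alias name: server_identity
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=app.example.test
Issuer: CN=Example Issuing CA
Certificate[2]:
Owner: CN=Example Issuing CA
Issuer: CN=Example Root CA
Certificate[3]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
"""

def parse_entries(text):
    """Map each alias to its entry type and its (owner, issuer) pairs, in order."""
    entries, cur, owner = {}, None, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "Alias name":
            cur = entries.setdefault(val, {"type": None, "certs": []})
        elif cur is not None and key == "Entry type":
            cur["type"] = val
        elif key == "Owner":
            owner = val
        elif cur is not None and key == "Issuer" and owner is not None:
            cur["certs"].append((owner, val))
    return entries

def check_identity(text, alias):
    """Reasons `alias` fails as identity entry ([] = none); names only, no signature check."""
    e = parse_entries(text).get(alias)
    if e is None:
        return ["alias not found"]
    problems, certs = [], e["certs"]
    if e["type"] != "PrivateKeyEntry":
        problems.append(f"entry is {e['type']}, not PrivateKeyEntry")
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:
            problems.append(f"chain breaks after certificate {i + 1}")
    if not certs or certs[-1][0] != certs[-1][1]:
        problems.append("chain is empty or does not end in a self-signed root")
    return problems
```

Feed it the saved output of `keytool -list -v -keystore <file>` together with the alias the NodeManager configuration names; redacted Owner/Issuer strings, as in the listing above, will naturally show up as chain breaks.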