Thanks for your response.
In response to your questions:
1. Are you using any custom trust store for your adminserver?
Yes, we are pointing to a custom trust store and keystore (containing ca-2, ca-27) in the admin server. So under the settings for keystore and SSL we have pointed to our custom certs.
I don't see the entry for demo trust store being loaded in admin server logs anywhere.
Then you need to import the below root certificate to your custom keystore or configure admin server to use the Demo Certificates and check it.
Alias name: wlscertgencab
Creation date: Jan 25, 2003
Entry type: trustedCertEntry
Owner: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Serial number: 234b5559d1fa0f3ff5c82bdfed032a87
Valid from: Thu Oct 24 21:24:45 IST 2002 until: Tue Oct 25 21:24:45 IST 2022
Signature algorithm name: MD5withRSA
So I changed admin server to demo cert setting in weblogic console. It does make my node manager reachable now.
But this just shows that my node manager is loading the demo cert and that's why this is working, and instead we want to use the custom cert everywhere.
If you want to use the custom certificate everywhere, then figure out why in your case NodeManager is unable to load the custom identity & trust keystore but is using the default keystore.
You can cross check the nodemanager.properties again and also turn on the FINEST level debug for your NodeManager by setting LogLevel=FINEST in the properties file.
SSL Requirements for the Node Manager
Yes, I am trying to figure out where I messed up.
Do you think it can be a problem if the custom identity and truststore certs are the same for SSL?
Why do you want to have the same certs on both the stores?
However, we can have the same name for both the keystores, but you can't have the same cert in both the stores.
Identity Keystore contains the server certificates
Trust Keystore contains the root CA certificates.
The reason I asked was the cert part was done by someone else and I don't have a good knowledge of that. But when I noticed that same cert is used for identity and trust it made me in doubt that maybe that is the reason for all this failing.
So now I am thinking of generating two self-signed certs, one for identity and one for trust, and testing. This way I will know that it's really the cert issue. The only thing I am not sure of is how to generate those certs. If you know of a good reference that I can follow which has exact commands, then I can try to test it this way before we go on changing our original certs and requesting from CAs.
You can check the below blog
The admin servers and the managed servers have all been configured to use SSL; however, it is the nodemanager that is not connecting to the Admin Server because the node manager is still loading the demo certificate.
The settings in the nodemanager.properties file where I have set the custom keystore settings don't seem to get the node manager to load the custom keystore.
How do you change the node manager settings so that it'll use the custom keystore?
You can check the below blog for the properties that need to be changed in your nodemanager.
Moreover, you can cross-check whether you are using the correct nodemanager home for your domain in case the demo certificates are still getting loaded.
When you said "Moreover,you can cross check if you are using the correct nodemanger home for your domain in case of the demo certificates still getting loaded". What do you mean?
The nodemanager.properties files that I am adding the properties for cert is under \Oracle\middleware\wlserver_10.3\common\nodemanager.... nodemanager.properties.
I just found another nodemanager folder under \Oracle\middleware\user_projects\domains\idam\config\nodemanager
Am I supposed to do anything in the second folder under domains for the SSL setting for nodemanager?
Nope, that folder contains the nm_password.properties. You can ignore that, and I suggest you start over again in configuring the custom keystores for your nodemanager.
It's funny you said that. We actually did the implementation in development on a brand new VM. I even created self-signed certs for it and reconfigured. After doing all that, I got into the same exact issue and error. Trying to work with Oracle support as well since today.
in nodemanager.properties, put
(note the capital S in 'keystores' and capital A in 'and')
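Added example, not part of any reply in this thread: a small checker for the symptom discussed above, where keystore settings in nodemanager.properties are silently ignored because a key or value is spelled with the wrong capitalization. The property names and `KeyStores` values in it are assumptions recalled from the WebLogic Node Manager documentation, not taken from the thread, and the sample file is constructed.

```python
# Added example. Key and value names are assumptions recalled from the
# WebLogic Node Manager documentation, not taken from this thread.
EXPECTED_KEYS = [
    "KeyStores", "CustomIdentityKeyStoreFileName",
    "CustomIdentityKeyStorePassPhrase", "CustomIdentityAlias",
    "CustomIdentityPrivateKeyPassPhrase",
]
KEYSTORE_MODES = [
    "DemoIdentityAndDemoTrust", "CustomIdentityAndJavaStandardTrust",
    "CustomIdentityAndCustomTrust",
]
# Constructed sample with a miscased key and a miscased value.
SAMPLE = """\
Keystores=CustomIdentityandCustomTrust
CustomIdentityKeyStoreFileName=/path/to/identity.jks
CustomIdentityAlias=nm_identity
"""

def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_nodemanager_properties(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    canonical = {k.lower(): k for k in EXPECTED_KEYS}
    findings, props = [], {}
    for key, value in parse_properties(text).items():
        want = canonical.get(key.lower(), key)
        if key != want:  # property keys are case-sensitive
            findings.append(f"key '{key}' should be spelled '{want}'")
        props[want] = value
    mode = props.get("KeyStores")
    if mode is None:
        findings.append("KeyStores is not set")
    elif mode not in KEYSTORE_MODES:
        match = [m for m in KEYSTORE_MODES if m.lower() == mode.lower()]
        hint = f", did you mean '{match[0]}'?" if match else ""
        findings.append(f"unknown KeyStores value '{mode}'{hint}")
    elif mode.startswith("Demo"):
        findings.append("KeyStores selects the demo identity and trust")
    else:
        findings += [f"missing '{k}'" for k in EXPECTED_KEYS[1:] if k not in props]
    return findings
```

Run `check_nodemanager_properties(open(path).read())` against the nodemanager.properties in the Node Manager home that is actually started, since the thread shows more than one nodemanager folder can exist.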