5 Replies. Latest reply: Dec 11, 2012 8:20 PM by Jeets

    OBIEE on Weblogic 10.3 : Unable to import server certs into keystore

    Turbokat
      Hello All,

      We are trying to configure the OBIEE application on Weblogic 10.3 with SSL using Windows Server 2003 (IIS) and are facing some issues with that.

      Followed the document : OBIEE11g SSL Setup and Configuration [1326781.1]

      We are configuring SSL for OBIEE 11g on a Unix environment.

      Following are the steps we have done,
      1. Generated a CSR using Middleware/Oracle_BI1/jdk/bin/keytool and provided it to the CA (Admin), and got the RootCA and OBISRV.CER (Server Certificate). Below are the commands we have used to generate the keystore and CSR.

      [obisrv@srv bin]$./keytool -genkey -alias mckserver -keyalg RSA -keysize 2048 -keypass Welcome1 -keystore mckkeystore.jks -storepass Welcome1

      [obisrv@srv bin]$./keytool -certreq -v -alias mckserver -file server.csr -keypass Welcome1 -storepass Welcome1 -keystore mckkeystore.jks

      2. We were able to import the RootCA using the command from MOS article successfully into keystore.

      [obisrv@srv bin]$./keytool -import -trustcacerts -alias "root ca" -file /d01/oracle/OBISRV/Middleware/SSL/RootCA.cer -keystore /d01/oracle/OBISRV/Middleware/SSL/mckkeystore.jks -storepass Welcome1
      Certificate reply was installed in keystore

      3. My question now is: do we need to import the server certificate as well, since I have not seen this in your document from the blog?

      I am importing the Root CA Certificate first which is successfully added to the keystore.

      Below are the commands I am using to import into the keystore using the keytool command.

      However, when I am trying to import the server certificate into the keystore we get the error below.

      [obisrv@srv bin]$./keytool -import -v -alias mckserver -file /d01/oracle/OBISRV/Middleware/SSL/OBISRV.cer -keystore /d01/oracle/OBISRV/Middleware/SSL/mckkeystore.jks -keypass Welcome1 -storepass Welcome1
      keytool error: java.lang.Exception: Failed to establish chain from reply
      java.lang.Exception: Failed to establish chain from reply
      at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2662)
      at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
      at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
      at sun.security.tools.KeyTool.run(KeyTool.java:172)
      at sun.security.tools.KeyTool.main(KeyTool.java:166)

      Please advise and let me know if you have any questions.

      Read many forums and tried to convert it to the PKCS#7 format and import the cert into the identity keystore, but was not successful in that either. I have also checked with the IT Admin team and found there is only one RootCA and no other intermediate CAs.

      MOS notes referred to: Keytool says : "Failed to establish chain from reply" when importing the signed cert into a keystore [775609.1]

      E-WL: Error Importing SSL Certificate using "pskeymanager -import": Error "keytool error: java.lang.Exception: Failed to establish chain from reply" [635805.1]

      Please advise if anyone has had similar issues or has suggestions.

      Thanks in advance,
      SVS
        • 1. Re: OBIEE on Weblogic 10.3 : Unable to import server certs into keystore
          Jeets
          Hello

          Why don't you try using -trustcacerts in the import command as below?


          keytool -import -trustcacerts -alias <alias> -file <cacert_file> -keystore <keystore> -storepass <password>

          And which certs have you got from the CA?

          Please provide them here, if it can be shared.

          It should not be an issue with the certificates; I believe the issue is with the command.

          Please check.
          • 2. Re: OBIEE on Weblogic 10.3 : Unable to import server certs into keystore
            Kalyan Pasupuleti-Oracle
            Hi,

            One obvious reason would be that you did not specify -trustcacerts, and the root CA is not included in the present server keystore. In that case, using the -trustcacerts option would solve the problem, if the root CA is indeed in the JDK cacerts.

            To print out the certificates present in the JDK cacerts, use the following command:
            keytool -list -keystore <JAVA_HOME>/jre/lib/security/cacerts -storepass changeit -v

            Then check if the root CA that signed your server certificate is present, and has not expired (in which case, you would need to re-import a newer one into cacerts).

            Another common reason for that error message is when you have used a proprietary CA to sign your server certificate. Then it would obviously not be in the JDK cacerts. The solution in that case is to import your proprietary root CA into the JDK cacerts, using the following command:
            keytool -import -keystore <JAVA_HOME>/jre/lib/security/cacerts -file yourRootCA.pem -storepass changeit -alias youralias

            A third reason for that error message is when your server certificate was signed by an intermediate certificate. In that case, you would have received from your CA a chain of certificates. One way to solve this (not the only one, but this one works well): Prepend your intermediate CA file to your server cert file, and import the obtained concatenated file into the server keystore. Be careful, the intermediate CA must be BEFORE the server cert. Example:
            copy rootca.cer certchain.p7b
            type server.cer >> certchain.p7b

            The file certchain.p7b will be the concatenation of the intermediate CA and the signed server cert. Then import the newly created file under the key alias as follows:
            keytool -import -keystore serverks.jks -file certchain.p7b -alias yourkey -trustcacerts

            If you only prepend the intermediate root CA, you must make sure that the final root CA is in cacerts. But you can also prepend your whole chain of trust inside the server keystore.

            Regards,
            Kal
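The three causes above all come down to one step: after the reply certificate is read, keytool walks issuer to subject through the trusted certificates it can see (the keystore's own trusted entries and, with -trustcacerts, the JDK cacerts) until it reaches a self-signed certificate, and throws "Failed to establish chain from reply" when no certificate with the needed subject is found. As an added example (not code from this thread, from Oracle or from keytool), the following Python script models that walk, using only the standard library, over constructed fixtures: "Corp Root CA", "Corp Issuing CA" and "obisrv.example.com" are made-up names, the keys and signatures are placeholders, and names are matched on raw DER bytes without signature verification, which is the one place the model is weaker than keytool (a CA renewed under the same name with a new key passes here but still fails in keytool). It also shows why a chain file must be built as a PEM bundle: two DER .cer files glued together byte-wise are not a certificate file, and the script rejects them with the same wording the original poster reports later in this thread. Whether keytool's parser failed for exactly that reason in their case is not shown in the thread.

```python
"""Model of keytool's chain-building step (stdlib only). Added example for this
thread; the certificates are constructed fixtures, not real ones, and the logic
is a model of keytool's behaviour, not keytool's own code."""
import base64
import re

# ---- tiny DER encoder, used only to build the fixtures inline ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

OID_CN = tlv(0x06, b"\x55\x04\x03")                                   # 2.5.4.3 commonName
SHA256_RSA = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), tlv(0x05, b""))
RSA_ENC = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), tlv(0x05, b""))

def name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single CN here
    return seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))

def fake_cert(subject, issuer, serial):
    """Certificate-shaped DER carrying the fields that name matching needs.
    Key and signature are dummy bytes (assumption: nothing verifies them)."""
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                                # [0] version v3
        tlv(0x02, bytes([serial])),                                   # serialNumber
        SHA256_RSA,                                                   # signature algorithm
        name(issuer),
        seq(tlv(0x17, b"121201000000Z"), tlv(0x17, b"221201000000Z")),  # validity
        name(subject),
        seq(RSA_ENC, tlv(0x03, b"\x00\x30\x00")),                     # SPKI placeholder
    )
    return seq(tbs, SHA256_RSA, tlv(0x03, b"\x00" + bytes(8)))         # dummy signature

# ---- minimal DER reader ----
def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def subject_issuer(der):
    """(subject, issuer) as raw DER Name bytes of exactly one certificate."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Input not an X.509 certificate")
    fields = _children(_children(body)[0][1])          # tbsCertificate
    if fields[0][0] == 0xA0:                           # optional [0] version
        fields = fields[1:]
    return fields[4][1], fields[2][1]                  # subject, issuer

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"

def load_certs(data):
    """One DER certificate, or a PEM bundle with any number of blocks. Two DER
    files glued together byte-wise are neither and are rejected."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        return [base64.b64decode(b"".join(b.split())) for b in blocks]
    subject_issuer(data)                               # raises unless exactly one cert
    return [data]

def establish_chain(reply, trusted):
    """Walk issuer -> subject from the reply through `trusted` (keystore trusted
    entries plus, with -trustcacerts, the JDK cacerts) until a self-signed cert.
    Name matching only; keytool additionally verifies each signature."""
    chain, cur = [reply], reply
    while True:
        subj, iss = subject_issuer(cur)
        if subj == iss:
            return chain
        nxt = [c for c in trusted if subject_issuer(c)[0] == iss and c not in chain]
        if not nxt:
            raise ValueError("Failed to establish chain from reply")
        cur = nxt[0]
        chain.append(cur)

# Constructed fixtures: these names are made up for this example.
ROOT = fake_cert("Corp Root CA", "Corp Root CA", 1)
ISSUING = fake_cert("Corp Issuing CA", "Corp Root CA", 2)
SERVER = fake_cert("obisrv.example.com", "Corp Issuing CA", 3)

def _outcome(fn):
    try:
        return fn()
    except ValueError as e:
        return str(e)

def scenarios():
    """Four imports of the same server certificate: chain length, or the error."""
    bundle = load_certs(to_pem(ISSUING) + to_pem(SERVER))   # reply as a PEM bundle
    return {
        "root_only": _outcome(lambda: len(establish_chain(SERVER, [ROOT]))),
        "trusted_intermediate": _outcome(lambda: len(establish_chain(SERVER, [ROOT, ISSUING]))),
        "pem_bundle": _outcome(lambda: len(establish_chain(bundle[-1], [ROOT] + bundle[:-1]))),
        "der_concat": _outcome(lambda: len(load_certs(ISSUING + SERVER))),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:22} {result}")
```

The first case is the situation this thread describes: the root is trusted, yet the reply cannot be chained, which means the reply's issuer name is not the root's subject name, so something other than the root (an issuing CA the admins were not aware of, or a differently named CA certificate) signed it. Running `openssl x509 -in OBISRV.cer -noout -subject -issuer` against the real file and comparing the issuer line with the root's subject line is the quickest way to settle that before touching cacerts.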
            • 3. Re: OBIEE on Weblogic 10.3 : Unable to import server certs into keystore
              Turbokat
              Hello Jeets,

              I have tried using the -trustcacerts option but that did not work either. Below is the command I have used:

              ./keytool -import -v -trustcacerts -alias mckserver -file /d01/oracle/OBISRV/Middleware/SSL/OBISRV.cer -keystore /d01/oracle/OBISRV/Middleware/SSL/mckkeystore.jks -keypass Welcome1 -storepass Welcome1

              Please let me know if you have any other suggestions.

              Thanks,
              SVS
              • 4. Re: OBIEE on Weblogic 10.3 : Unable to import server certs into keystore
                Turbokat
                Hello Kalyan,

                Appreciate your help on this. I have tried all the options below.

                --> I have imported the root CA into the present server keystore under <JAVA_HOME>/jre/lib/security/cacerts. However, even after that, using the -trustcacerts option did not solve the problem, even though the root CA is in the JDK cacerts. I have also verified that it is imported into the JDK cacerts.

                --> The file certchain.p7b will be the concatenation of the intermediate CA and the signed server cert. Then import the newly created file under the key alias as follows:
                keytool -import -keystore serverks.jks -file certchain.p7b -alias yourkey -trustcacerts

                It gives me the error below:
                keytool error: java.lang.Exception: Input not an X.509 certificate

                I also verified with the Network admin team and found that there are no intermediate CA certificate paths and there is only the root CA.

                Please advise.

                Thanks,
                SVS
                • 5. Re: OBIEE on Weblogic 10.3 : Unable to import server certs into keystore
                  Jeets
                  Hello SSV,

                  Is there any ways you can mail me the certificates you have?

                  See there are three ways we can create certificates:

                  1. From a trusted CA - third party

                  2. Self signed

                  3. Default ( Demo certificates)

                  In case 1: We require three certificates, which are provided by CA.

                  Public, intermediate and root. Not sure if you have all three and are using the same ones.

                  In cases 2 and 3, all of these (public, intermediate and root) are not mandatory.

                  How did you generate CSR?

                  Please provide me the steps and certificates if you have, we will try to test it locally.

                  Or a support ticket would be advisable.

                  Cheers,
                  Jeets