4 Replies Latest reply: Jan 29, 2013 5:14 AM by the_assface

LDAP SSL Issue

the_assface Explorer
We have 2 test environments that get the message below. We can turn off SSL and WebLogic sees the user/group names for LDAP (AD and ADAM), but with SSL turned on it doesn't see them and gets the error. Our cert has not changed and is good until 2024. Our SiteMinder server connects to the LDAP schemas fine securely. We have rebooted all LDAP servers, the cert server and the WebLogic server and still no joy. I don't think there is any issue with WL, as these 2 environments both have the issue. However, with the SiteMinder server using the SSL certs without issue, our NetOps group is pushing it back to us. Would deleting the admin server cache be a possible fix? If so, which folders? (Just don't want to have domain boot issues.)

Thanks


####<Nov 30, 2012 2:11:58 PM CST> <Info> <Socket> <SITPORTAL3> <Admin_Server> <ListenThread.Default> <<WLS Kernel>> <> <BEA-000436> <Allocating 2 reader threads.>
####<Nov 30, 2012 2:11:58 PM CST> <Info> <Socket> <SITPORTAL3> <Admin_Server> <ListenThread.Default> <<WLS Kernel>> <> <BEA-000440> <NativeIO Enabled>
####<Nov 30, 2012 2:11:58 PM CST> <Notice> <Management> <SITPORTAL3> <Admin_Server> <Main Thread> <<WLS Kernel>> <> <BEA-141030> <Starting discovery of the managed server. This feature is on by default. You can turn this off by passing -Dweblogic.management.discover=false.>
####<Nov 30, 2012 2:11:58 PM CST> <Info> <Management> <SITPORTAL3> <Admin_Server> <Main Thread> <<WLS Kernel>> <> <BEA-141031> <Attempting managed server discovery for server WebUserAdmin running at SITPORTAL3.fcdev.com:8031.>
####<Nov 30, 2012 2:11:58 PM CST> <Notice> <WebLogicServer> <SITPORTAL3> <Admin_Server> <ListenThread.Default> <<WLS Kernel>> <> <BEA-000355> <Thread "ListenThread.Default" listening on port 8098, ip address *.*>
####<Nov 30, 2012 2:11:58 PM CST> <Notice> <WebLogicServer> <SITPORTAL3> <Admin_Server> <SSLListenThread.Default> <<WLS Kernel>> <> <BEA-000355> <Thread "SSLListenThread.Default" listening on port 7002, ip address *.*>
####<Nov 30, 2012 2:11:58 PM CST> <Info> <Management> <SITPORTAL3> <Admin_Server> <Main Thread> <<WLS Kernel>> <> <BEA-141059> <The admin server sucessfully contacted the managed server, for server WebUserAdmin running at SITPORTAL3.fcdev.com:8031. See the managed server log to ensure that it was able to connect back to the admin server.>
####<Nov 30, 2012 2:11:58 PM CST> <Notice> <WebLogicServer> <SITPORTAL3> <Admin_Server> <Main Thread> <<WLS Kernel>> <> <BEA-000329> <Started WebLogic Admin Server "Admin_Server" for domain "portalDomainSIT" running in Production Mode>
####<Nov 30, 2012 2:11:58 PM CST> <Notice> <WebLogicServer> <SITPORTAL3> <Admin_Server> <Main Thread> <<WLS Kernel>> <> <BEA-000360> <Server started in RUNNING mode>
####<Nov 30, 2012 2:12:51 PM CST> <Info> <WebLogicServer> <SITPORTAL3> <Admin_Server> <ListenThread.Default> <<WLS Kernel>> <> <BEA-000213> <Adding address: 10.10.35.123 to licensed client list>
####<Nov 30, 2012 2:12:58 PM CST> <Info> <HTTP> <SITPORTAL3> <Admin_Server> <ExecuteThread: '0' for queue: 'weblogic.admin.HTTP'> <<anonymous>> <> <BEA-101047> <[ServletContext(id=24428199,name=console,context-path=/console)] actions: init>
####<Nov 30, 2012 2:12:59 PM CST> <Info> <HTTP> <SITPORTAL3> <Admin_Server> <ExecuteThread: '0' for queue: 'weblogic.admin.HTTP'> <<anonymous>> <> <BEA-101047> <[ServletContext(id=24428199,name=console,context-path=/console)] FileServlet: init>
####<Nov 30, 2012 2:12:59 PM CST> <Info> <HTTP> <SITPORTAL3> <Admin_Server> <ExecuteThread: '0' for queue: 'weblogic.admin.HTTP'> <<anonymous>> <> <BEA-101047> <[ServletContext(id=24428199,name=console,context-path=/console)] FileServlet: Using standard I/O>
####<Nov 30, 2012 2:13:06 PM CST> <Notice> <Security> <SITPORTAL3> <Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <<WLS Kernel>> <> <BEA-090169> <Loading trusted certificates from the jks keystore file E:\bea\weblogic81\server\lib\DemoTrust.jks.>
####<Nov 30, 2012 2:13:06 PM CST> <Notice> <Security> <SITPORTAL3> <Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <<WLS Kernel>> <> <BEA-090169> <Loading trusted certificates from the jks keystore file E:\bea\JROCKI~1\jre\lib\security\cacerts.>
####<Nov 30, 2012 2:13:06 PM CST> <Warning> <Security> <SITPORTAL3> <Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <beaadmin> <> <BEA-090477> <Certificate chain received from sitadmserver1.fcdev.com - 10.10.110.116 was not trusted causing SSL handshake failure.>
####<Nov 30, 2012 2:13:06 PM CST> <Warning> <Security> <SITPORTAL3> <Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <beaadmin> <> <BEA-090477> <Certificate chain received from SITADSERVER1.fcdev.com - 10.10.110.118 was not trusted causing SSL handshake failure.>
####<Nov 30, 2012 2:16:57 PM CST> <Info> <Management> <SITPORTAL3> <Admin_Server> <ExecuteThread: '13' for queue: 'default'> <<WLS Kernel>> <> <BEA-140009> <Configuration changes for the domain have been saved to the repository.>
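The two facts worth pulling out of a log like the one above are which truststores WebLogic actually loaded (the BEA-090169 lines: here DemoTrust.jks and the JRE cacerts) and which peers' certificate chains it then rejected (the BEA-090477 lines). The script below is an added example, not code from the thread or from WebLogic: it parses WebLogic's `####<...>` record layout and reports both, over sample lines constructed from the excerpt in the post.

```python
"""Detection over WebLogic server-log lines: which truststores the server
actually loaded, and which peer certificate chains it rejected.

Added example, not code from the thread. The sample lines are constructed
from the thread's log excerpt; the ####<...> record layout is WebLogic's
own, everything else here is an assumption of this example.
"""
import re
from dataclasses import dataclass, field

# WebLogic record: ####<ts> <severity> <subsystem> <machine> <server> <thread>
# <user> <txid> <BEA-code> <message>.  The user field nests its own brackets
# (<<WLS Kernel>>), so the record is split on "> <" rather than on ">".
FIELDS = ("timestamp", "severity", "subsystem", "machine", "server",
          "thread", "user", "txid", "code", "message")

TRUSTSTORE_LOADED = re.compile(r"trusted certificates from the jks keystore file (.+)\.$")
CHAIN_REJECTED = re.compile(r"Certificate chain received from (\S+) - (\S+) was not trusted")


@dataclass
class Rejection:
    timestamp: str
    host: str       # peer that presented the chain (here: the LDAP/AD server)
    ip: str
    user: str       # WebLogic principal whose action triggered the connection


@dataclass
class TrustReport:
    truststores: list = field(default_factory=list)   # keystores in load order
    rejections: list = field(default_factory=list)


def parse_record(line: str):
    """Return the record as a dict, or None if the line is not a WebLogic record."""
    line = line.rstrip()
    if not (line.startswith("####<") and line.endswith(">")):
        return None
    parts = line[len("####<"):-1].split("> <", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["user"] = rec["user"].strip("<>")   # "<WLS Kernel>" -> "WLS Kernel"
    return rec


def scan(lines) -> TrustReport:
    """Collect truststore loads (BEA-090169) and rejected chains (BEA-090477)."""
    report = TrustReport()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["code"] == "BEA-090169":
            m = TRUSTSTORE_LOADED.search(rec["message"])
            if m:
                report.truststores.append(m.group(1))
        elif rec["code"] == "BEA-090477":
            m = CHAIN_REJECTED.search(rec["message"])
            if m:
                report.rejections.append(
                    Rejection(rec["timestamp"], m.group(1), m.group(2), rec["user"]))
    return report


# Constructed sample in the shape of the thread's excerpt.
SAMPLE_LOG = r"""
####<Nov 30, 2012 2:11:58 PM CST> <Notice> <WebLogicServer> <SITPORTAL3> <Admin_Server> <Main Thread> <<WLS Kernel>> <> <BEA-000360> <Server started in RUNNING mode>
####<Nov 30, 2012 2:13:06 PM CST> <Notice> <Security> <SITPORTAL3> <Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <<WLS Kernel>> <> <BEA-090169> <Loading trusted certificates from the jks keystore file E:\bea\weblogic81\server\lib\DemoTrust.jks.>
####<Nov 30, 2012 2:13:06 PM CST> <Notice> <Security> <SITPORTAL3> <Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <<WLS Kernel>> <> <BEA-090169> <Loading trusted certificates from the jks keystore file E:\bea\JROCKI~1\jre\lib\security\cacerts.>
####<Nov 30, 2012 2:13:06 PM CST> <Warning> <Security> <SITPORTAL3> <Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <beaadmin> <> <BEA-090477> <Certificate chain received from sitadmserver1.fcdev.com - 10.10.110.116 was not trusted causing SSL handshake failure.>
####<Nov 30, 2012 2:13:06 PM CST> <Warning> <Security> <SITPORTAL3> <Admin_Server> <ExecuteThread: '1' for queue: 'weblogic.admin.HTTP'> <beaadmin> <> <BEA-090477> <Certificate chain received from SITADSERVER1.fcdev.com - 10.10.110.118 was not trusted causing SSL handshake failure.>
not a weblogic record
"""


if __name__ == "__main__":
    rpt = scan(SAMPLE_LOG.splitlines())
    print("truststores loaded:", *rpt.truststores, sep="\n  ")
    for r in rpt.rejections:
        print(f"{r.timestamp}: chain from {r.host} ({r.ip}) rejected while acting as {r.user}")
```

The truststore list is the part that settles "where did I import the cert?" questions: a CA certificate imported into a keystore that never appears in a BEA-090169 line cannot influence the handshake, whatever its contents.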
  • 1. Re: LDAP SSL Issue
    Faisal Khan Expert
    Certificate chain received from SITADSERVER1.fcdev.com - 10.10.110.118 was not trusted causing SSL handshake failure

    You will have to import the root CA of the LDAP server's certificate into the WLS truststore.

    -Faisal
  • 2. Re: LDAP SSL Issue
    the_assface Explorer
    Thanks! That certificate has already been imported into the root cacerts. To shed a bit more light on it, this environment was working just fine for years with these same cacerts, no change. Suddenly they just stopped working. I took it a step further today and reimported the cert into the cacerts file and still have the issue. Non-SSL LDAP works just fine, so the configuration of LDAP is good. I took it even further and took the cacerts from another environment that works, then imported the cert into that working cacerts, and still had the issue, so it appears to be a problem with this particular WL environment, but I have no clue what it could be. I did delete the admin server cache and try again, but the results were the same. Any ideas would be greatly appreciated.
  • 3. Re: LDAP SSL Issue
    Faisal Khan Expert
    Where are you importing the certificates? Are you using custom identity / custom trust?

    Try importing the certs into the jre/lib/security/cacerts file...

    The exception clearly means the certs are not present.

    You can get more information by enabling SSL debug:

    -Dssl.debug=true
  • 4. Re: LDAP SSL Issue
    the_assface Explorer
    To follow up... what happened is that the cacerts was correct on the WebLogic server; it had never changed and was good until 2023. The certificate on the LDAP server was correct and had the same contents. What seemed to be the problem was that the certificate server itself had been rebuilt, and somehow when it was set up the second time someone changed some parameter on its domain info. So, one year later the cacert did not authenticate with the cert info. We ended up importing the machine certificate of the certificate server into our cacerts and it worked. The group that maintains that server is now looking into a permanent solution. Much appreciated on the assistance.
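The resolution in the reply above is a common failure mode that looks like a mystery: the CA entry in cacerts and the CA named in the server certificate carry the same distinguished name, yet the chain is rejected, because a rebuilt CA has a new key and chain building matches the anchor by key identifier as well as by name. The script below is an added example, not code from the thread, WebLogic or any CA product: it models certificates as simplified records (no real X.509 parsing) with placeholder names and keys, derives key identifiers the RFC 5280 way (SHA-1 over the public key bytes), and reports why a peer certificate does or does not chain to a given truststore.

```python
"""Why a trusted CA certificate with the *same name* can stop validating
after the issuing CA is rebuilt: a chain is anchored by issuer name AND
by key identifier, so a re-keyed CA under an unchanged DN no longer matches.

Added example, not code from the thread. Certificates are simplified
records rather than parsed X.509; key identifiers are derived the common
RFC 5280 way (SHA-1 over the public key bytes) but the keys and names are
constructed placeholders.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

TRUSTED = "trusted"
EXPIRED = "certificate has expired"
NO_ANCHOR = "no trust anchor carries the issuer name"
KEY_MISMATCH = ("a trust anchor carries the issuer name but its key identifier "
                "differs: the issuing CA was re-keyed or rebuilt")


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: bytes      # placeholder for the SubjectPublicKeyInfo bytes
    issuer_key: bytes      # public key of the CA that actually signed this cert
    not_after: date

    @property
    def ski(self) -> str:   # Subject Key Identifier
        return hashlib.sha1(self.public_key).hexdigest()

    @property
    def aki(self) -> str:   # Authority Key Identifier (points at the signer's SKI)
        return hashlib.sha1(self.issuer_key).hexdigest()


def diagnose(leaf: Cert, anchors: list, today: date) -> str:
    """Explain why a peer certificate does or does not chain to the truststore."""
    if today > leaf.not_after:
        return EXPIRED
    same_name = [a for a in anchors if a.subject == leaf.issuer]
    if not same_name:
        return NO_ANCHOR
    if any(a.ski == leaf.aki for a in same_name):
        return TRUSTED
    return KEY_MISMATCH


# Constructed scenario modelling the thread: same CA name, different CA key.
CA_DN = "CN=Issuing CA, DC=example, DC=com"           # placeholder DN
OLD_CA_KEY = b"placeholder key: original CA build"
NEW_CA_KEY = b"placeholder key: rebuilt CA"

old_ca = Cert(CA_DN, CA_DN, OLD_CA_KEY, OLD_CA_KEY, date(2024, 1, 1))   # what cacerts holds
new_ca = Cert(CA_DN, CA_DN, NEW_CA_KEY, NEW_CA_KEY, date(2034, 1, 1))   # what the CA now is
ldap_server = Cert("CN=ldap.example.com", CA_DN,
                   b"placeholder key: LDAP server", NEW_CA_KEY, date(2014, 1, 1))


def run_scenarios(today: date = date(2012, 11, 30)) -> dict:
    """The truststore states from the thread, in order, plus an expiry case."""
    return {
        "cacerts_with_original_ca": diagnose(ldap_server, [old_ca], today),
        "empty_truststore": diagnose(ldap_server, [], today),
        "after_importing_rebuilt_ca": diagnose(ldap_server, [old_ca, new_ca], today),
        "years_later": diagnose(ldap_server, [old_ca, new_ca], date(2015, 1, 1)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

On a real host the same check is done by hand: compare the Authority Key Identifier printed for the LDAP server's certificate (for example with `keytool -printcert -file server.cer` or `openssl x509 -in server.cer -noout -text`) against the Subject Key Identifier of the CA entry in the truststore that the server log shows being loaded (`keytool -list -v -keystore cacerts`). A name match with differing identifiers is exactly the rebuilt-CA case, and the fix is to import the CA certificate the rebuilt CA now actually issues from, as was done here.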
