14 Replies Latest reply on Jul 17, 2013 5:13 PM by delhi

    Adding server certs to WLS and OAM server

    OldGuy
      We are running OAM Suite 11g (11.1.1.5), WLS 10.3.5, DB 11.2.0.1 on RHEL5.6.

      We are getting errors in our AdminServer log file concerning the certs we installed:

      "The peer is rejecting the certificate chain as being untrusted or incomplete"
      "WLS cannot retrieve identity certificate and private key on server oam_server, because keystore entry alias not specified"

      These errors are perplexing since the keystore alias does exist -- although we want to make sure we followed the correct steps.

      We have received certs from our client that need to be installed on our OAM server host. We have tried to follow the instructions in Metalink 1368211.1, but those also talk about self-signed certs and require a cert key. What we have received from the client are 2 certs: 1) Base64, which they list as usable for installing into a server (in X.509 format), and 2) Base64 with the CA cert chain in PKCS7 format. We placed these files into server.crt and cacert.crt, respectively.

      We have executed the following commands to create our jks files:
      keystore.jks:
      keytool -genkey -alias keystoreAlias -keyalg RSA -keystore keystore.jks -keysize 1024
      keytool -import -trustcacerts -alias root -file server.crt -keystore keystore.jks

      openssl pkcs7 -in cacert.crt -print_certs | openssl x509 > server.x509
      keytool -import -trustcacerts -alias server -file server.x509 -keystore keystore.jks

      trust.jks:
      keytool -genkey -alias trust -keyalg RSA -keystore trust.jks -keysize 1024
      keytool -import -trustcacerts -alias root -file server.crt -keystore trust.jks

      We then updated the oam_server in WLS to make sure the SSL port was enabled, set the keystores based on the Metalink doc, set the private key alias/pwd, etc., and then restarted the AdminServer and the oam_server...

      When we attempt to simply access the OAM console, an error is displayed that it cannot connect to <server>:14101 and the errors listed above were in the AdminServer log. Nothing in the oam-server log seemed to be out of place.
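The post above pipes the PKCS7 bundle through `openssl pkcs7 -print_certs | openssl x509`, then imports whatever comes out and only discovers the result when WebLogic reports the chain as "untrusted or incomplete". The script below is an added example, not part of the original post or of any Oracle document: it builds a throwaway root CA, an intermediate CA and a server certificate with openssl, packs the CA chain as a PKCS7 bundle the way a customer CA usually delivers it, and then shows two checks a practitioner would run before touching a JKS keystore: how many certificates survive the `| openssl x509` pipeline (one, because `openssl x509` parses a single certificate), and whether the server certificate actually verifies against the root with and without the intermediate. All names (oam.example.test, Example Root CA, Example Issuing CA) are made-up test values; the only assumption is that `openssl` is on the PATH. Keys are 2048-bit RSA; 1024-bit RSA is below current minimums and is rejected by modern TLS stacks.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA chain with
# openssl, bundle it as PKCS#7, and check the chain before any keytool import.
# Subjects and host name are made-up test values.
set -e
WORK=$(mktemp -d)   # left in place so the generated files can be inspected

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"

# newkey_csr NAME SUBJECT : 2048-bit RSA key plus CSR for NAME.
newkey_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Root CA (self-signed), intermediate CA (signed by root), server cert (signed by
# intermediate). Extensions come from -extfile so the CA flags are explicit.
newkey_csr ca "/CN=Example Root CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1

newkey_csr intermediate "/CN=Example Issuing CA"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/intermediate.ext"
openssl x509 -req -days 365 -in "$WORK/intermediate.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/intermediate.ext" -out "$WORK/intermediate.crt" >/dev/null 2>&1

newkey_csr server "/CN=oam.example.test"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:oam.example.test\n' > "$WORK/server.ext"
openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" \
  -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1

# PKCS#7 bundle holding the CA chain (intermediate + root), as a CA hands it over.
openssl crl2pkcs7 -nocrl -certfile "$WORK/intermediate.crt" -certfile "$WORK/ca.crt" \
  -out "$WORK/cacert.p7b" >/dev/null 2>&1

# count_certs FILE : number of PEM certificates in FILE.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Whole chain as PEM, versus the pipeline from the post, which keeps only the
# first certificate because "openssl x509" reads a single certificate.
openssl pkcs7 -in "$WORK/cacert.p7b" -print_certs -out "$WORK/chain.pem"
openssl pkcs7 -in "$WORK/cacert.p7b" -print_certs | openssl x509 > "$WORK/first-only.pem"

# verify_server TRUSTED [UNTRUSTED] : "ok" if server.crt chains to TRUSTED,
# using UNTRUSTED (if given) as intermediate material, otherwise "fail".
# Without the intermediate, openssl reports "unable to get local issuer
# certificate", the openssl spelling of an incomplete chain.
verify_server() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/server.crt" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

echo "certs in chain.pem:      $(count_certs "$WORK/chain.pem")"
echo "certs in first-only.pem: $(count_certs "$WORK/first-only.pem")"
echo "root only:               $(verify_server "$WORK/ca.crt")"
echo "root + chain.pem:        $(verify_server "$WORK/ca.crt" "$WORK/chain.pem")"
```

Run with the real files by substituting the client's cacert.crt for cacert.p7b and their server cert for server.crt; `openssl verify` should print `OK` before anything is imported. Once it does, the keytool side is: create the key pair under one alias (`keytool -genkeypair -alias oam -keyalg RSA -keysize 2048 -keystore keystore.jks`), produce a CSR from that alias (`keytool -certreq -alias oam ...`), have the CA sign it, import the root and intermediate with `-trustcacerts` under their own aliases, and import the issued server certificate under the same alias as the key pair (`keytool -importcert -alias oam -file server.crt -keystore keystore.jks`). That last step is what makes the alias an identity entry holding both the private key and its certificate; a certificate imported under any other alias is just a trusted-cert entry, and a certificate that was not issued for the key in that alias cannot be installed against it at all. The trust store needs only the CA certificates, not a generated key pair.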