5 Replies Latest reply: Jul 7, 2014 9:49 AM by ssine

    <Security> <BEA-090482> <BAD_CERTIFICATE - Managed Servers' NodeMngr is unreachable

    ssine

      Hi Guys,

      I'm trying to renew SSL certs (received from Verisign) in my WebLogic env., but it is failing with the below error message all the time:

      <Jun 19, 2014 10:06:47 AM> <WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from ServerName - 10.10.10.100. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>


      What I did:

      Identkeystore is created (with its CSR)

      keytool -genkey -keyalg RSA -keysize 2048 -alias sslkey -dname "CN=ServerName,O=x,OU=x,C=x, L=x, ST=x" -validity 3650 -keystore IdentKeystore.jks

      Enter keystore password:

      Re-enter new password:

      Enter key password for <sslkey>

              (RETURN if same as keystore password):

      Re-enter new password:

      CSR

      keytool -certreq -keyalg RSA -keysize 2048 -alias sslkey -sigalg MD5WithRSA -keystore IdentKeystore.jks -file NEWSSL.csr

      After that, I applied to Verisign and received my Digital ID Class 3 SSL Certificate

      I imported:

      - Intermediate Cert: "RSA Primary Intermediate CA Certificate" into IdentKeystore.jks and TrustKeystore.jks as intermediate Cert.

      - Root CA Cert: "Intermediate" into IdentKeystore and TrustKeystore as intermediate Cert. (from : https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1735)

      - sslkey : New/Procured SSL Cert into only IdentKeystore.jks file.

      - "RSA Primary Intermediate CA Certificate", "RSA Secondary Intermediate CA Certificate", "sslkey" and "Intermediate" into JAVA cacerts

      Edit both the Node Manager startup script and the WebLogic startup script and add the following lines.

      Then, I edited the startNodeManager.sh and startWeblogic.sh scripts

      1. Nodemanager startup script under $WLS_HOME/wlserver_10.3/server/bin

      Took a backup of the startNodeManager.sh script and edited it

      JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false"

      export JAVA_OPTIONS

      Add it between the "export CLASSPATH" line and cd "${NODEMGR_HOME}" line as shown below

      export CLASSPATH

      export PATH

      JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false"

      export JAVA_OPTIONS

      cd "${NODEMGR_HOME}"

      2. Similarly, take a backup of the startWeblogic.sh script under $DOMAIN_HOME/bin and add the following entry

      JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"

      export JAVA_OPTIONS

      Add it between the SAVE_CLASSPATH and trap 'stopAll' line as shown below

      CLASSPATH="${SAVE_CLASSPATH}"

      SAVE_CLASSPATH=""

      JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"

      export JAVA_OPTIONS

      trap 'stopAll' 1 2 3 15

      nodemanager.properties file contents:

      KeyStores=CustomIdentityAndCustomTrust

      CustomIdentityAlias=sslkey

      CustomIdentityKeyStoreFileName=/opt/oracle/middleware/wlserver_10.3/server/lib/IdentKeystore.jks

      CustomIdentityKeyStorePassPhrase={3DES}bla bla bla

      CustomIdentityKeyStoreType=JKS

      CustomIdentityPrivateKeyPassPhrase={3DES}bla bla bla

      AuthenticationEnabled=true

      ListenAddress=           (right now this is empty, but I also tried the IP and the FQDN of the server, and it failed again with the same error notification)

      ListenPort=5556

      SecureListener=true

      StartScriptEnabled=true

      And lastly, in the WebLogic GUI, hostname verification is "NONE" for the Admin Server and all Managed Servers.

      Any idea to resolve this issue?

      Also, maybe the Root CA is wrong; does anybody know where to download the Root CA of the Verisign Digital ID Class 3 SSL Certificate which is valid for RSA/SHA encryption?

      Thank you

        • 1. Re: <Security> <BEA-090482> <BAD_CERTIFICATE - Managed Servers' NodeMngr is unreachable
          Puneeth-Oracle

          First you need to check if the chaining of certificates in identity keystore is valid.

          Try the following command:

          java utils.ValidateCertChain -jks sslkey /opt/oracle/middleware/wlserver_10.3/server/lib/IdentKeystore.jks

          • 3. Re: <Security> <BEA-090482> <BAD_CERTIFICATE - Managed Servers' NodeMngr is unreachable
            ssine

            [xxx]$ java utils.ValidateCertChain -jks sslkey /xxx/oracle/middleware/wlserver_10.3/server/lib/IdentKeystore_new_cert_june20.jks

            Cert[0]: CN=xxx,OU=xxx,O=xxx,L=xxx,ST=xxx,C=xxx

            Cert[1]: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US

            Cert[2]: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US

            Certificate chain appears valid

            [xxx]$ id

            uid=500(oracle) gid=502(oinstall) groups=500(dba),501(oper),502(oinstall)

            • 4. Re: <Security> <BEA-090482> <BAD_CERTIFICATE - Managed Servers' NodeMngr is unreachable
              ssine

              Guys,

              Thanks for the replies. After following the guide "Oracle DB and MW Blog: handlerjavax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert in Weblogic cluster",

              I got the below error:

              <Jul 7, 2014 10:12:53 AM> <SEVERE> <Fatal error in node manager server>

              java.lang.RuntimeException: Cannot convert identity certificate

                at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)

                at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)

                at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)

                at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:144)

                at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)

                at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)

                at weblogic.nodemanager.server.NMServer.main(NMServer.java:377)

                at weblogic.NodeManager.main(NodeManager.java:31)

              then I followed these guides ["WebLogic SSL configuration : Inconsistent security configuration Cannot convert identity certificate Online…" and "SSL issue caused by stronger signature algorithms | Oracle Fusion Middleware"] to overcome this, but

              then I got the below error notification:

              <Jul 7, 2014 11:34:25 AM> <SEVERE> <Fatal error in node manager server>

              java.io.IOException: Unsupported cypher suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5

                at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:82)

                at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)

                at weblogic.nodemanager.server.NMServer.main(NMServer.java:377)

                at weblogic.NodeManager.main(NodeManager.java:31)

              And finally, to fix the latest issue seen above, I found the below reply in [OBIEE 11g (11.1.1.5.0) - Issue with starting Node Manager]:

              There are two types of cipher suites: the Certicom Cipher Suite and the SunJSSE Equivalent Cipher Suite. With WebLogic 10.3.5 you are using the Sun JSSE Cipher Suite, and by default Node Manager uses the Certicom Cipher Suite.

              In nodemanager.properties, add CipherSuite=SSL_RSA_EXPORT_WITH_RC4_40_MD5, save and restart Node Manager.


              Now, my nodemanager.properties file looks like this:


              KeyStores=CustomIdentityAndCustomTrust

              CustomIdentityAlias=sslkey

              CustomIdentityKeyStoreFileName=/xxx/xxx/xxx/wlserver_10.3/server/lib/IdentKeystore.jks

              CustomIdentityKeyStorePassPhrase={3DES}xxx

              CustomIdentityKeyStoreType=JKS

              CustomIdentityPrivateKeyPassPhrase={3DES}xxx

              AuthenticationEnabled=true

              ListenAddress=

              ListenPort=5556

              SecureListener=true

              StartScriptEnabled=true

              CipherSuite=SSL_RSA_EXPORT_WITH_RC4_40_MD5
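The settings collected in this thread (the JAVA_OPTIONS added to startNodeManager.sh and startWeblogic.sh in the first post, the MD5WithRSA CSR, and the CipherSuite line in the nodemanager.properties above) are the kind of thing worth re-checking once the Node Manager connects again, because each one trades away a check that the BAD_CERTIFICATE alert was enforcing. The following Python script is an added example, not code from the thread or from Oracle: it parses a nodemanager.properties file, a startup-script fragment and a keytool command line, and lists the weak settings it finds. The severity labels and the sample inputs (modelled on the postings, with placeholder paths and pass phrases) are my own.

```python
"""Audit WebLogic Node Manager / startup-script SSL settings for weak choices.

Added example, not part of the thread. Severity labels are assumed, not Oracle's.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (labels assumed for this example)
    key: str
    value: str
    reason: str


# Signature algorithms keytool still accepts but that no longer belong in a CSR.
WEAK_SIGALGS = {"md2withrsa", "md5withrsa", "sha1withrsa"}

# JVM flags (values as set in the thread's scripts) that switch hostname checks off.
HOSTNAME_CHECK_OFF = {
    "weblogic.nodemanager.sslHostNameVerificationEnabled": "false",
    "weblogic.security.SSL.ignoreHostnameVerification": "true",
}


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_nodemanager_properties(text):
    """Return findings for the listener-related keys of a nodemanager.properties file."""
    props = parse_properties(text)
    findings = []
    suite = props.get("CipherSuite", "")
    if suite and ("EXPORT" in suite or "RC4" in suite or suite.endswith("_MD5") or "NULL" in suite):
        findings.append(Finding("high", "CipherSuite", suite,
                                "export-grade / RC4 / MD5 suite pinned for the Node Manager listener"))
    if props.get("SecureListener", "true").lower() != "true":
        findings.append(Finding("high", "SecureListener", props["SecureListener"],
                                "Node Manager accepts plain-text connections"))
    if props.get("AuthenticationEnabled", "true").lower() != "true":
        findings.append(Finding("high", "AuthenticationEnabled", props["AuthenticationEnabled"],
                                "clients are not authenticated to Node Manager"))
    if not props.get("ListenAddress"):
        findings.append(Finding("low", "ListenAddress", "",
                                "empty: listener is not pinned to one interface"))
    for key in ("CustomIdentityKeyStorePassPhrase", "CustomIdentityPrivateKeyPassPhrase"):
        value = props.get(key, "")
        if value and not value.startswith("{"):   # encrypted values carry a {3DES}/{AES} prefix
            findings.append(Finding("medium", key, "<redacted>",
                                    "pass phrase stored in clear text"))
    return findings


def audit_startup_script(script_text):
    """Scan JAVA_OPTIONS lines for -D flags that disable SSL hostname verification."""
    findings = []
    for match in re.finditer(r'-D([\w.]+)=([^\s"\']+)', script_text):
        name, value = match.group(1), match.group(2)
        if HOSTNAME_CHECK_OFF.get(name) == value.lower():
            findings.append(Finding("high", name, value,
                                    "hostname verification disabled: CN/SAN no longer checked against the peer"))
    return findings


def audit_keytool_command(command):
    """Check a keytool -genkey/-certreq line for a weak key size or signature algorithm."""
    findings = []
    sig = re.search(r"-sigalg\s+(\S+)", command)
    if sig and sig.group(1).lower() in WEAK_SIGALGS:
        findings.append(Finding("high", "-sigalg", sig.group(1),
                                "weak CSR signature algorithm; use SHA256withRSA"))
    size = re.search(r"-keysize\s+(\d+)", command)
    if size and int(size.group(1)) < 2048:
        findings.append(Finding("high", "-keysize", size.group(1), "RSA key shorter than 2048 bits"))
    return findings


# Constructed samples modelled on the thread's postings (placeholder paths and pass phrases).
SAMPLE_NM_PROPERTIES = """\
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityAlias=sslkey
CustomIdentityKeyStoreFileName=/xxx/xxx/xxx/wlserver_10.3/server/lib/IdentKeystore.jks
CustomIdentityKeyStorePassPhrase={3DES}xxx
CustomIdentityKeyStoreType=JKS
CustomIdentityPrivateKeyPassPhrase={3DES}xxx
AuthenticationEnabled=true
ListenAddress=
ListenPort=5556
SecureListener=true
StartScriptEnabled=true
CipherSuite=SSL_RSA_EXPORT_WITH_RC4_40_MD5
"""

SAMPLE_START_SCRIPT = """\
export CLASSPATH
export PATH
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false"
export JAVA_OPTIONS
cd "${NODEMGR_HOME}"
"""

SAMPLE_CSR_COMMAND = ("keytool -certreq -keyalg RSA -keysize 2048 -alias sslkey "
                      "-sigalg MD5WithRSA -keystore IdentKeystore.jks -file NEWSSL.csr")


def audit_all():
    """Run the three audits over the constructed samples and return all findings."""
    return (audit_nodemanager_properties(SAMPLE_NM_PROPERTIES)
            + audit_startup_script(SAMPLE_START_SCRIPT)
            + audit_keytool_command(SAMPLE_CSR_COMMAND))


if __name__ == "__main__":
    for f in audit_all():
        print(f"[{f.severity}] {f.key}={f.value}: {f.reason}")
```

Run against the samples it reports four findings: the export cipher suite, the empty ListenAddress, the hostname-verification flag and the MD5WithRSA signature algorithm. Point `audit_nodemanager_properties` at the real file's contents to check a live Node Manager configuration.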

              • 5. Re: <Security> <BEA-090482> <BAD_CERTIFICATE - Managed Servers' NodeMngr is unreachable
                ssine

                Guys, now I'm getting the below error on the second Managed Server:

                <Jul 7, 2014 12:31:47 PM> <WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?>

                javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?

                       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)

                       at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1429)

                       at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1397)

                       at com.sun.net.ssl.internal.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1336)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngine$7.run(JaSSLEngine.java:174)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:732)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngine.closeInbound(JaSSLEngine.java:172)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngineRunner$Context.fillBufferNetIn(JaSSLEngineRunner.java:337)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngineRunner$Transition_NeedUnwrap.getNextState(JaSSLEngineRunner.java:822)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngineRunner.doTransitions(JaSSLEngineRunner.java:763)

                       at weblogic.security.SSL.jsseadapter.JaSSLEngineRunner.unwrap(JaSSLEngineRunner.java:1122)

                       at weblogic.security.SSL.jsseadapter.JaApplicationReadableByteChannel.read(JaApplicationReadableByteChannel.java:40)

                       at weblogic.security.SSL.jsseadapter.JaChannelInputStream.read(JaChannelInputStream.java:71)

                       at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:264)

                       at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:306)

                       at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:158)

                       at java.io.InputStreamReader.read(InputStreamReader.java:167)

                       at java.io.BufferedReader.fill(BufferedReader.java:136)

                       at java.io.BufferedReader.readLine(BufferedReader.java:299)

                       at java.io.BufferedReader.readLine(BufferedReader.java:362)

                       at weblogic.nodemanager.server.Handler.run(Handler.java:71)

                       at java.lang.Thread.run(Thread.java:662)

                I found the below topic; is that the only way?

                SSL Exception within the Node Manager logs

                This is a known issue.

                Apply patch for BUG 13351178.

                https://updates.oracle.com/download/13351178.html

                Patches are available for WLS 1035 and 1036.

                Fixed Version : 12.1.2

                Does anybody know how to resolve this issue? (without applying patches, just tweaking)