7 Replies Latest reply on May 26, 2016 12:12 AM by handat

    Configure Nodemanager for SSL: - nodemanager error

    makin

      Hi,

       

      I'm trying to configure nodemanager for SSL (as part of the entire SSL configuration) in OBIEE 11g.  Here are the steps I have followed:

       

      1. Stop the Nodemanager service
      2. Update the nodemanager.properties in <MW_HOME>\wlserver_10.3\common\nodemanager folder with Custom Identity Keystore and Custom Trust Keystore information based on Step 1.

       

       

      KeyStores=CustomIdentityAndCustomTrust
      CustomIdentityKeyStoreFileName=<Path to the Keystore>
      CustomIdentityAlias=<Keystore Alias>
      CustomIdentityPrivateKeyPassPhrase=<Key Passphrase>
      CustomTrustKeyStoreFileName=<Path to the Keystore>

       

      Ex:
      KeyStores=CustomIdentityAndCustomTrust
      CustomIdentityKeyStoreFileName=c:\\Oracle\\Middleware\\ssl\\mykeystore.jks
      CustomIdentityAlias=testserver
      CustomIdentityPrivateKeyPassPhrase=Welcome1
      CustomTrustKeyStoreFileName=c:\\Oracle\\Middleware\\ssl\\keystore.jks

       

      My actual changes:

      KeyStores=CustomIdentityAndCustomTrust
      CustomIdentityKeyStoreFileName=D\:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks
      CustomIdentityAlias=rnadbi
      CustomIdentityPrivateKeyPassPhrase={3DES}tr4UdwfKpKGCyZrfDn7Myw==
      CustomTrustKeyStoreFileName=D\:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks

       

      I also changed:

      ListenPort=9556

      to

      ListenPort=5556
      3. Restart the NodeManager.

       

      I can not restart the nodemanager.  Here is the log:

      <May 19, 2016 4:38:09 PM> <INFO> <Loading domains file: D:\oramw\wlserver_10.3\common\nodemanager\nodemanager.domains>
      <May 19, 2016 4:38:11 PM> <INFO> <Loading identity key store: FileName=D:\oramw\user_projects\domains\bifoundation_domain\mykeystore.jks, Type=jks, PassPhraseUsed=false>
      <May 19, 2016 4:38:11 PM> <INFO> <Loaded node manager configuration properties from 'D:\oramw\WLSERV~1.3\common\nodemanager\nodemanager.properties'>
      <May 19, 2016 4:38:11 PM> <INFO> <bifoundation_domain> <bi_server1> <Startup configuration properties loaded from "D:\oramw\user_projects\domains\bifoundation_domain\servers\bi_server1\data\nodemanager\startup.properties">
      <May 19, 2016 4:38:11 PM> <WARNING> <Configuration error while reading domain directory: D:\oramw\user_projects\domains\bifoundation_domain>
      java.io.IOException: Invalid state file format. State file contents:
        at weblogic.nodemanager.common.StateInfo.load(StateInfo.java:135)
        at weblogic.nodemanager.server.AbstractServerMonitor.loadStateInfo(AbstractServerMonitor.java:497)
        at weblogic.nodemanager.server.AbstractServerMonitor.isCleanupAfterCrashNeeded(AbstractServerMonitor.java:156)
        at weblogic.nodemanager.server.ServerMonitor.isCleanupAfterCrashNeeded(ServerMonitor.java:25)
        at weblogic.nodemanager.server.AbstractServerManager.recoverServer(AbstractServerManager.java:147)
        at weblogic.nodemanager.server.ServerManager.recoverServer(ServerManager.java:23)
        at weblogic.nodemanager.server.DomainManager.initialize(DomainManager.java:105)
        at weblogic.nodemanager.server.DomainManager.<init>(DomainManager.java:60)
        at weblogic.nodemanager.server.NMServer.initDomains(NMServer.java:225)
        at weblogic.nodemanager.server.NMServer.start(NMServer.java:197)
        at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
        at weblogic.NodeManager.main(NodeManager.java:31)

      <May 19, 2016 4:38:12 PM> <SEVERE> <Fatal error in node manager server>
      java.lang.RuntimeException: Cannot convert identity certificate
        at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
        at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
        at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
        at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)
        at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)
        at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
        at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
        at weblogic.NodeManager.main(NodeManager.java:31)

       

      ----------------------------------------

      I also added this:

      JAVA_OPTIONS="-Dweblogic.security.SSL.enableJSSE=true ${JAVA_OPTIONS}"

      to the end of the startNodeManager.sh

       

      I have been researching and reading blogs for a few days to no avail.  If you have a suggestion, I'd be happy to try it or change any of my settings.  I appreciate the time you are taking to assist!

        • 1. Re: Configure Nodemanager for SSL: - nodemanager error
          handat

          My actual changes:

          KeyStores=CustomIdentityAndCustomTrust
          CustomIdentityKeyStoreFileName=D\:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks
          CustomIdentityAlias=rnadbi
          CustomIdentityPrivateKeyPassPhrase={3DES}tr4UdwfKpKGCyZrfDn7Myw==
          CustomTrustKeyStoreFileName=D\:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks

           

          Two things are wrong. It is D:\\, not D\:\\

          Also, you need to provide the plain text password, not the encrypted password.

          • 2. Re: Configure Nodemanager for SSL: - nodemanager error
            makin

            Thanks!  I changed the D\:\\ to the D:\\  (I was following the format of the file path the script had used for the log file).  I also typed in the actual password and not the encrypted password and saved.  But when I open it back up to copy and paste here, it is encrypted in the script.  However, I still get errors.

             

            KeyStores=CustomIdentityAndCustomTrust
            CustomIdentityKeyStoreFileName=D:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks
            CustomIdentityAlias=rnadbi
            CustomIdentityPrivateKeyPassPhrase={3DES}tr4UdwfKpKGCyZrfDn7Myw==
            CustomTrustKeyStoreFileName=D:\\oramw\\user_projects\\domains\\bifoundation_domain\\mykeystore.jks

             

            nodemanager.log:

            <May 20, 2016 8:53:36 AM> <INFO> <Loading domains file: D:\oramw\wlserver_10.3\common\nodemanager\nodemanager.domains>
            <May 20, 2016 8:53:38 AM> <INFO> <Loading identity key store: FileName=D:\oramw\user_projects\domains\bifoundation_domain\mykeystore.jks, Type=jks, PassPhraseUsed=false>
            <May 20, 2016 8:53:38 AM> <INFO> <Loaded node manager configuration properties from 'D:\oramw\WLSERV~1.3\common\nodemanager\nodemanager.properties'>
            <May 20, 2016 8:53:38 AM> <INFO> <Upgrade> <Encrypting node manager property: CustomIdentityPrivateKeyPassPhrase>
            <May 20, 2016 8:53:38 AM> <INFO> <Upgrade> <Saving upgraded node manager properties to 'D:\oramw\wlserver_10.3\common\nodemanager\nodemanager.properties'>
            <May 20, 2016 8:53:38 AM> <INFO> <bifoundation_domain> <bi_server1> <Startup configuration properties loaded from "D:\oramw\user_projects\domains\bifoundation_domain\servers\bi_server1\data\nodemanager\startup.properties">
            <May 20, 2016 8:53:38 AM> <WARNING> <Configuration error while reading domain directory: D:\oramw\user_projects\domains\bifoundation_domain>
            java.io.IOException: Invalid state file format. State file contents:
              at weblogic.nodemanager.common.StateInfo.load(StateInfo.java:135)
              at weblogic.nodemanager.server.AbstractServerMonitor.loadStateInfo(AbstractServerMonitor.java:497)
              at weblogic.nodemanager.server.AbstractServerMonitor.isCleanupAfterCrashNeeded(AbstractServerMonitor.java:156)
              at weblogic.nodemanager.server.ServerMonitor.isCleanupAfterCrashNeeded(ServerMonitor.java:25)
              at weblogic.nodemanager.server.AbstractServerManager.recoverServer(AbstractServerManager.java:147)
              at weblogic.nodemanager.server.ServerManager.recoverServer(ServerManager.java:23)
              at weblogic.nodemanager.server.DomainManager.initialize(DomainManager.java:105)
              at weblogic.nodemanager.server.DomainManager.<init>(DomainManager.java:60)
              at weblogic.nodemanager.server.NMServer.initDomains(NMServer.java:225)
              at weblogic.nodemanager.server.NMServer.start(NMServer.java:197)
              at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
              at weblogic.NodeManager.main(NodeManager.java:31)

            <May 20, 2016 8:53:39 AM> <SEVERE> <Fatal error in node manager server>
            java.lang.RuntimeException: Cannot convert identity certificate
              at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
              at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
              at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
              at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)
              at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)
              at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
              at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
              at weblogic.NodeManager.main(NodeManager.java:31)

            • 3. Re: Configure Nodemanager for SSL: - nodemanager error
              handat

              Your passphrase got automatically encrypted, so that is ok. However, you have two problems that need to be resolved. It is complaining about an invalid state file. Remove it. It's a file with a .state extension in your nodemanager directory. The second problem is your certificate. You need to include the intermediate CA certificate in your keystore. Import it as well.

              1 person found this helpful
              • 4. Re: Configure Nodemanager for SSL: - nodemanager error
                makin

                Thank you!  I appreciate your expertise!  I was able to remove the .state file and that error is gone.  I've been looking at my intermediate certificates (I have 2) and I believe they are loaded into the keystore and chained correctly.

                keystoreload.PNG

                keystorechain.PNG

                I do actually have a smaller log file now.  YAY!  I am still researching and trying different changes, but if anyone has suggestions they are welcomed and appreciated!

                 

                nodemanager.log

                <May 23, 2016 3:44:21 PM> <INFO> <Loading domains file: D:\oramw\wlserver_10.3\common\nodemanager\nodemanager.domains>
                <May 23, 2016 3:44:22 PM> <INFO> <Loading identity key store: FileName=D:\oramw\user_projects\domains\bifoundation_domain\mykeystore.jks, Type=jks, PassPhraseUsed=false>
                <May 23, 2016 3:44:22 PM> <INFO> <Loaded node manager configuration properties from 'D:\oramw\WLSERV~1.3\common\nodemanager\nodemanager.properties'>
                <May 23, 2016 3:44:22 PM> <INFO> <bifoundation_domain> <bi_server1> <Startup configuration properties loaded from "D:\oramw\user_projects\domains\bifoundation_domain\servers\bi_server1\data\nodemanager\startup.properties">
                <May 23, 2016 3:44:23 PM> <SEVERE> <Fatal error in node manager server>
                java.lang.RuntimeException: Cannot convert identity certificate
                  at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
                  at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
                  at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
                  at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)
                  at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)
                  at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
                  at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
                  at weblogic.NodeManager.main(NodeManager.java:31)
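
One way to check what replies 3 and 4 discuss, whether the identity alias itself carries the intermediate certificates, is to read the text printed by `keytool -list -v -keystore mykeystore.jks`. This is an added example, not code from the thread; the sample output and its subject names are constructed, and the check compares names only, not signatures.

```python
# Constructed `keytool -list -v` excerpt (subject names are made up): the identity
# alias holds only the leaf; the intermediate sits in a separate trusted entry.
SAMPLE = """\
Alias name: rnadbi
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=bi.example.test
Issuer: CN=Example Issuing CA
Alias name: intermediate
Entry type: trustedCertEntry
Owner: CN=Example Issuing CA
Issuer: CN=Example Root CA
"""

def parse_entries(text):
    """Return {alias: {"type": entry type, "certs": [(owner, issuer), ...]}}."""
    entries, cur, owner = {}, None, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "Alias name":
            cur = entries.setdefault(val, {"type": None, "certs": []})
        elif cur is None:
            continue
        elif key == "Entry type":
            cur["type"] = val
        elif key == "Owner":
            owner = val
        elif key == "Issuer" and owner is not None:
            cur["certs"].append((owner, val))
            owner = None
    return entries

def check_identity_chain(text, alias):
    """Compare names only (no signature check): each issuer must be the next owner."""
    entry = parse_entries(text).get(alias)
    if entry is None:
        return ["alias not found"]
    findings = []
    if entry["type"] != "PrivateKeyEntry":
        findings.append("not a PrivateKeyEntry, so it cannot serve as the identity")
    certs = entry["certs"]
    for (_, issuer), (next_owner, _) in zip(certs, certs[1:]):
        if issuer != next_owner:
            findings.append(f"break: {issuer!r} is followed by {next_owner!r}")
    if certs and certs[-1][0] != certs[-1][1]:
        findings.append(f"chain ends at {certs[-1][0]!r}; issuer {certs[-1][1]!r} not in entry")
    return findings
```

An empty list means the alias's own chain links by name from the leaf up to a self-signed certificate; intermediates that exist only under separate trusted aliases do not count toward it.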

                • 5. Re: Configure Nodemanager for SSL: - nodemanager error
                  handat

                  You are still using the certicom classes for ssl. That could be the problem. Try adding the following: -Dweblogic.ssl.JSSEEnabled=true

                  • 6. Re: Configure Nodemanager for SSL: - nodemanager error
                    makin

                    I am very slowly getting somewhere, I think.  I believe I added the -Dweblogic.ssl.JSSEEnabled=true to the correct spot. 

                     

                    Now, I start the nodemanager using the startnodemanager.cmd and I get the following:

                    <May 25, 2016 11:59:32 AM> <INFO> <Loading domains file: D:\oramw\wlserver_10.3\common\nodemanager\nodemanager.domains>
                    <May 25, 2016 11:59:34 AM> <INFO> <Loading identity key store: FileName=D:\oramw\user_projects\domains\bifoundation_domain\mykeystore.jks, Type=jks, PassPhraseUsed=false>
                    <May 25, 2016 11:59:34 AM> <INFO> <Loaded node manager configuration properties from 'D:\oramw\WLSERV~1.3\common\NODEMA~1\nodemanager.properties'>
                    <May 25, 2016 11:59:34 AM> <INFO> <bifoundation_domain> <bi_server1> <Startup configuration properties loaded from "D:\oramw\user_projects\domains\bifoundation_domain\servers\bi_server1\data\nodemanager\startup.properties">
                    <May 25, 2016 11:59:35 AM> <INFO> <Secure socket listener started on port 5556>
                    <May 25, 2016 12:00:38 PM> <WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLHandshakeException: no cipher suites in common>
                    javax.net.ssl.SSLHandshakeException: no cipher suites in common
                      at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1348)
                      at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519)
                      at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
                      at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1169)

                     

                    This is what I see in the monitoring of the Node Manager Status in the WLS:

                     

                    nodemanagermonitor.PNG

                    • 7. Re: Configure Nodemanager for SSL: - nodemanager error
                      handat

                      <May 25, 2016 12:00:38 PM> <WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLHandshakeException: no cipher suites in common>

                      That's your current problem. Which JDK are you using? Do you maybe have two different JDKs installed with different versions?
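
The three failures worked through in this thread can be picked out of a nodemanager.log mechanically, together with the TLS implementation visible in the stack frames (the Certicom versus JSSE distinction made in reply 5). This is an added example, not code from the thread; the sample is a shortened excerpt of the log lines quoted above, and the finding names are made up for illustration.

```python
import re

# Shortened excerpt of the log lines quoted in this thread.
SAMPLE_LOG = r"""<May 19, 2016 4:38:11 PM> <WARNING> <Configuration error while reading domain directory: D:\oramw\user_projects\domains\bifoundation_domain>
java.io.IOException: Invalid state file format. State file contents:
<May 19, 2016 4:38:12 PM> <SEVERE> <Fatal error in node manager server>
java.lang.RuntimeException: Cannot convert identity certificate
  at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
<May 25, 2016 11:59:35 AM> <INFO> <Secure socket listener started on port 5556>
<May 25, 2016 12:00:38 PM> <WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLHandshakeException: no cipher suites in common>
javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1348)
"""

RECORD = re.compile(r"^<(?P<ts>[^>]+)> <(?P<level>[A-Z]+)> <(?P<msg>.*)>\s*$")

# Error text -> (finding id, next step suggested in the replies above).
SIGNATURES = {
    "Invalid state file format": ("stale-state-file", "remove the .state file"),
    "Cannot convert identity certificate": ("identity-chain", "check the keystore's certificate chain"),
    "no cipher suites in common": ("cipher-mismatch", "compare the JDKs on both sides"),
}

def parse_records(text):
    """Attach exception and stack lines to the <timestamp> <LEVEL> <message> line before them."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            records.append({**m.groupdict(), "trace": []})
        elif records and line.strip():
            records[-1]["trace"].append(line.strip())
    return records

def ssl_stack(trace):
    """Name the TLS implementation seen in the stack frames, or None."""
    for prefix, name in (("at com.certicom.", "certicom"), ("at sun.security.ssl.", "jsse")):
        if any(t.startswith(prefix) for t in trace):
            return name
    return None

def triage(text):
    """Return (timestamp, finding id, TLS stack, next step) per WARNING/SEVERE record."""
    findings = []
    for rec in parse_records(text):
        body = "\n".join([rec["msg"], *rec["trace"]])
        for needle, (fid, step) in SIGNATURES.items():
            if rec["level"] in ("WARNING", "SEVERE") and needle in body:
                findings.append((rec["ts"], fid, ssl_stack(rec["trace"]), step))
    return findings
```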