2 Replies Latest reply on Sep 22, 2003 8:42 PM by 3004

    SSL private key password

    3004
      Hello everyone,

      I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2
      with WLP 7.0 SP2. Everything is fine except that we cannot use the same
      SSL certificate. By default the private key is not encrypted with a password
      (SSL.KeyEncrypted = false by default, according to the documentation) in
      both WLS 6.1 and WLS 7.0. But running the WLS 7.0 startup script results in
      the following error:

      <Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297> <Inconsistent security configuration, java.lang.Exception: Cannot read private key from file C:\bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid.>
      java.lang.Exception: Cannot read private key from file C:\bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid.
          at weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.java:434)
          at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
          at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
          at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
          at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
          at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
          at weblogic.Server.main(Server.java:32)

      Is this happening because the private key is actually encrypted with the
      password? It was working, although the KeyEncrypted is not set to true and
      the startup script for WLS 6.1 instance did have a line
      with -Dweblogic.management.pkpassword. Or could this error be the result of
      something else? The physical machine the instances are located on is the same
      and the IP address and the DNS entry haven't been changed, either.

      Any insight will be greatly appreciated. Thanks!

      Makoto



        • 1. Re: SSL private key password
          3004
          It may be because the private key is both unprotected and in DER format.

          There are some things to try:
          1) Convert the private key file from a DER file to a PEM file and try that:
             a) Follow the instructions for converting an unprotected private key at:
                http://e-docs.bea.com/wls/docs70/adminguide/utils.html#1143743
             b) Look at the resulting PEM file; it should look something like this:
                -----BEGIN RSA PRIVATE KEY-----
                ...
                -----END RSA PRIVATE KEY-----
                (Be sure there are no extra lines or whitespace after the footer)
             c) Change your configuration to point at the PEM file

          If that doesn't work, then you can try protecting the key with a password
          using the wlkeytool utility (it should be in the server/bin directory). The
          tool should prompt for a password to use to protect it:

          wlkeytool inputkey.pem outputkey.pem

          Then change your configuration to use the protected private key, and set
          the password to use.

          Tony
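
The checks described in the reply above (DER versus PEM, password-protected or not, nothing after the footer) can be scripted before pointing the server at a key file. The following Python is an added example, not part of the original thread and not WebLogic's own tooling; the function names are hypothetical and the sample bytes are a constructed ASN.1 skeleton, not a usable key. It goes slightly beyond the reply by also recognising PKCS#8 keys, which use a `PRIVATE KEY` label rather than `RSA PRIVATE KEY`.

```python
import base64
import re

# Constructed, structure-only sample: SEQUENCE { INTEGER 0, INTEGER 5, INTEGER 3 }.
SAMPLE_PKCS1_DER = bytes.fromhex("3009020100020105020103")

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_kind(der):
    """Classify a DER private key from its first ASN.1 elements."""
    if len(der) < 8 or der[0] != 0x30:           # must open with a SEQUENCE
        return "not-der"
    i = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)  # skip short/long-form length
    if der[i:i + 1] == b"\x30":                  # SEQUENCE first: EncryptedPrivateKeyInfo
        return "pkcs8-encrypted"
    if der[i:i + 3] != b"\x02\x01\x00":          # otherwise expect INTEGER version 0
        return "unknown"
    # After the version: INTEGER (modulus) means PKCS#1, SEQUENCE (algorithm) means PKCS#8.
    return {b"\x02": "pkcs1-rsa", b"\x30": "pkcs8"}.get(der[i + 3:i + 4], "unknown")

def der_to_pem(der):
    """Wrap an unprotected DER key in the PEM armor matching its structure."""
    label = {"pkcs1-rsa": "RSA PRIVATE KEY", "pkcs8": "PRIVATE KEY"}.get(der_kind(der))
    if label is None:
        raise ValueError("not an unprotected PKCS#1/PKCS#8 DER key")
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

def inspect_key(data):
    """Report container format, password protection and junk after the footer."""
    m = PEM_RE.search(data)
    if m is None:
        kind = der_kind(data)
        return {"format": "DER" if kind != "not-der" else "unknown",
                "encrypted": kind == "pkcs8-encrypted", "trailing": False}
    label, body = m.group(1), m.group(2)
    encrypted = label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body
    trailing = data[m.end():] not in (b"", b"\n", b"\r\n")  # only one newline allowed
    return {"format": "PEM", "encrypted": encrypted, "trailing": trailing}

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_PKCS1_DER)
    print(pem.decode(), inspect_key(SAMPLE_PKCS1_DER), inspect_key(pem))
    print(inspect_key(pem + b"  \n\n"))  # whitespace after the footer is flagged
```
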




          • 2. Re: SSL private key password
            3004
            Thanks Tony - it worked!!

