0 Replies Latest reply on Sep 29, 2002 8:22 PM by 3004

    self-signed certificate generated by keytool doesn't work in Weblogic 7

    3004

      We have a keystore file generated by keytool, which includes a private key and
      a self-signed certificate. It works fine in JBoss, but never works in Weblogic;
      the version we are using is 7.
      The procedure is as follows:
      1. Generate a keystore file test.keystore by "keytool -genkey -keystore test.keystore
      -alias weblogic -keypass test.123".
      2. Rename it to wlDefaultKeyStore.jks and put it under domain home directory,
      since this is the default file used by weblogic to get private key.
      3. Since weblogic only gets the private key from the keystore file, I need to provide
      the server certificate file (mentioned in http://edocs.bea.com/wls/docs70/secmanage/ssl.html#1167401).
      What I did is export the certificate file from the keystore file by "keytool -export
      -keystore test.keystore -alias weblogic -keypass test.123 -file testcert.der".
      4. Then I go to the admin console, specify the alias as "weblogic", server private
      key passphrase as "test.123", server certificate file name as "testcert.der". However,
      I don't know how to specify the "Trust CA File Name" since I'm using a self-signed
      certificate.
      5. Then I reboot server, the following exception comes out on the server console:
      ---------------------------------------------------------
      <Sep 27, 2002 8:14:51 PM PDT> <Notice> <Security> <090092> <SSL will load trusted
      CAs from the JDK cacerts KeyStore: c:\jdk1.3.1\jre\lib\security\cacerts for realm
      myrealm on server insight.>
      weblogic.security.CipherException: java.lang.NullPointerException
      at weblogic.security.RSApkcs1.decrypt(RSApkcs1.java:251)
      at weblogic.security.RSAMDSignature.verifyRSAMDSignature.java:89)
      at weblogic.security.X509.verifySignature(X509.java:246)
      at weblogic.t3.srvr.SSLListenThread.<init>SSLListenThread.java:559)
      at weblogic.t3.srvr.SSLListenThread.<init>SSLListenThread.java:288)
      at weblogic.t3.srvr.T3Srvr.initializeListenThreadsT3Srvr.java:1519)
      at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:858)
      at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:294)
      at weblogic.Server.main(Server.java:31)
      <Sep 27, 2002 8:14:52 PM PDT> <Alert> <WebLogicServer> <000297> <Inconsistent
      security configuration, weblogic.security.AuthenticationException: java.lang.NullPointerException
      possibly incorrect SSLServerCertificateChainFileName set for this server certificate>weblogic.security.AuthenticationException:
      java.lang.NullPointerException possibly incorrect SSLServerCertificateChainFileName
      set for this server certificate at weblogic.security.X509.verifySignature(X509.java:254)
      at weblogic.t3.srvr.SSLListenThread.<init>SSLListenThread.java:559)
      at weblogic.t3.srvr.SSLListenThread.<init>SSLListenThread.java:288)
      at weblogic.t3.srvr.T3Srvr.initializeListenThreadsT3Srvr.java:1519)
      at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:858)
      at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:294)
      at weblogic.Server.main(Server.java:31)
      <Sep 27, 2002 8:14:52 PM PDT> <Emergency> <Security> <090034> <Not listening for
      SSL, java.io.IOException: Inconsistent security configuration, weblogic.security.AuthenticationException:
      java.lang.NullPointerException possibly incorrect SSL
      ServerCertificateChainFileName set for this server certificate.>
      -----------------------------------------------------------
      From the exception, it says I provided an incorrect CertificateChainFileName, which
      is never mentioned in the manual. I did try to point it to the certificate file,
      but it failed again.
      I suspect that in step 3, the way I generated the certificate file is not accepted
      by weblogic, because when I used the tools provided by BEA, CertGen and ImportPrivateKey,
      to generate a keystore, it never gave me the same complaint.
      Could anybody point out what's wrong with those steps? I've already spent almost
      one week on this issue, and it has made me crazy already. Any input will be greatly
      appreciated.

      Ryan
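
The trace above fails in RSA code (`RSApkcs1.decrypt` under `X509.verifySignature`), while the `keytool -genkey` command in step 1 has no `-keyalg` option and keytool of that JDK generation then creates a DSA key pair, so it is worth checking which algorithms testcert.der actually carries. The following Python is an added example, not part of the original post and not a confirmed diagnosis of it; it parses a DER certificate with the standard library only, and the function names are illustrative.

```python
# Added example (not from the post): algorithms in a DER X.509 certificate.
import sys

OIDS = {  # well-known algorithm object identifiers
    "1.2.840.10040.4.1": "DSA", "1.2.840.10040.4.3": "SHA1withDSA",
    "1.2.840.113549.1.1.1": "RSA", "1.2.840.113549.1.1.4": "MD5withRSA",
    "1.2.840.113549.1.1.5": "SHA1withRSA",
}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def oid_name(raw):
    """Decode an OBJECT IDENTIFIER body; return its name, or dotted form if unknown."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear marks the last byte of an arc
            arcs.append(n)
            n = 0
    dotted = ".".join(map(str, arcs))
    return OIDS.get(dotted, dotted)

def cert_algorithms(der):
    """Return key algorithm, signature algorithm, and whether issuer == subject."""
    tbs, sig_alg, _sig = children(read_tlv(der)[1])
    f = children(tbs[1])
    f = f[1:] if f[0][0] == 0xA0 else f   # skip optional [0] version (absent in v1)
    issuer, subject, spki = f[2], f[4], f[5]  # f = serial, sigAlg, issuer, validity, subject, SPKI
    key_oid = children(children(spki[1])[0][1])[0][1]
    return {"key": oid_name(key_oid),
            "signature": oid_name(children(sig_alg[1])[0][1]),
            "self_issued": issuer[1] == subject[1]}

if __name__ == "__main__" and len(sys.argv) == 2:
    print(cert_algorithms(open(sys.argv[1], "rb").read()))
```

Saved under a hypothetical name such as cert_algs.py, it is run as `python cert_algs.py testcert.der`; `keytool -printcert -file testcert.der` reports the same fields.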