While enabling SSL in Oracle WebLogic, you may see the error <Cannot convert identity certificate>, mostly when your WebLogic version is 10.3.2 or lower. The server log looks like this:
<Jan 28, 2025 8:33:06 AM CET> <Debug> <SecuritySSL> <BEA-000000> <Cannot convert identity certificate
java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11
        at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
        at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
        at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
        at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
        at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:147)
        at weblogic.security.utils.SSLContextManager.createServerSSLContext(SSLContextManager.java:410)
        at weblogic.security.utils.SSLContextManager.getChannelSSLContext(SSLContextManager.java:356)
        at weblogic.security.utils.SSLContextManager.getSSLServerSocketFactory(SSLContextManager.java:94
        at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:59)
        at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:296)
        at weblogic.server.channels.DynamicListenThreadManager.start(DynamicListenThreadManager.java:133)
        at weblogic.t3.srvr.ListenerService.bindListeners(ListenerService.java:46)
        at weblogic.t3.srvr.EnableListenersHelper.start(EnableListenersHelper.java:47)
        at weblogic.t3.srvr.EnableListenersService.start(EnableListenersService.java:20)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
>
<Jan 28, 2025 8:33:06 AM CET> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.lang.RuntimeException: Cannot convert identity certificate>
<Jan 28, 2025 8:33:06 AM CET> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: Cannot convert identity certificate.>
<Jan 28, 2025 8:33:06 AM CET> <Info> <Server> <BEA-002610> <Dynamic Listener Service initialized.>
Cause:
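Older WebLogic versions (10.3.2 and below) use the "Certicom SSL" library, which has a 128-bit encryption limit. This means certificates with stronger encryption will fail to work. The OID named in the exception, 1.2.840.113549.1.1.11, identifies sha256WithRSAEncryption (an RSA signature over a SHA-256 digest), which the Certicom certificate parser does not recognize. Newer versions (10.3.3 to 12.1.1) provide the JSSE option, but Certicom SSL is still the default.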
Solution:
The solution is simple: enable the JSSE option when implementing SSL with WebLogic. Follow the steps below:
1) Log in to your admin console: http://localhost:7001/console OR https://localhost:7002/console
2) Navigate to Servers and choose the server on which you were trying to enable SSL.
3) Go to the "SSL" tab, then open Advanced Settings.
4) Click "Lock and Edit" and check the "Use JSSE SSL" option.
5) Save your changes and restart the component. It should work fine afterwards.
I hope this helps!