Disable hostname verification in WLS

You may encounter this error:

WARNING: Uncaught exception in server handler
javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from soa11g - 192.168.2.20. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from soa11g - 192.168.2.20. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)

This is because the default (generated) identity certificate is a demo certificate: it is signed by the demo CA (CN=CACERT, OU=FOR TESTING ONLY) and its subject does not name the host the peer is actually talking to (here soa11g / 192.168.2.20), so the peer's hostname verification rejects the chain and answers with a BAD_CERTIFICATE alert. On your *development* platform only, you can disable hostname verification for each server in the Administration Console under Environment / Servers / <server> / Configuration / SSL, click Advanced and set Hostname Verification to None (this is the HostnameVerificationIgnored attribute of the server's SSL MBean). Be clear about what this removes: without the check, a client accepts any certificate that chains to a trusted CA no matter which host presents it, which is exactly the position a man-in-the-middle needs. Outside development the fix is a certificate whose CN or subjectAltName matches the host name, installed in a custom identity keystore with its issuing CA in the trust keystore.

Official Solution: http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/security/DisableHostNameVerification.html
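To make concrete what the setting above switches off, here is an added example (not code from the post or from WebLogic) that re-implements the name check a TLS client performs before accepting a server certificate, and models the HostnameVerificationIgnored switch on top of it. The certificate contents are constructed: the demo identity certificate is assumed to carry CN=localhost (the real one carries the host name of the machine it was generated on, which equally is not the peer's name "soa11g"), and the corrected certificate for soa11g with its DNS name and the IP 192.168.2.20 is likewise an assumption.

```python
"""Hostname verification, the check the post turns off.

Added example for this page; not code from the original post or from
WebLogic. It re-implements the matching a TLS client performs before it
accepts a server certificate for the host it dialled (RFC 6125 rules:
subjectAltName dNSName/iPAddress entries first, subject CN only as a
legacy fallback when the certificate has no SAN), then models what the
"Hostname Verification: None" setting does to that check.
"""
import ipaddress
from typing import Dict, Tuple


def match_dns(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or CN) pattern against a host name.

    Case-insensitive, trailing dot ignored. A single '*' is accepted only as
    the whole leftmost label, it matches exactly one label, and the pattern
    must keep at least two literal labels so '*.com' cannot match every host.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname(cert: Dict, hostname: str) -> Tuple[bool, str]:
    """Decide whether `cert` is valid for `hostname`; returns (ok, reason).

    `cert` uses the layout of ssl.SSLSocket.getpeercert():
      {'subject': ((('commonName', 'x'),), ...),
       'subjectAltName': (('DNS', 'x'), ('IP Address', '192.0.2.1'))}
    """
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # A client that dialled an IP literal needs an iPAddress SAN; the CN
        # is never consulted for IP addresses.
        for v in ip_names:
            if ipaddress.ip_address(v) == wanted_ip:
                return True, f"iPAddress SAN {v} matches {hostname}"
        return False, f"no iPAddress SAN for {hostname} (present: {ip_names})"

    if dns_names:
        for d in dns_names:
            if match_dns(d, hostname):
                return True, f"dNSName SAN {d!r} matches {hostname}"
        return False, f"no dNSName SAN matches {hostname} (present: {dns_names})"

    # Legacy fallback: subject CN, only because the certificate has no SAN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for cn in cns:
        if match_dns(cn, hostname):
            return True, f"subject CN {cn!r} matches {hostname} (no SAN present)"
    return False, f"subject CN {cns} does not match {hostname} and no SAN present"


def accept_peer(cert: Dict, hostname: str, hostname_verification_ignored: bool) -> Tuple[bool, str]:
    """Model of the WebLogic setting: with HostnameVerificationIgnored=true the
    name check is skipped, so any certificate chaining to a trusted CA is
    accepted for any host, which is what a man-in-the-middle needs."""
    if hostname_verification_ignored:
        return True, "hostname verification disabled: name not checked"
    return verify_hostname(cert, hostname)


# Constructed data (assumption): the demo identity certificate carries
# CN=localhost. The real one carries the host name of the install machine,
# which is equally not the peer's name.
DEMO_IDENTITY_CERT = {
    "subject": (
        (("commonName", "localhost"),),
        (("organizationalUnitName", "FOR TESTING ONLY"),),
        (("organizationName", "MyOrganization"),),
    ),
}

# Constructed certificate issued for the actual host, the non-development fix.
SOA11G_CERT = {
    "subject": ((("commonName", "soa11g"),),),
    "subjectAltName": (("DNS", "soa11g"), ("IP Address", "192.168.2.20")),
}

if __name__ == "__main__":
    for cert, name in [(DEMO_IDENTITY_CERT, "soa11g"), (DEMO_IDENTITY_CERT, "192.168.2.20"),
                       (SOA11G_CERT, "soa11g"), (SOA11G_CERT, "192.168.2.20")]:
        print(name, accept_peer(cert, name, False))
    print("verification off:", accept_peer(DEMO_IDENTITY_CERT, "soa11g", True))
```

Run it to see the demo certificate rejected for soa11g and for 192.168.2.20, the host-specific certificate accepted for both, and, with the switch on, the demo certificate accepted for any name: that last line is the exposure behind the "development only" advice.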


After restarting the WLS Admin Server you will see the following in the AdminServer log file. Note the BEA-090152 alert: the server runs in Production Mode but still trusts the demo CA (a 512-bit RSA key, signed with MD5withRSA). Note also the BEA-090898 notices: roots from the JDK cacerts are dropped from the trust list because this SSL implementation does not understand their signature algorithm OID (1.2.840.113549.1.1.11 is sha256WithRSAEncryption, 1.2.840.10045.4.3.3 is ecdsa-with-SHA384), so anything chaining to those CAs will not be trusted either:

<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file /data/middleware/mid70/wlserver_10.3/server/lib/DemoIdentity.jks.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /data/middleware/mid70/wlserver_10.3/server/lib/DemoTrust.jks.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /usr/java/jdk1.7.0_15/jre/lib/security/cacerts.>
<Oct 19, 2013 3:45:19 PM CEST> <Alert> <Security> <BEA-090152> <Demo trusted CA certificate is being used in production mode: [
[
Version: V3
Subject: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

Key:  Sun RSA public key, 512 bits
modulus: 9550192877869244258838480703390456015046425375252278279190673063544122510925482179963329236052146047356415957587628011282484772458983977898996276815440753
public exponent: 65537
Validity: [From: Thu Mar 21 21:12:27 CET 2002,
To: Tue Mar 22 21:12:27 CET 2022]
Issuer: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
SerialNumber: [    33f10648 fcde0deb 4199921f d64537f4]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
]

]
Algorithm: [MD5withRSA]
Signature:
0000: 9D 26 4C 29 C8 91 C3 A7   06 C3 24 6F AE B4 F8 82  .&L)......$o....
0010: 80 4D AA CB 7C 79 46 84   81 C4 66 95 F4 1E D8 C4  .M...yF...f.....
0020: E9 B7 D9 7C E2 23 33 A4   B7 21 E0 AA 54 2B 4A FF  .....#3..!..T+J.
0030: CB 21 20 88 81 21 DB AC   90 54 D8 7D 79 63 23 3C  .! ..!...T..yc#<

] The system is vulnerable to security attacks, since it trusts certificates signed by the demo trusted CA.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See http://www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G2,OU=(c) 2007 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.10045.4.3.3.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU=(c) 2007 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.10045.4.3.3.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.10045.4.3.3.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 192.168.2.20:7702 for protocols iiops, t3s, ldaps, https.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 192.168.2.20:7701 for protocols iiop, t3, ldap, snmp, http.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <WebLogicServer> <BEA-000329> <Started WebLogic Admin Server "AdminServer" for domain "mid70_domain" running in Production Mode>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
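The log above is worth auditing rather than scrolling past: BEA-090152 means the demo CA is still in the trust store of a Production Mode server, and every BEA-090898 is a public root the server will refuse to trust at runtime because its signature algorithm is not understood by the SSL stack in use (WebLogic 10.3.3 and later can be switched to the JDK's JSSE provider with the weblogic.security.SSL.enableJSSE system property, which does parse these algorithms). Below is an added example, not code from the post or from WebLogic, that parses records of the format shown, joins the continuation lines of the multi-line BEA-090152 dump, and reports those findings. The sample records are constructed, shortened copies of the lines above; the OID names are the PKIX registrations from RFC 4055 and RFC 5758.

```python
"""Triage of WebLogic server log records for SSL trust problems.

Added example for this page, not part of the original post or of WebLogic.
It parses records of the '<ts> <severity> <subsystem> <BEA-id> <message>'
format, joins continuation lines (the certificate dump inside BEA-090152),
and reports: BEA-090152 (demo trusted CA in use while in production mode)
and BEA-090898 (a trusted CA dropped because its signature-algorithm OID
is not understood). The sample log is constructed from the post's lines.
"""
import re
from typing import Dict, List

# Signature-algorithm OIDs appearing in the post (RFC 4055 / RFC 5758 names).
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

# A record starts with a '<Mon d, yyyy ...>' timestamp; any line without one
# continues the previous record.
RECORD_START = re.compile(r"^<[A-Z][a-z]{2} \d{1,2}, \d{4} ")
RECORD_RE = re.compile(
    r"^<(?P<ts>[^>]+)> <(?P<sev>[^>]+)> <(?P<subsys>[^>]+)> <(?P<id>BEA-\d+)> <(?P<msg>.*)>$",
    re.S,
)
# Accepts straight or typographic quotes around the DN, as blog engines rewrite them.
IGNORED_CA_RE = re.compile(
    r'Ignoring the trusted CA certificate ["“](?P<dn>[^"”]+)["”].*?'
    r"Unsupported OID in the AlgorithmIdentifier object: (?P<oid>\d+(?:\.\d+)+)",
    re.S,
)


def parse_records(log_text: str) -> List[Dict[str, str]]:
    """Split raw log text into records and return the parsed fields of each."""
    chunks: List[List[str]] = []
    for line in log_text.splitlines():
        if RECORD_START.match(line):
            chunks.append([line])
        elif chunks:
            chunks[-1].append(line)  # continuation of a multi-line message
    records = []
    for chunk in chunks:
        m = RECORD_RE.match("\n".join(chunk))
        if m:
            records.append(m.groupdict())
    return records


def triage(log_text: str) -> Dict:
    """Return {'production_mode': bool, 'findings': [...]} for the log text."""
    production_mode = False
    findings = []
    for rec in parse_records(log_text):
        mid, msg = rec["id"], rec["msg"]
        if mid == "BEA-000329" and "Production Mode" in msg:
            production_mode = True
        elif mid == "BEA-090152":
            # Pull key size and signature algorithm out of the embedded cert dump.
            algo = re.search(r"Signature Algorithm: (\S+),", msg)
            bits = re.search(r"(\d+) bits", msg)
            findings.append({
                "id": mid, "severity": "high",
                "detail": "demo trusted CA in the trust store while in production mode "
                          f"(key {bits.group(1) if bits else '?'} bits, "
                          f"signature {algo.group(1) if algo else '?'})",
            })
        elif mid == "BEA-090898":
            m = IGNORED_CA_RE.search(msg)
            if m:
                findings.append({
                    "id": mid, "severity": "medium",
                    "detail": f"trusted CA dropped, so not trusted at runtime: {m['dn']} "
                              f"(signature OID {m['oid']} = {OID_NAMES.get(m['oid'], 'unknown')})",
                })
    return {"production_mode": production_mode, "findings": findings}


# Constructed sample: shortened copies of records from the post.
SAMPLE_LOG = r"""<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /usr/java/jdk1.7.0_15/jre/lib/security/cacerts.>
<Oct 19, 2013 3:45:19 PM CEST> <Alert> <Security> <BEA-090152> <Demo trusted CA certificate is being used in production mode: [
[
Version: V3
Subject: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key:  Sun RSA public key, 512 bits
] The system is vulnerable to security attacks, since it trusts certificates signed by the demo trusted CA.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G2,OU=(c) 2007 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.10045.4.3.3.>
<Oct 19, 2013 3:45:19 PM CEST> <Notice> <WebLogicServer> <BEA-000329> <Started WebLogic Admin Server "AdminServer" for domain "mid70_domain" running in Production Mode>
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("production mode:", result["production_mode"])
    for f in result["findings"]:
        print(f"[{f['severity']}] {f['id']}: {f['detail']}")
```

Point it at a real AdminServer.log (read the file and pass the text to triage) to get the same summary; a BEA-090152 finding on a Production Mode server means DemoTrust.jks is still configured as the trust keystore and should be replaced by a custom trust store containing only the CAs you actually rely on.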


About Chenda Mok

19 years of hands-on experience in software design and development, with emphasis on Enterprise Application Integration (EAI), Services Oriented Architecture (SOA) and Identity Management (IDM) solutions. I'm a software engineer and a member of the professional service delivery team working for Salesforce. Prior to this, I worked for Oracle as a Solution Architect, through SeeBeyond (06/2005), then SUN's acquisition (04/2009). After my master's degree in computer science in 1997, I have always delivered consulting on architecture, design and implementation in the integration field. I'm interested in architecture using EAI/SOA/IDM/BPM/Cloud technologies, software development and Java-related technologies. I may blog about my work/activities at Salesforce, but I do not speak for my employer, past, present or future.
This entry was posted in Administration, Weblogic Server.