Signature algorithm problem when enabling SSL with the WebLogic demo certificate

The project required the HTTP messages in transit to be encrypted, so we considered using the 128-bit SSL secure transport protocol, i.e. HTTPS.

Because the application runs in the WebLogic container, we enabled its SSL listener from the console and used the demo certificate that ships with WebLogic. This worked without problems on Windows and Red Hat Linux, but deploying on AIX ran into the following problem:

<Oct 10, 2011 2:35:37 PM CDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /bea/wls103/wlserver_10.3/server/lib/DemoTrust.jks.> 
<Oct 10, 2011 2:35:37 PM CDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /usr/java6_64/jre/lib/security/cacerts.> 
<Oct 10, 2011 2:35:37 PM CDT> <Alert> <Security> <BEA-090152> <Demo trusted CA certificate is being used in production mode: [
[
  Version: V3
  Subject: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  IBMJCE RSA Public Key:
modulus:
9550192877869244258838480703390456015046425375252278279190673063544122510925482179963329236052146047356415957587628011282484772458983977898996276815440753
public exponent:
65537

  Validity: [From: Thu Mar 21 14:12:27 CST 2002,
               To: Tue Mar 22 15:12:27 CDT 2022]
  Issuer: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
  SerialNumber: [69042098805081595651034369680212310004]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
]

]
  Algorithm: [MD5withRSA]
  Signature:
0000: 9d 26 4c 29 c8 91 c3 a7  06 c3 24 6f ae b4 f8 82  ..L........o....
0010: 80 4d aa cb 7c 79 46 84  81 c4 66 95 f4 1e d8 c4  .M...yF...f.....
0020: e9 b7 d9 7c e2 23 33 a4  b7 21 e0 aa 54 2b 4a ff  ......3.....T.J.
0030: cb 21 20 88 81 21 db ac  90 54 d8 7d 79 63 23 3c  .........T..yc..

] The system is vulnerable to security attacks, since it trusts certificates signed by the demo trusted CA.> 
<Oct 10, 2011 2:35:37 PM CDT> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11> 
<Oct 10, 2011 2:35:37 PM CDT> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.> 

Root cause:

Searching online showed the cause: AIX uses IBM's JDK, and some CA root certificates in jre/lib/security/cacerts are signed with algorithms that WebLogic does not support; in other words, the JDK and WebLogic are mismatched. On Linux or Windows, WebLogic ships with its own JDK, so the two match and the signature algorithm problem does not arise. So it cannot be called an IBM JDK problem as such: any JDK version that is mismatched with WebLogic can produce this kind of problem.

Solution:

Delete from cacerts the certificates whose signature algorithm WebLogic does not support.

Looking up OID 1.2.840.113549.1.1.11 shows that it is the sha256WithRSA algorithm, so delete the CA certificates signed with sha256WithRSA.

keytool -delete -keystore ../lib/security/cacerts -alias ttelesecglobalrootclass2ca -storepass changeit
keytool -delete -keystore ../lib/security/cacerts -alias ttelesecglobalrootclass3ca -storepass changeit
keytool -delete -keystore ../lib/security/cacerts -alias keynectisrootca -storepass changeit
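The aliases above were found by hand. As an added example (not code from the original post, and not an Oracle or IBM tool), the script below does the two lookups the post describes in code: it decodes the DER-encoded OID quoted in the BEA-000297 / BEA-090034 messages into dotted form and maps it to the signature algorithm name that keytool prints, and it scans the text of `keytool -list -v` to find every entry signed with an unsupported algorithm and emits the matching `keytool -delete` line. The listing it runs on is a constructed sample in the shape of keytool output, not a dump of a real cacerts file; the `Signature algorithm name:` label it matches on is assumed to be what the keytool in use prints.

```python
import re

# PKCS#1 signature-algorithm OIDs and the names keytool prints for them.
PKCS1_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "MD5withRSA",
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
}


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form.

    `content` excludes the 0x06 tag and the length byte. The first octet
    packs the first two arcs as 40*x + y; each later arc is base-128, with
    the high bit set on every octet except the last one of that arc.
    """
    if not content:
        raise ValueError("empty OID")
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value, pending = 0, False
    for octet in content[1:]:
        value = (value << 7) | (octet & 0x7F)
        pending = bool(octet & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID: last sub-identifier is incomplete")
    return ".".join(str(a) for a in arcs)


def oid_to_name(dotted: str) -> str:
    return PKCS1_SIG_OIDS.get(dotted, "unknown")


def find_entries_by_sigalg(listing: str, unsupported=("SHA256withRSA",)):
    """Scan `keytool -list -v` text; return (alias, sigalg) for each entry
    whose 'Signature algorithm name' is in `unsupported`."""
    hits = []
    # keytool starts every entry with an 'Alias name:' line, so splitting on
    # it confines the search for the algorithm line to one entry at a time.
    for block in re.split(r"(?m)^Alias name:[ \t]*", listing)[1:]:
        alias = block.split("\n", 1)[0].strip()
        m = re.search(r"Signature algorithm name:[ \t]*(\S+)", block)
        if m and m.group(1) in unsupported:
            hits.append((alias, m.group(1)))
    return hits


def delete_commands(hits, keystore="../lib/security/cacerts", storepass="changeit"):
    """Render one `keytool -delete` line per hit, in the form the post uses."""
    return [
        f"keytool -delete -keystore {keystore} -alias {alias} -storepass {storepass}"
        for alias, _ in hits
    ]


# Constructed sample in the shape of `keytool -list -v` output; the DNs and
# the 'examplesha1rootca' alias are made up, the other aliases are the ones
# the post deletes.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: IBMJCE

Your keystore contains 3 entries

Alias name: ttelesecglobalrootclass2ca
Entry type: trustedCertEntry

Owner: CN=Constructed Root 1, O=Example, C=DE
Issuer: CN=Constructed Root 1, O=Example, C=DE
Signature algorithm name: SHA256withRSA

*******************************************

Alias name: examplesha1rootca
Entry type: trustedCertEntry

Owner: CN=Constructed Root 2, O=Example, C=US
Issuer: CN=Constructed Root 2, O=Example, C=US
Signature algorithm name: SHA1withRSA

*******************************************

Alias name: keynectisrootca
Entry type: trustedCertEntry

Owner: CN=Constructed Root 3, O=Example, C=FR
Issuer: CN=Constructed Root 3, O=Example, C=FR
Signature algorithm name: SHA256withRSA
"""


if __name__ == "__main__":
    # The OID from the error message, DER-encoded by hand: 2a 86 48 86 f7 0d 01 01 0b
    oid = decode_oid(bytes.fromhex("2a864886f70d01010b"))
    print(oid, "->", oid_to_name(oid))
    for cmd in delete_commands(find_entries_by_sigalg(SAMPLE_LISTING)):
        print(cmd)
```

To use it against a real keystore, capture `keytool -list -v -keystore ../lib/security/cacerts -storepass changeit` to a file and pass its text to `find_entries_by_sigalg` instead of the sample; the `unsupported` tuple can be widened if the next start-up complains about a different OID. Copy cacerts aside before running the generated delete lines, since every root removed is one the JVM will no longer trust for its own outbound TLS connections.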
