Node Manager fails to start with "Cannot convert identity certificate"

I was recently configuring a WebLogic cluster. Starting Node Manager failed with the following error:

<2014-9-26 10:46:42> <SEVERE> <Fatal error in node manager server>
java.lang.RuntimeException: Cannot convert identity certificate
        at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
        at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
        at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
        at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)
        at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)
        at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
        at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
        at weblogic.NodeManager.main(NodeManager.java:31)

Turn on SSL debugging so the real cause is logged:

On Windows: set JAVA_OPTIONS=-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true %JAVA_OPTIONS%

On Linux: JAVA_OPTIONS="-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true ${JAVA_OPTIONS}"


After restarting the service, the log now shows the underlying exception:

<2014-9-26 上午10时46分41秒 CST> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true> 
<2014-9-26 上午10时46分42秒 CST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Use Certicom SSL with Domestic strength> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Empty CA List is enabled :false> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE KeyAgreement: SunJCE version 1.6 for algorithm DiffieHellman> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default KeyAgreement for algorithm DiffieHellman> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default KeyAgreement for algorithm ECDH> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm DESede/CBC/NoPadding> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm DES/CBC/NoPadding> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm AES/CBC/NoPadding> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <SSL Session TTL :90000> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <HostnameVerifier: using default hostnameverifier> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <HostnameVerifier: allowReverseDNS=false> 
<2014-9-26 上午10时46分42秒 CST> <Info> <Security> <BEA-090908> <Using default WebLogic SSL Hostname Verifier implementation.> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Cannot convert identity certificate
java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11
        at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
        at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
        at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
        at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
        at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:147)
        at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:54)
        at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
        at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
        at weblogic.NodeManager.main(NodeManager.java:31)
> 
<2014-9-26 10:46:42> <SEVERE> <Fatal error in node manager server>
java.lang.RuntimeException: Cannot convert identity certificate
        at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
        at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
        at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
        at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)
        at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)
        at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
        at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
        at weblogic.NodeManager.main(NodeManager.java:31)

2014-9-26 10:46:42 weblogic.nodemanager.server.NMServer main
严重: Fatal error in node manager server
java.lang.RuntimeException: Cannot convert identity certificate
        at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
        at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
        at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
        at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)
        at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)
        at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
        at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
        at weblogic.NodeManager.main(NodeManager.java:31)

The CertificateParsingException shows that the Certicom SSL implementation Node Manager is using here (note "Use Certicom SSL with Domestic strength" in the debug output) does not recognise the signature algorithm OID 1.2.840.113549.1.1.11, which is sha256WithRSAEncryption, i.e. SHA256withRSA. Node Manager loads its trusted CA chain from the JRE's standard trust store (cacerts), and that store contains root certificates signed with SHA256withRSA, so parsing the chain fails and the SSL listener aborts before it ever starts.

The workaround used here is to remove every certificate signed with SHA256withRSA from that trust store. Fortunately, keytool from JDK 1.6 or later prints the signature algorithm of each entry (keytool -list -v), so list all certificates, save the output to a text file, search it for "SHA256withRSA", and collect the aliases of the matching entries.
With the aliases in hand, delete them one by one with commands like the ones below. Note that these edit the JRE-wide cacerts: back the file up first, and remember that every Java program using that JRE will stop trusting the removed roots. A less invasive alternative is to make the deletions on a copy of cacerts and point Node Manager at that copy through nodemanager.properties (KeyStores=CustomIdentityAndCustomTrust together with CustomTrustKeyStoreFileName), or, on WebLogic releases that support it, to switch Node Manager from Certicom to JSSE with -Dweblogic.security.SSL.enableJSSE=true so that SHA-256 certificates are accepted without touching the trust store at all.

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias entrustrootcag2 -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias thawteprimaryrootcag3 -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias ttelesecglobalrootclass3ca -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias ttelesecglobalrootclass2ca -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias globalsignr3ca -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias secomscrootca2 -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias verisignuniversalrootca -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias keynectisrootca -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias geotrustprimarycag3 -storepass changeit 
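The list-search-delete procedure above, scripted as an added example (this is not code from the original post): it parses keytool -list -v output for entries whose signature algorithm is SHA256withRSA and deletes them from a copy of the trust store rather than from the JRE-wide cacerts. It assumes keytool from JDK 6 or later is on PATH and that the store password is the default "changeit"; the embedded listing is a constructed sample with hypothetical aliases (entrustrootcag2 is taken from the post, legacyrootca and anothersha256ca are made up).

```shell
#!/bin/sh
# Added example (not from the original post): find the SHA256withRSA-signed
# entries in a trust store and remove them from a COPY, leaving the JRE-wide
# cacerts intact. Assumes keytool (JDK 6+) on PATH and the default cacerts
# password "changeit"; the sample listing below is constructed, not real output.
set -eu

# Print the alias of every entry whose "Signature algorithm name" is
# SHA256withRSA, reading `keytool -list -v` output from the file $1.
# keytool prints "Alias name: <alias>" before the certificate details, so the
# last alias seen is the one the signature line belongs to.
sha256_aliases() {
    awk '
        /^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); alias = $0 }
        /Signature algorithm name:/ && $NF == "SHA256withRSA" { print alias }
    ' "$1"
}

# Copy keystore $1 to $2, then delete every alias listed (one per line) in $3
# from the copy. $4 is the store password (default: changeit). The source
# store is never written to.
prune_aliases() {
    src=$1; dst=$2; list=$3; pass=${4:-changeit}
    cp "$src" "$dst"
    while IFS= read -r alias; do
        [ -n "$alias" ] || continue
        keytool -delete -keystore "$dst" -alias "$alias" -storepass "$pass"
    done < "$list"
}

# Constructed sample of `keytool -list -v` output: two SHA256withRSA roots and
# one SHA1withRSA root. Owner/issuer names and two of the aliases are made up.
sample_listing() {
    cat <<'EOF'
Alias name: entrustrootcag2
Creation date: 2014-9-26
Entry type: trustedCertEntry

Owner: CN=Example Root CA G2, O=Example
Issuer: CN=Example Root CA G2, O=Example
Certificate fingerprints:
     Signature algorithm name: SHA256withRSA
     Version: 3


*******************************************
*******************************************


Alias name: legacyrootca
Creation date: 2014-9-26
Entry type: trustedCertEntry

Owner: CN=Example Legacy Root CA, O=Example
Issuer: CN=Example Legacy Root CA, O=Example
Certificate fingerprints:
     Signature algorithm name: SHA1withRSA
     Version: 1


*******************************************
*******************************************


Alias name: anothersha256ca
Creation date: 2014-9-26
Entry type: trustedCertEntry

Owner: CN=Example Root CA G3, O=Example
Issuer: CN=Example Root CA G3, O=Example
Certificate fingerprints:
     Signature algorithm name: SHA256withRSA
     Version: 3
EOF
}

# Real run, from a shell where JRE_HOME is set:
#   keytool -list -v -keystore "$JRE_HOME/lib/security/cacerts" -storepass changeit > listing.txt
#   sha256_aliases listing.txt > sha256_aliases.txt
#   prune_aliases "$JRE_HOME/lib/security/cacerts" /path/to/nm_trust.jks sha256_aliases.txt
# Then point nodemanager.properties (CustomTrustKeyStoreFileName) at /path/to/nm_trust.jks.
```

Review the alias list before pruning: the script removes exactly what the pattern matches, and if the debug log later reports the neighbouring OIDs 1.2.840.113549.1.1.12 or .13 (sha384/sha512WithRSAEncryption) the awk match can be widened accordingly.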

Reference: http://t8500071.iteye.com/blog/1591659
