November 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
252627282930  

Categories

November 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
252627282930  

Improve SSL Support

introduction

Every WebLogic Server installation comes with SSL support. But for some reason many installations get this interesting error message at startup:

Ignoring the trusted CA certificate “CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.

This looks odd and many people ignore these error messages. However, if your strategy is to show real error messages only, you are quickly looking for a solution. The Internet is full of possible solutions. Some recommend to remove the certificates from the JDK trust store, some recommend to use a different trust store. But is this the best solution and what are the side effects?

Main Article

Our way to the solution starts by understanding the error message. Here it is again.

Ignoring the trusted CA certificate “CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.

The first sentence is the result while the second sentence explains the reason. Looking at the reason, we quickly find the “certificate parsing exception“. But what does “PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11” tell us?

  • PKIX stands for the Public Key Infrastructure (X.509). X.509 is the standard used to export, exchange, and import SSL certificates.
  • OID stands for the Object Identifier. Object Identifiers are globally unique and organized in a hierarchy. This hierarchy is maintained by the standards bodies in every country. Every standards body is responsible for a specific branch and can define and assign entries into the hierarchy.

With this background information we can lookup the number 1.2.840.113549.1.1.11 in the OID Repository (see References for the link) and get this result “iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha256WithRSAEncryption(11)“.

Combining the certificate information in the first sentence and the information from the OID lookup we have the following result:

The certificate from CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust, Inc.,C=US uses SHA256WithRSAEncryption which is not supported by the JDK!

You will probably see more messages for similar or different encryption algorithms used in other certificates.

The Root Cause

These factors cause this (and similar) error messages:

  • By default the Java Cryptography Extension (JCE), that comes with the JDK, implements only limited strength jurisdication policy files.
  • The default trust store of the JDK that holds this and other certificates can be found in JAVA_HOME/jre/lib/security/cacerts.
  • WebLogic Server versions before 12c come with the Certicom SSL implementation. The Certicom implementation will not be updated because the required JDK already comes with the standard SunJSSE implementation.

The Problem

The Certicom implementation works perfectly with many SSL certificates but does not support newer and stronger algorithms. Removing certificates from the default trust store or using a new trust store works only if you do not need to install third party certificates, for example from well known Certificate Authorities.

The Solution

To remove these error messages and support newer SSL certificates we have to do these steps:

  • Upgrade the jurisdication policy files with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files. You can download the Unlimites Strength Jurisdication files that fit for your JDK version from the Oracle Technology Network (see References). Follow the installation instructions that come with the distribution.
  • Enable SunJSSE Support in WebLogic Server
    • Login to Weblogic console
    • Go to [Select your Server] -> SSL -> Advance
    • Set “Enable JSSE” to true.
  • Restart your domain completely (including NodeManager)
    • If you start your domains with a WLST script:

      CONFIG_JVM_ARGS=’-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true’

    • If you start your domains with the scripts startWebLogic.sh, startManagedServer.sh, or startNodeManager.sh:

      JAVA_OPTIONS=’-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true’

Your Java and WebLogic environment is now ready to support newer SSL certificates!

 

PKIX: Unsupported OID in the AlgorithmIdentifier
POSTED ON FRIDAY, OCTOBER 28, 2011 BY BUNTY RAY
Important Notice Regarding Recent JDK Updates and Oracle WebLogic Server SSL
<Oct 27, 2011 12:25:39 AM IST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate “CN=T-TeleSec Globa
lRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE”. The loading of the trusted certifica
te list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1
.1.11.>
Recent updates to the Sun JDK (Java Developer Kit) (versions: 1.6.0_13 and 1.5.0_18) are incompatible with the SSL (Secure Socket Layer) implementation in the following versions of Oracle WebLogic Server:
* 11gR1 (10.3.1)
* 10gR3 (10.3.0)
* 10.0 and all maintenance releases of 10.0
* 9.0, 9.1, 9.2 and all maintenance releases of 9.2 prior to 9.2 MP4
Oracle JRockit versions from R27.6.4 (1.6.0_13 and 1.5.0_18) and higher also exhibit this issue.
Workaround
1) Use an earlier version of JDK – JDK1.6.0_12 and earlier will be ok.
or
2)  Replace the trust store file of \jdk\jre\lib\security\cacerts with one from earlier JDK
Reference: Oracle Doc ID 952078.1
Resolve Oracle Weblogic SSL error: The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11
If you encounter SSL error in Oracle Weblogic similar to the following, see a possible tip below.
May 15, 2013 12:11:07 PM PDT Notice Security BEA-090898 Ignoring the trusted CA certificate “CN=Go Daddy Root Certificate Authority – G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.
May 15, 2013 12:11:10 PM PDT Error oracle.soa.bpel.engine BEA-000000 Unhandled exception for ComponentDN=default/bpel-110-REST!1.0*soa_d1825dc6-95b8-4efc-9028-cbf58b7efcd4/RestProcess CompositeInstanceId=6860398 ComponentInstanceId=6820014
May 15, 2013 12:11:10 PM PDT Error oracle.soa.bpel.engine BEA-000000 This exception occurred because the fault thrown in the BPEL flow was not handled by any fault handlers and reached the top-level scope. Root cause :
javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE – A corrupt or unuseable certificate was received.
1. Login to Weblogic console
2. Go to [Select your Server] -> SSL -> Advance
3. Set “Enable JSSE” to true.
4. Restart your weblogic.

Symptoms


When using Weblogic Scripting Tool (WLST) nmConnect() to connect to the node manager, notice warnings are seen for unsupported certificates (after running setWLSEnv.cmd or .sh)

 

Connecting to Node Manager …
CA certificate “CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE”. The loading of the trusted certificate list raised a certificate parsing exceptionPKIX: Unsupported OID in the AlgorithmIdentifier object: 
1.2.840.113549.1.1.11.>
<Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate “CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Security> <BEA-090898> <Ignoring the trusted CA certificate “CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA – R3”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate “OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate “CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
Successfully Connected to Node Manager.

 

Steps

The issue can be reproduced at will with the following steps:

1. Start node manager
2. Open a command line window (or terminal window) and run setDomainEnv.cmd (or .sh)
3. Run java weblogic.WLST
4.nmConnect(‘weblogic’,’weblogic1′,’test.comain.com’,’5556′,’testDomain’,’D:\Oracle\Middleware\user_projects\domains\testDomain’,’plain’)


Cause

This is caused because of Certicom which is WLS default SSL implementation until Oracle Weblogic Server 10.3.5, does not support sha256WithRSAEncryption based certificates. Due to this reason, some certificates with that algorithm as signature are ignored and thus, the reason why those warnings are seen.

Solution

Solution 1

You can make a copy of cacerts file before removing these trusted certificates. First you need to find out alias for each of these certificates it is complaining.

keytool -list -keystore cacerts -v


(If it prompts for password, the default password is changeit most of the times).


For each of the certificate it is complaining, find the alias name from output of above command and execute following command

keytool -delete -keystore cacerts -alias keynectisrootca


(When it prompt for the password, the default password is changeit)”

This took care of the notice warnings on invalid certs. For example.

After running the setWLSEnv.cmd (or .sh, changed the directory to %JAVA_HOME%\jre\lib\security, made a backup copy of cacerts and ran the scripts: 

1. List out certificates to match them with unsupported ones (default password is changeit):

keytool -list -keystore cacerts -v > certlist.txt

This must be done in a command window that is started with “Run as Administrator” or the file cannot be read/updated. 

Redirect this to a file, as the output is large and can overflow cmd window buffer. You can search the certlist file for the owner CN or OU and get the alias name for the cert that precedes it. For example:

Alias name: ttelesecglobalrootclass3ca
Creation date: Feb 10, 2009
Entry type: trustedCertEntry

Owner: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
Issuer: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE

These five notice warnings correspond to these aliases:

ttelesecglobalrootclass3ca
ttelesecglobalrootclass2ca
globalsignr3ca
secomscrootca2
keynectisrootca

2. Then, use these commands to remove the unsupported certificates from the keystore (default password is changeit):

keytool -delete -keystore cacerts -alias ttelesecglobalrootclass3ca
keytool -delete -keystore cacerts -alias ttelesecglobalrootclass2ca
keytool -delete -keystore cacerts -alias globalsignr3ca
keytool -delete -keystore cacerts -alias secomscrootca2
keytool -delete -keystore cacerts -alias keynectisrootca

If you then connect to the node manager with nmConnect, no warnings occur.

Solution 2

You can enable the JSSE SSL provider instead of Certicom to support the SHA256 algorithm. To enable JSSE, modify the startNodeManager script and add this java option to the JAVA_OPTIONS variable:

-Dweblogic.security.SSL.enableJSSE=true

This correction would also reduce log file occurrences of the same notice warning messages. Most likely within the node manager log file. There is potential that other processes that communicate with the node manager or when more parts of the WLS/FMW environment are configured to run on SSL ports that similar reduction in certificate warning messages would be reduced by this procedure.
Additionally, add the following line to the nodemanager.properties file:

CipherSuite=SSL_RSA_EXPORT_WITH_RC4_40_MD5

 

 

vironmental Information: JDK6_24, weblogic10.3 

On weblogic10.3 applications, and integrated cas single sign-on login problems, 
Specific performance: 

1 access to the new application 
Jump to a unified login page 
Log can not jump to the new application page 
4 new application logs in the background continuously output 

  1. <Security> <BEA-090477> <Certificate chain received from testserver1.gmcc.net – 10.201.37.41 was not trusted causing SSL handshake failure.>  

Process (the process can be applied to check with the initial installation of the new access SSO): 

Check for new applications CAS configuration 
Check web.xml whether to join the CAS filter 
(2) Check whether the certificate is successfully imported JRE 

  1. ?   
  2. keytool -list -v ?alias testserver1 -storepass changeit -keystore ${JRE_HOME}/lib/security/cacerts  

Check the WebLogic SSL configuration 

Enter Home> Summary of the AdminServer the Servers> General Tab, ensure that the SSL Listen Port Enabled “check status; 

Into the the Keystores Tab, ensure that the Java Standard Trust keystore “for $ {the JRE_HOME} / lib / security / cacerts (should be the same with to add jvm parameters the-Dweblogic.security.TrustKeyStore the effect) 

In addition to the problem in Step 3, the other had no problems, after performing step 3 still. 

So open the SSL debugging information (startup script add jvm parameter-Dssl.debug = the true-Dweblogic.StdoutDebugEnabled = true “) 

Start and can see the following log: 

  1. <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11>   
  2. <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>   

Jump after logging exception log as follows: 

  1. <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>   
  2. <Debug> <SecuritySSL> <BEA-000000> <Failure loading trusted CA list   
  3. java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11   
  4. at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)   
  5. ??????   
  6. <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>   
  7. <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>   
  8. <Debug> <SecuritySSL> <BEA-000000> <Trust status (16):  CERT_CHAIN_UNTRUSTED>   
  9. <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42   
  10. java.lang.Exception: New alert stack   
  11. ??????   

This shows that WebLogic does not support OID 1.2.840.113549.1.1.11 algorithm, namely SHA256withRSA, algorithm; 
Is because the the CA chain certificate of SHA256withRSA algorithm, authentication fails. 

This is a bug in JDK1.6.0_13 appear in the official bug database on the 

When they JDK1.6.0_13 several certificate 

Therefore, we need to delete all the certificates use SHA256withRSA algorithm Fortunately the JDK1.6 version keytools command to list the certificate algorithm. 

We list all certificates, save the results to a text file, and then search tool to find the certificate alias contains SHA256withRSA algorithm. 

With an alias, we can use the following command to delete one by one: 

  1. keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias entrustrootcag2 -storepass changeit   
  2. keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias thawteprimaryrootcag3 -storepass changeit   
  3. keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias ttelesecglobalrootclass3ca -storepass changeit   
  4. keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias ttelesecglobalrootclass2ca -storepass changeit   
  5. keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias globalsignr3ca -storepass changeit   
  6. keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias secomscrootca2 -storepass changeit   
  7. keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias verisignuniversalrootca -storepass changeit   
  8. keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias keynectisrootca -storepass changeit   
  9. keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias geotrustprimarycag3 -storepass changeit   

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>