Every WebLogic Server installation comes with SSL support. But for some reason many installations get this interesting error message at startup:<\/p>\n
Ignoring the trusted CA certificate \u201cCN=Entrust Root Certification Authority \u2013 G2,OU=(c) 2009 Entrust, Inc. \u2013 for authorized use only,OU=See www.entrust.net\/legal-terms,O=Entrust, Inc.,C=US\u201d. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.<\/p>\n
This looks odd and many people ignore these error messages. However, if your strategy is to show real error messages only, you are quickly looking for a solution. The Internet is full of possible solutions. Some recommend to remove the certificates from the JDK trust store, some recommend to use a different trust store. But is this the best solution and what are the side effects?<\/p>\n
Our way to the solution starts by understanding the error message. Here it is again.<\/p>\n
Ignoring the trusted CA certificate \u201cCN=Entrust Root Certification Authority \u2013 G2,OU=(c) 2009 Entrust, Inc. \u2013 for authorized use only,OU=See www.entrust.net\/legal-terms,O=Entrust, Inc.,C=US\u201d. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.<\/p>\n
The first sentence is the result while the second sentence explains the reason. Looking at the reason, we quickly find the \u201ccertificate parsing exception<\/em>\u201c. But what does \u201cPKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11<\/em>\u201d tell us?<\/p>\n With this background information we can lookup the number\u00a01.2.840.113549.1.1.11<\/em>\u00a0<\/span>in the OID Repository (see References for the link) and get this result \u201ciso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) sha256WithRSAEncryption(11)<\/em>\u201c.<\/p>\n Combining the certificate information in the first sentence and the information from the OID lookup we have the following result:<\/p>\n The certificate from\u00a0<\/span>CN=Entrust Root Certification Authority \u2013 G2,OU=(c) 2009 Entrust, Inc. \u2013 for authorized use only,OU=See www.entrust.net\/legal-terms,O=Entrust, Inc.,C=US<\/em>\u00a0<\/span>uses\u00a0SHA256WithRSAEncryption<\/em>\u00a0<\/span>which is not supported by the JDK!<\/p>\n You will probably see more messages for similar or different encryption algorithms used in other certificates.<\/p>\n These factors cause this (and similar) error messages:<\/p>\n The Certicom implementation works perfectly with many SSL certificates but does not support newer and stronger algorithms. Removing certificates from the default trust store or using a new trust store works only if you do not need to install third party certificates, for example from well known Certificate Authorities.<\/p>\n To remove these error messages and support newer SSL certificates we have to do these steps:<\/p>\n CONFIG_JVM_ARGS=\u2019-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true\u2019<\/p>\n<\/li>\n JAVA_OPTIONS=\u2019-Dweblogic.ssl.JSSEEnabled=true -Dweblogic.security.SSL.enableJSSE=true\u2019<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n Your Java and WebLogic environment is now ready to support newer SSL certificates!<\/p>\n <\/p>\n <\/p>\n <\/p>\n Steps<\/p>\n The issue can be reproduced at will with the following steps:<\/p>\n This is caused because of\u00a0<\/span>Certicom<\/a>\u00a0<\/span>which is WLS default SSL implementation\u00a0until\u00a0Oracle Weblogic Server\u00a010.3.5, does not support sha256WithRSAEncryption based certificates. Due to this reason, some certificates with that algorithm as signature are ignored and thus, the reason why those warnings are seen. <\/a><\/span><\/p>\n You can make a copy of cacerts file before removing these trusted certificates. First you need to find out alias for each of these certificates it is complaining. This took care of the notice warnings on invalid certs. For example.<\/p>\n After running the setWLSEnv.cmd (or .sh, changed the directory to %JAVA_HOME%\\jre\\lib\\security, made a backup copy of cacerts and ran the scripts:\u00a0<\/span><\/p>\n 1. List out certificates to match them with unsupported ones (default password is changeit):<\/p>\n This must be done in a\u00a0<\/span>command window<\/a>\u00a0<\/span>that is started with “Run as Administrator<\/a>” or the file cannot be read\/updated.\u00a0<\/span><\/p>\n Redirect this to a file, as the output is large and can overflow cmd window buffer. You can search the certlist file for the owner CN or OU and get the alias name for the cert that precedes it. For example:<\/p>\n Alias name: ttelesecglobalrootclass3ca Owner: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE These five notice warnings correspond to these aliases:<\/p>\n ttelesecglobalrootclass3ca 2. Then, use these commands to remove the unsupported certificates from the keystore (default password is changeit):<\/p>\n\n
The Root Cause<\/h2>\n
\n
The Problem<\/h2>\n
The Solution<\/h2>\n
\n
\n
\n
\nPOSTED ON FRIDAY, OCTOBER 28, 2011 BY BUNTY RAY<\/div>\n
\n<Oct 27, 2011 12:25:39 AM IST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate “CN=T-TeleSec Globa
\nlRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE”. The loading of the trusted certifica
\nte list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1
\n.1.11.>
\nRecent updates to the Sun JDK (Java Developer Kit) (versions: 1.6.0_13 and 1.5.0_18) are incompatible with the SSL (Secure Socket Layer) implementation in the following versions of Oracle WebLogic Server:<\/div>\n
\n* 10gR3 (10.3.0)
\n* 10.0 and all maintenance releases of 10.0
\n* 9.0, 9.1, 9.2 and all maintenance releases of 9.2 prior to 9.2 MP4
\nOracle JRockit versions from R27.6.4 (1.6.0_13 and 1.5.0_18) and higher also exhibit this issue.
\nWorkaround
\n1) Use an earlier version of JDK – JDK1.6.0_12 and earlier will be ok.
\nor
\n2)\u00a0 Replace the trust store file of \\jdk\\jre\\lib\\security\\cacerts with one from earlier JDK
\nReference: Oracle Doc ID 952078.1<\/div>\n
\nMay 15, 2013 12:11:07 PM PDT Notice Security BEA-090898 Ignoring the trusted CA certificate “CN=Go Daddy Root Certificate Authority – G2,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.
\nMay 15, 2013 12:11:10 PM PDT Error oracle.soa.bpel.engine BEA-000000 Unhandled exception for ComponentDN=default\/bpel-110-REST!1.0*soa_d1825dc6-95b8-4efc-9028-cbf58b7efcd4\/RestProcess CompositeInstanceId=6860398 ComponentInstanceId=6820014
\nMay 15, 2013 12:11:10 PM PDT Error oracle.soa.bpel.engine BEA-000000 This exception occurred because the fault thrown in the BPEL flow was not handled by any fault handlers and reached the top-level scope. Root cause :<\/div>\n
\n2. Go to [Select your Server] -> SSL -> Advance
\n3. Set \u201cEnable JSSE\u201d to true.
\n4. Restart your weblogic.<\/div>\nSymptoms<\/span><\/h2>\n
\nWhen using Weblogic Scripting Tool (WLST<\/a>) nmConnect() to connect to the node manager, notice warnings are seen for unsupported certificates (after running setWLSEnv.cmd or .sh)<\/span><\/p>\n
\nCA certificate “CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services\u00a0<\/span>GmbH<\/a>,C=DE”. The loading of the trusted certificate list raised a certificate parsing exceptionPKIX<\/a>: Unsupported OID in the AlgorithmIdentifier object:\u00a0<\/span><\/span>
\n<\/a>1.2.840.113549.1.1.11.><\/span>
\n<Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate “CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.><\/span>
\n<Security> <BEA-090898> <Ignoring the trusted CA certificate “CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA – R3”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.><\/span>
\n<Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate “OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\\,LTD.,C=JP”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.><\/span>
\n<Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate “CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.><\/span>
\nSuccessfully Connected to Node Manager.<\/span><\/div>\n
\n2. Open a command line window (or terminal window) and run setDomainEnv.cmd (or .sh)<\/span>
\n3. Run java weblogic.WLST<\/span>
\n4.nmConnect(‘weblogic’,’weblogic1′,’test.comain.com’,’5556′,’testDomain’,’D:\\Oracle\\Middleware\\user_projects\\domains\\testDomain’,’plain’)<\/span><\/div>\n
\n<\/span><\/p>\n<\/a>Cause<\/span><\/h2>\n
\n<\/span><\/p>\n<\/a>Solution<\/span><\/h2>\n
Solution 1<\/span><\/h4>\n
\n<\/span><\/p>\n
\n<\/span><\/p>\n
\nFor each of the certificate it is complaining, find the alias name from output of above command and execute following command
\n<\/span><\/p>\n
\n<\/span><\/p>\n
\nCreation date: Feb 10, 2009
\nEntry type: trustedCertEntry<\/p>\n
\nIssuer: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE<\/p>\n
\nttelesecglobalrootclass2ca
\nglobalsignr3ca
\nsecomscrootca2
\nkeynectisrootca<\/p>\n
\nkeytool -delete -keystore cacerts -alias ttelesecglobalrootclass2ca
\nkeytool -delete -keystore cacerts -alias globalsignr3ca
\nkeytool -delete -keystore cacerts -alias secomscrootca2
\nkeytool -delete -keystore cacerts -alias keynectisrootca<\/div>\n