Using the SAS® SDW fails with a Secure Socket Layer (SSL) in Weblogic10.3
2012-11-21 09:53
597 查看
If you use the SAS Deployment Wizard on a federated multi-tier WebLogic configuration, the WebLogic Managed Servers cannot be started because of a Secure Socket Layer exception error (SSLKeyException).
This problem does not affect single-tier configurations.
You can identify this issue in the WebLobic Administration Server log and the Node Manager log, based upon the following error and warning messages.
In the AdminServer.log file:
In the nodemanager.log file:
In addition, if you attempt to stop and the restart the managed servers, the following error appears in the AdminServer.log file:
This problem occurs because Weblogic 10.3 does not support the
1.2.840.113549.1.1.11. - SHA1 with RSA signature encryption. This encryption is part of defined algorithms of the Open Systems Environment Implementers' Workshop (OIW) Security Special Interest Group. (See
1.2.840.113549.1.1.11 - sha256WithRSAEncryption).
To resolve this issue, remove the certificates ttelesecglobalrootclass2ca and
ttelesecglobalrootclass3ca, which use the unsupported algorithm
sha256RSA from JDK-home-directory/jre/lib/cacerts. Follow these steps to remove the certficates.
Back up the original cacerts file with the following command:
copy JDK–home–directory\jre\lib\security\cacerts
JDK–home–directory\jre\lib\security\cacerts.original
Delete ttelesecglobalrootclass2ca by submitting this command:
JDK–home–directory\bin\keytool –delete –alias ttelesecglobalrootclass2ca –keystore
JDK–home–directory\jre\lib\security\cacerts
Delete ttelesecglobalrootclass3ca by submitting this command:
JDK–home–directory\bin\keytool –delete –alias ttelesecglobalrootclass3ca –keystore
JDK–home–directory\jre\lib\security\cacerts
Detail info, please check the following URL:
http://support.sas.com/kb/36/497.html
This problem does not affect single-tier configurations.
You can identify this issue in the WebLobic Administration Server log and the Node Manager log, based upon the following error and warning messages.
In the AdminServer.log file:
####<May 19, 2009 10:27:49 AM EDT> <Error> <Management> <jdtsrv02> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <> <1242743269192> <BEA–141145> <An attempt was made to connect to the administration server without credentials.> ####<May 19, 2009 11:30:34 AM EDT> <Warning> <Security> <jdtsrv02> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self–tuning)'> <weblogic> <> <> <1242747034757> <BEA–090477> <Certificate chain received from jdtsrv02 – 10.12.16.214 was not trusted causing SSL handshake failure.>
In the nodemanager.log file:
<May 19, 2009 11:30:34 AM> <Warning> <Uncaught exception in server handler: javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from jdtsrv02.na.sas.com – 10.12.16.214. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
In addition, if you attempt to stop and the restart the managed servers, the following error appears in the AdminServer.log file:
<> <1242840639286> <BEA–000297> <Inconsistent security configuration, java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11> ####<May 20, 2009 1:30:39 PM EDT> <Emergency> <Security> <jdtsrv02> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self–tuning)'> <<WLS Kernel>> <> <> <1242840639302> <BEA–090034> <Not listening for SSL, java.io.IOException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
This problem occurs because Weblogic 10.3 does not support the
1.2.840.113549.1.1.11. - SHA1 with RSA signature encryption. This encryption is part of defined algorithms of the Open Systems Environment Implementers' Workshop (OIW) Security Special Interest Group. (See
1.2.840.113549.1.1.11 - sha256WithRSAEncryption).
To resolve this issue, remove the certificates ttelesecglobalrootclass2ca and
ttelesecglobalrootclass3ca, which use the unsupported algorithm
sha256RSA from JDK-home-directory/jre/lib/cacerts. Follow these steps to remove the certficates.
Back up the original cacerts file with the following command:
copy JDK–home–directory\jre\lib\security\cacerts
JDK–home–directory\jre\lib\security\cacerts.original
Delete ttelesecglobalrootclass2ca by submitting this command:
JDK–home–directory\bin\keytool –delete –alias ttelesecglobalrootclass2ca –keystore
JDK–home–directory\jre\lib\security\cacerts
Delete ttelesecglobalrootclass3ca by submitting this command:
JDK–home–directory\bin\keytool –delete –alias ttelesecglobalrootclass3ca –keystore
JDK–home–directory\jre\lib\security\cacerts
Detail info, please check the following URL:
http://support.sas.com/kb/36/497.html
相关文章推荐
- mysql5.0 Using a password on the command line interface can be insecure.最简单的解决办法
- SSL(Secure Socket Layer) 介绍
- The new SFCB broker fails to start with a SSL-related error: Failure setting ECDH curve name (secp22
- mysqlnd cannot connect to MySQL 4.1+ using the old insecure authentication
- How to access the features in an in-memory output layer using an IFeatureCursor
- mysql-mysqlnd cannot connect to MySQL 4.1+ using the old insecure authentication
- cmd命令行下 Warning: Using a password on the command line interface can be insecure.
- MySQL Warning: Using a password on the command line interface can be insecure.解决办法
- BI Java 补丁错误处理 :Cannot login to the SAP J2EE Engine using user and password as provided in the Filesystem Secure Store. Enter va
- eclipse cvs 错误:the specfied Secure is layer(SSl) port is not allowde.isa server is not configured to ....
- How to access the features in an in-memory output layer using an IFeatureCursor
- trouble shoot about using BindLayer in MapX with C# [原创]
- Along with all the above benefits, you cannot overlook the space efficiency and performance gains in using DataFrames and Dataset APIs for two reasons.
- 在万网虚拟主机上连接数据库出错mysqlnd cannot connect to MySQL 4.1+ using the old insecure authentication
- WCF Could not establish trust relationship for the SSL/TLS secure channel with authority
- DataStage job monitor fails with out of memory error in the javacore file
- mysqlnd cannot connect to MySQL 4.1+ using the old insecure authentication解决办法
- mysqlnd cannot connect to MySQL 4.1+ using the old insecure authentication解决办法
- zabbix监控mysql之Warning: Using a password on the command line interface can be insecure.
- SSL (Secure Socket Layer)