Thursday, May 5, 2011

SSL Exceptions in Admin Server and Node Manager


SSL EXCEPTIONS IN ADMIN SERVER AND NODE MANAGER.

javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from oracle.test.com – xx.xxx.xx.xx. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
The above exception is one of the most common exception encountered during the setup of Weblogic Server in an environment. The stack does suggest what could be the reasons but the diagnostics are not mentioned.
To debug this issue -

 First we need to check the certificates used by Admin Server and the Node Manager.

(1) 

 If we have Admin and the Node Manager using demo certificates -

1->Then the issue can be due to improper DNS mapping. We can use the nslookup to check the DNS entry.
2-> For testing purpose we can provide the ip address as the listen address for the admin server and the node
       manager and see if the issue is still occurring.
3-> Also we will have to turn of host name verification and the basic validation check of the certificates. We
      can do it by specifying the following flag in startWeblogic.sh
     -Dssl.debug=true -Dweblogic.security.SSL.ignoreHostnameVerification=true  \
     -Dweblogic.security.SSL.enforceConstraints=off
       And the following flag in startNodeManager.sh
      -Dssl.debug=true -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false \
      -Dweblogic.security.SSL.enforceConstraints=off

(2)
If the Admin Server is using Custom Identity and Custom trust, then its better to configure the node manger with custom identity and custom trust as well.
By default the Node Manager is configured with Demo Identity and Demo Trust. To change it to custom identity and custom trust, we need to specify the following values in the nodemanager.properties file present in nodemanager home
Keystores=CustomIdentityandCustomTrust
CustomIdentityAlias=
CustomIdentityKeyStoreFileName=
CustomIdentityKeyStorePassPhrase = xxxxxx
CustomIdentityKeyStoreType = JKS
CustomIdentityPrivateKeyPassPhrase = xxxxxxx
Apply the same flags as above in the startup script of Admin Server and Node Manger.
Check from the console whether Node Manager is reachable or not.
(3)

Another option can be to use PLAIN communication between Admin Server and Node Manager.
We can change the Listen Type to PLAIN for the Node Manager from the console and set the secureListener=false in the nodemanager.properties file present in nodemanager home.

No comments:

Post a Comment