Thursday, May 5, 2011

SSL Exceptions in Admin Server and Node Manager

[Security:090482]BAD_CERTIFICATE alert was received from – Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
The above exception is one of the most common exceptions encountered while setting up WebLogic Server in an environment. The message suggests what the reasons could be, but it does not say how to diagnose them.
To debug this issue:

First, we need to check the certificates used by the Admin Server and the Node Manager.

If the Admin Server and the Node Manager are using demo certificates:

1-> The issue can be due to improper DNS mapping. We can use nslookup to check the DNS entry.
2-> For testing purposes, we can provide the IP address as the listen address for the Admin Server and the Node Manager and see if the issue still occurs.
3-> We will also have to turn off host name verification and the basic validation check of the certificates. We can do it by specifying the following flag in
      -Dssl.debug=true  \
    and the following flags in
      -Dssl.debug=true -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false \
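
The name checks behind steps 1 to 3, as an added example that is not part of the original post and not WebLogic's own verifier: it takes a certificate already decoded into the dict shape of Python's ssl.SSLSocket.getpeercert() and reports whether a given listen address would pass a generic hostname check. The host names, the IP address and the CN fallback rule are assumptions made for illustration.

```python
import ipaddress

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
DEMO_STYLE_CERT = {"subject": ((("commonName", "wlshost01"),),)}
CUSTOM_CERT = {
    "subject": ((("commonName", "admin.example.internal"),),),
    "subjectAltName": (("DNS", "admin.example.internal"),
                       ("DNS", "*.nm.example.internal"),
                       ("IP Address", "10.0.0.15")),
}

def cert_names(cert):
    """Return (dns_names, ip_names, common_name) from a decoded certificate."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value.lower()
    return dns, ips, cn

def dns_match(pattern, host):
    """Exact match, or a leftmost '*' label standing for exactly one label."""
    p, h = pattern.split("."), host.split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def diagnose(listen_address, cert):
    """Return (ok, reason): would a name check accept cert for this address?"""
    dns, ips, cn = cert_names(cert)
    try:
        ip = ipaddress.ip_address(listen_address)
    except ValueError:
        ip = None
    if ip is not None:  # an IP listen address needs a matching IP SAN
        if any(ipaddress.ip_address(i) == ip for i in ips):
            return True, "IP address listed in subjectAltName"
        return False, "listen address is an IP with no matching IP SAN"
    host = listen_address.lower().rstrip(".")
    # Assumption: fall back to the CN only when the cert carries no DNS SAN.
    candidates = dns or ([cn] if cn else [])
    if any(dns_match(c, host) for c in candidates):
        return True, "hostname matches a certificate name"
    return False, f"{host!r} is not among certificate names {candidates}"

if __name__ == "__main__":
    for addr in ("wlshost01", "wlshost01.example.internal", "10.0.0.15"):
        print(addr, diagnose(addr, DEMO_STYLE_CERT))
```

Running the same address through both sample certificates shows which mismatch (short name versus FQDN, or an IP address with no IP SAN) would cause the peer to reject the certificate while hostname verification is enabled.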

If the Admin Server is using Custom Identity and Custom Trust, then it is better to configure the Node Manager with Custom Identity and Custom Trust as well.
By default, the Node Manager is configured with Demo Identity and Demo Trust. To change it to Custom Identity and Custom Trust, we need to specify the following values in the file present in nodemanager home:
CustomIdentityKeyStorePassPhrase = xxxxxx
CustomIdentityKeyStoreType = JKS
CustomIdentityPrivateKeyPassPhrase = xxxxxxx
Apply the same flags as above in the startup scripts of the Admin Server and the Node Manager.
Check from the console whether Node Manager is reachable or not.

Another option can be to use PLAIN communication between Admin Server and Node Manager.
We can change the Listen Type to PLAIN for the Node Manager from the console and set secureListener=false in the file present in nodemanager home.
