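nodemanager fails to start with "Cannot convert identity certificate"

While configuring a WebLogic cluster, nodemanager failed to start with the error Cannot convert identity certificate. Adding debug options to JAVA_OPTIONS and listing the certificate algorithms with keytool from JDK 1.6 or later showed that the certificates using the SHA256withRSA algorithm had to be deleted, which is done by looking up their aliases and removing them one by one with keytool.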


I was recently configuring a WebLogic cluster. Starting nodemanager failed with the following error:

<2014-9-26 10:46:42> <SEVERE> <Fatal error in node manager server>
java.lang.RuntimeException: Cannot convert identity certificate
        at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
        at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
        at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
        at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)
        at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)
        at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
        at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
        at weblogic.NodeManager.main(NodeManager.java:31)

Turn on SSL debugging:

On Windows: set JAVA_OPTIONS=-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true  %JAVA_OPTIONS%

On Linux: JAVA_OPTIONS="-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true  ${JAVA_OPTIONS}"

After restarting the service, the following errors appear:

<2014-9-26 上午10时46分41秒 CST> <Info> <Security> <BEA-090905> <Disabling CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true> 
<2014-9-26 上午10时46分42秒 CST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Use Certicom SSL with Domestic strength> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Empty CA List is enabled :false> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE KeyAgreement: SunJCE version 1.6 for algorithm DiffieHellman> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default KeyAgreement for algorithm DiffieHellman> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default KeyAgreement for algorithm ECDH> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm DESede/CBC/NoPadding> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm DES/CBC/NoPadding> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm AES/CBC/NoPadding> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <SSL Session TTL :90000> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <HostnameVerifier: using default hostnameverifier> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <HostnameVerifier: allowReverseDNS=false> 
<2014-9-26 上午10时46分42秒 CST> <Info> <Security> <BEA-090908> <Using default WebLogic SSL Hostname Verifier implementation.> 
<2014-9-26 上午10时46分42秒 CST> <Debug> <SecuritySSL> <BEA-000000> <Cannot convert identity certificate
java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11
        at com.certicom.security.cert.internal.x509.X509V3CertImpl.<init>(Unknown Source)
        at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
        at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
        at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
        at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:147)
        at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:54)
        at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
        at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
        at weblogic.NodeManager.main(NodeManager.java:31)
> 
<2014-9-26 10:46:42> <SEVERE> <Fatal error in node manager server>
java.lang.RuntimeException: Cannot convert identity certificate
        at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
        at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
        at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
        at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)
        at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)
        at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
        at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
        at weblogic.NodeManager.main(NodeManager.java:31)

2014-9-26 10:46:42 weblogic.nodemanager.server.NMServer main
严重: Fatal error in node manager server
java.lang.RuntimeException: Cannot convert identity certificate
        at com.certicom.tls.interfaceimpl.CertificateSupport.addAuthChain(Unknown Source)
        at com.certicom.net.ssl.SSLContext.addAuthChain(Unknown Source)
        at com.bea.sslplus.CerticomSSLContext.addIdentity(Unknown Source)
        at weblogic.security.utils.SSLContextWrapper.addIdentity(SSLContextWrapper.java:146)
        at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:53)
        at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
        at weblogic.nodemanager.server.NMServer.main(NMServer.java:382)
        at weblogic.NodeManager.main(NodeManager.java:31)

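This shows that WebLogic does not support the algorithm with OID 1.2.840.113549.1.1.11, that is, SHA256withRSA. The failure occurs because the CA chain contains certificates that use SHA256withRSA.

So we need to delete every certificate that uses the SHA256withRSA algorithm. Fortunately, the keytool command from JDK 1.6 or later can list the algorithm of each certificate.
List all the certificates, save the output to a text file, then use a search tool to find the aliases of all certificates that use SHA256withRSA.
With the aliases in hand, delete them one by one with commands like these: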

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias entrustrootcag2 -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias thawteprimaryrootcag3 -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias ttelesecglobalrootclass3ca -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias ttelesecglobalrootclass2ca -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias globalsignr3ca -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias secomscrootca2 -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias verisignuniversalrootca -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias keynectisrootca -storepass changeit 

keytool -delete -keystore ${JRE_HOME}/lib/security/cacerts -alias geotrustprimarycag3 -storepass changeit 
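
The list-and-search step described above, as an added shell example that is not part of the original post: it pulls the aliases whose certificates are signed with SHA256withRSA out of keytool -list -v output and prints a backup command plus the matching delete commands for review, without touching the keystore. The sample listing, the alias legacyroot and the CACERTS environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): prints a delete plan, changes nothing.

# Constructed sample of English-locale `keytool -list -v` output; "legacyroot" is made up.
sample_listing() {
cat <<'EOF'
Alias name: entrustrootcag2
Entry type: trustedCertEntry
Owner: CN=Constructed Root A
     Signature algorithm name: SHA256withRSA

Alias name: legacyroot
Entry type: trustedCertEntry
Owner: CN=Constructed Root B
     Signature algorithm name: SHA1withRSA

Alias name: globalsignr3ca
Entry type: trustedCertEntry
Owner: CN=Constructed Root C
     Signature algorithm name: SHA256withRSA
EOF
}

# stdin: keytool listing; $1: algorithm (default SHA256withRSA).
# Prints each matching alias once, even when an entry holds several certificates.
sha256_aliases() {
    awk -v alg="${1:-SHA256withRSA}" '
        /^Alias name: / { alias = substr($0, 13); sub(/[ \t\r]+$/, "", alias); seen = 0; next }
        /Signature algorithm name: / {
            sub(/.*Signature algorithm name: */, "")
            sub(/[ \t\r].*$/, "")          # drop a trailing CR or annotation
            if ($0 == alg && !seen) { print alias; seen = 1 }
        }'
}

# stdin: aliases; $1: keystore path. Emits a backup step, then one delete per alias.
print_delete_plan() {
    printf 'cp -p "%s" "%s.bak"\n' "$1" "$1"
    while IFS= read -r a; do
        printf 'keytool -delete -keystore "%s" -alias "%s" -storepass changeit\n' "$1" "$a"
    done
}

if [ -n "${CACERTS:-}" ]; then   # real keystore: force English labels so the patterns match
    keytool -J-Duser.language=en -list -v -keystore "$CACERTS" -storepass changeit |
        sha256_aliases | print_delete_plan "$CACERTS"
else                             # no keystore given: show the plan for the sample
    sample_listing | sha256_aliases | print_delete_plan '${JRE_HOME}/lib/security/cacerts'
fi
```

Every root removed from cacerts this way is also no longer trusted for outbound TLS connections made by that JRE, so keep the backup copy the plan creates.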

Reference: http://t8500071.iteye.com/blog/1591659
