WebLogic Fails to Listen on SSL Port after Installing a Wildcard Certificate or a SHA2 Certificate. Logs Message: "Cannot convert identity certificate"

This error can occur for two reasons:
Reason#1: Using a non-compliant certificate such as wildcard
------------------------------------------------------------------------
Older WebLogic versions, such as WebLogic 8.1 and 9.2, do not support wildcard certificates as per the RFC 3280 specification. Even though wildcard certificates are not supported on older WebLogic versions, they often function without issues. However, there are known issues with wildcards on WebLogic 8.1 SP6, and issues are occasionally seen on other WebLogic versions as well. In addition, there can be problems with using wildcard certificates on a PeopleSoft Gateway server, as noted in bug 11607478.
Reason#2: Using a SHA2 certificate
------------------------------------------------
SHA2 is a newer hash algorithm family and is supported by WebLogic starting with version 10.3.3. However, if you use a SHA2 certificate, you must enable JSSE SSL (details in the 'Solution' section) or you will get the error above.



************************************************************************************

If you are using a Wildcard Certificate:
-----------------------------------------------
Install a certificate with no wildcard characters in the common name (CN).

If you are using a SHA2 Certificate (i.e. the Signature Algorithm starts with 'SHA2')
------------------------------------------------------------------------------------------
1. If you are using WebLogic 10.3.2 or lower, you must first upgrade to WebLogic 10.3.3 or higher (ideally WebLogic 10.3.6, which includes several SHA2 bug fixes). Refer to document 1389918.1 for instructions on upgrading WebLogic. If you are unable to upgrade, you will need to switch to a SHA1 certificate.

2. If you are using WebLogic 10.3.3 or higher, then use the following steps to enable JSSE SSL which trusts stronger certificates such as SHA2.
    a. Log in to your WebLogic admin console
    b. From left menu, choose Environment -> Servers -> PIA
    c. Click the 'Configuration' tab and 'SSL' subtab
    d. Go to bottom of page and click the 'Advanced' hyperlink
    e. Click the 'Lock & Edit' button on top left menu
    f. Go to bottom of page and check "Use JSSE SSL"
    g. Click "Save"
    h. Click 'Activate Changes'
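The two conditions described above (a wildcard in the subject CN, and a SHA2 signature algorithm that needs JSSE SSL on WebLogic 10.3.3 or higher) can be checked before the certificate is loaded into the identity keystore. The script below is an added example, not part of the original article or of any Oracle tooling: it parses the human-readable output of `openssl x509 -noout -text`, reports both conditions, and maps the SHA2 case onto the article's version rule. The certificate texts embedded in it are constructed samples, not real certificates, and the function names `classify_cert_text` and `weblogic_sha2_action` are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check of a server
# certificate before it is installed as the WebLogic identity certificate.

# classify_cert_text: reads `openssl x509 -noout -text` output on stdin and
# prints a space-separated list of findings:
#   WILDCARD_CN      subject CN contains '*' (not supported on older WebLogic)
#   SHA2_SIGNATURE   signed with a SHA-2 family algorithm (needs JSSE SSL)
#   SHA1_SIGNATURE   signed with SHA-1
#   OK               none of the above
classify_cert_text() {
    text=$(cat)
    findings=""

    # Subject line looks like: "        Subject: C=US, O=Example, CN=*.example.com"
    cn=$(printf '%s\n' "$text" | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p' | head -n 1)
    case "$cn" in
        *\**) findings="$findings WILDCARD_CN" ;;
    esac

    # The first "Signature Algorithm:" line names the algorithm the CA used,
    # e.g. sha256WithRSAEncryption or sha1WithRSAEncryption.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1)
    case "$sigalg" in
        sha224*|sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512)
            findings="$findings SHA2_SIGNATURE" ;;
        sha1*|ecdsa-with-SHA1)
            findings="$findings SHA1_SIGNATURE" ;;
    esac

    [ -n "$findings" ] || findings=" OK"
    printf '%s\n' "${findings# }"
}

# weblogic_sha2_action VERSION: the article's rule for a SHA2 certificate on a
# given WebLogic release (major.minor.patch, e.g. 10.3.6). Prints
# ENABLE_JSSE_SSL for 10.3.3 or higher, UPGRADE_OR_USE_SHA1 otherwise.
weblogic_sha2_action() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    patch=${patch:-0}
    if [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -gt 3 ]; } \
       || { [ "$major" -eq 10 ] && [ "$minor" -eq 3 ] && [ "$patch" -ge 3 ]; }; then
        printf '%s\n' "ENABLE_JSSE_SSL"
    else
        printf '%s\n' "UPGRADE_OR_USE_SHA1"
    fi
}

# Constructed sample inputs (shape of `openssl x509 -noout -text`, not real certs).
SAMPLE_WILDCARD_SHA2='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Example CA, CN=Example Issuing CA
        Subject: C=US, O=Example Corp, CN=*.example.com'

SAMPLE_PLAIN_SHA1='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4661 (0x1235)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Example CA, CN=Example Issuing CA
        Subject: C=US, O=Example Corp, CN=pia.example.com'

# Stand-alone demo. Against a real file you would run:
#   openssl x509 -in server.pem -noout -text | classify_cert_text
printf 'wildcard/SHA2 sample : %s\n' "$(printf '%s\n' "$SAMPLE_WILDCARD_SHA2" | classify_cert_text)"
printf 'plain/SHA1 sample    : %s\n' "$(printf '%s\n' "$SAMPLE_PLAIN_SHA1" | classify_cert_text)"
printf 'SHA2 on WebLogic 10.3.2: %s\n' "$(weblogic_sha2_action 10.3.2)"
printf 'SHA2 on WebLogic 10.3.6: %s\n' "$(weblogic_sha2_action 10.3.6)"
```

A `WILDCARD_CN` finding means the certificate should be re-issued with a fully qualified host name in the CN, as the first solution says; a `SHA2_SIGNATURE` finding combined with `ENABLE_JSSE_SSL` means the admin console steps above apply, while `UPGRADE_OR_USE_SHA1` means the WebLogic upgrade (or a SHA1 certificate) comes first.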
