WebLogic + JDK 1.6 error: Unsupported OID in the AlgorithmIdentifier object

I am getting the following error when enabling SSL, when I use JDK 1.6.0_13 and WebLogic Server 10.3:

<Aug 21, 2009 11:30:16 AM GMT+00:00> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>

<Aug 21, 2009 11:30:16 AM GMT+00:00> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11>

Resolution:

To output the keys affected from {JAVA_HOME}\bin (Windows):

keytool -list -v -keystore ..\lib\security\cacerts -storepass changeit > list.txt

I ended up having to delete the following keys:

keytool -delete -keystore ..\lib\security\cacerts -alias ttelesecglobalrootclass2ca -storepass changeit

keytool -delete -keystore ..\lib\security\cacerts -alias ttelesecglobalrootclass3ca -storepass changeit

keytool -delete -keystore ..\lib\security\cacerts -alias keynectisrootca -storepass changeit

keytool -delete -keystore ..\lib\security\cacerts -alias thawteprimaryrootcag3 -storepass changeit

keytool -delete -keystore ..\lib\security\cacerts -alias globalsignr3ca -storepass changeit

keytool -delete -keystore ..\lib\security\cacerts -alias secomscrootca2 -storepass changeit

keytool -delete -keystore ..\lib\security\cacerts -alias verisignuniversalrootca -storepass changeit

keytool -delete -keystore ..\lib\security\cacerts -alias geotrustprimarycag3 -storepass changeit

Reference:

http://forums.oracle.com/forums/thread.jspa?threadID=947219

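Cause:

According to what was found online, the cause is that the IBM JDK is used on AIX, and some of the CA root certificates in jre/lib/security/cacerts are signed with an algorithm that WebLogic does not support; in other words, the JDK and WebLogic do not match. The WebLogic releases for Linux and Windows ship with their own JDK, so the two match and the signature algorithm problem does not occur. It is therefore not necessarily an IBM JDK problem: a mismatch between the JDK version and WebLogic also causes this kind of error.

Solution:

Delete the certificates in cacerts whose signature algorithm is not supported by WebLogic.

A lookup shows that OID 1.2.840.113549.1.1.11 is the sha256WithRSA algorithm, so delete the CA certificates signed with sha256WithRSA.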

keytool -delete -keystore ../lib/security/cacerts -alias ttelesecglobalrootclass2ca -storepass changeit

keytool -delete -keystore ../lib/security/cacerts -alias ttelesecglobalrootclass3ca -storepass changeit

keytool -delete -keystore ../lib/security/cacerts -alias keynectisrootca -storepass changeit
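As an added example (not part of the original page or the forum post), this Python script reads the `keytool -list -v` output saved as list.txt and reports which aliases carry a sha256WithRSA signature, so the entries to delete come from the listing itself rather than from a copied list. It assumes English-locale keytool output; the sample listing, its field values and the alias `examplesha1rootca` are constructed.

```python
import re
import sys

# OID 1.2.840.113549.1.1.11 = sha256WithRSAEncryption. keytool prints the JCA
# name "SHA256withRSA"; matching the dotted OID as well is an assumption, for
# JDKs that print the raw OID when they have no name for it.
TARGETS = {"sha256withrsa", "1.2.840.113549.1.1.11"}

ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$")
SIGALG_RE = re.compile(r"^\s*Signature algorithm name:\s*(.+?)\s*$")

# Constructed sample in the layout of `keytool -list -v` (not real output).
SAMPLE_LISTING = """\
Alias name: ttelesecglobalrootclass2ca
Entry type: trustedCertEntry

Owner: CN=Constructed Root A
\t Signature algorithm name: SHA256withRSA
\t Version: 3

*******************************************

Alias name: examplesha1rootca
Entry type: trustedCertEntry

Owner: CN=Constructed Root B
\t Signature algorithm name: SHA1withRSA

*******************************************

Alias name: keynectisrootca
Entry type: trustedCertEntry

Owner: CN=Constructed Root C
\t Signature algorithm name: sha256WithRSA
"""


def aliases_with_sigalg(listing, targets=TARGETS):
    """Return aliases, in listing order, whose certificate uses a target algorithm."""
    hits, alias = [], None
    for line in listing.splitlines():
        m = ALIAS_RE.match(line)
        if m:                       # a new keystore entry starts here
            alias = m.group(1)
            continue
        m = SIGALG_RE.match(line)
        if m and alias and m.group(1).lower() in targets and alias not in hits:
            hits.append(alias)
    return hits


if __name__ == "__main__":
    # Pass list.txt as the argument; with no argument the sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LISTING
    print("\n".join(aliases_with_sigalg(text)))
```

Running the listing step again after the deletions and feeding the new list.txt to the script should print nothing.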
