WebLogic + JDK 1.6 error: Unsupported OID in the AlgorithmIdentifier object
I am getting the following error when enabling SSL, using JDK 1.6.0_13 and WebLogic Server 10.3:
<Aug 21, 2009 11:30:16 AM GMT+00:00> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Aug 21, 2009 11:30:16 AM GMT+00:00> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11>
Resolution:
To list the certificates in the cacerts trust store and find the affected entries, run the following from {JAVA_HOME}\bin (Windows):
keytool -list -v -keystore ..\lib\security\cacerts -storepass changeit > list.txt
I ended up having to delete the following keys:
keytool -delete -keystore ..\lib\security\cacerts -alias ttelesecglobalrootclass2ca -storepass changeit
keytool -delete -keystore ..\lib\security\cacerts -alias ttelesecglobalrootclass3ca -storepass changeit
keytool -delete -keystore ..\lib\security\cacerts -alias keynectisrootca -storepass changeit
keytool -delete -keystore ..\lib\security\cacerts -alias thawteprimaryrootcag3 -storepass changeit
keytool -delete -keystore ..\lib\security\cacerts -alias globalsignr3ca -storepass changeit
keytool -delete -keystore ..\lib\security\cacerts -alias secomscrootca2 -storepass changeit
keytool -delete -keystore ..\lib\security\cacerts -alias verisignuniversalrootca -storepass changeit
keytool -delete -keystore ..\lib\security\cacerts -alias geotrustprimarycag3 -storepass changeit
Reference:
http://forums.oracle.com/forums/thread.jspa?threadID=947219
Cause:
Searching online, the cause turns out to be that the IBM JDK is used on AIX, and the signature algorithm of some CA root certificates in jre/lib/security/cacerts is not supported by WebLogic; in other words, the JDK and WebLogic do not match. WebLogic releases for Linux or Windows bundle their own JDK, so the two are matched and no signature-algorithm problem arises. So it cannot be said to be strictly an IBM JDK problem: a JDK version that does not match WebLogic produces the same kind of error.
Solution:
Delete the certificates in cacerts whose signature algorithm is not supported by WebLogic.
Looking up OID 1.2.840.113549.1.1.11 shows that it is the sha256WithRSA algorithm, so delete the CA certificates signed with sha256WithRSA.
keytool -delete -keystore ../lib/security/cacerts -alias ttelesecglobalrootclass2ca -storepass changeit
keytool -delete -keystore ../lib/security/cacerts -alias ttelesecglobalrootclass3ca -storepass changeit
keytool -delete -keystore ../lib/security/cacerts -alias keynectisrootca -storepass changeit
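Both the Windows resolution above and the AIX solution here rely on reading `keytool -list -v` output by eye to find the trust anchors signed with the unsupported algorithm. The following script is an added example, not part of the original post or of WebLogic or the JDK: it parses the text format keytool prints (the `Alias name:` and `Signature algorithm name:` lines), maps the OID from the error message to the algorithm name keytool uses, and prints the `keytool -delete` commands for review rather than running them. The sample listing embedded in it is constructed, and the aliases `exampleroot1ca` to `exampleroot3ca` are made up; the OID table contains the OID from the error plus the standard PKCS#1 OIDs for the other SHA-2 RSA signature algorithms.

```python
import re
import shlex
import sys

# Signature-algorithm OIDs mapped to the names keytool prints. The first entry is the OID from
# the WebLogic error in this post; the others are the standard PKCS#1 OIDs for related RSA
# signature algorithms so the lookup also covers similar "Unsupported OID" messages.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
}

# Constructed sample of `keytool -list -v` output in the JDK 6 format. The aliases, subjects,
# serials and fingerprints are invented for this example and are not real cacerts entries.
SAMPLE_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: exampleroot1ca
Creation date: Jan 5, 2009
Entry type: trustedCertEntry

Owner: CN=Example Root 1, O=Example, C=US
Issuer: CN=Example Root 1, O=Example, C=US
Serial number: 1
Valid from: Thu Jan 01 00:00:00 GMT 2009 until: Mon Jan 01 00:00:00 GMT 2029
Certificate fingerprints:
     MD5:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
     SHA1:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
     Signature algorithm name: SHA1withRSA
     Version: 3


*******************************************
*******************************************


Alias name: exampleroot2ca
Creation date: Jan 5, 2009
Entry type: trustedCertEntry

Owner: CN=Example Root 2, O=Example, C=US
Issuer: CN=Example Root 2, O=Example, C=US
Serial number: 2
Valid from: Thu Jan 01 00:00:00 GMT 2009 until: Mon Jan 01 00:00:00 GMT 2029
Certificate fingerprints:
     MD5:  FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
     SHA1:  FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
     Signature algorithm name: SHA256withRSA
     Version: 3


*******************************************
*******************************************


Alias name: exampleroot3ca
Creation date: Jan 5, 2009
Entry type: trustedCertEntry

Owner: CN=Example Root 3, O=Example, C=US
Issuer: CN=Example Root 3, O=Example, C=US
Serial number: 3
Valid from: Thu Jan 01 00:00:00 GMT 2009 until: Mon Jan 01 00:00:00 GMT 2029
Certificate fingerprints:
     MD5:  01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF
     SHA1:  01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
     Signature algorithm name: SHA256withRSA
     Version: 3
"""


def parse_keytool_listing(text):
    """Return {alias: signature algorithm name} parsed from `keytool -list -v` output."""
    entries = {}
    alias = None
    for line in text.splitlines():
        m = re.match(r"\s*Alias name:\s*(.+?)\s*$", line)
        if m:
            alias = m.group(1)          # a new entry starts here
            continue
        m = re.match(r"\s*Signature algorithm name:\s*(\S+)", line)
        if m and alias is not None:
            entries[alias] = m.group(1)
    return entries


def aliases_with_oid(entries, oid):
    """Aliases whose certificate is signed with the algorithm identified by `oid`."""
    name = SIG_ALG_OIDS.get(oid)
    if name is None:
        raise ValueError("unknown signature algorithm OID: %s" % oid)
    return sorted(a for a, alg in entries.items() if alg.lower() == name.lower())


def delete_commands(aliases, keystore="../lib/security/cacerts", storepass="changeit"):
    """Build the keytool -delete commands for review; nothing is executed here."""
    return ["keytool -delete -keystore %s -alias %s -storepass %s"
            % (shlex.quote(keystore), shlex.quote(a), shlex.quote(storepass))
            for a in aliases]


if __name__ == "__main__":
    # Usage: python find_unsupported_roots.py [list.txt] [OID]; defaults to the sample listing
    # and the OID from the WebLogic error message.
    listing = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    oid = sys.argv[2] if len(sys.argv) > 2 else "1.2.840.113549.1.1.11"
    hits = aliases_with_oid(parse_keytool_listing(listing), oid)
    print("# %d entries signed with %s (%s)" % (len(hits), SIG_ALG_OIDS[oid], oid))
    for cmd in delete_commands(hits):
        print(cmd)
```

Feed it the `list.txt` produced by `keytool -list -v` from the resolution above and review the printed commands before running them: every alias removed is a trust anchor the server will no longer accept, so keep a backup of the original cacerts and the generated list of deleted aliases.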