Monday, June 8, 2015

BEA-000297 Inconsistent security configuration, java.lang.RuntimeException: Cannot convert identity certificate

Error -

After importing a new certificate into the keystore, the WebLogic server starts throwing the error below.

<Jun 3, 2015 3:37:48 PM PDT> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.lang.RuntimeException: Cannot convert identity certificate>
<Jun 3, 2015 3:37:48 PM PDT> <Error> <Server> <BEA-002618> <An invalid attempt was made to configure a channel for unconfigured protocol "Cannot convert identity certificate".>

Reason -

Certificates issued nowadays are signed using a SHA2 hash algorithm. SHA2 is stronger than SHA1 and generates a longer hash. The SHA-2 family consists of six hash functions with digests (hash values) of 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256. The default SSL implementation in WebLogic (Certicom SSL) cannot handle more than 128-bit.
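Before changing the server configuration it is worth confirming which hash the certificate in the keystore was actually signed with. The following added example (not from the original post) reads the signatureAlgorithm OID out of a DER-encoded X.509 certificate in pure Python; `sample_cert` builds a constructed skeleton that stands in for a real certificate, and the keytool command in the comment is the usual way to export a real one from the identity keystore.

```python
# Identify the signature hash of a DER-encoded X.509 certificate.
# Export a real one from the keystore with (alias/paths are placeholders):
#   keytool -exportcert -keystore identity.jks -alias server -file server.der

# Signature algorithm OIDs -> algorithm name (RSA and ECDSA variants).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.113549.1.1.14": "sha224WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode DER OID content octets into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _tbs, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, sig_alg, _ = read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(sig_alg, 0)
    assert tag == 0x06, "expected OID"
    dotted = decode_oid(oid)
    return SIG_ALG_OIDS.get(dotted, "unknown OID " + dotted)

def is_sha2_signed(der):
    """True when the certificate signature uses a SHA-2 family hash."""
    name = signature_algorithm(der).lower()
    return any(h in name for h in ("sha224", "sha256", "sha384", "sha512"))

def _tlv(tag, body):
    """Short-form DER encoder (bodies < 128 bytes), used only for the constructed sample."""
    return bytes([tag, len(body)]) + body

def sample_cert(sig_oid):
    """Constructed skeleton, not a real certificate: only the fields parsed above are present."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                          # tbsCertificate stub
    sig_alg = _tlv(0x30, _tlv(0x06, sig_oid) + _tlv(0x05, b""))    # OID + NULL parameters
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00\xaa\xaa")) # + BIT STRING stub

SHA1_RSA = bytes.fromhex("2A864886F70D010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11
```

Run `signature_algorithm(open("server.der", "rb").read())` on an exported certificate; a SHA-2 result means the Certicom stack will reject it and JSSE must be enabled.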

Solution -

If you are using WebLogic 10.3.2 or lower, you must first upgrade to WebLogic 10.3.3 or higher (ideally to WebLogic 10.3.6, which includes several SHA2 bug fixes). If you are unable to upgrade, you will need to switch to a SHA1 certificate.

If you are using WebLogic 10.3.3 or higher, use the following steps to enable JSSE SSL, which accepts stronger certificates such as SHA2.
    a. Log in to your WebLogic admin console
    b. From the left menu, choose Environment -> Servers -> SOA_MngdSvr1 (the server whose keystore holds the new certificate)
    c. Click the 'Configuration' tab and then the 'SSL' subtab
    d. Go to the bottom of the page and click the 'Advanced' hyperlink
    e. Click the 'Lock & Edit' button in the top left menu
    f. Go to the bottom of the page and check "Use JSSE SSL"
    g. Click "Save"
    h. Click 'Activate Changes'

Restart the servers for the change to take effect.