SSL private key password

Makoto Suzuki

Sep 17, 2003, 11:18:56 PM
Hello everyone,

I'm trying to upgrade a WLS 6.1 SP2 with WLP 4.0 SP2 instance to WLS 7.0 SP2
with WLP 7.0 SP2. Everything is fine except that we cannot use the same
SSL certificate. By default the private key is not encrypted with a password
(SSL.KeyEncrypted = false by default, according to the documentation) in
both WLS 6.1 and WLS 7.0. But running the WLS 7.0 startup script results in the
following error:

<Sep 17, 2003 5:06:40 PM HST> <Alert> <WebLogicServer> <000297> <Inconsistent security configuration, java.lang.Exception: Cannot read private key from file C:\bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid.>
java.lang.Exception: Cannot read private key from file C:\bea7\user_projects\agencyPortal\portal_islandinsurance_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid.
        at weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.java:434)
        at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:153)
        at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:122)
        at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1513)
        at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:852)
        at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:295)
        at weblogic.Server.main(Server.java:32)

Is this happening because the private key is actually encrypted with the
password? It was working, although the KeyEncrypted is not set to true and
the startup script for the WLS 6.1 instance did have a line
with -Dweblogic.management.pkpassword. Or could this error be the result of
something else? The physical machine the instances are located on is the same,
and the IP address and the DNS entry haven't been changed, either.

Any insight will be greatly appreciated. Thanks!

Makoto


Tony

Sep 19, 2003, 7:33:45 AM
It may be because the private key is both unprotected and in DER format.

There are some things to try:
1) Convert the private key file from a DER file to a PEM file and try that:
   a) Follow the instructions for converting an unprotected private key at:
      http://e-docs.bea.com/wls/docs70/adminguide/utils.html#1143743
   b) Look at the resulting PEM file; it should look something like this:
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
      (Be sure there are no extra lines or whitespace after the footer)
   c) Change your configuration to point at the PEM file

If that doesn't work, then you can try protecting the key with a password using
the wlkeytool utility (it should be in the server/bin directory). The tool should
prompt for a password to use to protect it:

   wlkeytool inputkey.pem outputkey.pem

Then change your configuration to use the protected private key, and set
the password to use.

Tony

"Makoto Suzuki" <msu...@hoike.net> wrote in message
news:3f69...@newsgroups.bea.com...
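
The question raised in the thread (is the key file actually password-protected, and is it DER or PEM?) can be answered by inspecting the file itself. The following is an added example, not part of the original posts and not a BEA tool; the function names are hypothetical and the sample keys are constructed stand-ins with the right ASN.1 shape, not real keys.

```python
import base64, re, sys

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short-form length
        return tag, off + 2, off + 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    start = off + 2 + n
    return tag, start, start + int.from_bytes(buf[off + 2:start], "big")

def der_kind(der):
    """Classify a DER private key from its outer and first inner ASN.1 tags."""
    if len(der) < 4 or der[0] != 0x30:     # must be one outer SEQUENCE
        return "not a DER private key"
    _, start, end = _tlv(der, 0)
    if end != len(der) or end - start < 2:
        return "not a DER private key"
    first_tag, _, first_end = _tlv(der, start)
    if first_tag == 0x30:                  # AlgorithmIdentifier first: EncryptedPrivateKeyInfo
        return "PKCS#8 encrypted"
    if first_tag == 0x02 and first_end < end:   # INTEGER version first
        return "PKCS#8 unencrypted" if der[first_end] == 0x30 else "PKCS#1 unencrypted"
    return "unknown"

def inspect_key(data):
    """Return (container, kind, warnings) for the raw bytes of a key file."""
    m = PEM_RE.search(data)
    if not m:
        return "DER", der_kind(data), []
    warnings = []
    if data[m.end():] not in (b"", b"\n", b"\r\n"):
        warnings.append("extra lines or whitespace after the footer")
    label, body = m.group(1), m.group(2)
    if b"Proc-Type: 4,ENCRYPTED" in body:  # traditional encrypted PEM header
        return "PEM", "encrypted (Proc-Type header)", warnings
    if label == b"ENCRYPTED PRIVATE KEY":
        return "PEM", "PKCS#8 encrypted", warnings
    return "PEM", der_kind(base64.b64decode(body)), warnings

# Constructed stand-ins with the right ASN.1 shape; these are not real keys.
SAMPLE_PKCS1_DER = bytes.fromhex("3006020100020105")
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              + base64.b64encode(SAMPLE_PKCS1_DER)
              + b"\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(inspect_key(raw))
```

Run it with the key file path as the only argument; it reads only the outer structure and never prints key material.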

Makoto Suzuki

Sep 22, 2003, 4:42:14 PM
Thanks Tony - it worked!!


"Tony" <TonyV> wrote in message news:3f6a...@newsgroups.bea.com...
