SSL in WLS 7.0 SP2 Where to input keystore password?

Daniel Bratell

Jul 30, 2003, 11:45:57 AM
I'm trying to use JKS for the keys in a customer's WLS since the
ordinary PEM keys caused a NoSuchElementException without any real
explanation and now I've come to a grinding halt.

I've created a keystore mykey.keystore which contains the server key
under the alias 'mykey' and with password secret. The whole keystore
also has the password secret. Now I want WLS 7.0 to use that one. I've
opened the SSL tab in the console and specified the keystore file name
and the alias along with the key password, but nowhere can I find a place
to enter the keystore password.

I found one document that suggested that I should specify the keystore
password in the Private Keystore Pass Phrase attribute (
http://edocs.bea.com/wls/docs70/secmanage/ssl.html#1167546 ) but I
don't have that field. If I enter Security -> Realms
myRealm/CompatibilityRealm -> Providers -> Key Stores -> myKeyStore
there are only "Private Key Store Location" and "Root CAKey Store
Location" to enter.

I tried anyway but that just gave me this error in the weblogic.log file:

####<2003-jul-30 16:21:31 CEST> <Debug> <TLS> <seven.lin.idainfront.se>
<dnareg_server> <main> <kernel identity> <> <000000>
<SSLListenThread.getSSLManager()>
####<2003-jul-30 16:21:31 CEST> <Debug> <TLS> <seven.lin.idainfront.se>
<dnareg_server> <main> <kernel identity> <> <000000> <SSLManager:
getting server private key>
####<2003-jul-30 16:21:31 CEST> <Debug> <TLS> <seven.lin.idainfront.se>
<dnareg_server> <main> <kernel identity> <> <000000> <SSLManager:
getServerPrivateKey(); key alias: mykey>
####<2003-jul-30 16:21:31 CEST> <Debug> <TLS> <seven.lin.idainfront.se>
<dnareg_server> <main> <kernel identity> <> <000000> <SSLManager:
getServerPrivateKey(); key passphrase: <non-null>>
####<2003-jul-30 16:21:31 CEST> <Debug> <TLS> <seven.lin.idainfront.se>
<dnareg_server> <main> <kernel identity> <> <000000>
<SSLManager.getService(KEYMANAGER)>
####<2003-jul-30 16:21:31 CEST> <Debug> <TLS> <seven.lin.idainfront.se>
<dnareg_server> <main> <kernel identity> <> <000000> <SSLManager:
getServerPrivateKey(); getting KeyStore >
####<2003-jul-30 16:21:31 CEST> <Debug> <TLS> <seven.lin.idainfront.se>
<dnareg_server> <main> <kernel identity> <> <000000> <Looking for key by
alias: mykey>
####<2003-jul-30 16:21:31 CEST> <Debug> <TLS> <seven.lin.idainfront.se>
<dnareg_server> <main> <kernel identity> <> <000000> <Found private key:
<null>>
####<2003-jul-30 16:21:31 CEST> <Debug> <TLS> <seven.lin.idainfront.se>
<dnareg_server> <main> <kernel identity> <> <000000> <Using 6.x
configuration for SSL Server PrivateKey>
####<2003-jul-30 16:21:31 CEST> <Error> <Security>
<seven.lin.idainfront.se> <dnareg_server> <main> <kernel identity> <>
<090109> <The Server was unable to find the configured private key on
server dnareg_server in the file specified by the SSL ServerKeyFileName
attribute.>
####<2003-jul-30 16:21:31 CEST> <Alert> <WebLogicServer>
<seven.lin.idainfront.se> <dnareg_server> <main> <kernel identity> <>
<000297> <Inconsistent security configuration, java.lang.Exception: The
Server was unable to find the server's private key on server
dnareg_server in the file specified by the SSL ServerKeyFileName
attribute.>
####<2003-jul-30 16:21:31 CEST> <Emergency> <Security>
<seven.lin.idainfront.se> <dnareg_server> <main> <kernel identity> <>
<090034> <Not listening for SSL, java.io.IOException: Inconsistent
security configuration, java.lang.Exception: The Server was unable to
find the server's private key on server dnareg_server in the file
specified by the SSL ServerKeyFileName attribute..>


Daniel Bratell

Jul 31, 2003, 1:35:28 AM
I've progressed somewhat. Turned out that you should have the same
password for both the key and the keystore. Now I get this instead:

<2003-jul-31 07:27:44 CEST> <Notice> <Management> <140005> <Loading
configuration /opt/i4/kiruna/c3-daniel/weblogic/config.xml>
java.security.KeyManagementException: ASN.1: Lengths longer than 32 bits
are not supported
at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown Source)
at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown Source)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:425)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:288)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1518)
at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:858)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:294)
at weblogic.Server.main(Server.java:31)

####<2003-jul-31 07:28:26 CEST> <Alert> <WebLogicServer>
<seven.lin.idainfront.se> <dnareg_server> <main> <kernel identity> <>
<000297> <Inconsistent security configuration,
java.security.KeyManagementException: ASN.1: Lengths longer than 32 bits
are not supported>
####<2003-jul-31 07:28:26 CEST> <Emergency> <Security>
<seven.lin.idainfront.se> <dnareg_server> <main> <kernel identity> <>
<090034> <Not listening for SSL, java.io.IOException: Inconsistent
security configuration, java.security.KeyManagementException: ASN.1:
Lengths longer than 32 bits are not supported.>


Has anyone else seen this and figured out what it really means?

/Daniel

Tony

Aug 13, 2003, 9:18:49 AM
I don't know if 7.0 SP2 lets you specify a keystore password. I believe it
only supported JKS stores, and it assumed that for read-only access it
didn't need to use a passphrase there (the passphrase was used like a CRC
check for validation of the store, not for gaining access to it). I believe
the ability to set a keystore passphrase was added in 8.1, as some keystores
do require the passphrase for allowing read access.

That message can show up if the wrong password was used to unlock the
private key: it decrypted the key using a bad password, resulting in
garbage, and then the ASN.1 parsing detected that as bad ASN.1. Double
check that the private key passphrase is correct.

Tony

"Daniel Bratell" <daniel....@idainfront.se> wrote in message
news:3f28aaa0$1...@newsgroups.bea.com...
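A standalone check for the mismatch Tony describes, added here as an example (it is not code from the thread or from BEA): it loads the JKS store with the store password, then tries to recover the key under the alias with the key passphrase, so a wrong passphrase surfaces as an UnrecoverableKeyException from the JDK before the server is started rather than as the Certicom ASN.1 error at listen time. The class name KeystoreCheck and the command-line arguments are assumptions; the sample values in the usage comment mirror Daniel's mykey.keystore / mykey / secret.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;

// Added example, not from the thread. Hypothetical usage: java KeystoreCheck mykey.keystore secret mykey secret
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeystoreCheck <keystore> <storepass> <alias> <keypass>");
            System.exit(2);
        }
        String file = args[0], storePass = args[1], alias = args[2], keyPass = args[3];
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(file)) {
            // For JKS the store password only verifies the file's integrity hash;
            // entries are not encrypted with it (the "CRC" role Tony describes).
            ks.load(in, storePass.toCharArray());
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) {
                System.out.println("FAIL: keystore password does not match the store's integrity hash");
                System.exit(1);
            }
            throw e;  // unreadable or corrupt file, not a password problem
        }

        if (!ks.isKeyEntry(alias)) {
            System.out.println("FAIL: no key entry under alias '" + alias + "'");
            System.exit(1);
        }

        try {
            // The step WLS performs at start-up: decrypt the key with the key passphrase.
            Key key = ks.getKey(alias, keyPass.toCharArray());
            System.out.println("OK: recovered " + key.getAlgorithm() + " key for alias '" + alias + "'");
        } catch (UnrecoverableKeyException e) {
            // A wrong passphrase decrypts to garbage; the JDK detects it here,
            // whereas WLS 7.0 reports it as the Certicom ASN.1 length error.
            System.out.println("FAIL: key passphrase does not unlock alias '" + alias + "'");
            System.exit(1);
        }

        if (!storePass.equals(keyPass)) {
            System.out.println("WARN: key and keystore passwords differ; 7.0 SP2 has no keystore"
                    + " password field, so use the same value for both (as Daniel found)");
        }
    }
}
```

A test keystore for running it can be created with `keytool -genkeypair -keystore mykey.keystore -alias mykey`, giving the store and the key the same password.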
