can this kind of certificate work with weblogic?
George Lin
Hi,
I get certificate from win2000 certificate authority,and try to make it work
with weblogic. But I get the following exception:
<2002-6-13 10:31:35> <Notice> <WebLogicServer> <Starting WebLogic Admin
Server "myserver" for domain "mydomain">
java.io.IOException: Length is too big: takes 6 bytes
at weblogic.security.ASN1.ASN1Header.inputLength(ASN1Header.java:148)
at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:120)
at weblogic.security.X509.input(X509.java:118)
at weblogic.security.X509.initialize(X509.java:81)
at weblogic.security.Certificate.<init>(Certificate.java:59)
at weblogic.security.X509.<init>(X509.java:56)
at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.ja
va:235)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:427)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1045)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:480)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:202)
at weblogic.Server.main(Server.java:35)
<2002-6-13 10:31:35> <Alert> <WebLogicServer> <Inconsistent security con
figuration, weblogic.security.KeyManagementException: java.io.IOException: Lengt
h is too big: takes 6 bytes>
weblogic.security.KeyManagementException: java.io.IOException: Length is too big
: takes 6 bytes
at weblogic.security.X509.initialize(X509.java:86)
at weblogic.security.Certificate.<init>(Certificate.java:59)
at weblogic.security.X509.<init>(X509.java:56)
at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.ja
va:235)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:427)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1045)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:480)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:202)
at weblogic.Server.main(Server.java:35)
Why? What does this mean? How to resolve it?
Any advice is appreciated!
Regards,
George
Jim Brown
I believe what is happening is that WLS is attempting to load a CA
Certificate Chain in PKCS#7 format. I am aware of three formats in which
a CA Certificate Chain can be submitted: PEM/DER, PKCS#7 and PKCS#12.
WebLogic Server (and Java keytool) only supports the PEM/DER format. If
you were using the Netscape Certificate Management System (CMS), you
would choose "Display certificates in the CA certificate chain for
importing individually into a server" and copy the individual
certificates into a new hostname_ca.pem file (keeping their individual
headers "-----BEGIN CERTIFICATE---" and footers "-----END
CERTIFICATE---" intact).
The order of the certificate chain is important:
<< If you want to use a certificate chain, append the additional
PEM-encoded digital certificates to the digital certificate of the
certificate authority that issued the digital certificate for WebLogic
Server. The last digital certificate in the file should be a digital
certificate that is self-signed (that is, the rootCA certificate).>>
Defining Trusted Certificate Authorities
<http://e-docs.bea.com/wls/docs61///////adminguide/cnfgsec.html#1053344>
Hope this helps --
Jim
--
Jim Brown
Developer Relations Engineer
BEA Support
Jim Brown
Certificate Chain", I mean the "Server Certificate Chain File" and not
the "Trusted CA File".
-- Jim
----
Jim Brown
Developer Relations Engineer
BEA Support
George Lin
Hi, Jim
Thanks first! But I still don't understand what you mean. As I kown, PEM/DER is something
as encoding rules, and one format can be converted to the other one. PKCS is soemthing
as syntax standard, and a PKCS#7 file can be base64 encoding or der encoding. Is
it right?
I'm not very sure of it, puzzled... and need help!Thanks!
Regards,
George