Friday, July 26, 2013

javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert in WebLogic cluster


Scenario: 

A WLS cluster configuration in Exalogic with one Admin Server and 6 managed servers split across 3 nodes.

Each node has its own Node Manager, which is started using a WLST script. Even so, the WebLogic console shows the status as "Inactive".

The log files contain the following message:

"NMProcess: WARNING: Uncaught exception in server handlerjavax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from server1.domainname - 10.200.200.200. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
NMProcess: javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from server1.domainname - 10.200.200.200. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected."


Workaround:

In this case, the Admin Server and the Node Manager are using the default demo certificates. The Node Manager configuration is done using the fully qualified machine name, and the entries are present in /etc/hosts. After trying many options to debug, I finally decided to disable hostname verification.

Edit both the Node Manager startup script and the WebLogic startup script and add the following lines.

1. Node Manager startup script under $WLS_HOME/wlserver_10.3/server/bin

Take a backup of the startNodeManager.sh script and edit it to add:

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false"
export JAVA_OPTIONS

Add it between the "export CLASSPATH" line and the cd "${NODEMGR_HOME}" line, as shown below:

export CLASSPATH
export PATH
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false"
export JAVA_OPTIONS
cd "${NODEMGR_HOME}"

2. Similarly, take a backup of the startWebLogic.sh script under $DOMAIN_HOME/bin

and add the following entry:

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"
export JAVA_OPTIONS

Add it between the SAVE_CLASSPATH line and the trap 'stopAll' line, as shown below:

CLASSPATH="${SAVE_CLASSPATH}"

SAVE_CLASSPATH=""

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"
export JAVA_OPTIONS


trap 'stopAll' 1 2 3 15

Restart all services. The warning is gone now, and the Node Manager status of all nodes, when checked from the console page, has changed to "Reachable".
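
An added example, not part of the original post: a small shell audit that lists the start scripts in which either of the two properties above is set to the value that turns hostname verification off, so the places where this workaround is in effect can be tracked. The function names and sample files are constructed for illustration, and property names are matched exactly as written in the post.

```shell
#!/bin/sh
# hv_findings FILE...
# Prints "file:line:property:state" for each non-comment line that sets one
# of the two properties from the post to the value that disables hostname
# verification. state is "active", or "unquoted" when the assignment has no
# quotes: the shell then runs the -D flag as a command and JAVA_OPTIONS is
# left unchanged.
hv_findings() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }    # commented-out lines have no effect
            {
                state = "active"
                if ($0 ~ /^[ \t]*JAVA_OPTIONS=[^" \t]+[ \t]+-D/) state = "unquoted"
                if ($0 ~ /-Dweblogic\.nodemanager\.sslHostNameVerificationEnabled=false/)
                    print file ":" NR ":weblogic.nodemanager.sslHostNameVerificationEnabled:" state
                if ($0 ~ /-Dweblogic\.security\.SSL\.ignoreHostnameVerification=true/)
                    print file ":" NR ":weblogic.security.SSL.ignoreHostnameVerification:" state
            }' "$f"
    done
}

# hv_count FILE... -> number of findings across all files
hv_count() { hv_findings "$@" | awk 'END { print NR }'; }

# Constructed sample scripts (hypothetical content, not real WebLogic files).
hv_sample() {
    dir=$1
    printf '%s\n' 'export CLASSPATH' \
        'JAVA_OPTIONS=${JAVA_OPTIONS} -Dweblogic.nodemanager.sslHostNameVerificationEnabled=false' \
        'export JAVA_OPTIONS' > "$dir/startNodeManager.sh"
    printf '%s\n' \
        '# JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"' \
        'JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.ignoreHostnameVerification=true"' \
        'export JAVA_OPTIONS' > "$dir/startWebLogic.sh"
}

# Dry run against the constructed samples.
demo=$(mktemp -d) && hv_sample "$demo" && hv_findings "$demo"/*.sh
rm -rf "$demo"
```

Against real installations, pass the actual script paths, for example the startNodeManager.sh and startWebLogic.sh files named in the steps above.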

2 comments:

  1. Hi,
    After all this, I am still getting the same error message even though the server name is in the hosts file. Any idea?

  2. Hi sspdesign,

    Are you sure that the error is exactly the same for you as given in the post?

    If so, disabling hostname verification should work.

    Also make sure that the "JAVA_OPTIONS" string is placed at the right position in both files, as mentioned above.
