Signature algorithm problem with the WebLogic Demo certificate when enabling SSL
Because the project required the transmitted HTTP messages to be encrypted, we decided to use the 128-bit SSL secure transport protocol, i.e. HTTPS. Since the application runs in a WebLogic container, we enabled its SSL listener in the console and used the Demo certificate shipped with WebLogic. This worked without problems on Windows and Red Hat Linux, but deploying on AIX ran into the following problem:
<Oct 10, 2011 2:35:37 PM CDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /bea/wls103/wlserver_10.3/server/lib/DemoTrust.jks.>
<Oct 10, 2011 2:35:37 PM CDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /usr/java6_64/jre/lib/security/cacerts.>
<Oct 10, 2011 2:35:37 PM CDT> <Alert> <Security> <BEA-090152> <Demo trusted CA certificate is being used in production mode: [
[
Version: V3
Subject: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key:IBMJCE RSA Public Key:
modulus:
9550192877869244258838480703390456015046425375252278279190673063544122510925482179963329236052146047356415957587628011282484772458983977898996276815440753
public exponent:
65537
Validity: [From: Thu Mar 21 14:12:27 CST 2002,
To: Tue Mar 22 15:12:27 CDT 2022]
Issuer: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
SerialNumber:
Certificate Extensions: 1
: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
]
]
Algorithm:
Signature:
0000: 9d 26 4c 29 c8 91 c3 a706 c3 24 6f ae b4 f8 82..L........o....
0010: 80 4d aa cb 7c 79 46 8481 c4 66 95 f4 1e d8 c4.M...yF...f.....
0020: e9 b7 d9 7c e2 23 33 a4b7 21 e0 aa 54 2b 4a ff......3.....T.J.
0030: cb 21 20 88 81 21 db ac90 54 d8 7d 79 63 23 3c.........T..yc..
] The system is vulnerable to security attacks, since it trusts certificates signed by the demo trusted CA.>
<Oct 10, 2011 2:35:37 PM CDT> <Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11>
<Oct 10, 2011 2:35:37 PM CDT> <Emergency> <Security> <BEA-090034> <Not listening for SSL, java.io.IOException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
Cause:
Searching online, the cause turned out to be that AIX uses IBM's JDK, and the signature algorithms of some CA root certificates in jre/lib/security/cacerts are not supported by WebLogic; put differently, the JDK and WebLogic do not match. WebLogic on Linux or Windows ships with its own JDK, so the two match and no signature algorithm problem occurs. So this cannot simply be called an IBM JDK problem; a JDK version that does not match WebLogic will produce the same kind of issue.
Solution:
Delete the certificates in cacerts whose signature algorithm is not supported by WebLogic.
Looking up OID 1.2.840.113549.1.1.11 shows that it is the sha256WithRSA algorithm, so delete the CA certificates signed with sha256WithRSA.
keytool -delete -keystore ../lib/security/cacerts -alias ttelesecglobalrootclass2ca -storepass changeit
keytool -delete -keystore ../lib/security/cacerts -alias ttelesecglobalrootclass3ca -storepass changeit
keytool -delete -keystore ../lib/security/cacerts -alias keynectisrootca -storepass changeit
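The three aliases above were found by hand. As an added example (not from the original post), the script below generalizes that step: it scans `keytool -list -v` output for every trusted entry signed with a given algorithm and prints the matching keytool -delete commands for review before anything is removed. It assumes Oracle-style keytool -v output ("Alias name:" and "Signature algorithm name:" lines); the alias names in the embedded sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find trusted CA entries in a
# keystore whose signature algorithm WebLogic rejects, and print the matching
# keytool -delete commands for review instead of deleting blindly.
# Assumes Oracle-style `keytool -list -v` output ("Alias name:" and
# "Signature algorithm name:" lines); IBM keytool output may differ.

# find_aliases_by_sigalg ALG   (reads keytool -list -v output on stdin)
# Prints one alias per line for every entry signed with algorithm ALG.
find_aliases_by_sigalg() {
    awk -v want="$1" '
        /^Alias name:/ { alias = $0; sub(/^Alias name: */, "", alias) }
        /Signature algorithm name:/ {
            alg = $0; sub(/.*Signature algorithm name: */, "", alg)
            if (tolower(alg) == tolower(want)) print alias
        }'
}

# delete_commands KEYSTORE STOREPASS ALG   (reads keytool -list -v output on stdin)
# Emits one keytool -delete command per matching alias.
delete_commands() {
    find_aliases_by_sigalg "$3" | while IFS= read -r alias; do
        printf 'keytool -delete -keystore %s -alias %s -storepass %s\n' "$1" "$alias" "$2"
    done
}

# Constructed sample of keytool -list -v output (not a real cacerts dump).
SAMPLE='Alias name: examplesha1rootca
Entry type: trustedCertEntry

Owner: CN=Example Root 1, O=Example, C=US
Signature algorithm name: SHA1withRSA
Version: 3

*******************************************

Alias name: examplesha256rootca
Entry type: trustedCertEntry

Owner: CN=Example Root 2, O=Example, C=US
Signature algorithm name: SHA256withRSA
Version: 3'

# On the real keystore from the post:
#   keytool -list -v -keystore ../lib/security/cacerts -storepass changeit \
#     | delete_commands ../lib/security/cacerts changeit SHA256withRSA
printf '%s\n' "$SAMPLE" | delete_commands ../lib/security/cacerts changeit SHA256withRSA
```

Review the printed commands before running them: each one removes a trust anchor from the JDK's cacerts, so any server chaining to that root will no longer be trusted by this JVM.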