weblogic v10.3配置nodemanager的"BAD_CERTIFICATE alert"的错误

zzgzyyz

在使用weblogic 10.3自带的demo identity keystore(DemoIdentity.jks and DemoTrust.jks),配置使用SSL方式连接NodeManager时出现下面问题:

<Warning> <Uncaught exception in server handler: javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from hellokitty - 192.168.1.133. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>

workaround是

1.修改adminserver的ssl默认参数Hostname Verification:None
2.startWeblogic.cmd中追加:
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.SSL.ignoreHostnameVerification=true

真正引起这个问题的原因是:在私钥(private key)中使用的Common Name并不是真正的Server Name，因此在验证hostname的时候会出错

解决方法是:
重新生产公钥和私钥

参考:
(
JAVA_HOME=/opt/weblogic/jdk160_14
WL_HOME=/opt/weblogic/wlserver_10.3
PATH=$JAVA_HOME/bin:$PATH
export PATH

. $WL_HOME/server/bin/setWLSEnv.sh

java utils.CertGen -cn YOURSERVER.DOMAIN.COM -keyfilepass DemoIdentityPassPhrase -certfile mycert -keyfile mykey

java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyfile mykey.pem -keyfilepass DemoIdentityPassPhrase -certfile mycert.pem -alias demoidentity

Copy the newly created demo identity key store to $WL_HOME/server/lib directory.
)