mikhailidim / chronicler-comments


regenerating-the-demoidentity-certificate-in-weblogic-12c/ #15

Open utterances-bot opened 2 years ago

utterances-bot commented 2 years ago

Regenerating the 'DemoIdentity' certificate in WebLogic 12c

https://chronicler.tech/regenerating-the-demoidentity-certificate-in-weblogic-12c/

dasnavin commented 2 years ago

Great Post.

After that we need to sync the KSS store information to the keystores.xml file located under the $DOMAIN_HOME/config/fmwconfig/

Note: It is suggested to have a backup of the domain folder before making any changes to the xml files.

Navigate to $ORACLE_HOME/oracle_common/common/bin, launch wlst.sh, and run the syncKeyStores command to sync the system KSS keystore:

```
bash$ ./wlst.sh

Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands

wls:/offline> connect()
Please enter your username :
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3://:
t3://:
Connecting to t3://: with userid ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "base_domain".
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
wls:/base_domain/serverConfig/> syncKeyStores(appStripe='system', keystoreFormat='KSS')
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root MBean.
Keystore sync successful.
```

Restart the admin server followed by managed server(s).

NOTE: If you have multiple nodes you'll also need to sync keystores.xml on the remote host. Before starting the nodemanager on a remote host, start a managed server manually to synchronize with $DOMAIN_HOME including keystores.xml of the adminserver. For example:

```
$DOMAIN_HOME/bin/startManagedWebLogic.sh
```

Verify the error is no longer showing in the logs.

https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=204377406821565&id=2757994.1&_afrWindowMode=0&_adf.ctrl-state=bfq2te0z2_298

dasnavin commented 2 years ago

or via Enterprise Manager:

In FMW Control, go to WebLogic Domain > System MBean Browser.

  1. Search for Operation 'syncKeyStores'.
  2. In the search results, click the 'syncKeyStores' link (which takes two parameters).
  3. For p1, enter 'system'; for p2, enter 'KSS'.
  4. Click the 'Invoke' button.

Blauberre commented 1 year ago

I want to thank you both for taking the time to document how to replace the demo identity certificate. I was using Oracle Forms (for 5 years) as a developer when it suddenly stopped working. Attempts to start the WLS_FORMS server would fail with a misleading message about an inability to connect to the node manager.

Node Manager associated with machine AdmiServer is not reachable.

I had tried everything I could think of to reinstate my environment without success. I finally found a clue in the Admin Server log: " <Identity certificate has expired" which ultimately led me to your article. I followed the instructions to create a new certificate, which worked exactly as you documented. Then I used the subsequent post to use Enterprise Mgr to use syncKeyStores to invoke the new certificate. That also worked as documented. Now my forms environment works as it did before.

I'm very grateful. I had spent a couple of months trying to identify the problem and was about to give up.

mikhailidim commented 1 year ago

Thank you for sharing! It is very motivating feedback.


stasctopi commented 1 year ago

The heroes we needed!

Thanks for saving me hours trying to figure this out!

deniska80 commented 4 months ago

Great post, thanks. But we have one problem. We have 2 nodes. First, I didn't notice "replacing Common name with your server hostname"; I chose the bi_domain name (DemoCertifFor_bi_domain) like it was before. Then after executing start.bat none of my 2 BI servers started, and I have a lot of such messages:

```
Certificate chain received from SERVER01 - 192.168.10.77 failed hostname verification check. Certificate contained DemoCertifFor_bi_domain but check expected SERVER01
Certificate chain received from SERVER02 - 192.168.10.78 failed hostname verification check. Certificate contained DemoCertifFor_bi_domain but check expected SERVER02
```

Then I recreated the cert with Common name=SERVER01 and half of my instance started to work! BUT I don't know how to start the second one because I can specify only one Common name.

mikhailidim commented 4 months ago

@deniska80, thank you for sharing. I wouldn't see it as a problem since each node is supposed to have its own private/public key pair (certificate) that matches the hostname or FQDN. To make this happen:

  1. Create separate keys for each managed server. The common name CN should contain the hostname for each host in the cluster.
  2. Sign new certificates with your certificate authority.
  3. Update the managed server configuration and point them to the respective key/certificate pairs.
  4. Restart managed servers to apply changes. You may try Restart SSL to bounce only secure protocols.
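An added example (not code from this thread or the article) that parses the hostname-verification failures quoted above and checks a planned per-node certificate assignment against them, showing why one shared CN can satisfy at most one node and a separate CN per host (step 1) fixes both. The matching rule (case-insensitive exact match of the expected host against the CN or a SAN dNSName, no wildcards) is an assumption about the default WebLogic verifier, and the log lines are constructed from the ones in this thread.

```python
import re

# Constructed sample: the two failures quoted in this thread plus one unrelated
# line, as they would appear in a managed server or Node Manager log.
SAMPLE_LOG = """\
Certificate chain received from SERVER01 - 192.168.10.77 failed hostname verification check. Certificate contained DemoCertifFor_bi_domain but check expected SERVER01
Certificate chain received from SERVER02 - 192.168.10.78 failed hostname verification check. Certificate contained DemoCertifFor_bi_domain but check expected SERVER02
<Info> <Security> <Initializing SSL on server SERVER01> (constructed filler line)
"""

HV_RE = re.compile(
    r"Certificate chain received from (?P<host>\S+) - (?P<ip>\S+) failed hostname "
    r"verification check\. Certificate contained (?P<cn>\S+) but check expected "
    r"(?P<expected>\S+)"
)


def parse_hostname_failures(log_text):
    """Map each hostname the verifier expected to the CN the peer actually presented."""
    failures = {}
    for line in log_text.splitlines():
        m = HV_RE.search(line)
        if m:
            failures[m.group("expected")] = m.group("cn")
    return failures


def cert_matches_host(host, cn, sans=()):
    """Assumed verifier rule: the expected host must equal the CN or one SAN dNSName,
    compared case-insensitively; wildcard names are deliberately not modelled."""
    names = {cn.lower()} | {s.lower() for s in sans}
    return host.lower() in names


def check_plan(failures, plan):
    """plan maps hostname -> (cn, [san, ...]) for the certificate that node will present.
    Hosts missing from the plan keep the CN they presented in the log.
    Returns the hosts that would still fail hostname verification, in log order."""
    still_failing = []
    for host, presented_cn in failures.items():
        cn, sans = plan.get(host, (presented_cn, []))
        if not cert_matches_host(host, cn, sans):
            still_failing.append(host)
    return still_failing


if __name__ == "__main__":
    found = parse_hostname_failures(SAMPLE_LOG)
    # One certificate with CN=SERVER01 on both nodes fixes only the first node,
    # which is the "half of my instance started" situation described above.
    print(check_plan(found, {"SERVER01": ("SERVER01", []), "SERVER02": ("SERVER01", [])}))
    # A separate key pair per node, each with its own hostname as CN, fixes both.
    print(check_plan(found, {"SERVER01": ("SERVER01", []), "SERVER02": ("SERVER02", [])}))
```
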

deniska80 commented 4 months ago

Thanks for the answer, but I've never worked with certificates before. So I don't know how to implement 2 and 3. Is there any tutorial?

mikhailidim commented 4 months ago

Here you are. For #2:
Oracle describes the certificate lifecycle with KSS as the certificate storage. It's for a previous version of OFMW, but the concept is the same. https://docs.oracle.com/middleware/11119/opss/JISEC/kssadm.htm#CACEEDBE

deniska80 commented 4 months ago

Our managed WebLogic servers don't use SSL, only the Node Managers do. The doc is about SSL on WebLogic managed servers. It's my mistake, I didn't mention that it is all about OBIEE 12x (12.2.1.4). All SSL settings are the defaults, so there are no SSL listening ports on the managed servers. But the Node Managers are configured (by default) with SSL (demo store) to connect with SSL-designed services. After 5 years we faced the same problem. With this manual I started the first node, but I can't do the same with the second one.