mikhailidim / chronicler-comments

regenerating-the-demoidentity-certificate-in-weblogic-12c/ #15

Open utterances-bot opened 3 years ago

utterances-bot commented 3 years ago

Regenerating the 'DemoIdentity' certificate in WebLogic 12c

https://chronicler.tech/regenerating-the-demoidentity-certificate-in-weblogic-12c/

dasnavin commented 3 years ago

Great Post.

After that we need to sync the KSS store information to the keystores.xml file located under the $DOMAIN_HOME/config/fmwconfig/

Note: It is suggested to have a backup of the domain folder before making any changes to the xml files.

Navigate to $ORACLE_HOME/oracle_common/common/bin, launch wlst.sh, and run the syncKeyStores command to sync the system KSS keystore:

    bash$ ./wlst.sh

    Initializing WebLogic Scripting Tool (WLST) ...
    Welcome to WebLogic Server Administration Scripting Shell
    Type help() for help on available commands

    wls:/offline> connect()
    Please enter your username :
    Please enter your password :
    Please enter your server URL [t3://localhost:7001] :t3://:
    Connecting to t3://: with userid ...
    Successfully connected to Admin Server "AdminServer" that belongs to domain "base_domain".
    Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
    wls:/base_domain/serverConfig/> syncKeyStores(appStripe='system', keystoreFormat='KSS')
    Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root MBean.
    Keystore sync successful.

Restart the admin server followed by managed server(s).

NOTE: If you have multiple nodes you'll also need to sync keystores.xml on the remote host. Before starting the nodemanager on a remote host, start a managed server manually to synchronize with $DOMAIN_HOME including keystores.xml of the adminserver. For example: $DOMAIN_HOME/bin/startManagedWebLogic.sh

Verify the error is no longer showing in the logs.

https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=204377406821565&id=2757994.1&_afrWindowMode=0&_adf.ctrl-state=bfq2te0z2_298

dasnavin commented 3 years ago

or via Enterprise Manager:

In FMW Control:

  1. Go to Weblogic Domain > System MBean Browser.
  2. Search for Operation 'syncKeyStores'.
  3. In the search results, click the 'syncKeyStores' link (which takes two parameters).
  4. For p1, enter 'system'; for p2, enter 'KSS'.
  5. Click the 'Invoke' button.

Blauberre commented 2 years ago

I want to thank you both for taking the time to document how to replace the demo identity certificate. I was using Oracle Forms (for 5 years) as a developer when it suddenly stopped working. Attempts to start the WLS_FORMS server would fail with a misleading message about an inability to connect to the node manager.

Node Manager associated with machine AdmiServer is not reachable.

I had tried everything I could think of to reinstate my environment without success. I finally found a clue in the Admin Server log: " <Identity certificate has expired" which ultimately led me to your article. I followed the instructions to create a new certificate, which worked exactly as you documented. Then I used the subsequent post to use Enterprise Mgr to use syncKeyStores to invoke the new certificate. That also worked as documented. Now my forms environment works as it did before.

I'm very grateful. I had spent a couple of months trying to identify the problem and was about to give up.

mikhailidim commented 2 years ago

Thank you for sharing! It is very motivating feedback.

stasctopi commented 1 year ago

The heroes we needed!

Thanks for saving me hours trying to figure this out!

deniska80 commented 9 months ago

Great post, thanks. But we have one problem. We have 2 nodes. First, I didn't notice "replacing Common name with your server hostname"; I chose the bi_domain name (DemoCertifFor_bi_domain) like it was before. Then after executing start.bat none of my 2 BI servers started, and I have a lot of such messages:

    Certificate chain received from SERVER01 - 192.168.10.77 failed hostname verification check. Certificate contained DemoCertifFor_bi_domain but check expected SERVER01
    Certificate chain received from SERVER02 - 192.168.10.78 failed hostname verification check. Certificate contained DemoCertifFor_bi_domain but check expected SERVER02

Then I recreated the cert with Common name=SERVER01 and half of my instance started to work! BUT I don't know how to start the second one because I can specify only one Common name.

mikhailidim commented 9 months ago

@deniska80, thank you for sharing. I wouldn't see it as a problem since each node is supposed to have its own private/public key pair (certificate) that matches the hostname or FQDN. To make this happen:

  1. Create separate keys for each managed server. The common name CN should contain the hostname for each host in the cluster.
  2. Sign new certificates with your certificate authority.
  3. Update the managed server configuration and point them to the respective key/certificate pairs.
  4. Restart managed servers to apply changes. You may try Restart SSL to bounce only secure protocols.

deniska80 commented 9 months ago

Thanks for the answer, but I've never worked with certificates before. So I don't know how to implement 2 and 3. Is there any tutorial?

mikhailidim commented 9 months ago

Here you are. For #2: Oracle describes the certificate lifecycle with KSS as a certificate storage. It's for a previous version of OFMW, but the concept is the same. https://docs.oracle.com/middleware/11119/opss/JISEC/kssadm.htm#CACEEDBE

deniska80 commented 9 months ago

Our managed WebLogic servers don't use SSL, only the Node Managers do. The doc is about SSL on WebLogic managed servers. It's my mistake, I didn't mention that it is all about OBIEE 12x (12.2.1.4). All SSL settings are by default, so there are no SSL listening ports on managed servers. But the Node Managers are configured (by default) with SSL (demo store) to connect with SSL-designed services. After 5 years we faced the same problem. With this manual I started the first node, but I can't do the same with the second one.

cocampbe commented 4 months ago

As far as the node manager goes, you could do this. Main reason is that it gets you away from the demoidentity cert in the kss.

  1. Create a keystores directory. You can create this under the domain home, but it doesn't have to be put there.
    mkdir $DOMAIN_HOME/keystores
    cd $DOMAIN_HOME/keystores
  2. Create an identity file. Also wildcard it. That way you can copy it to any host and apply it to that node manager.
    keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -validity 1825 -dname "CN=*.company.local,OU=WLS,O=COMPANY,L=CITY,S=STATE,C=COUNTRY" -keystore identity.jks
  3. Extract the cert as root.cer.
    keytool -export -alias mykey -file root.cer -keystore identity.jks -storepass MYPASS
  4. Add root.cer to a truststore. I feel like this is optional in the case of node manager.
    keytool -import -alias mykey -file root.cer -keystore trust.jks -storepass MYPASS -trustcacerts -noprompt
  5. Add these lines to the nodemanager.properties file.
    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeyStoreFileName=/path/to/domain_home/keystores/identity.jks
    CustomIdentityKeyStorePassPhrase=MYPASS
    CustomIdentityAlias=mykey
    CustomIdentityPrivateKeyPassPhrase=MYPASS
  6. Add root.cer to the cacerts file that comes as part of your JDK.
    cd /path/to/jdk/jre/lib/security
    keytool -import -alias mykey -trustcacerts -file /path/to/domain_home/keystores/root.cer -keystore cacerts
    # the default password for the JDK cacerts file is 'changeit'

Restart the node manager. Put a calendar reminder to repeat this in 5 years. Also keep a copy of the cacerts file; you can re-use it in another Java installation. YMMV. Also repeat this on all the nodes in your WebLogic cluster.

You could also do this for the adminserver and managed servers.
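A small check for the two failure modes this thread runs into (the identity certificate that silently expires after its validity period, and a CN such as DemoCertifFor_bi_domain that fails hostname verification on SERVER01/SERVER02), added here as an example and not part of any comment above. It parses the output of `keytool -list -v`, warns ahead of expiry, and accepts the single-label wildcard CN used in the keytool step above; the dump below is constructed, not captured from a real domain.

```python
import re
from datetime import datetime, timezone

# Constructed sample of what `keytool -list -v -keystore identity.jks` prints (not a real dump).
SAMPLE_DUMP = """\
Alias name: mykey
Owner: CN=DemoCertifFor_bi_domain, OU=FOR TESTING ONLY, O=MyOrganization
Valid from: Wed Nov 04 10:00:00 UTC 2015 until: Mon Nov 02 10:00:00 UTC 2020
"""

def _parse_keytool_date(text):
    # keytool prints e.g. "Mon Nov 02 10:00:00 UTC 2020"; drop the zone token (index 4)
    stamp = " ".join(t for i, t in enumerate(text.split()) if i != 4)
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_entries(dump):
    """Return one dict (alias, cn, not_after) per keystore entry in the dump."""
    entries = []
    for block in re.split(r"(?m)^Alias name: ", dump)[1:]:
        m_cn = re.search(r"^Owner: .*?CN=([^,\n]+)", block, re.M)
        m_valid = re.search(r"^Valid from: .+? until: (.+)$", block, re.M)
        if m_cn and m_valid:
            entries.append({"alias": block.splitlines()[0].strip(),
                            "cn": m_cn.group(1).strip(),
                            "not_after": _parse_keytool_date(m_valid.group(1))})
    return entries

def cn_matches(cn, hostname):
    """Exact (case-insensitive) match, or a one-label wildcard like *.company.local."""
    cn, hostname = cn.lower(), hostname.lower()
    if cn.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == cn[2:]
    return cn == hostname

def check(dump, hostname, now=None, warn_days=90):
    """Return (alias, problem) pairs; an empty list means the identity is usable."""
    if isinstance(now, str):                      # ISO timestamp, treated as UTC
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    problems = []
    for e in parse_entries(dump):
        days_left = (e["not_after"] - now).days
        if days_left < 0:
            problems.append((e["alias"], "expired %d days ago" % -days_left))
        elif days_left < warn_days:
            problems.append((e["alias"], "expires in %d days" % days_left))
        if not cn_matches(e["cn"], hostname):
            problems.append((e["alias"], "CN %r does not match host %r" % (e["cn"], hostname)))
    return problems
```

Feed it the real dump with `check(open("dump.txt").read(), socket.getfqdn())` from a cron job on each node to get the calendar reminder above enforced by a script instead of memory.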

mikhailidim commented 4 months ago

Thank you for the detailed and very accurate explanation @cocampbe. It's only worth adding that you can use NodeManager with the KSS as well. Instead of a file, point CustomIdentityKeyStoreFileName to the right location:

    CustomIdentityKeyStoreFileName=kss://system/myidentity
    CustomIdentityKeyStoreType=KSS