Weblogic Certificate Error (FATAL Alert:BAD_CERTIFICATE)

I recently configured weblogic to work with a GoDaddy certificate and started getting the following error.

ERROR:

Error: javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received

SOLUTION:

The solution was to add the following startup option to weblogic.    

"-Dweblogic.security.SSL.allowSmallRSAExponent=true" 

CAUSE:

This error is caused when the encryption strength used to create the cert is lower than the version of java you are using to run Weblogic is expecting. 

Installing Certificate in Weblogic Keystore

If you do not have the certificate complete the following steps.
   
1) Open chrome (You can do this in IE or FireFox too but I just have the steps for chrome)
2) Go to the secure website your service needs to connect to.
          a.  Right click on the lock on the upper left hand side
          b.    Left click on the connections tab
          c.    Select View Certificates

          d. Select the Details tab

          e. Select Copy to file.  This will bring up the Certificate Export Wizzard.

                                                               i.      Select Next

                                                             ii.      Select DER Encoded 

          f. Select a file to hold the certificate. 

3) Get intermediary Cert (Reseller Cert).  

          a. Right click on the lock on the upper left hand side

          b. Left click on the connections tab

          c. Select View Certificates

          d. Select Certification Path tab

          e. Select the intermediary cert

         f. This will bring up a certificate window for the intermediary certificate.  Follow steps 3d-f to save this certificate

4) If the Root cert is not already installed, repeat step 3 for the root.
5) You now need to save the certificates in a keystore that will be used by Weblogic
          a. Go to the java/bin directory that is being used by weblogic.  We will use the keytool application to add the certificates.
          b. Find the keystores used by Weblogic.  By default you can use the keystores in $MiddlewareHome/wlserver_10.3/server/lib
          c. List the contents of the keystore by using the keytool –list command.  You will need to supply the keystore location.  You will also need to know the keystore password.  If you use DemoTrust.jks the default password is "DemoTrustKeyStorePassPhrase"
   

Example:

./keytool -list -keystore /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks

           d. Execute the keytool – import command to import the certs.  Note: you will need to supply an alias, the location to the cert file and the location of the keystore and you will need to execute this command twice to import both the site cert and the intermediary cert.

Example:

Booking.Com
keytool -importcert -file /media/sf_Temp/Booking/BookingCom.cer -alias bookingCom -keystore /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks

Go Daddy (Note:  There is a new param)
keytool -trustcacerts -importcert -alias godaddy -file /tmp/GoDaddyInt.cer -keystore /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks  -storepass DemoTrustKeyStorePassPhrase

Clearing Subclipse Stored Credentials

In order to removed the stored user credentials used by Subclipse all you need to do is to remove the .keyring file.   This file can be found in the $MIDDLEWARE_HOME that you are using for Eclipse.  

$Middleware_Home/oepe_11gR1PS3/configuration/org.eclipse.core.runtime/.keyring

Once you remove this file all you need to do is right click on your OSB project and then select Team -> Synchronize with Repository. 

Setting Unit Of Order in OSB Producer

Unit Of Order is used in Weblogic JMS queues/topics to group messages into a single unit that can be processed sequentially even if the message are being processed by multiple consumers.  For example, you can use CustomerID for the Unit Of Order to ensure that you will always process a given customers transactions in order.

Follow the link for more information on Unit Of Order

Setting the Unit Of Order in an OSB Producer is quite simple.

1) Add a Transport Header action in the Request Action section of your communication node (Route, Publish, Service Call Out)

2) Set the Transport Header Properties
     a) For Direction select  Outbount Request.   
     b) Click on the Add Header button.
     c) Select Defined, jms, JMS_BEA_UnitOfOrder under the Name column.
     d) Select Set header to and set the <Expression> you want to use to set your Unit of Work in the Action column.

Weblogic Server Not Starting Due to Expired Database Accounts

If you are unable to start your weblogic server and you are getting the following errors, it is being caused by your oracle accounts expiring and the fix is quite easy.

Errors

####<Apr 23, 2013 9:09:16 AM MST> <Error> <Deployer> <localhost.osbsoavm> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <0000JsrdyCXFw000jzwkno1HTf7V000002> <1366733356615> <BEA-149205> <Failed to initialize the application 'wlsbjmsrpDataSource' due to error weblogic.application.ModuleException: .
weblogic.application.ModuleException:
 .........
Caused By: weblogic.common.ResourceException: weblogic.common.ResourceException: Could not create pool connection. The DBMS driver exception was: ORA-28001: the password has expired

<BEA-280061> <The persistent store "JDBCStore-0" could not be deployed: weblogic.store.PersistentStoreException: Can't find JDBC DataSource wlsbjmsrpDataSource: javax.naming.NameNotFoundException: Unable to resolve 'wlsbjmsrpDataSource'. Resolved ''; remaining name 'wlsbjmsrpDataSource'
weblogic.store.PersistentStoreException: Can't find JDBC DataSource wlsbjmsrpDataSource: javax.naming.NameNotFoundException: Unable to resolve 'wlsbjmsrpDataSource'. Resolved ''; remaining name 'wlsbjmsrpDataSource'

Fix 

            1. Check to see if any of the accounts are expired

                           select username, profile, account_status, expiry_date from dba_users;

2. If no accounts are expired, you can skip to step 7

3.  Dynamically create SQL that will unexpired the expired accounts.  You can unexpired the 

     account by resetting the password.   NOTE: You will need to substitute <password> for the password you are using for your user.

                            select 'ALTER USER ' || username || ' identified by <password>;'

                            from dba_users where account_status like 'EXPIRED%' and username != 'XS$NULL';

                  4. Execute the SQL generated in Step 3

                  5.  Dynamically create SQL that will unlock the locked accounts.

                             select 'ALTER USER ' || username || ' account unlock;' from dba_users where 

                             account_status like 'LOCKED%' and username != 'XS$NULL';

6.  Execute the SQL generated in Step 5

7. Modify the profile assigned to the accounts that you don’t want to expire so the 

    PASSWORD_LIFE_TIME is set to UNLIMITED.  This will keep them from expiring 

    again.  In my case, I needed to update the DEFAULT profile.

alter profile DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED ;

Enabling Weblogic to use SSL

Enable SSL on for server in Weblogic

1) Open Weblogic console

2) Navigate to <Domain> -> Environment -> Servers

3) Select the server you want to configure

4) Goto the Configuration -> General tab.

5) Check the box next to SSL Listen Port Enabled.

6) Specify the port that you want to listen for SSL traffic on.

7) Select Save.   Note: You do not need to restart the server for this change.

Out of Memory Error When Deploying From Eclipse

While trying to deploy OSB changes from Eclipse to Weblogic I was getting the following error:

Runtime exception occurred during publish. The publish is aborted. Please report the bug with the stack trace. The stack can be found on the log and the Error Log view. java.lang.reflect.UndeclaredThrowableException

The below error was reported in the Weblogic Server Log

<Jan 7, 2013 11:34:39 AM MST> <Error> <ALSB Console> <BEA-494002> <Internal error occured in OSBConsole : null
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.bea.alsb.console.support.ConsoleSideMBeanInvocationHandler.__invoke(ConsoleSideMBeanInvocationHandler.java:113)
        Truncated. see log file for complete stacktrace
Caused By: java.lang.OutOfMemoryError: Java heap space
        at java.util.Arrays.copyOf(Arrays.java:2786)

The fix for this problem was very straight forward.  I just had to increase the max java heap space that was available to the Weblogic server.   This was done by setting the USER_MEM_ARGS environmental variable and restarting Weblogic.   Weblogic Service will use the memory settings in this variable when it is starting up. 

export USER_MEM_ARGS="-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=256m  -XX:MaxPermSize=1024m"

-Xms -> Minimum Java Heap Size
-Xmx -> Maximum Java Heap Size
-XX:PermSize -> Minimum PermGen Size
-XX:MaxPermSize -> Maximum PermGen Size

Linking DB Adapter Outbound Connection Pool to Data Source

The following steps show how to link a Database Adapter Outbound Connection Pool to a Data Source in Weblogic.  These steps are intended for developers who are making these changes in their virtual machine or in the development environment. 

1.  Log into Weblogic
2. Go under Deployments and select DBAdapter

3.  Navigate to the Outbound Connection Pools tab which can be found by selecting the Configuration tab .  Then select New.

4.   Enter the JNDI Name and then select Next.   The value entered should match the JNDI name from the JCA resource you are using to connect to the database.  This can be found in the *.jca file in the location attribute.   

5.   Add a JDBC name in the xADataSourceName Property and then Save Changes.  This JDBC name should map to the Weblogic Data Source that points to the database you want to connect to.  If you have not already created a Weblogic Data Source, see this page.

Creating a new Data Source in Weblogic

The below steps outline how to create a new Data Source in Weblogic.  These steps are intended for
developers who want to create a new data source in their own virtual machines or the development
server.

1. Create Connection Information in Weblogic
      a.  Create New Data Source
            i. Navigate to <domain> -> Services -> Data Sources and select New -> Generic 
Data Source.

           ii. Fill in the Name, the JNDI Name and the Database Type for your new data
source on the JDBC Data Source Properties Page.

            iii. Select the database driver that will be used for this connection.

    














            iv. Fill in Transaction Options if available.  If you choose a XA JDBC Driver, you will not have any options.

            v. Fill in Connection Properties information for the database you want to connect
to.

           vi. Test your configuration

           vi.i. Select Next and then select where to deploy the data source you created.  If
you are not using a managed server for OSB you can select the AdminServer.