Monday, October 14, 2013

Weblogic Certificate Error (FATAL Alert:BAD_CERTIFICATE)

I recently configured WebLogic to work with a GoDaddy certificate and started getting the following error.

ERROR:
Error: javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received

SOLUTION:
The solution was to add the following startup option to WebLogic:

-Dweblogic.security.SSL.allowSmallRSAExponent=true


CAUSE:

This error occurs when the certificate was created with weaker key parameters (here, a smaller RSA public exponent) than the version of Java you are using to run WebLogic expects, so the SSL layer rejects it as a bad certificate.
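Before enabling the flag, it is worth confirming that the certificate really does carry a small RSA public exponent; the script below is an added example (not from the original post) that walks a DER-encoded X.509 certificate, the format the export steps further down this page produce, and reports the exponent. It assumes 65537 is the minimum the stricter Java/WebLogic check expects, and fake_cert builds a constructed, certificate-shaped DER blob purely for offline testing, not a real certificate.

```python
# Added example (not from the post): read the RSA public exponent of a DER X.509 certificate.

MIN_EXPECTED_EXPONENT = 65537  # assumption: the minimum the stricter SSL check expects (F4)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes):
    out, pos = [], 0                         # split a SEQUENCE payload into (tag, value) pairs
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_public_exponent(der_cert: bytes) -> int:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> RSAPublicKey.publicExponent."""
    tbs = _children(_children(_read_tlv(der_cert, 0)[1])[0][1])
    if tbs[0][0] == 0xA0:                    # optional [0] EXPLICIT version; drop so indexes line up
        tbs = tbs[1:]
    algorithm, subject_public_key = _children(tbs[5][1])  # serial, sigAlg, issuer, validity, subject, SPKI
    if algorithm[1][:11] != b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01":
        raise ValueError("not an RSA public key")         # rsaEncryption OID 1.2.840.113549.1.1.1
    rsa_key = _read_tlv(subject_public_key[1][1:], 0)[1]  # skip the BIT STRING unused-bits byte
    _modulus, exponent = _children(rsa_key)
    return int.from_bytes(exponent[1], "big")

def needs_small_exponent_flag(der_cert: bytes) -> bool:
    return rsa_public_exponent(der_cert) < MIN_EXPECTED_EXPONENT

# Constructed, certificate-shaped DER for offline testing; NOT a real certificate.
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def fake_cert(exponent: int) -> bytes:
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    rsa = _der(0x30, _der(0x02, b"\x00" + b"\xab" * 256) + _der(0x02, e))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

To check a real exported file, call rsa_public_exponent(open("site.cer", "rb").read()); if it is not below the threshold, the flag is not the fix and the certificate itself should be inspected further.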

Installing Certificate in Weblogic Keystore

If you do not have the certificate, complete the following steps.

1) Open Chrome (you can do this in IE or Firefox too, but I only have the steps for Chrome).
2) Go to the secure website your service needs to connect to.
     a. Right click on the lock on the upper left hand side.
     b. Left click on the Connections tab.
     c. Select View Certificates.
     d. Select the Details tab.
     e. Select Copy to File. This will bring up the Certificate Export Wizard.
          i.  Select Next.
          ii. Select DER Encoded.
     f. Select a file to hold the certificate.

3) Get the intermediary cert (reseller cert).
     a. Right click on the lock on the upper left hand side.
     b. Left click on the Connections tab.
     c. Select View Certificates.
     d. Select the Certification Path tab.
     e. Select the intermediary cert.
     f. This will bring up a certificate window for the intermediary certificate. Follow steps 2d-f to save this certificate.

4) If the root cert is not already installed, repeat step 3 for the root.
5) You now need to save the certificates in a keystore that will be used by WebLogic.
     a. Go to the java/bin directory that is being used by WebLogic. We will use the keytool application to add the certificates.
     b. Find the keystores used by WebLogic. By default you can use the keystores in $MiddlewareHome/wlserver_10.3/server/lib. (DemoTrust.jks is the demo trust store shipped for development; a production server should use its own trust keystore.)
     c. List the contents of the keystore using the keytool -list command. You will need to supply the keystore location and the keystore password. If you use DemoTrust.jks the default password is "DemoTrustKeyStorePassPhrase".

Example:
./keytool -list -keystore /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks

     d. Execute the keytool -importcert command to import the certs. Note: you will need to supply an alias, the location of the cert file and the location of the keystore, and you will need to execute this command twice to import both the site cert and the intermediary cert.

Example:
Booking.Com
keytool -importcert -file /media/sf_Temp/Booking/BookingCom.cer -alias bookingCom -keystore /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks

Go Daddy (Note: there is a new param, -trustcacerts)
keytool -trustcacerts -importcert -alias godaddy -file /tmp/GoDaddyInt.cer -keystore /home/oracle/Oracle/Middleware/wlserver_10.3/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase


Friday, May 24, 2013

Clearing Subclipse Stored Credentials

In order to remove the stored user credentials used by Subclipse, all you need to do is remove the .keyring file. This file can be found in the $MIDDLEWARE_HOME that you are using for Eclipse.

$Middleware_Home/oepe_11gR1PS3/configuration/org.eclipse.core.runtime/.keyring

Once you remove this file all you need to do is right click on your OSB project and then select Team -> Synchronize with Repository


Wednesday, May 8, 2013

Setting Unit Of Order in OSB Producer

Unit Of Order is used in WebLogic JMS queues/topics to group messages into a single unit that is processed sequentially even if the messages are being processed by multiple consumers. For example, you can use CustomerID as the Unit Of Order to ensure that you will always process a given customer's transactions in order.

Follow the link for more information on Unit Of Order

Setting the Unit Of Order in an OSB Producer is quite simple.

1) Add a Transport Header action in the Request Action section of your communication node (Route, Publish, Service Call Out)



2) Set the Transport Header Properties
     a) For Direction select Outbound Request.
     b) Click on the Add Header button.
     c) Select Defined, jms, JMS_BEA_UnitOfOrder under the Name column.
     d) Select Set header to and, in the Action column, set the <Expression> you want to use for your Unit of Order.



Monday, May 6, 2013

OSB Retry Application Errors

Recently our OSB administrator asked me how OSB determined what an application error was for the "Retry Application Errors" setting on the Transport page of a Business Service.  It turns out there is not much documentation on this at all.   So I did some testing.

OSB looks at the response-code in the Response Metadata to flag an application error. If this value is non-zero, the response is treated as an application error.



The easiest way to manipulate this value is to add a Reply with Failure in the OSB service you are calling.

You can also manipulate the response code by inserting a response-code element in $inbound as shown below.  Note: This must be done in the response pipeline 




Note: I only researched this for Business Services that were calling OSB Proxy Services, as that was the architecture for the context of the question asked. More research would need to be done to determine this behavior when calling services outside the OSB.


Tuesday, April 23, 2013

Using CDATA to handle embedded XML

We ran into an issue when we were trying to pass embedded XML through one of our OSB processes. The problem came up when we had duplicate namespaces between the embedded XML and the XML for our process. OSB was combining namespace declarations and removing the namespace declaration from our embedded XML, since it was already declared in the XML for our OSB process.

The solution was to wrap the embedded XML in a CDATA section. This is very easy to do in OSB by using the fn-bea:serialize function shown below.

     <content>{fn-bea:serialize($body/*)}</content>

Removing the CDATA wrapper is also easy and can be done using the fn-bea:inlinedXML function.

     {fn-bea:inlinedXML($body/content)}



Weblogic Server Not Starting Due to Expired Database Accounts



If you are unable to start your WebLogic server and you are getting the following errors, they are caused by your Oracle database accounts expiring, and the fix is quite easy.

Errors

####<Apr 23, 2013 9:09:16 AM MST> <Error> <Deployer> <localhost.osbsoavm> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <0000JsrdyCXFw000jzwkno1HTf7V000002> <1366733356615> <BEA-149205> <Failed to initialize the application 'wlsbjmsrpDataSource' due to error weblogic.application.ModuleException: .
weblogic.application.ModuleException:
 .........
Caused By: weblogic.common.ResourceException: weblogic.common.ResourceException: Could not create pool connection. The DBMS driver exception was: ORA-28001: the password has expired

<BEA-280061> <The persistent store "JDBCStore-0" could not be deployed: weblogic.store.PersistentStoreException: Can't find JDBC DataSource wlsbjmsrpDataSource: javax.naming.NameNotFoundException: Unable to resolve 'wlsbjmsrpDataSource'. Resolved ''; remaining name 'wlsbjmsrpDataSource'
weblogic.store.PersistentStoreException: Can't find JDBC DataSource wlsbjmsrpDataSource: javax.naming.NameNotFoundException: Unable to resolve 'wlsbjmsrpDataSource'. Resolved ''; remaining name 'wlsbjmsrpDataSource'


Fix

1. Check to see if any of the accounts are expired:
     select username, profile, account_status, expiry_date from dba_users;
2. If no accounts are expired, you can skip to step 7.
3. Dynamically generate SQL that will un-expire the expired accounts. You un-expire an account by resetting its password. NOTE: You will need to substitute <password> with the password you are using for your user.
     select 'ALTER USER ' || username || ' identified by <password>;'
     from dba_users where account_status like 'EXPIRED%' and username != 'XS$NULL';
4. Execute the SQL generated in step 3.
5. Dynamically generate SQL that will unlock the locked accounts.
     select 'ALTER USER ' || username || ' account unlock;' from dba_users where
     account_status like 'LOCKED%' and username != 'XS$NULL';
6. Execute the SQL generated in step 5.
7. Modify the profile assigned to the accounts that you don't want to expire so that PASSWORD_LIFE_TIME is set to UNLIMITED. This will keep them from expiring again. In my case, I needed to update the DEFAULT profile.
     alter profile DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED;
   Note that a profile change applies to every account assigned to that profile, so altering DEFAULT turns off password expiry for all accounts on it; assigning the WebLogic schema accounts their own profile keeps the change limited to those accounts.