BEA-090479 Certificate chain received from failed date validity checks
This error is caused due to the SSL certificate expiry which is present in the key-store . Check the domain's java key store [*.jks] which holds the SSL key for each Domain.. buy using the key tool verify the certificate status and create an new certificate and replace the old one
The centralized key store for the fusion is located at /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate fusion_trust.jks
Download the certnew.sh from the MOS and create the new certificate and replace the old one in the fusion_trust.jks
The error message displayed due to the certificate expiration
<Sep 5, 2012 3:06:33 AM GST> <Warning> <Security> <BEA-090479> <Certificate chain received from failed date validity checks.>
[ERROR:1] [oracle.apps.startstop.util.WLSTCommand: checkNodeManagerStatus.795] [tid:10] Error connecting to Node manager on host [<host name>:5556] for domain FinancialDomain. Please verify node manager status.
Traceback (innermost last):
File "<string>", line 1, in ?
File "<iostream>", line 123, in nmConnect
File "<iostream>", line 648, in raiseWLSTException
WLSTException: Error occured while performing nmConnect : Cannot connect to Node Manager. : [Security:090479]Certificate chain received from <host name> failed date validity checks.
Use dumpStack() to view the full stacktrace
at org.python.core.Py.makeException(Unknown Source)
at org.python.pycode._pyx2.raiseWLSTException$38(<iostream>:648)
at org.python.pycode._pyx2.call_function(<iostream>)
at org.python.core.PyTableCode.call(Unknown Source)
at org.python.core.PyTableCode.call(Unknown Source)
at org.python.core.PyFunction.__call__(Unknown Source)
at org.python.pycode._pyx2.nmConnect$3(<iostream>:123)
at org.python.pycode._pyx2.call_function(<iostream>)
at org.python.core.PyTableCode.call(Unknown Source)
at org.python.core.PyTableCode.call(Unknown Source)
at org.python.core.PyFunction.__call__(Unknown Source)
at org.python.core.PyObject.__call__(Unknown Source)
at org.python.pycode._pyx12.f$0(<string>:1)
at org.python.pycode._pyx12.call_function(<string>)
at org.python.core.PyTableCode.call(Unknown Source)
at org.python.core.PyCode.call(Unknown Source)
at org.python.core.Py.runCode(Unknown Source)
at org.python.core.Py.exec(Unknown Source)
at org.python.util.PythonInterpreter.exec(Unknown Source)
at weblogic.management.scripting.utils.WLSTInterpreter.exec(WLSTInterpreter.java:509)
at oracle.apps.startstop.util.WLSTCommand.checkNodeManagerStatus(WLSTCommand.java:789)
at oracle.apps.startstop.util.SSUtils.checkNodeManagerOnAllAdminHosts(SSUtils.java:376)
at oracle.apps.startstop.invoke.InvocationMgrImpl.invoke(InvocationMgrImpl.java:208)
at oracle.apps.startstop.cli.FAEnv.runStartStop(FAEnv.java:109)
at oracle.apps.startstop.cli.FAEnv.main(FAEnv.java:170)
[ERROR:1] [oracle.apps.startstop.util.SSUtils: checkNodeManagerOnAllAdminHosts.383] [tid:10] Error connecting to Node manager on host [host name ]for domain FinancialDomain. Please verify node manager status.
Exception in thread "Main Thread" oracle.apps.startstop.util.exception.SSException: Error connecting to Node manager on host [ node name ] for domain FinancialDomain . Please verify node manager status.
at oracle.apps.startstop.util.SSUtils.checkNodeManagerOnAllAdminHosts(SSUtils.java:384)
at oracle.apps.startstop.invoke.InvocationMgrImpl.invoke(InvocationMgrImpl.java:208)
at oracle.apps.startstop.cli.FAEnv.runStartStop(FAEnv.java:109)
at oracle.apps.startstop.cli.FAEnv.main(FAEnv.java:170)
Oracle Fusion Applications Start Stop Utility failed with error code 1
[ERROR:1] [oracle.apps.startstop.util.WLSTCommand: checkNodeManagerStatus.795] [tid:10] SSUTIL023
[ERROR:1] [oracle.apps.startstop.util.WLSTCommand: checkNodeManagerStatus.795] [tid:10] Error connecting to Node manager on host [<host name>:5556] for domain FinancialDomain. Please verify node manager status.
Traceback (innermost last):
File "<string>", line 1, in ?
File "<iostream>", line 123, in nmConnect
File "<iostream>", line 648, in raiseWLSTException
WLSTException: Error occured while performing nmConnect : Cannot connect to Node Manager. : [Security:090479]Certificate chain received from <host name> failed date validity checks.
Use dumpStack() to view the full stacktrace
at org.python.core.Py.makeException(Unknown Source)
at org.python.pycode._pyx2.raiseWLSTException$38(<iostream>:648)
at org.python.pycode._pyx2.call_function(<iostream>)
at org.python.core.PyTableCode.call(Unknown Source)
at org.python.core.PyTableCode.call(Unknown Source)
at org.python.core.PyFunction.__call__(Unknown Source)
at org.python.pycode._pyx2.nmConnect$3(<iostream>:123)
at org.python.pycode._pyx2.call_function(<iostream>)
at org.python.core.PyTableCode.call(Unknown Source)
at org.python.core.PyTableCode.call(Unknown Source)
at org.python.core.PyFunction.__call__(Unknown Source)
at org.python.core.PyObject.__call__(Unknown Source)
at org.python.pycode._pyx12.f$0(<string>:1)
at org.python.pycode._pyx12.call_function(<string>)
at org.python.core.PyTableCode.call(Unknown Source)
at org.python.core.PyCode.call(Unknown Source)
at org.python.core.Py.runCode(Unknown Source)
at org.python.core.Py.exec(Unknown Source)
at org.python.util.PythonInterpreter.exec(Unknown Source)
at weblogic.management.scripting.utils.WLSTInterpreter.exec(WLSTInterpreter.java:509)
at oracle.apps.startstop.util.WLSTCommand.checkNodeManagerStatus(WLSTCommand.java:789)
at oracle.apps.startstop.util.SSUtils.checkNodeManagerOnAllAdminHosts(SSUtils.java:376)
at oracle.apps.startstop.invoke.InvocationMgrImpl.invoke(InvocationMgrImpl.java:208)
at oracle.apps.startstop.cli.FAEnv.runStartStop(FAEnv.java:109)
at oracle.apps.startstop.cli.FAEnv.main(FAEnv.java:170)
[ERROR:1] [oracle.apps.startstop.util.SSUtils: checkNodeManagerOnAllAdminHosts.383] [tid:10] Error connecting to Node manager on host [host name ]for domain FinancialDomain. Please verify node manager status.
Exception in thread "Main Thread" oracle.apps.startstop.util.exception.SSException: Error connecting to Node manager on host [ node name ] for domain FinancialDomain . Please verify node manager status.
at oracle.apps.startstop.util.SSUtils.checkNodeManagerOnAllAdminHosts(SSUtils.java:384)
at oracle.apps.startstop.invoke.InvocationMgrImpl.invoke(InvocationMgrImpl.java:208)
at oracle.apps.startstop.cli.FAEnv.runStartStop(FAEnv.java:109)
at oracle.apps.startstop.cli.FAEnv.main(FAEnv.java:170)
Oracle Fusion Applications Start Stop Utility failed with error code 1
[ERROR:1] [oracle.apps.startstop.util.WLSTCommand: checkNodeManagerStatus.795] [tid:10] SSUTIL023
New SSL certificate Configuration in the Fusion Applications
Download the certrenew.sh script from the MOS How to Renew SSL Certificates in Fusion Applications [ID 1382666.1]
Step1
verify the certification status and check the valid date ..
Syntax :keytool -list -v keypass <password> -storepass <password> -keystore <file_name>
[oracle@fahapp lib]$ keytool -list -v -keypass < password > -storepass <password> -keystore <hostname>_fusion_identity.jks.
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: fahapp.oasiserp.com_fusion
Creation date: Mar 5, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=<hostname>, OU=defaultOrganizationUnit, O=defaultOrganization, C=US
Issuer: CN=<hostname>, OU=defaultOrganizationUnit, O=defaultOrganization, C=US
Serial number: 4f54086d
Valid from: Mon Mar 05 04:27:25 GST 2012 until: Sat Sep 01 04:27:25 GST 2012
Certificate fingerprints:
MD5: 84:4F:FF:C1:35:EC:C5:6B:64:8B:69:40:CF:B9:84:18
SHA1: 8A:5D:8A:90:ED:F2:66:A2:D4:CF:B7:C9:9E:A1:1F:ED:66:1B:7A:84
Signature algorithm name: SHA1withRSA
Version: 3
*******************************************
*******************************************
The certificate and been expired and need to create the new certificate and replace with the new one
verify the the fusion_trust.jks keystore
Syntax keytool -list -v -keypass <password> -storepass <password> -keystore fusion_trust.jks
Step2
Bring down all the admin server's and the Managed Server's .. if you try to stop by using the fastartstop it may fail due the certificate expiry .. try stop the server's from the GUI .. or Kill the process.. it is highly recommended to stop all managed and Admin Servers before changing the certificate
[oracle@fahapp bin]$ ps -ef |grep u01
oracle 4307 4026 0 02:06 pts/2 00:00:00 grep u01
[oracle@fahapp bin]$ ps -ef |grep u02
oracle 4309 4026 0 02:06 pts/2 00:00:00 grep u02
[oracle@fahapp bin]$ ps -ef |grep java
oracle 4311 4026 0 02:06 pts/2 00:00:00 grep java
Kill the node manager and make sure all the process are down
Step 3
verify the cerrenew.sh and change according to your environment
In the cerrenew.sh file change the Appltop and the location of the fusion_trust.jks according to the environment
Source the environmental file for the fusion apps which will be present in the $APPL_TOP/lcm/lad/bin/APPSORA.env
adsetenv.sh
adsetenv.sh is used to generate the new ENV file for the fusion applications ..the new file named APPSORA.env will be generated when you execute the assetenv .sh
$APPL_TOP/lcm/ad/bin/adsetenv.sh
Step4
Create the new certificate
[oracle@fahapp Desktop]$ cd /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib
[oracle@fahapp lib]$ /home/oracle/Desktop/certrenew.sh < host name > <password> < password > create
Hostname ::: <host_name>
key password ::: < password >
store password ::: < password >
Current Date Sep-06-12-02-26-19
Working directory is /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate
You are in ::: /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate
apps ::: < host name >_fusion
apps jks ::: < host name >_identity.jks
apps cer ::: < host name >_identity.cer
Generating the new certificate and private key
Done generating new certificate and private key for fahapp.oasiserp.com_fusion . File name is fahapp.oasiserp.com_fusion_identity.jks under certificate directory
Extracting the certificate from the identity key store
Certificate stored in file << host name >_fusion_identity.cer>
Done extracting the certficate from the identity key store. File name is fahapp.oasiserp.com_fusion_identity.cer under certificate directory
Copying the store fusion_trust.jks to cerfificate directory
Copied fusion_trust.jks to certificate directory
Removing the trusted certificate
Removed the trusted certificate
Importing the new public certificate into trust key store fusion_trust.jks
Certificate was added to keystore
Imported the new public certificate into trust key store fusion_trust.jks
*************************************************************************************************************************************************************
*For listing the trusted key store to verify and ensure that all the certificates are present in the keys store and the validation of the certificates
*Please execute the command under certificate directory
*keytool -list -v -keypass <password> -storepass <password> -keystore fusion_trust.jks
*keytool -list -v -keypass <password> -storepass < password > -keystore fahapp.oasiserp.com_fusion_identity.jks
NEXT STEP : SHUTDOWN MANAGED SERVERS, ADMIN SERVERS and NODE MANAGERS BY KILLING IT
RUN THE SAME SHELL SCRIPT WITH REPLACE AS FOURTH PARAMETER VALUE
**************************************************************************************************************************************************************
Step 5
A new directory certificate will be create at the /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate and the new certificates which get created will be under the certificate directory
verify the certificate before replacing it
[oracle@hostname certificate]$ ls -l
-rw-r--r-- 1 oracle oinstall 857 Sep 6 02:26 < host name >_fusion_identity.cer
-rw-r--r-- 1 oracle oinstall 1381 Sep 6 02:26 < host name >_fusion_identity.jks
-rwxr-x--- 1 oracle oinstall 82502 Sep 6 02:26 fusion_trust.jks
[oracle@host certificate]$ keytool -list -v -keypass <password>-storepass <password> -keystore < host name >_fusion_identity.jks
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: fahapp.oasiserp.com_fusion
Creation date: Sep 6, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=< host name >, OU=defaultOrganizationUnit, O=defaultOrganization, C=US
Issuer: CN=< host name >, OU=defaultOrganizationUnit, O=defaultOrganization, C=US
Serial number: 5047d18c
Valid from: Thu Sep 06 02:26:20 GST 2012 until: Fri Sep 06 02:26:20 GST 2013
Certificate fingerprints:
MD5: AB:FB:F5:FB:CB:62:48:79:F4:12:7F:A2:8E:8B:14:9D
SHA1: 2A:24:6F:68:57:DD:B5:79:9F:3B:DA:E1:82:86:AA:01:BD:82:0D:E5
Signature algorithm name: SHA1withRSA
Version: 3
Step 6
Replace the old certificate with the newly generated certificate
[oracle@fahapp lib]$ /home/oracle/Desktop/certrenew.sh < host name >< password >< password > replace
Hostname ::: < host name >
key password ::: < password >
store password ::: <password>
Current Date Sep-06-12-02-34-53
Working directory is /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate
You are in ::: /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate
apps ::: < host name >_fusion
apps jks ::: < host name >_fusion_identity.jks
apps cer ::: < host name >_fusion_identity.cer
Replacing the certificates with newly created one
in directory
/u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib
Changed directory to server lib
/u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate
Replaced old certificate with new certificate
START NODE MANAGER, ADMIN SERVERS AND ALL MANAGED SERVERS
Oracle Fusion Applications: Bea-090479 Certificate Chain Received Failed Date Validity Checks >>>>> Download Now
ReplyDelete>>>>> Download Full
Oracle Fusion Applications: Bea-090479 Certificate Chain Received Failed Date Validity Checks >>>>> Download LINK
>>>>> Download Now
Oracle Fusion Applications: Bea-090479 Certificate Chain Received Failed Date Validity Checks >>>>> Download Full
>>>>> Download LINK zs