Wednesday, September 5, 2012

BEA-090479 Certificate chain received failed date validity checks



This error occurs when the SSL certificate held in the keystore has expired. Check the domain's Java keystore (*.jks), which holds the SSL key for each domain. Use keytool to verify the certificate status, then create a new certificate and replace the old one.
The centralized keystore for Fusion, fusion_trust.jks, is located at /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate
Download certrenew.sh from MOS, create the new certificate, and replace the old one in fusion_trust.jks.

The error message displayed when the certificate has expired:

<Sep 5, 2012 3:06:33 AM GST> <Warning> <Security> <BEA-090479> <Certificate chain received from  failed date validity checks.>
[ERROR:1] [oracle.apps.startstop.util.WLSTCommand: checkNodeManagerStatus.795] [tid:10] Error connecting to Node manager on host [<host name>:5556] for domain FinancialDomain. Please verify node manager status.
Traceback (innermost last):
  File "<string>", line 1, in ?
  File "<iostream>", line 123, in nmConnect
  File "<iostream>", line 648, in raiseWLSTException
WLSTException: Error occured while performing nmConnect : Cannot connect to Node Manager. : [Security:090479]Certificate chain received from <host name> failed date validity checks.
Use dumpStack() to view the full stacktrace
        at org.python.core.Py.makeException(Unknown Source)
        at org.python.pycode._pyx2.raiseWLSTException$38(<iostream>:648)
        at org.python.pycode._pyx2.call_function(<iostream>)
        at org.python.core.PyTableCode.call(Unknown Source)
        at org.python.core.PyTableCode.call(Unknown Source)
        at org.python.core.PyFunction.__call__(Unknown Source)
        at org.python.pycode._pyx2.nmConnect$3(<iostream>:123)
        at org.python.pycode._pyx2.call_function(<iostream>)
        at org.python.core.PyTableCode.call(Unknown Source)
        at org.python.core.PyTableCode.call(Unknown Source)
        at org.python.core.PyFunction.__call__(Unknown Source)
        at org.python.core.PyObject.__call__(Unknown Source)
        at org.python.pycode._pyx12.f$0(<string>:1)
        at org.python.pycode._pyx12.call_function(<string>)
        at org.python.core.PyTableCode.call(Unknown Source)
        at org.python.core.PyCode.call(Unknown Source)
        at org.python.core.Py.runCode(Unknown Source)
        at org.python.core.Py.exec(Unknown Source)
        at org.python.util.PythonInterpreter.exec(Unknown Source)
        at weblogic.management.scripting.utils.WLSTInterpreter.exec(WLSTInterpreter.java:509)
        at oracle.apps.startstop.util.WLSTCommand.checkNodeManagerStatus(WLSTCommand.java:789)
        at oracle.apps.startstop.util.SSUtils.checkNodeManagerOnAllAdminHosts(SSUtils.java:376)
        at oracle.apps.startstop.invoke.InvocationMgrImpl.invoke(InvocationMgrImpl.java:208)
        at oracle.apps.startstop.cli.FAEnv.runStartStop(FAEnv.java:109)
        at oracle.apps.startstop.cli.FAEnv.main(FAEnv.java:170)
[ERROR:1] [oracle.apps.startstop.util.SSUtils: checkNodeManagerOnAllAdminHosts.383] [tid:10] Error connecting to Node manager on host [host name ]for domain FinancialDomain. Please verify node manager status.
Exception in thread "Main Thread" oracle.apps.startstop.util.exception.SSException: Error connecting to Node manager on host [  node name ] for domain  FinancialDomain . Please verify node manager status.
        at oracle.apps.startstop.util.SSUtils.checkNodeManagerOnAllAdminHosts(SSUtils.java:384)
        at oracle.apps.startstop.invoke.InvocationMgrImpl.invoke(InvocationMgrImpl.java:208)
        at oracle.apps.startstop.cli.FAEnv.runStartStop(FAEnv.java:109)
        at oracle.apps.startstop.cli.FAEnv.main(FAEnv.java:170)
Oracle Fusion Applications Start Stop Utility failed with error code 1
[ERROR:1] [oracle.apps.startstop.util.WLSTCommand: checkNodeManagerStatus.795] [tid:10] SSUTIL023

New SSL certificate Configuration in the Fusion Applications  


Download the certrenew.sh script from the MOS note "How to Renew SSL Certificates in Fusion Applications" [ID 1382666.1].

Step 1
Verify the certificate status and check its validity dates.

Syntax: keytool -list -v -keypass <password> -storepass <password> -keystore <file_name>

[oracle@fahapp lib]$ keytool -list -v -keypass <password> -storepass <password> -keystore <hostname>_fusion_identity.jks

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: fahapp.oasiserp.com_fusion
Creation date: Mar 5, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=<hostname>, OU=defaultOrganizationUnit, O=defaultOrganization, C=US
Issuer: CN=<hostname>, OU=defaultOrganizationUnit, O=defaultOrganization, C=US
Serial number: 4f54086d
Valid from: Mon Mar 05 04:27:25 GST 2012 until: Sat Sep 01 04:27:25 GST 2012
Certificate fingerprints:
         MD5:  84:4F:FF:C1:35:EC:C5:6B:64:8B:69:40:CF:B9:84:18
         SHA1: 8A:5D:8A:90:ED:F2:66:A2:D4:CF:B7:C9:9E:A1:1F:ED:66:1B:7A:84
         Signature algorithm name: SHA1withRSA
         Version: 3
*******************************************
*******************************************

The certificate has expired, so a new certificate must be created to replace it.

Verify the fusion_trust.jks keystore:

Syntax: keytool -list -v -keypass <password> -storepass <password> -keystore fusion_trust.jks

Step 2

Bring down all the Admin Servers and Managed Servers. Stopping them with fastartstop may fail because of the expired certificate; in that case stop the servers from the GUI or kill the processes. It is highly recommended to stop all Managed and Admin Servers before changing the certificate.

[oracle@fahapp bin]$ ps -ef |grep u01
oracle    4307  4026  0 02:06 pts/2    00:00:00 grep u01
[oracle@fahapp bin]$ ps -ef |grep u02
oracle    4309  4026  0 02:06 pts/2    00:00:00 grep u02
[oracle@fahapp bin]$ ps -ef |grep java
oracle    4311  4026  0 02:06 pts/2    00:00:00 grep java

Kill the Node Manager and make sure all the processes are down.

Step 3

Review certrenew.sh and adjust it for your environment.
In certrenew.sh, change the APPL_TOP and the location of fusion_trust.jks to match the environment.
Source the environment file for Fusion Applications, which is located at $APPL_TOP/lcm/lad/bin/APPSORA.env

adsetenv.sh

adsetenv.sh generates the new environment file for Fusion Applications. A new file named APPSORA.env is generated when you execute adsetenv.sh.

$APPL_TOP/lcm/ad/bin/adsetenv.sh

Step 4

Create the new certificate 

[oracle@fahapp Desktop]$ cd /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib
[oracle@fahapp lib]$ /home/oracle/Desktop/certrenew.sh < host name > <password> < password > create
Hostname                        ::: <host_name>
key password            ::: < password >
store password          ::: < password >
Current Date Sep-06-12-02-26-19
Working directory is /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate
You are in ::: /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate
apps     :::  < host name >_fusion
apps jks :::  < host name >_identity.jks
apps cer :::  < host name >_identity.cer
 Generating the new certificate and private key
Done generating new certificate and private key for fahapp.oasiserp.com_fusion . File name is fahapp.oasiserp.com_fusion_identity.jks under certificate directory
 Extracting the certificate from the identity key store
Certificate stored in file << host name >_fusion_identity.cer>
Done extracting the certficate from the identity key store. File name is  fahapp.oasiserp.com_fusion_identity.cer under certificate directory
Copying the store fusion_trust.jks to cerfificate directory
Copied fusion_trust.jks to  certificate directory
Removing the trusted certificate
Removed the trusted certificate
Importing the new public certificate into trust key store fusion_trust.jks
Certificate was added to keystore
Imported the new public certificate into trust key store fusion_trust.jks
*************************************************************************************************************************************************************
*For listing the trusted key store to verify and ensure that all the certificates are present in the keys store and the validation of the certificates
*Please execute the command under certificate directory
*keytool -list -v -keypass <password> -storepass <password> -keystore fusion_trust.jks                                                                                    
*keytool -list -v -keypass <password> -storepass < password > -keystore fahapp.oasiserp.com_fusion_identity.jks                                                             

NEXT STEP : SHUTDOWN MANAGED SERVERS, ADMIN SERVERS and NODE MANAGERS BY KILLING IT
RUN THE SAME SHELL SCRIPT WITH REPLACE AS FOURTH PARAMETER VALUE

**************************************************************************************************************************************************************

Step 5

A new directory named certificate is created at /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate, and the newly created certificates are placed in it.
Verify the new certificate before replacing the old one.

[oracle@hostname certificate]$ ls -l
-rw-r--r-- 1 oracle oinstall   857 Sep  6 02:26 < host name >_fusion_identity.cer
-rw-r--r-- 1 oracle oinstall  1381 Sep  6 02:26 < host name >_fusion_identity.jks
-rwxr-x--- 1 oracle oinstall 82502 Sep  6 02:26 fusion_trust.jks

[oracle@host certificate]$ keytool -list -v -keypass <password> -storepass <password> -keystore < host name >_fusion_identity.jks

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: fahapp.oasiserp.com_fusion
Creation date: Sep 6, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=< host name >, OU=defaultOrganizationUnit, O=defaultOrganization, C=US
Issuer: CN=< host name >, OU=defaultOrganizationUnit, O=defaultOrganization, C=US
Serial number: 5047d18c
Valid from: Thu Sep 06 02:26:20 GST 2012 until: Fri Sep 06 02:26:20 GST 2013
Certificate fingerprints:
         MD5:  AB:FB:F5:FB:CB:62:48:79:F4:12:7F:A2:8E:8B:14:9D
         SHA1: 2A:24:6F:68:57:DD:B5:79:9F:3B:DA:E1:82:86:AA:01:BD:82:0D:E5
         Signature algorithm name: SHA1withRSA
         Version: 3

Step 6

Replace the old certificate with the newly generated certificate

[oracle@fahapp lib]$ /home/oracle/Desktop/certrenew.sh < host name > < password > < password > replace
Hostname                   ::: < host name >
key password            ::: < password >
store password          ::: <password>
Current Date Sep-06-12-02-34-53
Working directory is /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate
You are in ::: /u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate
apps     :::    < host name >_fusion
apps jks :::  < host name >_fusion_identity.jks
apps cer :::  < host name >_fusion_identity.cer
Replacing the certificates with newly created one
in directory
/u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib
Changed directory to server lib
/u01/oracle/fa/products/fusionapps/wlserver_10.3/server/lib/certificate
Replaced old certificate with new certificate
START NODE MANAGER, ADMIN SERVERS AND ALL MANAGED SERVERS
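
The keytool checks in Step 1 and Step 5 can be scripted so that an expiring certificate is noticed before BEA-090479 appears. The following is an added example, not part of the original post or of the MOS certrenew.sh script: it parses keytool -list -v output and marks each certificate EXPIRED, EXPIRING or OK. The function names, the aliases in the sample input and the 30-day window are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the MOS certrenew.sh: flag certificates in
# `keytool -list -v` output that are expired or close to expiry.

jks_expiry_report() {
  # stdin: keytool -list -v output; $1: today as YYYYMMDD; $2: warning days
  awk -v today="$1" -v warn="${2:-30}" '
    # Julian day number, so the days left are a plain subtraction
    function jdn(y, m, d,   a, yy, mm, n) {
      a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
      n = d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4)
      return n - int(yy / 100) + int(yy / 400) - 32045
    }
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
      for (i = 1; i <= 12; i++) month[names[i]] = i
      now = jdn(substr(today, 1, 4) + 0, substr(today, 5, 2) + 0, substr(today, 7, 2) + 0)
    }
    /^Alias name: / { alias = substr($0, 13); next }
    /^Valid from: .* until: / {
      # Format: until: Sat Sep 01 04:27:25 GST 2012 (time and zone ignored)
      na = $0; sub(/^.* until: /, "", na); split(na, f, " ")
      left = jdn(f[6] + 0, month[f[2]], f[3] + 0) - now
      status = (left < 0) ? "EXPIRED" : ((left <= warn) ? "EXPIRING" : "OK")
      printf "%s %s %04d-%02d-%02d %d\n", status, alias, f[6], month[f[2]], f[3], left
      if (status != "OK") bad = 1
    }
    END { exit bad }   # non-zero exit lets cron or monitoring alert
  '
}

# Constructed sample input; aliases are made up, the first and last validity
# windows are the ones shown in the keytool listings on this page.
sample_keytool_output() {
  cat <<'EOF'
Alias name: old_identity
Valid from: Mon Mar 05 04:27:25 GST 2012 until: Sat Sep 01 04:27:25 GST 2012
Alias name: soon_to_expire
Valid from: Tue Mar 20 00:00:00 GST 2012 until: Thu Sep 20 00:00:00 GST 2012
Alias name: new_identity
Valid from: Thu Sep 06 02:26:20 GST 2012 until: Fri Sep 06 02:26:20 GST 2013
EOF
}

# Real use: keytool -list -v -storepass <password> -keystore fusion_trust.jks \
#             | jks_expiry_report "$(date +%Y%m%d)" 30
if [ "${1:-}" = "demo" ]; then
  sample_keytool_output | jks_expiry_report 20120905 30
fi
```

Each output line is status, alias, expiry date and days left, with the comparison done at day granularity.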









