The following are some of the exceptions/errors and their resolutions.

Host name verification (Node Manager log)

The following problem is caused by the Node Manager setup and is seen in the Node Manager log:

<May 3, 2005 1:00:45 PM EDT> <Error> <NodeManager@xxxx11:5559> <NodeManager is not configured to receive commands from host : /10.62.3.215. Please update the trusted hosts file : /home/rbabu/nodemanager.hosts of the node manager by adding the hostname or ip address of /10.62.3.215>

Resolution: Add the host name or IP address to nodemanager.hosts and restart the node manager.
If you still see the error after adding the entry to the nodemanager.hosts file, add the following options to the node manager start script and to the admin server. Both options turn off SSL hostname verification.

Node Manager:

-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false

Admin Server:

-Dweblogic.security.SSL.ignoreHostnameVerification=true

Or you can do the same using the console: under the Keystores & SSL tab, click "Advanced Options" and change Hostname Verification to None.



Incomplete certificate chain (Admin Server log)

The following problem is seen in the Admin Server log:

#### <> Certificate chain received from xxxx11 - 172.18.137.74 was incomplete., [Security:090477]Certificate chain received from xxxx11 - 172.18.137.74 was not trusted causing SSL handshake failure.. Please ensure that the NodeManager is active on the target machine].]
Resolution: Import the root certificate of the admin server into the keystore as trustedcacert.

Managed server accepts the command from the admin but fails to start

The following problem is seen in the managed server log:

####<May 4, 2005 4:56:47 PM EDT> <Warning> <Security> <xxxx22.bea.com> <xxxx22babu1> <main> <> <> <BEA-090477> <Certificate chain received from xxxx22 - 172.18.137.66 was not trusted causing SSL handshake failure.>
####<May 4, 2005 4:56:47 PM EDT> <Warning> <NodeManager> <xxxx22.bea.com> <xxxx22babu1> <main> <> <> <BEA-300038> <The node manager is unable to monitor this server. Could not create an SSL connection to the node manager. Reason : [Security:090477]Certificate chain received from xxxx22 - 172.18.137.66 was not trusted causing SSL handshake failure.>
####<May 4, 2005 4:56:47 PM EDT> <Emergency> <WebLogicServer> <xxxx22.bea.com> <babu1> <main> <> <> <BEA-000342> <Unable to initialize the server: weblogic.management.configuration.ConfigurationException: Due to faulty SSL configuration, this server is unable to establish a connection to the node manager.>
Resolution: This exception occurs between the node manager and the managed server that the node manager is trying to start (not between the admin server and the node manager). It typically happens because a trusted certificate entry is missing. If the node manager is on host serverA, the root certificate from serverA should be imported into the trusted keystore.

Node Manager exception (Admin Server log)

The following problem is seen in the Admin Server log:
weblogic.nodemanager.NodeManagerException: [[NodeManager:300034]Could not execute command getState for server xxxx11babu1 using the node manager. Reason: [CommandInvoker: Failed to send command: 'getState to server 'xxxx11babu1' to NodeManager at host: 'xxxx11:5559' with exception [Security:090497]HANDSHAKE_FAILURE alert received from xxxx11 - 172.18.137.74. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.. Please ensure that the NodeManager is active on the target machine].]
Resolution: This exception is seen when the admin server and the node manager fail to establish trust. When you see this exception in the admin server log, go to the node manager log and see why the node manager rejected the certificate from the admin server. The exception there will generally mention the reason, such as expired certificates or host verification exceptions. Check whether the exception matches one of the exceptions detailed in this document and take the action described in the resolution for that exception. If the error is not descriptive, turn on debugging.
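The correlation step described above, as an added example that is not part of the original article: the Python below reads log lines in the two layouts quoted on this page, extracts the Security message ID and the peer, and collapses cascaded entries into one finding that says which side rejected the handshake. The sample lines are constructed from the messages quoted on this page, and the hint strings and field names are this example's own.

```python
import re

# Constructed sample: shortened copies of the messages quoted on this page.
SAMPLE_LOG = [
    "weblogic.nodemanager.NodeManagerException: [[NodeManager:300034]Could not execute "
    "command getState for server xxxx11babu1 using the node manager. Reason: "
    "[Security:090497]HANDSHAKE_FAILURE alert received from xxxx11 - 172.18.137.74.",
    "####<May 4, 2005 4:56:47 PM EDT> <Warning> <Security> <xxxx22.bea.com> <xxxx22babu1> "
    "<main> <> <> <BEA-090477> <Certificate chain received from xxxx22 - 172.18.137.66 "
    "was not trusted causing SSL handshake failure.>",
    "####<May 4, 2005 4:56:47 PM EDT> <Warning> <NodeManager> <xxxx22.bea.com> "
    "<xxxx22babu1> <main> <> <> <BEA-300038> <Could not create an SSL connection to the "
    "node manager. Reason : [Security:090477]Certificate chain received from xxxx22 - "
    "172.18.137.66 was not trusted causing SSL handshake failure.>",
]

# Which side refused the handshake, per message ID (hint wording is this example's own).
SSL_CODES = {
    "090477": ("local", "peer's chain not trusted here: trusted root certificate missing"),
    "090479": ("local", "peer's chain failed date validity checks: inspect validity dates"),
    "090497": ("peer", "peer sent HANDSHAKE_FAILURE: the reason is in the peer's own log"),
}
_CODE = re.compile(r"(?:\[Security:|<BEA-)(\d{6})[\]>]")
_PEER = re.compile(r"received from (\S+) - (\d{1,3}(?:\.\d{1,3}){3})")

def triage(lines):
    """Collapse cascaded log entries into one finding per (code, peer)."""
    findings = {}
    for line in lines:
        peer = _PEER.search(line)
        if not peer:
            continue  # no peer named, e.g. the follow-on BEA-000342 entry
        for code in _CODE.findall(line):
            if code in SSL_CODES:
                side, hint = SSL_CODES[code]
                findings.setdefault((code, peer.group(1)), {
                    "code": code, "peer": peer.group(1), "ip": peer.group(2),
                    "rejected_by": side, "hint": hint})
    return list(findings.values())

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']} {f['peer']} ({f['ip']}) rejected by {f['rejected_by']}: {f['hint']}")
```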

BEA-000342 (Managed Server log)

The following exception will be seen if the root certificate is missing:
####<May 4, 2005 4:56:47 PM EDT> <Warning> <Security> <xxxx22.bea.com> <xxxx22babu1> <main> <> <> <BEA-090477> <Certificate chain received from xxxx22 - 172.18.137.66 was not trusted causing SSL handshake failure.>
####<May 4, 2005 4:56:47 PM EDT> <Warning> <NodeManager> <xxxx22.bea.com> <xxxx22babu1> <main> <> <> <BEA-300038> <The node manager is unable to monitor this server. Could not create an SSL connection to the node manager. Reason : [Security:090477]Certificate chain received from xxxx22 - 172.18.137.66 was not trusted causing SSL handshake failure.>
####<May 4, 2005 4:56:47 PM EDT> <Emergency> <WebLogicServer> <xxxx22.bea.com> <xxxx22babu1> <main> <> <> <BEA-000342> <Unable to initialize the server: weblogic.management.configuration.ConfigurationException: Due to faulty SSL configuration, this server is unable to establish a connection to the node manager.>
Resolution: Import the root certificate that is exported from the keystore from step 3 back into the keystore from step 4 in the procedure for creating self-signed certificates.

Date validation exception (Admin Server log)

The following exception is seen in the Admin Server log:
weblogic.nodemanager.NodeManagerException: [[NodeManager:300034]Could not execute command getState for server xxxx11babu1 using the node manager. Reason: [CommandInvoker: Failed to send command: 'getState to server 'xxxx11babu1' to NodeManager at host: 'xxxx11:5559' with exception [Security:090479]Certificate chain received from xxxx11 - 172.18.137.74 failed date validity checks.. Please ensure that the NodeManager is active on the target machine].]
Resolution: Check the validity period of the certificates. This can be done using keytool:
keytool -v -list -keystore .jks
If the certificate has expired, delete the key or update it so that the dates are correct.
[
  Version: V1
     Subject: CN=.com, OU=DRE, O=BEA, L=Denver, ST=Colorado, C=US
     Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
     Key: SunJSSE RSA public key:
     public exponent:
       010001
     modulus:
       c61857d4 70ab5919 36d86cf5 3e4b310b 1f6e79cf 2a06cc9c 54b9e8c0 55faa8d5
       4b256b26 4e7da96b 92a14a5c 025ae39c 31397d26 e17ebf44 d3fa690a 72f92d91
       e1a06156 6a55da06 8d472550 0d4b0519 246d9bd0 ae3167c1 4abdffa6 fdc2f980
       bf357e89 ca483fc8 a175ba6f e3be068c d001279c 32d2241c 70677a44 14a44bd9
     Validity: [From: Tue May 03 13:39:15 MDT 2011,
         To: Mon Aug 01 13:39:15 MDT 2011]

         Issuer: CN=.com, OU=DRE, O=BEA, L=Denver, ST=Colorado, C=US
         SerialNumber: [4277d363]
]
Make sure that the From date is not in the future and that the To date has not passed.
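As an added example (not part of the original article), the following Python code parses certificate listings in the Validity layout shown above and reports whether each certificate is not yet valid, expired, or close to expiry at a given time. The sample listing is constructed with a placeholder subject, and the 30-day warning window and the function name are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the listing above (subject is a placeholder).
SAMPLE = """\
[
  Version: V1
     Subject: CN=nm-host.example.com, OU=DRE, O=BEA, L=Denver, ST=Colorado, C=US
     Validity: [From: Tue May 03 13:39:15 MDT 2011,
         To: Mon Aug 01 13:39:15 MDT 2011]
     SerialNumber: [4277d363]
]
"""

# Weekday and zone abbreviation are matched but discarded: strptime cannot parse
# abbreviations such as MDT portably, so results within a day of a boundary are approximate.
_DATE = r"\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+ (\d{4})"
_CERT = re.compile(
    r"Subject: (?P<subject>[^\n]+).*?"
    r"Validity: \[From: " + _DATE + r",\s*To: " + _DATE + r"\]",
    re.S,
)

def _parse(stamp, year):
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")

def check_validity(listing, now, warn_days=30):
    """Return (subject, status) for each certificate block in the listing."""
    results = []
    for m in _CERT.finditer(listing):
        not_before = _parse(m.group(2), m.group(3))
        not_after = _parse(m.group(4), m.group(5))
        if now < not_before:
            status = "not yet valid"   # From date is in the future
        elif now > not_after:
            status = "expired"         # To date has passed
        elif (not_after - now).days < warn_days:
            status = "expires soon"
        else:
            status = "valid"
        results.append((m.group("subject").strip(), status))
    return results

if __name__ == "__main__":
    for subject, status in check_validity(SAMPLE, datetime.now()):
        print(f"{status:14} {subject}")
```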
If none of the above works, turn on SSL debugging on both the node manager and the admin server.
