Friday, October 19, 2012

[Security:090479]Certificate chain received from scmhost1.domain.com failed date validity checks


Recently I faced a certificate expiration issue while starting Fusion Applications with the fastartstop.sh script. In Fusion Applications, the script connects to the Node Manager to start/stop the Admin and Managed servers, and that connection uses the fusion_trust.jks keystore. If the certificate has already expired, you will receive the error below.

Error:
WLSTException: Error occured while performing nmConnect : Cannot connect to Node Manager. : [Security:090479]Certificate chain received from scmhost1.domain.com - <IP Address> failed date validity checks.
Use dumpStack() to view the full stacktrace


Solution:
1. First go to the keystore directory:
/u01/app/oracle/fa/products/fusionapps/wlserver_10.3/server/lib
2. Run ls -ltr *.jks; you will find the two keystores below:

-rw-r--r-- 1 oracle oinstall 82535 Oct 16 14:49 fusion_trust.jks
-rw-r--r-- 1 oracle oinstall  1416 Oct 16 14:50 scmhost1.domain.com_fusion_identity.jks

3. Check the validity of the certificate in the identity keystore:
keytool -list -v -keystore  scmhost1.domain.com_fusion_identity.jks -storepass Welcome1
=====================================================================
Output:
Alias name: scmhost1.domain.com_fusion
Creation date: Mar 14, 2012
Entry type: trustedCertEntry

Owner: CN=scmhost1.domain.com, OU=defaultOrganizationUnit, O=defaultOrganization, C=US
Issuer: CN=scmhost1.domain.com, OU=defaultOrganizationUnit, O=defaultOrganization, C=US
Serial number: 4f60c436
Valid from: Wed Mar 14 12:15:50 EDT 2012 until: Mon Sep 10 12:15:50 EDT 2012
Certificate fingerprints:
         MD5:  67:D5:E7:26:17:D9:A9:1B:AF:E0:1B:E1:DA:D2:8B:9A
         SHA1: 80:1D:AF:B5:0F:01:B3:B9:54:3E:E3:56:BB:54:99:4A:55:64:1F:CF
         Signature algorithm name: SHA1withRSA
         Version: 3
=========================================================================
As per the above output, my certificate expired on Sep 10, 2012. If you run the same list command against the fusion_trust.jks keystore, you will find that the certificate under the scmhost1.domain.com_fusion alias expired on the same date.

To fix the issue, perform the steps below:

1. Back up the existing keystores.
2. Create a /tmp/certificate directory (the new keystore will be created in this directory).
3. Generate a new keystore (run the command in /tmp/certificate; it keeps the same alias and DN as the expired certificate):

keytool -genkeypair -keypass Welcome1 -storepass Welcome1 -keyalg RSA -alias "scmhost1.domain.com_fusion" -keystore scmhost1.domain.com_fusion_identity.jks -validity 3650 -dname "CN=scmhost1.domain.com, OU=defaultOrganizationUnit, O=defaultOrganization, C=US"

4. Export the certificate from the new keystore:

keytool -export -alias  scmhost1.domain.com_fusion -rfc -keypass Welcome1 -storepass Welcome1  -keystore scmhost1.domain.com_fusion_identity.jks -file scmhost1.domain.com_fusion.cer

5. Delete the expired scmhost1.domain.com_fusion alias from the fusion_trust.jks keystore:
cd /u01/app/oracle/fa/products/fusionapps/wlserver_10.3/server/lib

keytool -delete -alias  scmhost1.domain.com_fusion -keypass Welcome1 -storepass Welcome1 -keystore fusion_trust.jks

Note: Make sure your Fusion Applications environment is down before performing this step.

6. Import the new scmhost1.domain.com_fusion.cer certificate into the fusion_trust.jks keystore:

cp /tmp/certificate/scmhost1.domain.com_fusion.cer .

keytool -import -alias  scmhost1.domain.com_fusion -noprompt -keystore fusion_trust.jks -keypass Welcome1 -storepass Welcome1 -file scmhost1.domain.com_fusion.cer

7. Verify the validity of the new certificate in the fusion_trust.jks keystore:

keytool -list -v -keystore  fusion_trust.jks -storepass Welcome1
========================================================================
Alias name: scmhost1.domain.com_fusion
Creation date: Oct 16, 2012
Entry type: trustedCertEntry

Owner: CN=scmhost1.domain.com, OU=defaultOrganizationUnit, O=defaultOrganization, C=US
Issuer: CN=scmhost1.domain.com, OU=defaultOrganizationUnit, O=defaultOrganization, C=US
Serial number: 507da94d
Valid from: Tue Oct 16 14:37:01 EDT 2012 until: Fri Oct 14 14:37:01 EDT 2022
Certificate fingerprints:
         MD5:  EF:50:0E:C8:C1:A2:6D:7B:3D:9D:3B:8C:06:44:17:6A
         SHA1: DB:57:08:FC:BB:1D:BC:52:86:C1:EF:14:D7:D1:28:58:0D:8C:B0:3F
         Signature algorithm name: SHA1withRSA
         Version: 3
========================================================================
8. Start the Node Manager, the Admin server and the Managed servers.
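The root cause above was only noticed when nmConnect failed. The following script is an added example (not part of the original post or of Fusion Applications) that parses "keytool -list -v" output and flags every certificate that has expired or expires within a warning window, so keystores such as fusion_trust.jks can be checked ahead of time. The sample listing is constructed from the "Alias name" and "Valid from" lines shown in the post; the alias scmhost1.domain.com_fusion_renewed is an invented name for the regenerated certificate.

```python
import re
import subprocess
import sys
from datetime import datetime

# Constructed sample input: the "Alias name" and "Valid from" lines of the two keytool
# listings in the post (expired cert and regenerated cert), joined as one keystore listing.
SAMPLE_LISTING = """\
Alias name: scmhost1.domain.com_fusion
Entry type: trustedCertEntry
Valid from: Wed Mar 14 12:15:50 EDT 2012 until: Mon Sep 10 12:15:50 EDT 2012
Alias name: scmhost1.domain.com_fusion_renewed
Entry type: trustedCertEntry
Valid from: Tue Oct 16 14:37:01 EDT 2012 until: Fri Oct 14 14:37:01 EDT 2022
"""

VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")

def parse_java_date(text):
    """Parse Java's Date.toString() form, e.g. 'Mon Sep 10 12:15:50 EDT 2012'. The zone token
    is dropped: strptime accepts only a few zone names and a day-level check does not need it."""
    parts = text.split()
    del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")

def parse_keytool_listing(listing):
    """Return [(alias, not_before, not_after)] from `keytool -list -v` output. A PrivateKeyEntry
    with a chain yields one tuple per chain certificate, so expired intermediates are caught too."""
    entries, alias = [], None
    for line in listing.splitlines():
        if line.startswith("Alias name: "):
            alias = line[len("Alias name: "):].strip()
        m = VALID_RE.match(line.strip())
        if m and alias:
            entries.append((alias, parse_java_date(m.group(1)), parse_java_date(m.group(2))))
    return entries

def check_listing(listing, as_of, warn_days=30):
    """Label each certificate EXPIRED, EXPIRING (within warn_days) or OK as of `as_of` (YYYY-MM-DD).
    Returns [(alias, status, days_left, not_after_iso)]."""
    today = datetime.strptime(as_of, "%Y-%m-%d").date()
    report = []
    for alias, _not_before, not_after in parse_keytool_listing(listing):
        days_left = (not_after.date() - today).days
        status = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left <= warn_days else "OK"
        report.append((alias, status, days_left, not_after.isoformat()))
    return report

if __name__ == "__main__":
    # Usage: python check_jks.py <keystore> <storepass> [YYYY-MM-DD]; without arguments the sample is used.
    if len(sys.argv) >= 3:
        cmd = ["keytool", "-list", "-v", "-keystore", sys.argv[1], "-storepass", sys.argv[2]]
        listing = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        as_of = sys.argv[3] if len(sys.argv) > 3 else datetime.now().strftime("%Y-%m-%d")
    else:
        listing, as_of = SAMPLE_LISTING, "2012-10-19"  # date of the post
    for alias, status, days_left, not_after in check_listing(listing, as_of):
        print(f"{status:8} {alias}  expires {not_after}  ({days_left:+d} days)")
```

Running it regularly against fusion_trust.jks and the identity keystore (for example from cron) turns the expiry into an EXPIRING warning weeks before Node Manager connections start failing.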