Last updated on SEPTEMBER 19, 2016

Applies to:

Goal

During OAAM OAM integration via simple mode we observe certificate errors.

We see ultimately a CertPathBuilder error looking for a target.

oaam SSL handshake error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

OAAM complains:


oaam_server_server1.out


OAM also records the failed handshake.

2015-10-28T06:55:00.309-04:00] [oam_server1] [ERROR] [OAM-04020] [oracle.oam.proxy.oam] [tid: NioProcessor-1] [userId: ] [ecid: e69911b52c4478ba:2e1a6fae:150a55fbb33:-8000-000000000006abfc,0] [APP: oam_server#11.1.2.0.0] Exception encountered while processing the request message:[[
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
at org.apache.mina.common.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:425)
at org.apache.mina.common.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:387)
at org.apache.mina.common.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:379)
at org.apache.mina.common.AbstractPollingIoProcessor.access$400(AbstractPollingIoProcessor.java:43)
at org.apache.mina.common.AbstractPollingIoProcessor$Worker.run(AbstractPollingIoProcessor.java:678)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at oracle.security.am.proxy.oam.mina.CommonJWorkImpl.run(CommonJWorkImpl.java:41)
at weblogic.work.j2ee.J2EEWorkManager$WorkWithListener.run(J2EEWorkManager.java:184)
at weblogic.work.DaemonWorkThread.run(DaemonWorkThread.java:30)
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1639)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1607)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1776)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1068)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:890)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.mina.filter.ssl.SslHandler.unwrap0(SslHandler.java:644)
at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:591)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:461)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:286)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:407)



We suspect that the OAAM certificates are corrupt, and we would like to rebuild them

When we did our OAM Tap integration we specified the location of these certs in this file: oaam_cli.properties.


oam.uio.oam.rootcertificate.keystore.filepath=/prodapps/oracle/config/domains/IAMAccessDomain/output/webgate-ssl/oamclient-keystore.jks
oam.uio.oam.privatekeycertificate.keystore.filepath=/prodapps/oracle/config/domains/IAMAccessDomain/output/webgate-ssl/oamclient-truststore.jks

How can we regenerate OAAM client key and truststore?
 

Solution