After Configuring FIPS Mode in WebLogic Server - SSLContext Initialization Errors Occur - Need to Convert Trust Keystore for FIPS Compliance (Doc ID 2493872.1)

Last updated on SEPTEMBER 28, 2020

Applies to:

Oracle WebLogic Server - Version 12.2.1.0.0 to 12.2.1.3.0 [Release 12c]
Information in this document applies to any platform.

Symptoms

When you enable FIPS mode for WebLogic Server, Java SSL Context initialization exceptions may occur. If you have configured the Oracle Identity Cloud Integrator provider, users from Oracle Identity Cloud Service may fail to authenticate.

When you enable JDK debug (-Djavax.net.debug=ssl), error messages for the exception are similar to the following:

Default SSLContext initialization
Key Store:
Key Store type: jks
Initializing key managers
Exception while initializing default context JKS keystores cannot be loaded in FIPS-140 mode.
Only PKCS12 PBES2 key stores are supported 


If you are using a PKCS12 keystore that is not FIPS compliant (for example, one created with the keytool command using the Sun JSSE provider), you may also receive an error similar to the following when using the keytool command:

keytool error: java.lang.SecurityException: Algorithm not allowable in
FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40
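
A pre-flight check for the two symptoms above, as an added example that is not part of the Oracle document: it classifies a keystore file by its leading bytes and scans PKCS12 data for the DER-encoded OIDs of PBES2 and of the older PKCS#12 PBE schemes (the RC2/40 scheme in the keytool error is one of them). The function names and sample bytes are constructed for illustration, and treating every older PBE scheme as non-compliant is an assumption drawn from the "Only PKCS12 PBES2 key stores are supported" message.

```python
import struct

# DER-encoded OIDs; 2a864886f70d is the 1.2.840.113549 arc.
PBES2_OID = bytes.fromhex("06092a864886f70d01050d")      # 1.2.840.113549.1.5.13
LEGACY_PREFIX = bytes.fromhex("060a2a864886f70d010c01")  # 1.2.840.113549.1.12.1.<n>
LEGACY_NAMES = {                                         # names as in RFC 7292
    1: "pbeWithSHAAnd128BitRC4", 2: "pbeWithSHAAnd40BitRC4",
    3: "pbeWithSHAAnd3-KeyTripleDES-CBC", 4: "pbeWithSHAAnd2-KeyTripleDES-CBC",
    5: "pbeWithSHAAnd128BitRC2-CBC", 6: "pbeWithSHAAnd40BitRC2-CBC",
}
MAGIC = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}         # keystore file magics

def classify_keystore(data):
    """Return (store_type, legacy_pbe_algorithms, has_pbes2) for raw keystore bytes."""
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] in MAGIC:
        return MAGIC[struct.unpack(">I", data[:4])[0]], [], False
    if data[:1] != b"\x30":                # a PKCS12 file starts with a SEQUENCE tag
        return "unknown", [], False
    legacy, pos = set(), data.find(LEGACY_PREFIX)
    while pos != -1:                       # collect every legacy PBE OID present
        last = data[pos + len(LEGACY_PREFIX): pos + len(LEGACY_PREFIX) + 1]
        if last and last[0] in LEGACY_NAMES:
            legacy.add(LEGACY_NAMES[last[0]])
        pos = data.find(LEGACY_PREFIX, pos + 1)
    return "PKCS12", sorted(legacy), PBES2_OID in data

def fips_preflight(data):
    """One-line verdict; assumes any legacy PKCS#12 PBE scheme is non-compliant."""
    kind, legacy, pbes2 = classify_keystore(data)
    if kind != "PKCS12":
        return f"FAIL: {kind} keystore; only PKCS12 PBES2 key stores are supported"
    if legacy:
        return "FAIL: PKCS12 uses legacy PBE: " + ", ".join(legacy)
    return "OK: PKCS12 with PBES2 only" if pbes2 else "REVIEW: no PBE OID found"

# Constructed sample bytes (headers and fragments, not real keystores).
SAMPLE_JKS = bytes.fromhex("feedfeed0000000200000000")
SAMPLE_LEGACY_P12 = (b"\x30\x82\x01\x00" + LEGACY_PREFIX + b"\x06"
                     + b"\x05\x00" + LEGACY_PREFIX + b"\x03")
SAMPLE_PBES2_P12 = b"\x30\x82\x01\x00" + PBES2_OID + b"\x30\x00"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:              # usage: python check.py trust.jks id.p12
        with open(path, "rb") as fh:
            print(path, "->", fips_preflight(fh.read()))
```

The OID scan is a heuristic rather than a full ASN.1 parse, and an OK verdict does not establish that the cipher and PRF inside the PBES2 parameters are FIPS-approved.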

  

Changes

 

Cause
