
OPSS: Keystores.xml Overwritten With Default Demo Keystore Values - Failed to load identity <CUSTOM_KEYSTORE> of type KSS from file kss://system/<CUSTOM_KEYSTORE> on server (Doc ID 2807011.1)

Last updated on DECEMBER 22, 2023

Applies to:

Oracle Platform Security for Java - Version 12.2.1.4.0 and later
Information in this document applies to any platform.

Symptoms

On: 12.2.1.4.0 version, Java Platform Security, OAM 5565 12.2.1.4.0

On AdminServer restart, the existing keystore.xml is overwritten with values from the default demo keystore, even though the process outlined in the Enterprise Deployment Guide to replace demo certs, keystores, and truststores has been followed. Debug logs for AdminServer during startup, as well as both keystore.xml files, are attached for reference.

Note: If the WLST 'syncKeyStores(appStripe='system', keystoreFormat='KSS')' command is executed, the desired values are populated into the keystore.xml file. However, upon AdminServer restart the file is reverted to the demo values.

STEPS
--------
The issue can be reproduced at will with the following steps:

1. Configure OPSS KSS as outlined in FMW OPSS guide here - https://docs.oracle.com/en/middleware/fusion-middleware/platform-security/12.2.1.4/jisec/kssadm.html#GUID-2808CA69-66DB-4E6E-87CE-678961CA52E8

2. Once configuration is complete sync keystores as outlined here - https://docs.oracle.com/en/middleware/fusion-middleware/platform-security/12.2.1.4/jisec/kssadm.html#GUID-CB2C9A5F-1D85-44D6-838D-E582508DC25B

3. Restart AdminServer at any point after step 2 above and notice that the keystore.xml file is overwritten with the default demo cert/keystore data.

4. Initiating the sync keystore process via WLST updates keystore.xml with the correct data from the central security store. However, this process has to be completed every time AdminServer is restarted and is not sustainable.

 

ServerLog shows the following:

<Warning> <oracle.security.opss.internal.runtime.ServiceContextManagerImpl> <BEA-000000> <Bootstrap services are used by OPSS internally and clients should never need to directly read/write bootstrap credentials. If required, use Wlst or configuration management interfaces.>
<Error> <Security> <BEA-090929> <Unable to load key store [<CUSTOM_KEYSTORE>Type="KSS", source="kss://system/<CUSTOM_KEYSTORE>", exception="java.io.IOException", message="<CUSTOM_KEYSTORE> <CUSTOM_KEYSTORE> in app stripe system does not exist"]>
<Alert> <Security> <BEA-090166> <Failed to load identity <CUSTOM_KEYSTORE> of type KSS from file kss://system/<CUSTOM_KEYSTORE> on server <OAM_MANAGED_SERVER>>
<Error> <WebLogicServer> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Failed to load identity <CUSTOM_KEYSTORE> of type KSS from file kss://system/<CUSTOM_KEYSTORE> on server <OAM_MANAGED_SERVER>>
<Emergency> <Security> <BEA-090034> <Not listening for SSL, weblogic.management.configuration.ConfigurationException: Failed to load identity <CUSTOM_KEYSTORE> of type KSS from file kss://system/<CUSTOM_KEYSTORE> on server <OAM_MANAGED_SERVER>.>
<Error> <Server> <BEA-002606> <The server is unable to create a server socket for listening on channel "DefaultSecure[iiops]". The address <IPADDRESS> might be incorrect or another process is using port <OAM_SSL_PORT>>: java.io.IOException: Failed to load identity <CUSTOM_KEYSTORE> of type KSS from file kss://system/<CUSTOM_KEYSTORE> on server <OAM_MANAGED_SERVER>>
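
A log check for the failure chain above, added here as an example (not Oracle code): it groups the BEA message IDs from this excerpt by KSS stripe and keystore and flags servers that stopped listening for SSL. The function name and the sample values (custidentity, oam_server1, the address and port) are constructed for illustration.

```python
import re
from collections import defaultdict

# Message IDs taken from the server log excerpt on this page.
KSS_FAILURE_IDS = {"BEA-090929", "BEA-090166", "BEA-000297",
                   "BEA-090034", "BEA-002606"}
SSL_DOWN_ID = "BEA-090034"  # "Not listening for SSL"

# Works on the abbreviated lines shown here and on full "####<...>" log lines.
LINE_RE = re.compile(r"<(?P<id>BEA-\d{6})> <(?P<msg>.*)>\s*$")
KSS_RE = re.compile(r"kss://(?P<stripe>[^/\s\"]+)/(?P<keystore>[^\s\",\]>]+)")
SERVER_RE = re.compile(r"on server (?P<server>[\w.-]+)")

def find_kss_load_failures(lines):
    """Group KSS identity-load failures by (stripe, keystore)."""
    findings = defaultdict(
        lambda: {"ids": set(), "servers": set(), "ssl_down": False})
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["id"] not in KSS_FAILURE_IDS:
            continue
        kss = KSS_RE.search(m["msg"])
        if not kss:
            continue  # e.g. BEA-002606 raised by an unrelated port conflict
        entry = findings[(kss["stripe"], kss["keystore"])]
        entry["ids"].add(m["id"])
        srv = SERVER_RE.search(m["msg"])
        if srv:
            # BEA-090034 ends the sentence with a period after the server name.
            entry["servers"].add(srv["server"].rstrip("."))
        if m["id"] == SSL_DOWN_ID:
            entry["ssl_down"] = True
    return dict(findings)

# Constructed sample lines modelled on the excerpt (placeholders filled in).
SAMPLE_LOG = [
    '<Error> <Security> <BEA-090929> <Unable to load key store [custidentity Type="KSS", source="kss://system/custidentity", exception="java.io.IOException", message="custidentity in app stripe system does not exist"]>',
    '<Alert> <Security> <BEA-090166> <Failed to load identity custidentity of type KSS from file kss://system/custidentity on server oam_server1>',
    '<Emergency> <Security> <BEA-090034> <Not listening for SSL, weblogic.management.configuration.ConfigurationException: Failed to load identity custidentity of type KSS from file kss://system/custidentity on server oam_server1.>',
    '<Error> <Server> <BEA-002606> <The server is unable to create a server socket for listening on channel "Default". The address 10.0.0.5 might be incorrect or another process is using port 7001>',
]

if __name__ == "__main__":
    for (stripe, keystore), info in find_kss_load_failures(SAMPLE_LOG).items():
        print(f"kss://{stripe}/{keystore}: ids={sorted(info['ids'])} "
              f"servers={sorted(info['servers'])} ssl_down={info['ssl_down']}")
```

Run after each AdminServer restart, a non-empty result with ssl_down set indicates the configured identity keystore was not found in the stripe at startup.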

Changes

 Created the <CUSTOM_KEYSTORE> under the CUSTOMSTRIPE

Cause
