
DIP Keystore Reverting to Older keystore After Adding New Certificates (Doc ID 2833547.1)

Last updated on MARCH 06, 2023

Applies to:

Oracle Internet Directory - Version 12.2.1.4.0 and later
Information in this document applies to any platform.

Symptoms

OID 12c and the DIP server were set up for SSL Server authentication (Mode 2).

A sync profile needs to be created to sync with AD over SSL. The issue occurs when importing the AD SSL certificate into the DIP keystore file as a trusted certificate, which is needed to establish the SSL connection from the DIP server to AD in order to create the sync profile.

When new certificates are added to the dip.jks keystore used by DIP, the keystore is reverted to the older file (.jks) after one to two minutes.

EXAMPLE:

- Check the current DIP keystore file size:

 ls -l /<DOMAIN_HOME>/config/fmwconfig/components/OID/oid1/admin/dip.jks
-rw-r-----. 1 oracle dbagroup 1567 Nov 10 14:36 <DOMAIN_HOME>/config/fmwconfig/components/OID/oid1/admin/dip.jks

 

- Now import the new SSL certificate:


keytool -importcert -v -trustcacerts -alias <ALIAS_NAME> -file <PATH>/<CERTFILE>.cer -keystore <DOMAIN_HOME>/config/fmwconfig/components/OID/oid1/admin/dip.jks
Enter keystore password:
Owner: CN=<CN_VALUE>, DC=<DC_VALUE>, DC=<DC_VALUE>
Issuer: CN=<CN_VALUE>, DC=<DC_VALUE>, DC=<DC_VALUE>
Serial number: XXXXXXXXXXXXXXXXX
Valid from: Wed Jan 11 00:37:56 UTC 2017 until: Mon Jan 11 00:47:56 UTC 2027
Certificate fingerprints:
        SHA1:xxxxxxxxxxxxx
        SHA256:xxxxxxxxxxxxx
....
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing <DOMAIN_HOME>/config/fmwconfig/components/OID/oid1/admin/dip.jks]


 keytool -list -keystore <DOMAIN_HOME>/config/fmwconfig/components/OID/oid1/admin/dip.jks
Enter keystore password:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

<ALIAS_NAME>, Jan 11, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): xxxxxxxxxxxxxxxx
<ALIAS_NAME2>, Sep 24, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): xxxxxxxxxxxxxxxx

 

- Check the new DIP keystore file size. It increases as expected:


 ls -l <DOMAIN_HOME>/config/fmwconfig/components/OID/oid1/admin/dip.jks
-rw-r-----. 1 oracle dbagroup 2486 Jan 11 19:47 <DOMAIN_HOME>/config/fmwconfig/components/OID/oid1/admin/dip.jks

- Wait a minute or two. The file is reverted back to the original one:

 ls -l <DOMAIN_HOME>/config/fmwconfig/components/OID/oid1/admin/dip.jks
-rw-r-----. 1 oracle dbagroup 1567 Nov 10 14:36 <DOMAIN_HOME>/config/fmwconfig/components/OID/oid1/admin/dip.jks


Note that dip.jks gets reverted back to the original file.
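
The manual `ls -l` comparison above can be scripted. The following is an added example, not part of the Oracle note: it fingerprints the keystore before and after the `keytool` import and polls to report whether the file stays as imported, returns to its pre-import content, or changes to something else. The function names (`ks_fingerprint`, `ks_state`, `ks_watch`) and the `KS` variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Oracle note): detect dip.jks being reverted
# after a keytool import. Function names are hypothetical.
#
# Usage, with KS set to the dip.jks path shown in the note:
#   before=$(ks_fingerprint "$KS")
#   keytool -importcert ... -keystore "$KS"
#   after=$(ks_fingerprint "$KS")
#   ks_watch "$KS" "$before" "$after" 15 20   # poll every 15 s, 20 times

# Print "<size-in-bytes> <sha256>" for a file. Size alone (as in ls -l)
# can miss a same-size rewrite, so the content hash is included.
ks_fingerprint() {
    _size=$(wc -c < "$1" | tr -d ' ')
    if command -v sha256sum >/dev/null 2>&1; then
        _hash=$(sha256sum "$1" | awk '{print $1}')
    else
        _hash=$(shasum -a 256 "$1" | awk '{print $1}')
    fi
    printf '%s %s\n' "$_size" "$_hash"
}

# Compare the file with the pre-import ($2) and post-import ($3)
# fingerprints. Prints one of: kept | reverted | changed
ks_state() {
    _now=$(ks_fingerprint "$1")
    if [ "$_now" = "$3" ]; then
        echo kept
    elif [ "$_now" = "$2" ]; then
        echo reverted
    else
        echo changed
    fi
}

# Poll the file. Returns 0 if it stayed as imported for every check,
# 1 (with a timestamped line on stdout) as soon as it differs.
# Args: file before-fp after-fp interval-seconds tries
ks_watch() {
    _i=0
    while [ "$_i" -lt "$5" ]; do
        _st=$(ks_state "$1" "$2" "$3")
        if [ "$_st" != kept ]; then
            printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$_st"
            return 1
        fi
        sleep "$4"
        _i=$((_i + 1))
    done
    return 0
}
```

The timestamp printed on the first mismatch narrows the window to check in the server logs for whatever rewrote the file.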

Cause
