Unable to Run Corba API in SSL Environment Using JDK 8u301 and Higher - "WARNING Unable to create ServerSocketFactory : Invalid keystore format java.io.IOException: Invalid keystore format"
(Doc ID 2847060.1)
Last updated on MAY 31, 2023
Applies to:
Oracle Communications MetaSolv Solution - Version 6.3.1 and laterInformation in this document applies to any platform.
Symptoms
An "Invalid keystore format" error occurs when a keystore is read by a JDK version lower than a keystore generated with JDK 8u301 and higher. Below are the Java keytool options used to generate the SSL certificate for use on the WebLogic Server.
keytool -genkey -alias mycert -keyalg RSA -keypass password -keystore identity.jks -storepass password -validity 365 -deststoretype pkcs12 keytool -export -alias mycert -file root.cer -keystore identity.jks -storepass password keytool -import -alias mycert -trustcacerts -file root.cer -keystore trust.jks -storepass password
Below is the "Invalid keystore format" error observed during CORBA API regression testing of all Java 8 JDK CPU releases (including JDK 1.8 u291, JDK 1.8 u301 and JDK 1.8 u311).
WARNING Unable to create ServerSocketFactory : Invalid keystore format java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:663)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.jacorb.security.ssl.sun_jsse.KeyStoreUtil.getKeyStore(KeyStoreUtil.java:121)
at org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory.createServerSocketFactory(SSLServerSocketFactory.java:299)
at org.jacorb.security.ssl.sun_jsse.SSLServerSocketFactory.configure(SSLServerSocketFactory.java:180)
at org.jacorb.orb.factory.SocketFactoryManager.newFactory(SocketFactoryManager.java:294)
at org.jacorb.orb.factory.SocketFactoryManager.newSSLServerSocketFactory(SocketFactoryManager.java:210)
at org.jacorb.orb.factory.SocketFactoryManager.getSSLServerSocketFactory(SocketFactoryManager.java:162)
at org.jacorb.orb.iiop.IIOPListener$SSLAcceptor.getServerSocketFactory(IIOPListener.java:819)
at org.jacorb.orb.iiop.IIOPListener$Acceptor.createServerSocket(IIOPListener.java:727)
at org.jacorb.orb.iiop.IIOPListener$Acceptor.createServerSocket(IIOPListener.java:696)
at org.jacorb.orb.iiop.IIOPListener$Acceptor.init(IIOPListener.java:473)
at org.jacorb.orb.iiop.IIOPListener.configure(IIOPListener.java:152)
at org.jacorb.orb.BasicAdapter.configure(BasicAdapter.java:121)
at org.jacorb.orb.ORB.getRootPOA(ORB.java:1264)
Changes
In Java 8u301 release, a new fix went in to upgrade the default PKCS12 encryption algorithm, as noted in Java 8u301 release notes at https://www.oracle.com/java/technologies/javase/8all-relnotes.html#R180_301
➜ Upgraded the Default PKCS12 Encryption Algorithms
The default encryption algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.
For compatibility, a new system property named keystore.pkcs12.legacy is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Changes |
| Cause |
| Solution |
| References |