Ops Center EC registration fails with error after Java 1.7.0_151 or 1.8.0_121: Cannot find cert in truststore (/usr/jdk/latest/jre/lib/security/cacerts)

(Doc ID 2313480.1)

Last updated on OCTOBER 18, 2017

Applies to:

Enterprise Manager Ops Center - Version 12C to 12cR3 (12.3) [Release 12.0]
Information in this document applies to any platform.

Symptoms

 - Ops Center Enterprise Controller (EC) fails to register with MOS starting with Java 1.7.0_151 OR Java 8 Update 121 because these Java releases no longer include the required certificate. This only happens when an unregistered Ops Center tries to register. This includes new or upgraded installation that has not yet been registered, for example, switching from disconnected mode to connected mode and then registering Ops Center. The already registered Ops Center will continue to work. In order to register Ops Center, a Java certificate needs to be imported into the Java truststore. 

 - The following errors may be seen in the EC cacao logs: (example)

/var/cacao/instances/oem-ec/logs/cacao.*

 

SEVERE: thr#17643:"Service Request MOS Status Checker" MosRelayException was thrown MOS services maybe down. Cannot validate MOS user at this time. Setting user validity to UNKNOWN with Error message:
java.security.cert.CertificateException: Cannot find cert in truststore (/usr/jdk/latest/jre/lib/security/cacerts)

IOException was caught: java.security.cert.CertificateException: Cannot find cert in truststore (/usr/jdk/latest/jre/lib/security/cacerts) for Certificate:
Serial Number: 141202760863248523350552346688836349491
Version: 3
Issuer: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Subject: CN=*.oracle.com, O=Oracle Corporation, L=Redwood Shores, ST=California, C=US
Not valid before: Wed Sep 14 20:00:00 EDT 2016
Not valid after: Tue Nov 14 18:59:59 EST 2017

Certificate:
Serial Number: 107998343814376832458216740669838760447
Version: 3
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Subject: CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Not valid before: Wed Oct 30 20:00:00 EDT 2013
Not valid after: Mon Oct 30 19:59:59 EDT 2023

Certificate:
Serial Number: 35937092757358589497111621496656664184
Version: 3
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Not valid before: Tue Nov 07 19:00:00 EST 2006
Not valid after: Sun Nov 07 18:59:59 EST 2021

 - Note that the `OCDoctor.sh --check-connectivity` tests run without any issue.

Changes

 - Having the following Java versions or later:

Java 1.7.0_151
Java 1.8.0_121

 

- Below is a legend showing what versions of Java are included with each version SRU, and what Java versions are affected and not:

[A] AFFECTED VERSION
[U] UNAFFECTED VERSION

Solaris 11.3.23.5 SRU includes Java 8 Update 141 [A], Java 7 Update 151 [A]
Solaris 11.3.19.5 SRU includes Java 8 Update 131 [A], Java 7 Update 141 [U]
Solaris 11.3.17.5 SRU includes Java 8 Update 121 [A], Java 7 Update 131 [U]

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms