Hi All,
The server certificate got expired in my server (webMethods 6.5) and so I got a new one and configured it in the “Server’s Signed Certificate”.
But after that HTTPS ports with keyStore(IAIK) are not getting enabled due to the below error. It worked with the previous certificates that were configured in the server.
Error in SSL setup: java.lang.ClassCastException: [Liaik.asn1.ASN1Object;
The only difference I found between the previous certificates and the new ones is in the Signature Algorithm. The old ones have sha1WithRSAEncryption whereas the new ones have sha256WithRSAEncryption.
My questions:
- Could the Signature Algorithm be a contributing element to this issue?
- Do I need to import the new certificate in the keystore? If so, then how to do it? (The keystore type was predefined in the dropdown list while configuring the port)
- As a whole any idea how to get the port started again?
Please feel free to ask for any further information. Urgent help will be greatly appreciated.
Hi,
can you provide the full stack trace of the ClassCastException?
Did you check if you have the latest available Fixes applied to your IS?
Signature Algorithm might be an issue here.
As wM 6.5 is fairly old and out of support for quite some time now you are advised to upgrade to wM 9.12 or newer.
This will be a multiple migration task as you will have to migrate to 7.1.3 and 9.5 as intermediates.
Regards,
Holger
Hi Holger,
As I got the error while enabling a port, I only got the below error in the console.
[ISS.0070.0021] Failed to start HTTPSListener@5307: [Liaik.asn1.ASN1Object;
However, I have tested the below service from WmPublic package with the private key and certificates as inputs and got the below stack trace.
pub.security:setKeyAndChain
java.lang.ClassCastException: [Liaik.asn1.ASN1Object;
at com.wm.security.Util.loadPKCS1(Util.java:121)
at com.wm.security.Util.loadRSAPrivateKey(Util.java:89)
at com.wm.security.Util.loadRSAPrivateKey(Util.java:70)
at com.wm.security.Util.loadRSAPrivateKey(Util.java:62)
at pub.securityimpl.setKeyAndChain(securityimpl.java:81)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.wm.app.b2b.server.JavaService.baseInvoke(JavaService.java:332)
at com.wm.app.b2b.server.invoke.InvokeManager.process(InvokeManager.java:612)
at com.wm.app.b2b.server.invoke.StatisticsProcessor.process(StatisticsProcessor.java:44)
at com.wm.app.b2b.server.invoke.ServiceCompletionImpl.process(ServiceCompletionImpl.java:235)
at com.wm.app.b2b.server.invoke.ValidateProcessor.process(ValidateProcessor.java:49)
at com.wm.app.b2b.server.ACLManager.process(ACLManager.java:198)
at com.wm.app.b2b.server.invoke.DispatchProcessor.process(DispatchProcessor.java:39)
at com.wm.app.b2b.server.AuditLogManager.process(AuditLogManager.java:411)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:521)
at com.wm.app.b2b.server.invoke.InvokeManager.invoke(InvokeManager.java:369)
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java:246)
at com.wm.app.b2b.server.ServiceManager.invoke(ServiceManager.java:128)
at com.wm.app.b2b.server.HTTPInvokeHandler._process(HTTPInvokeHandler.java:131)
at com.wm.app.b2b.server.InvokeHandler.process(InvokeHandler.java:119)
at com.wm.app.b2b.server.Dispatch.run(Dispatch.java:312)
at com.wm.util.pool.PooledThread.run(PooledThread.java:105)
at java.lang.Thread.run(Thread.java:595)
Actually, I created a new private key and csr using openssl from the server and using that csr we got the server certificate from our client. But when I configured the same in the port, it is not getting enabled. PFA the port configurations.
After some analysis, I found out the new private key might be the source of the error. This is because the port got enabled when I used the old private key and new certificates.
I am assuming I need to import the new key in the keystore (IAIKKeyStore) of the port.
Am I correct in my assumptions? Can you help me in importing the key in the keystore?
If not, then can you advise on what to do next?
Please take into consideration the wM version.
Hi Mainak,
when we were using wM 6.5 we never specified any Listener specific credentials, only the server wide ones under Security → Certificates.
Check IS Administrators Guide for details.
When you created a new private key and csr you should adjust the proper paths/file names in your security settings and remember to restart IS afterwards.
We have migrated to wM 9.x meanwhile which handles certificates in a different way.
It is using PKCS12 (P12) for private key and server cert and JKS for the certificate authorities which are not part of the base cacerts file of the JVM.
Regards,
Holger
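
The stack trace in this thread fails inside `com.wm.security.Util.loadPKCS1`, and the poster traces the problem to the newly generated private key. As an added example (not from any poster and not webMethods code), the Python below tells a PKCS#1 `RSAPrivateKey` from a PKCS#8 `PrivateKeyInfo` by its ASN.1 structure, which is one thing worth comparing between the old and new key files. That the encoding is what differs here is an assumption, and the toy key is constructed for the example.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID, DER-encoded

def tlv(tag, value):
    """Encode one DER tag-length-value (short-form length; enough for the toy key)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def der_int(n):
    """Encode a non-negative INTEGER, leaving room for the sign bit."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def classify_private_key(pem):
    """Classify an unencrypted PEM private key by its ASN.1 shape, not its label."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    tag, seq, _ = read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    first, _, pos = read_tlv(seq, 0)
    second, _, _ = read_tlv(seq, pos)
    if (first, second) == (0x02, 0x02):
        return "PKCS#1 RSAPrivateKey"    # version INTEGER, then modulus INTEGER
    if (first, second) == (0x02, 0x30):
        return "PKCS#8 PrivateKeyInfo"   # version INTEGER, then AlgorithmIdentifier
    return "unknown"

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed toy key (p=61, q=53): structurally valid, cryptographically useless.
PKCS1_DER = tlv(0x30, b"".join(der_int(n) for n in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
PKCS8_DER = tlv(0x30, der_int(0) + tlv(0x30, RSA_OID + b"\x05\x00") + tlv(0x04, PKCS1_DER))

if __name__ == "__main__":
    print(classify_private_key(to_pem("RSA PRIVATE KEY", PKCS1_DER)))
    print(classify_private_key(to_pem("PRIVATE KEY", PKCS8_DER)))
```

To check a real key, pass the contents of the PEM file to `classify_private_key`; the key material is only parsed for its first two element tags and never printed.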