BEA-090898 – Unsupported OID in the AlgorithmIdentifier Object

by Patrick Sinke on December 12, 2013 · 15 comments

This error shows up in our OSB logs all the time:

<BEA-090898> <Ignoring the trusted CA certificate “CN=KEYNECTIS ROOT CA,  OU=ROOT,O=KEYNECTIS,C=FR”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>

Searching for BEA-090898 turns up no relevant results, but Oracle Support has a note that explains the cause of the “PKIX: Unsupported OID in the AlgorithmIdentifier object” error. According to Oracle Support, this is the cause:

Recent updates to the Sun JDK (Java Developer Kit) (versions: 1.6.0_13 and 1.5.0_18) are incompatible with the SSL (Secure Socket Layer) implementation in the following versions of Oracle WebLogic Server:

  • 11gR1 (10.3.1)
  • 10gR3 (10.3.0)
  • 10.0 and all maintenance releases of 10.0
  • 9.0, 9.1, 9.2 and all maintenance releases of 9.2 prior to 9.2 MP4

Oracle JRockit versions from R27.6.4 (1.6.0_13 and 1.5.0_18) and higher also exhibit this issue.

The solution is to install one of the following patches after upgrading the JDK. Note: this issue should be fixed in WebLogic Server 10.3.2 and above.

WLS Version    Patch Number
-----------    -------------
9.1.0          Patch 8422724
9.2.0          Patch 9384535
9.2.1          Patch 9032735
9.2.2          Patch 9309512
9.2.3          Patch 8849418
10.0.0         Patch 8422724
10.0.1         Patch 8895699
10.0.2         Patch 8896127
10.3.0         Patch 8715553
10.3.1         Patch 9003716

If you still encounter the problem after patching, try one of the following solutions:

1) Select your server in the WebLogic Console -> SSL -> Advanced -> set “Enable JSSE” to true. Restart WebLogic.
2) Replace the trust store file \jdk\jre\lib\security\cacerts with one from an earlier JDK (Oracle Doc ID 952078.1).
3) Check the contents of the keystore file by issuing the following command: keytool -list -keystore .keystore
Then delete the invalid certificates with: keytool -delete -alias mydomain -keystore keystore.jks
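
Before deleting anything under option 3, it helps to know which keystore aliases the BEA-090898 messages actually refer to. The following Python example is added here and is not code from the original post or from Oracle; it matches the DNs in the log message against `keytool -list -v` output and names the reported OID (1.2.840.113549.1.1.11 is sha256WithRSAEncryption). The log timestamp, the aliases and the second CA are constructed sample values, and the DN comparison is a simple normalization that does not handle escaped commas.

```python
import re

# Signature-algorithm OIDs the message can report (RSA with SHA-2); extend as needed.
SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# BEA-090898 text as quoted in the post; accepts straight or curly quotes.
LOG_RE = re.compile(
    r'<BEA-090898>.*?Ignoring the trusted CA certificate ["“](?P<dn>[^"”]+)["”]'
    r'.*?Unsupported OID in the AlgorithmIdentifier object: (?P<oid>\d+(?:\.\d+)+)'
)

def norm_dn(dn):
    """Naive DN normalization: trim and upper-case each comma-separated part."""
    return ",".join(part.strip().upper() for part in dn.split(","))

def ignored_cas(log_text):
    """Return {normalized DN: OID} for every BEA-090898 entry in the log."""
    return {norm_dn(m["dn"]): m["oid"] for m in LOG_RE.finditer(log_text)}

def keystore_owners(keytool_verbose):
    """Return {normalized Owner DN: alias} from `keytool -list -v` output."""
    owners, alias = {}, None
    for line in keytool_verbose.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:") and alias:
            owners[norm_dn(line.split(":", 1)[1])] = alias
    return owners

def affected_aliases(log_text, keytool_verbose):
    """List (alias, DN, algorithm) for each CA the server reported ignoring."""
    owners = keystore_owners(keytool_verbose)
    return sorted((owners.get(dn, "<not in keystore>"), dn, SIG_OIDS.get(oid, oid))
                  for dn, oid in ignored_cas(log_text).items())

# Constructed samples: the timestamp, aliases and second CA are illustrative.
SAMPLE_LOG = (
    '<Jul 6, 2016 9:16:01 AM CEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted '
    'CA certificate "CN=KEYNECTIS ROOT CA,  OU=ROOT,O=KEYNECTIS,C=FR". The loading of the '
    'trusted certificate list raised a certificate parsing exception PKIX: Unsupported '
    'OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>\n')
SAMPLE_KEYTOOL = """\
Alias name: keynectisrootca
Owner: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
Alias name: examplesha1ca
Owner: CN=Example SHA1 CA, O=Example, C=NL
"""
print(affected_aliases(SAMPLE_LOG, SAMPLE_KEYTOOL))
```

An alias reported here is a CA the server is currently not trusting; deleting that alias silences the message but leaves the CA untrusted.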


15 comments:

Bob Speck February 26, 2014 at 11:26 pm

I am running WebLogic Server 10.3.6.0 and still having the error running JDK 1.6.0_21.

Patrick Sinke March 14, 2014 at 11:18 pm

Hello Bob, thanks for your reply.
When scanning through our logs, I also find the error is still there in 10.3.6. So I have to do some further investigations myself here. When I find a solution, I’ll update this post and let you know.

Bob Speck May 1, 2014 at 11:49 pm

Hi Patrick,
I was searching for a solution (still have not found one), and came across this page. Any luck with tracking down how to fix this?

Patrick Sinke May 22, 2014 at 10:48 am

Hello Bob,

There are a few possible solutions I came across (but was not able to try yet). Try one of the following:
1) Select your server in the WebLogic Console -> SSL -> Advanced -> set “Enable JSSE” to true. Restart your WebLogic.
2) Replace the trust store file of \jdk\jre\lib\security\cacerts with one from an earlier JDK (Oracle Doc ID 952078.1).
3) Check the contents of the keystore file by issuing the following command: keytool -list -keystore .keystore
Delete the invalid certificates with: keytool -delete -alias mydomain -keystore keystore.jks

Let me know which solution worked for you!

Kshitij July 3, 2014 at 2:17 pm

Thanks Patrick. This is a perfect solution.

Jeff Morris November 13, 2014 at 5:59 am

Awesome! #1 worked like a charm.

Santhoshi October 29, 2015 at 9:04 pm

Thanks a lot, I tried option #1 and it worked for me.

Tanveer May 26, 2016 at 7:00 pm

The first option worked for this issue.

omar mendez May 21, 2014 at 2:15 pm

Hi,

I have the same problem just now.
I have an HTTPS web service client that works using Java, but when we put the code in OWLS 10.3.6 we get the error above. Have you found a solution for this?

Patrick Sinke May 22, 2014 at 10:49 am

Hi Omar, please check my response to Bob Speck. Hopefully one of the possible solutions works for you.

yoborider April 24, 2015 at 10:12 am

Select your Server in the Weblogic Console -> SSL -> Advanced -> set “Enable JSSE” to true. Restart your weblogic.

Equivalent:

Starting WebLogic with the additional param
-Dweblogic.ssl.JSSEEnabled=true

Prashant Goel June 10, 2016 at 6:53 am

Hi All,

I am using WebLogic version 10.3.6 but I am still getting the same error as below:

Can someone please help me here?

cyberflow July 6, 2016 at 9:16 am

Hi All,

I discovered that WLS 10.3.6 is loading the trusted store twice. On the first access the setting “JSSE enabled” from the domain configuration is not active and therefore the message “Ignoring the trusted CA certificate” is logged. A few seconds later (after the domain configuration is loaded) the trusted store is loaded again, and the message “Ignoring the trusted CA certificate” is not logged again. Setting -Dweblogic.ssl.JSSEEnabled=true will fix the “first access” message.

Patrick Sinke July 6, 2016 at 9:57 am

Thanks for sharing!

Guest February 7, 2017 at 7:26 pm

Thanks for sharing.
The below change worked!
1) Select your Server in the Weblogic Console -> SSL -> Advanced -> set “Enable JSSE” to true. Restart your weblogic.
