Ignoring the trusted CA certificate warnings when connecting to Node Manager using WLST nmConnect()

Symptoms

When using Weblogic Scripting Tool (WLST) nmConnect() to connect to the node manager, notice warnings are seen for unsupported certificates (after running setWLSEnv.cmd or .sh)

Connecting to Node Manager ...
CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object:
1.2.840.113549.1.1.11.>
<Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
Successfully Connected to Node Manager.

Steps

The issue can be reproduced at will with the following steps:

1. Start node manager
2. Open a command line window (or terminal window) and run setDomainEnv.cmd (or .sh)
3. Run java weblogic.WLST
4.nmConnect('weblogic','weblogic1','test.comain.com','5556','testDomain','D:\Oracle\Middleware\user_projects\domains\testDomain','plain')

Cause

This is caused because of Certicom which is WLS default SSL implementation until Oracle Weblogic Server 10.3.5, does not support sha256WithRSAEncryption based certificates. Due to this reason, some certificates with that algorithm as signature are ignored and thus, the reason why those warnings are seen.

Solutions

Solution 1:
You can make a copy of cacerts file before removing these trusted certificates. First you need to find out alias for each of these certificates it is complaining.

keytool -list -keystore cacerts -v

(If it prompts for password, the default password is changeit most of the times). For each of the certificate it is complaining, find the alias name from output of above command and execute following command

keytool -delete -keystore cacerts -alias keynectisrootca

(When it prompt for the password, the default password is changeit)" This took care of the notice warnings on invalid certs. For example. 

After running the setWLSEnv.cmd (or .sh, changed the directory to JAVA_HOME%\jre\lib\security, made a backup copy of cacerts and ran the scripts:

1. List out certificates to match them with unsupported ones (default password is changeit):

keytool -list -keystore cacerts -v > certlist.txt

This must be done in a command window that is started with "Run as Administrator" or the file cannot be read/updated. Redirect this to a file, as the output is large and can overflow cmd window buffer. You can search the certlist file for the owner CN or OU and get the alias name for the cert that precedes it. For example:

Alias name: ttelesecglobalrootclass3ca
Creation date: Feb 10, 2009
Entry type: trustedCertEntry

Owner: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE
Issuer: CN=T-TeleSec GlobalRoot Class 3, OU=T-Systems Trust Center, O=T-Systems Enterprise Services GmbH, C=DE

These five notice warnings correspond to these aliases:
ttelesecglobalrootclass3ca
ttelesecglobalrootclass2ca
globalsignr3ca
secomscrootca2
keynectisrootca

2. Then, use these commands to remove the unsupported certificates from the keystore (default password is changeit):

keytool -delete -keystore cacerts -alias ttelesecglobalrootclass3ca
keytool -delete -keystore cacerts -alias ttelesecglobalrootclass2ca
keytool -delete -keystore cacerts -alias globalsignr3ca
keytool -delete -keystore cacerts -alias secomscrootca2
keytool -delete -keystore cacerts -alias keynectisrootca

If you then connect to the node manager with nmConnect, no warnings occur.

Solution 2:

You can enable the JSSE SSL provider instead of Certicom to support the SHA256 algorithm. To enable JSSE, modify the startNodeManager script and add this java option to the JAVA_OPTIONS variable:

-Dweblogic.security.SSL.enableJSSE=true

This correction would also reduce log file occurrences of the same notice warning messages. Most likely within the node manager log file. There is potential that other processes that communicate with the node manager or when more parts of the WLS/FMW environment are configured to run on SSL ports that similar reduction in certificate warning messages would be reduced by this procedure.

Additionally, add the following line to the nodemanager.properties file:

CipherSuite=SSL_RSA_EXPORT_WITH_RC4_40_MD5

If later patchsets are applied that up-rev the JVM, the procedure most likely will need to be repeated.