How to Renew the Expired DemoIdentity Certificate in WebLogic
Error
The DemoIdentity certificate has expired and the following messages appear in the server logs:
<Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the kss keystore file kss://system/demoidentity.>
<Alert> <Security> <BEA-090154> <Identity certificate has expired:
Solution:
1. Log in to the Enterprise Manager (EM) console.
2. Navigate to the domain, <domain name> [e.g. base_domain].
3. Open the WebLogic Domain drop-down -> Security -> Keystore.
4. Expand the system folder.
5. Select demoidentity -> click Manage.
6. When prompted for the keystore password, enter DemoIdentityKeyStorePassPhrase.
7. The Manage Certificates page opens.
8. Select the existing, expired 'DemoIdentity' certificate -> click Delete.
(NOTE: click the refresh button at the top right to see the change.)
9. When prompted for the key password, enter DemoIdentityPassPhrase.
10. Click Generate Keypair.
11. Provide the same information as before (substitute your own domain name for base_domain):
Alias name: DemoIdentity
Subject Name: DemoCertFor_base_domain
Password: DemoIdentityPassPhrase
12. A new self-signed certificate is created under the DemoIdentity alias.
The new key pair now exists only in the KSS (OPSS) keystore, so it must be synchronised to the local keystores.xml file under $DOMAIN_HOME/config/fmwconfig/ before the servers will use it.
Note: back up the domain before changing it; the procedure does not strictly require a backup, but it is the only way to roll back a bad sync. Keep in mind that the keystore and key passwords above are the publicly documented WebLogic demo values and the certificate is self-signed, so the DemoIdentity keystore is only suitable for development and test environments; production listeners should use a CA-issued certificate in a keystore with its own passwords.
1. Navigate to $ORACLE_HOME/oracle_common/common/bin.
2. Launch wlst.sh, connect to the Admin Server and run the syncKeyStores command for the system stripe. Connecting over t3s:// (the SSL port) or the administration port avoids the insecure-protocol warning seen in the session below.
Example below:
bash$ ./wlst.sh
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> connect()
Please enter your username :<username>
Please enter your password :
Please enter your server URL [t3://localhost:7001] :t3://<admin hostname>:<admin port>
Connecting to t3://<admin hostname>:<admin port> with userid <username> ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "base_domain".
Warning: An insecure protocol was used to connect to the server.
To ensure on-the-wire security, the SSL port or Admin port should be used instead.
wls:/base_domain/serverConfig/> syncKeyStores(appStripe='system', keystoreFormat='KSS')
Location changed to domainRuntime tree. This is a read-only tree
with DomainMBean as the root MBean.
Keystore sync successful.
3. Restart the Admin Server, then the managed server(s).
NOTE: In a multi-node domain, run the same WLST syncKeyStores steps on each remote host so that its local keystores.xml is updated too.
Before starting the Node Manager on a remote host, start a managed server manually once so that its $DOMAIN_HOME, including the Admin Server's keystores.xml, is synchronised.
For example: $DOMAIN_HOME/bin/startManagedWebLogic.sh <SERVER_NAME> <ADMIN_URL>
4. Verify that the BEA-090154 alert no longer appears in the logs and that the SSL listeners are up and serving the new certificate.