IBM Support

SSL exception when connecting to Oracle Weblogic

Troubleshooting


Problem

When using the Configuration Manager tool in FileNet Content Engine to connect to an Oracle Weblogic 10.x Application Server that requires SSL, a "Destination Unreachable java.net.ssl.SSLKeyException" error is displayed.

Symptom

After filling in the required connection properties and checking "Use SSL certificates for server communications" in the Edit Application Server Properties window for Configuration Manager, the following message is displayed:


Connection error : t3s://<server>:<port>:Destination Unreachable java.net.ssl.SSLKeyException Certificate chain received from <Server> was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior) and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client; No available router to destination.

Resolving The Problem

  1. Log on to the Oracle Weblogic Application Server console.

  2. Access the Properties of the Weblogic Server where FileNet Content Engine is deployed. The Configuration -> Keystores tab displays the identity and trust keystores currently configured. If SSL is enabled in the Weblogic Application Server, the certificate currently configured will be in the identity store.

  3. Export the SSL certificate from the identity keystore and add it to the trusted CA keystore of the JRE that is used by Configuration Manager, located by default in:

    <Content_Engine_Install_Dir>\_cejvm\jre\lib\security\cacerts

    Below is an example of how to export the SSL certificate. The exact location of the keystore file depends on the setting for identity keystores in the Weblogic console.

    To export the certificate:

    %JAVA_HOME%/bin/keytool -export -file <certfile> -alias <name> -keystore <keystore_path>
  • <certfile> - filename for the exported certificate
  • <name> - the certificate alias as indicated in the Weblogic console : Configuration -> SSL -> Private Key Alias
  • <keystore_path> - the keystore location as indicated in the Weblogic console : Configuration -> Keystores -> Custom Identity Keystore

    Add the exported certificate to the Truststore for the private JRE used by Configuration Manager :

    %JAVA_HOME%/bin/keytool -import -file <certfile> -alias <name> -keystore <keystore_path>
  • <certfile> - filename that contains the exported certificate
  • <name> - the certificate alias specified during export (may also use a different label)
  • <keystore_path> - the path to the cacerts keystore used by Configuration Manager, by default <Content_Engine_Install_Dir>\_cejvm\jre\lib\security\cacerts

After the certificate is imported, test the connection to the application server in Configuration Manager.
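
The export and import steps above, followed by a check that the entry now in cacerts is the certificate that was exported, as an added example for a POSIX shell (not IBM's or Oracle's own script). The function names, the `FP_ALGO` variable, the `.bak` backup copy and the sample keytool output are assumptions of this example; it also assumes `keytool` is on the PATH.

```shell
#!/bin/sh
# Added example, not IBM or Oracle code. Function names, the .bak copy and the
# sample output are assumptions; keystore paths and the alias are the caller's.

# Constructed sample of `keytool -printcert` output (not a real certificate).
SAMPLE_KEYTOOL_OUTPUT='Owner: CN=wls.example.test
Issuer: CN=wls.example.test
Certificate fingerprints:
     SHA1: 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D
     SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# Print one fingerprint (default SHA256) found in keytool output read from stdin.
cert_fingerprint() {
    algo=${1:-SHA256}
    sed -n "s/^[[:space:]]*${algo}:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p" | head -n 1
}

# Strip separators and upper-case, so differently formatted digests compare equal.
norm_fp() { printf '%s' "$1" | tr -d ': \t' | tr 'a-f' 'A-F'; }

# Succeed only when both fingerprints are non-empty and identical.
same_fingerprint() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Export from the identity keystore, import into the truststore, then confirm
# the truststore entry is the certificate that was exported.
trust_weblogic_cert() {
    identity_ks=$1; cert_alias=$2; certfile=$3; truststore=$4
    algo_name=${FP_ALGO:-SHA256}   # set FP_ALGO=SHA1 if keytool prints no SHA256 line
    cp -p "$truststore" "$truststore.bak" || return 1   # rollback copy of cacerts
    keytool -export -file "$certfile" -alias "$cert_alias" -keystore "$identity_ks" || return 1
    exported=$(keytool -printcert -file "$certfile" | cert_fingerprint "$algo_name")
    echo "Exported certificate $algo_name fingerprint: $exported"
    keytool -import -file "$certfile" -alias "$cert_alias" -keystore "$truststore" || return 1
    imported=$(keytool -list -v -alias "$cert_alias" -keystore "$truststore" |
        cert_fingerprint "$algo_name")
    if ! same_fingerprint "$exported" "$imported"; then
        echo "Truststore entry '$cert_alias' does not match $certfile" >&2
        return 2
    fi
    echo "Truststore entry '$cert_alias' matches the exported certificate"
}

# Usage: sh trust_cert.sh <identity_keystore> <alias> <certfile> <cacerts_path>
if [ "$#" -eq 4 ]; then trust_weblogic_cert "$@"; fi
```

keytool prompts for each keystore's password as the commands run.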

Document Information

More support for:
FileNet P8 Platform

Software version:
5.2, 5.1, 5.0

Operating system(s):
Windows, AIX, HP-UX, Linux, Solaris

Document number:
154395

Modified date:
17 June 2018

UID

swg21473936