2011-02-08

X509CertChainInvalidErr

SSL Handshake Error In Discoverer Plus With JInitiator After Verisign Certificate Renewal [ID 946034.1]
-- Problem Statement:
Since renewal of the SSL certificate (Verisign), unable to connect in SSL mode to Discoverer Plus using JInitiator.


Error in the Java Console:
java.io.IOException: javax.net.ssl.SSLException: SSL handshake failed: X509CertChainInvalidErr

Even the latest versions of JInitiator, 1.3.1.29 and 1.3.1.30, fail.

The failure occurs only when running Discoverer with JInitiator, not when using the Sun Java Plug-in.

The new Verisign certificate has an intermediate certificate (Verisign Class 3 Secure Server CA), which has been implemented in the same Oracle Wallet as the server certificate.


Changes

SSL has been implemented or the server certificate has been renewed with Verisign.

Cause

Verisign started signing its certificates with a new key from 17 May 2009 onwards. This is explained in the following document by Verisign:

The new certificates do not work for JInitiator unless manually imported into certdb.txt.

This has been logged as bug
Bug:8717513 X509CERTCHAININVALIDERR WITH VERISIGN CERTIFICATE AFTER 17 MAY 2009


Solution

-- To implement the solution, please execute the following steps:
Bug:8717513 is under investigation by Development.

Until a fix is available, one of the following workarounds can be used:

1. Import the intermediate certificate into certdb.txt for JInitiator, following
Note 372800.1 How to Implement an SSL CA Root Certificate in JInitiator,

OR 

2. Use the Sun Java Plug-in.

We recommend using the Sun Java Plug-in, as Oracle JInitiator is nearing the end of its life cycle.
Ref.:
Note 761159.1 Oracle JInitiator - 1.3 1.
Note 465234.1 Recommended Client Java Plug-in (JVM/JRE) For Discoverer Plus 10g (10.1.2).
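
One way to confirm that workaround 1 took effect on a client, as an added example that is not part of the original note or of Oracle's tooling: it compares certificates by the SHA-256 of their decoded bytes, so a copy that was re-wrapped or saved with CRLF line endings still matches. It assumes certdb.txt stores certificates as Base64 PEM blocks (not stated on this page); the function names are hypothetical and the sample byte strings are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block; tolerant of CRLF and uneven line wrapping.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def der_fingerprints(text):
    """Return the SHA-256 fingerprint of every certificate block in text."""
    prints = []
    for body in PEM_BLOCK.findall(text):
        # Strip all whitespace so re-wrapped or CRLF-edited copies still match.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def missing_from_store(store_text, required_pem):
    """Fingerprints of certificates in required_pem that the store lacks."""
    present = set(der_fingerprints(store_text))
    return [fp for fp in der_fingerprints(required_pem) if fp not in present]


def pem_wrap(der, width=64, newline="\n"):
    """Wrap bytes as a PEM block (helper for the constructed samples below)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""]
    )


# Constructed placeholder bytes, NOT real certificates: only byte equality matters.
ROOT = b"constructed-root-ca-placeholder" * 4
INTERMEDIATE = b"constructed-intermediate-ca-placeholder" * 4

STORE_BEFORE = pem_wrap(ROOT)
# Same store after the import, saved by a Windows editor with different wrapping.
STORE_AFTER = pem_wrap(ROOT) + pem_wrap(INTERMEDIATE, width=76, newline="\r\n")

if __name__ == "__main__":
    for label, store in (("before", STORE_BEFORE), ("after", STORE_AFTER)):
        missing = missing_from_store(store, pem_wrap(INTERMEDIATE))
        print(label, "import:", "intermediate MISSING" if missing else "intermediate present")
```

On a real client, pass the contents of certdb.txt as `store_text` and the exported intermediate certificate as `required_pem`; an empty result means the import is in place.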
