Sunday, 3 September 2023

Renew Expired Demo Identity Certificate in FMW12.2

 

Issue Reported - The WLS Admin Server startup hangs forever, with a warning message that the DemoIdentity certificate has expired.

Assumption - The certificate expired on 10 Dec 2022.

Resolution - A quick workaround in this case is:

  1. Stop all products running on that machine.
  2. Back up the domain and the Oracle Home.
  3. Change the date on the machine to a date before the expiry, for example 16 Oct 2022.
  4. The Admin Server now starts and the EM console can be accessed.
  5. Change the date on the machine back to the current date.
  6. Log in to the EM console and renew the DemoIdentity certificate with the steps below.
  7. Run the syncKeyStores WLST command to sync the system KSS keystore.
  8. Restart all WebLogic services.

Moving the clock back is only safe while everything else on the host is stopped (step 1); any other software that validates certificates, tickets or timestamps will misbehave while the date is wrong. Keep in mind that the DemoIdentity keystore, its alias and both of its passphrases are well-known WebLogic defaults intended for development and testing; production listeners should use a CA-issued certificate in their own keystore rather than a renewed demo certificate.

Steps to create a new KSS DemoIdentity certificate

  • Log in to the EM console.
  • Navigate to <domain name> [ eg :- base_domain ].
  • Click the WebLogic Domain drop-down -> Security -> Keystore.
  • Expand the system folder.
  • Select demoidentity -> click Manage.
  • It prompts for a password; enter the keystore password DemoIdentityKeyStorePassPhrase.

  • The Manage Certificates page opens. Note down the certificate details, i.e. the alias, subject and expiry date [ in this example DemoIdentity:   CN=DemoCertFor_forms_domain, October 16, 2022; the CN always contains your own domain name ].
  • Select the expired DemoIdentity certificate -> select Delete.
  • It asks for the key password -> enter DemoIdentityPassPhrase.
  • Click Generate Keypair.
  • Provide the same information as before:
                Example      :  Subject Name CN=DemoCertFor_base_domain
                Password as : DemoIdentityPassPhrase

        A new self-signed certificate is now listed in the keystore.

  • Now sync the KSS store information to the keystores.xml file located under $DOMAIN_HOME/config/fmwconfig/; the servers read the demo identity from this file at startup, so the regenerated certificate is not used until it is synced.
  • Navigate to $ORACLE_HOME/oracle_common/common/bin.
  • Launch wlst.sh (wlst.cmd on Windows) and run the syncKeyStores command to sync the system KSS keystore:
E:\Middleware\Oracle_Home\oracle_common\common\bin> wlst.cmd
wls:/offline> connect()
Please enter your username :weblogic
Please enter your password :
Please enter your server URL [t3://localhost:7001] :
Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "adf_domain".
wls:/adf_domain/serverConfig/> syncKeyStores(appStripe='system', keystoreFormat='KSS')
Location changed to domainRuntime tree. This is a read-only tree
with DomainMBean as the root MBean.
For more help, use help('domainRuntime')
Keystore sync successful.

  • Restart all Weblogic Services
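The EM console steps above (delete the expired entry, generate a new keypair, sync the KSS store) can also be scripted so that the same renewal is repeatable on every domain. The script below is an added example and not part of the original post. It assumes the WebLogic default passphrases shown above, the 12.2 KSS layout (stripe system, keystore demoidentity, alias DemoIdentity) and the OPSS KeyStoreService WLST commands getKeyStoreCertificates, deleteKeyStoreEntry and generateKeyPair, plus connect(url=...) prompting for credentials; check these against the WLST reference of your release. The days_left and demo_dn helpers are plain Python and work outside WLST; renew only runs inside wlst.sh / wlst.cmd against a running Admin Server.

```python
# renew_demoidentity.py -- added example, not from the original post.
# Usage inside WLST:
#   wlst.sh renew_demoidentity.py <domain_name> <admin_url>         show the current certificate only
#   wlst.sh renew_demoidentity.py <domain_name> <admin_url> renew   delete, regenerate and sync
#   wlst.sh renew_demoidentity.py days "October 16, 2022"           offline check of the date noted in EM
from __future__ import print_function   # WLST in FMW 12.2 runs Jython 2.7
import datetime
import sys

# KSS location of the demo identity in FMW 12.2 and the WebLogic default passphrases
# (assumptions taken from the procedure above; adjust if your domain differs).
STRIPE = 'system'
KEYSTORE = 'demoidentity'
ALIAS = 'DemoIdentity'
KEYSTORE_PASS = 'DemoIdentityKeyStorePassPhrase'   # keystore password
KEY_PASS = 'DemoIdentityPassPhrase'                # key password


def demo_dn(domain_name):
    """Subject DN WebLogic uses for the demo identity certificate of a domain."""
    return 'CN=DemoCertFor_%s' % domain_name


def days_left(expiry_text, today=None):
    """Days until the expiry date as printed on the EM Manage Certificates page
    (e.g. 'October 16, 2022'); negative means already expired.
    today is an optional 'YYYY-MM-DD' string, defaulting to the current date."""
    not_after = datetime.datetime.strptime(expiry_text.strip(), '%B %d, %Y').date()
    if today is None:
        now = datetime.date.today()
    else:
        now = datetime.datetime.strptime(today, '%Y-%m-%d').date()
    return (not_after - now).days


def renew(domain_name, admin_url, do_renew=False):
    """Print the current DemoIdentity certificate and, if do_renew, replace it and sync.

    Uses WLST/OPSS builtins (connect, getOpssService, syncKeyStores, disconnect),
    so it only works when executed by wlst.sh / wlst.cmd.
    """
    connect(url=admin_url)                 # WLST prompts for username and password
    svc = getOpssService(name='KeyStoreService')

    # Record what is about to be replaced (subject, validity) in the WLST output.
    print(svc.getKeyStoreCertificates(appStripe=STRIPE, name=KEYSTORE,
                                      password=KEYSTORE_PASS, alias=ALIAS))
    if not do_renew:
        disconnect()
        return

    # Same order as the EM console steps: remove the expired entry, then generate
    # a fresh self-signed keypair under the same alias and subject.
    svc.deleteKeyStoreEntry(appStripe=STRIPE, name=KEYSTORE, password=KEYSTORE_PASS,
                            alias=ALIAS, keypassword=KEY_PASS)
    svc.generateKeyPair(appStripe=STRIPE, name=KEYSTORE, password=KEYSTORE_PASS,
                        dn=demo_dn(domain_name), keysize='2048',
                        alias=ALIAS, keypassword=KEY_PASS)

    # Push the regenerated entry to $DOMAIN_HOME/config/fmwconfig/keystores.xml.
    syncKeyStores(appStripe=STRIPE, keystoreFormat='KSS')
    disconnect()
    print('DemoIdentity regenerated and synced; restart all WebLogic servers now.')


if __name__ in ('__main__', 'main'):      # WLST sets __name__ to 'main', CPython to '__main__'
    if len(sys.argv) == 3 and sys.argv[1] == 'days':
        print('%d days until expiry (negative = expired)' % days_left(sys.argv[2]))
    elif len(sys.argv) >= 3:
        renew(sys.argv[1], sys.argv[2],
              do_renew=(len(sys.argv) > 3 and sys.argv[3] == 'renew'))
    else:
        print('usage: wlst.sh renew_demoidentity.py <domain_name> <admin_url> [renew]')
```

The script never accepts passwords on the command line: the keystore passphrases are the fixed WebLogic defaults and the Admin Server credentials are prompted for by connect(). Run it first without the renew argument and read the printed certificate, so that the alias and subject you are about to delete are recorded before anything changes.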


If Using OHS  

Update the "<OHS_INSTANCE_NAME>_default" keystore in the "OHS" stripe, which is the keystore Oracle HTTP Server (OHS) uses.


1. Launch Fusion Middleware Control. (http://<HOSTNAME>:<PORT>/em)

2. From the "WebLogic Domain" menu, select "Security" then "Keystore".

3. Select the "<OHS_INSTANCE_NAME>_default" keystore in the "OHS" stripe.             Example --> ohs1_default

  If the "OHS" stripe does not exist, create the "OHS" stripe before this step.
  If "<OHS_INSTANCE_NAME>_default" does not exist under the "OHS" stripe,
create "<OHS_INSTANCE_NAME>_default".

4. Click Manage.

5. If the "democert" alias exists, select it and delete it.

6. Click "Generate Keypair" to generate a private/public key pair with the following parameters.

  a. Alias : "democert"
  b. Common name : "localhost"   (this is a demo certificate; browsers will warn unless the common name matches the host name clients use)

7. Select <OHS_INSTANCE_NAME> under HTTP Server in the Target Navigation pane.

8. Navigate to [Oracle HTTP Server] -> [Security] -> [Keystore].

9. Click "Lock and Edit", then select the "<OHS_INSTANCE_NAME>_default" keystore.

10. Click "Export Keystore to Wallet", then "Activate Changes", and restart the OHS instance so that it picks up the exported wallet.
