Summary
This technote resolves for the BEA Weblogic startup error of "Inconsistent security configuration, java.lang.Exception: Cannot read private key from file"
Error Log Example:
<000297> java.lang.Exception: Cannot read private key from file /usr/local/bea/weblogic70 0/server/bin/sol8rlecsts_testcertificates_com-key.der. Make sure password specified in environment property weblogic.management.pkpassword is valid. at weblogic.security.service.SSLManager.getServerPrivateKey(SSLManager.java:436) at weblogic.t3.srvr.SSLListenThread.(SSLListenThread.java:153) at weblogic.t3.srvr.SSLListenThread.(SSLListenThread.java:122) at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1548) at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:891) at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:300) at weblogic.Server.main(Server.java:32) <090034> <000354>
Steps to resolve this problem:
-
If the private key is encrypted, convert the key to PEM format using the
java utils der2pem
command and modify the header as follows:
----------BEGIN ENCRYPTED PRIVATE KEY---------- ... -----------END RSA PRIVATE KEY---------------------
If the private key is not in PEM format, you receive the following exception:
java.lang.Exception:Cannot read private key from file C:\bea700sp5\user_proects\mydomain\privatkey.der Make sure password specified in environment property weblogic.management.pkpassword is valid.
If the private key is unencrypted, use the java utils der.2pem command and modify the header as follows:
----------BEGIN RSA PRIVATE KEY---------- ... ----------END RSA PRIVATE KEY----------
Check to see if the digital certificate has an extra line at the end of the file. The following should be the last line of the certificate file:
-
----------END CERTIFICATE----------
If the existing private key is not password protected, you do not need to specify the weblogic.management.pkpassword argument when starting the server.
When configuring the SSL protocol in the WebLogic Server Administration Console, note that the Key Encrypted attribute is not used to dictate whether or not the private key is password encrypted. The attribute is irrelevant if a password is not used for the private key passphrase.
If you want to import the converted private key and digital certificate into a keytore, use
java utils.ImportPrivateKey
.
If you have any questions or concerns please contact the
Entrust Certificate Services Support
department for further assistance:
Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
NOTE: Smart Phone users may use the 1-800 numbers shown in the table below.
Otherwise, it is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.
Country | Number |
Australia |
0011 - 800-3687-7863
1-800-767-513 |
Austria | 00 - 800-3687-7863 |
Belgium | 00 - 800-3687-7863 |
Denmark | 00 - 800-3687-7863 |
Finland |
990 - 800-3687-7863 (Telecom Finland)
00 - 800-3687-7863 (Finnet) |
France | 00 - 800-3687-7863 |
Germany | 00 - 800-3687-7863 |
Hong Kong |
001 - 800-3687-7863 (Voice)
002 - 800-3687-7863 (Fax) |
Ireland | 00 - 800-3687-7863 |
Israel | 014 - 800-3687-7863 |
Italy | 00 - 800-3687-7863 |
Japan |
001 - 800-3687-7863 (KDD)
004 - 800-3687-7863 (ITJ) 0061 - 800-3687-7863 (IDC) |
Korea |
001 - 800-3687-7863 (Korea Telecom)
002 - 800-3687-7863 (Dacom) |
Malaysia | 00 - 800-3687-7863 |
Netherlands | 00 - 800-3687-7863 |
New Zealand |
00 - 800-3687-7863
0800-4413101 |
Norway | 00 - 800-3687-7863 |
Singapore | 001 - 800-3687-7863 |
Spain | 00 - 800-3687-7863 |
Sweden |
00 - 800-3687-7863 (Telia)
00 - 800-3687-7863 (Tele2) |
Switzerland | 00 - 800-3687-7863 |
Taiwan | 00 - 800-3687-7863 |
United Kingdom |
00 - 800-3687-7863
0800 121 6078 +44 (0) 118 953 3088 |