Oracle® Fusion Middleware Troubleshooting Guide for Oracle Mobile Security Suite
Release 3.0.1

Part Number E51929-03

8 Certificate Troubleshooting

This chapter describes how to troubleshoot the Windows certificate store API.

This chapter contains the following sections:

8.1 Windows CryptoAPI Certificate Store Issues

If the Microsoft Windows CryptoAPI (CAPI) certificate store is misconfigured or is missing a certificate, look for the following hints and initialization messages in the log file when troubleshooting:

    Server should be SSL-aware but has no certificate from windows CAPI configured [Hint: SSLCAPIEngine requires SSLCertificateCN]

    Init: Check that your certificate template is correct and can support your configured SSL protocol
    Init: Private key not found
    SSL Library Error: error:89067067:lib(137):CAPI_GET_KEY:cryptacquirecontext error (Error code= 0x0)
    SSL Library Error: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key

8.2 Service Account Not Installed

If the service account that is used to start Mobile Security Access Server or Mobile Security Administrative Console is not installed with IIS, proceed as follows:

  1. Verify that the certificate is in the service account's certificate store.

  2. Verify that the certificate is in the computer certificate store and that the service account has permission to access the private key.

    1. In some versions of Windows, administrator privileges are required.

    2. Use the MMC console with the Certificates snap-in. Right-click the certificate and select Manage Private Keys to give permission to the service account.

  3. Verify that the subject name of the certificate matches what was specified in the installation. In httpd.conf, check the following lines:

    AuthBMAXSSLCertificateKeyFile nofips p11 capi MY "" <CERT_COMMON_NAME:> cn
    
    SSLCertificateFile <CERT_COMMON_NAME:>
    
  4. Verify that the Microsoft Enhanced RSA and AES Cryptographic Provider is being used. This provider is required when certificates are stored in the Windows certificate store. Microsoft Web server certificate templates can be modified to include the Microsoft Enhanced RSA and AES Cryptographic Provider.
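
The checks in steps 2 through 4 can be scripted for the computer certificate store. The following is an added example, not part of the Oracle documentation; it assumes Windows PowerShell 5.1 in an elevated session, and the common name and service account shown are placeholders to replace with your own values.

```powershell
# Added example: checks steps 2-4 for a certificate in the computer store.
# The default parameter values are placeholders (assumptions), not values from this guide.
param(
    [string]$CommonName     = 'gateway.example.com',
    [string]$ServiceAccount = 'EXAMPLE\svc-omss'
)

# Step 3: find certificates in LocalMachine\My whose subject CN matches exactly.
$pattern = 'CN=' + [regex]::Escape($CommonName) + '(,|$)'
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate with CN=$CommonName in LocalMachine\My"
    return
}

foreach ($cert in $certs) {
    Write-Output "Thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
    if (-not $cert.HasPrivateKey) {
        Write-Warning '  No private key is associated with this certificate'
        continue
    }

    # Step 4: a CAPI key exposes CspKeyContainerInfo; a CNG key does not
    # (the PrivateKey property is empty or throws in Windows PowerShell 5.1).
    $info = $null
    try { $info = $cert.PrivateKey.CspKeyContainerInfo } catch { }
    if ($null -eq $info) {
        Write-Warning '  Key is not held by a CAPI provider (possibly a CNG key storage provider)'
        continue
    }
    Write-Output "  Provider: $($info.ProviderName)"
    if ($info.ProviderName -ne 'Microsoft Enhanced RSA and AES Cryptographic Provider') {
        Write-Warning '  Provider is not Microsoft Enhanced RSA and AES Cryptographic Provider'
    }

    # Step 2: read the ACL on the machine key file and look for the service account.
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
    $rules = (Get-Acl -Path $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow' }
    if ($rules) {
        Write-Output "  $ServiceAccount rights: $(($rules.FileSystemRights | Sort-Object -Unique) -join ', ')"
    } else {
        Write-Warning "  No explicit Allow entry for $ServiceAccount (group membership is not evaluated)"
    }
}
```

The script only reads the store and the key file ACL; granting access is still done through the Certificates snap-in as described in step 2.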

If none of the above suggestions resolves the issue, uncomment the following line in the httpd.conf file and send the resulting error logs to Oracle Support:

    #SSLCAPIEngineLog "C:/Program Files (x86)\Oracle\OMSS/gateway/logs/openssl_capi.log"