Oracle® Fusion Middleware Troubleshooting Guide for Oracle Mobile Security Suite Release 3.0.1 Part Number E51929-03
This chapter describes how to troubleshoot the Windows certificate store API.
If the Microsoft Windows CryptoAPI (CAPI) certificate store is misconfigured or is missing a certificate, use the following hints and initialization messages in the log file for troubleshooting:
    Server should be SSL-aware but has no certificate from windows CAPI configured [Hint: SSLCAPIEngine requires SSLCertificateCN]
    Init: Check that your certificate template is correct and can support your configured SSL protocol
    Init: Private key not found
    SSL Library Error: error:89067067:lib(137):CAPI_GET_KEY:cryptacquirecontext error (Error code= 0x0)
    SSL Library Error: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
If the service account that is used to start Mobile Security Access Server or Mobile Security Administrative Console is not installed with IIS, proceed as follows:
Verify the certificate is in the service account's certificate store.
Verify the certificate is in the computer certificate store and the service account has permission to access the private key.
In some versions of Windows, admin privileges are required.
Use the MMC console with the Certificates snap-in. To grant the service account access, right-click the certificate and select Manage Private Keys.
Verify that the subject name of the certificate matches what was specified in the installation. In httpd.conf, check the following lines:
    AuthBMAXSSLCertificateKeyFile nofips p11 capi MY "" <CERT_COMMON_NAME:> cn
    SSLCertificateFile <CERT_COMMON_NAME:>
Verify that Microsoft Enhanced RSA and AES Cryptographic Provider is being used. This is required when certificates are stored in the Windows certificate store. Microsoft Web server templates can be modified to include the Microsoft Enhanced RSA and AES Cryptographic Provider.
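The checks above, for a certificate held in the computer certificate store, as an added PowerShell example that is not part of the Oracle guide. It assumes Windows PowerShell 5.1 run from an elevated prompt; `$CommonName` and `$ServiceAccount` are placeholder values to replace with your own.

```powershell
# Added example. Placeholders below are assumptions, not values from the guide.
$CommonName     = 'gateway.example.com'   # placeholder: CN given at installation
$ServiceAccount = 'EXAMPLE\svc-omss'      # placeholder: account that starts the service
$RequiredCsp    = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
$KeyDir         = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$Read           = [System.Security.AccessControl.FileSystemRights]::Read

# Computer store MY: match on the subject CN, the name that must agree with httpd.conf.
$found = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $CommonName })
if ($found.Count -eq 0) {
    Write-Warning "No certificate with CN '$CommonName' in LocalMachine\My"
    return
}

foreach ($cert in $found) {
    $r = [ordered]@{
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey
        Provider       = $null
        ProviderOk     = $false
        AccountCanRead = $false
    }
    if ($cert.HasPrivateKey) {
        try {
            # Throws or returns nothing when the key is not in a legacy CSP (for example a CNG key).
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if (-not $info) { throw 'key is not held by a CAPI CSP' }
            $r.Provider   = $info.ProviderName
            $r.ProviderOk = ($info.ProviderName -eq $RequiredCsp)

            # The ACL on the key container file is what "Manage Private Keys" edits.
            $acl = Get-Acl -Path (Join-Path $KeyDir $info.UniqueKeyContainerName)
            # Explicit ACEs only: access granted through a group is not detected.
            $r.AccountCanRead = [bool]($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $ServiceAccount -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $Read) -eq $Read)
            })
        } catch {
            Write-Warning "Key check failed for $($cert.Thumbprint): $($_.Exception.Message)"
        }
    }
    [pscustomobject]$r
}
```

A row with `HasPrivateKey`, `ProviderOk` and `AccountCanRead` all `True` passes the store, provider and permission checks; to inspect the service account's own store instead, run the same query against `Cert:\CurrentUser\My` while logged on as that account.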
If none of the above suggestions resolves the issue, uncomment the following line in the httpd.conf file and send the resulting error logs to Oracle Support:
#SSLCAPIEngineLog "C:/Program Files (x86)\Oracle\OMSS/gateway/logs/openssl_capi.log"