11.12 Unable to Implement CA Certificates in Oracle Trace File Analyzer

Description: After implementing CA certificates, TFAMain starts, but running tfactl commands results in client-server SSL socket exception errors.

Cause: Combining both the intermediate.pem and server.pem files into the caroot.cert.txt file results in an Empty server certificate chain error.

Action: Split the caroot.cert.txt file into intermediate.pem and server.pem using the command openssl x509 -in cerfile.cer -noout -text, and then follow the keytool steps again.
  1. keytool -importkeystore -destkeystore server.p12 -deststoretype pkcs12 -srckeystore serverCert.pfx
  2. keytool -v -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore server_ac.jks -deststoretype JKS
  3. keytool -v -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore client_ac.jks -deststoretype JKS
  4. keytool -list -keystore client_ac.jks
    Enter keystore pswrd:  
    Keystore type: jks
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    1, Nov 30, 2021, PrivateKeyEntry, 
    Certificate fingerprint (SHA1):
    59:BA:C8:94:97:48:9C:6C:11:23:36:F9:46:A1:1C:87:67:F7:84:19
    
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore client_ac.jks -destkeystore client_ac.jks -deststoretype pkcs12".
  5. keytool -list -keystore server_ac.jks
    Enter keystore pswrd:  
    Keystore type: jks
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    1, Nov 30, 2021, PrivateKeyEntry,
    Certificate fingerprint (SHA1):
    59:BA:C8:94:97:48:9C:6C:11:23:36:F9:46:A1:1C:87:67:F7:84:19
    
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server_ac.jks -destkeystore server_ac.jks -deststoretype pkcs12".
  6. keytool -import -v -alias server-ca -file server.cert.pem -keystore client_ac.jks
  7. keytool -import -v -alias client-ca -file server.cert.pem -keystore server_ac.jks
  8. keytool -importcert -trustcacerts -alias inter -file intermediate.cert.pem -keystore server_ac.jks
  9. keytool -list -keystore server_ac.jks
    Enter keystore pswrd:  
    Keystore type: jks
    Keystore provider: SUN
    
    Your keystore contains 3 entries
    
    inter, Nov 30, 2021, trustedCertEntry,
    Certificate fingerprint (SHA1):
    F6:E3:AA:60:E0:D0:80:69:12:72:06:E0:FA:62:7A:EB:54:38:11:55
    client-ca, Nov 30, 2021, trustedCertEntry,
    Certificate fingerprint (SHA1):
    59:BA:C8:94:97:48:9C:6C:11:23:36:F9:46:A1:1C:87:67:F7:84:19
    1, Nov 30, 2021, PrivateKeyEntry,
    Certificate fingerprint (SHA1):
    59:BA:C8:94:97:48:9C:6C:11:23:36:F9:46:A1:1C:87:67:F7:84:19
    
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server_ac.jks -destkeystore server_ac.jks -deststoretype pkcs12"
  10. keytool -list -keystore client_ac.jks
    Enter keystore pswrd:  
    Keystore type: jks
    Keystore provider: SUN
    
    Your keystore contains 2 entries
    
    1, Nov 30, 2021, PrivateKeyEntry,
    Certificate fingerprint (SHA1):
    59:BA:C8:94:97:48:9C:6C:11:23:36:F9:46:A1:1C:87:67:F7:84:19
    server-ca, Nov 30, 2021, trustedCertEntry,
    Certificate fingerprint (SHA1):
    59:BA:C8:94:97:48:9C:6C:11:23:36:F9:46:A1:1C:87:67:F7:84:19
    
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore client_ac.jks -destkeystore client_ac.jks -deststoretype pkcs12".
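
The split described under Action can be scripted as follows. This is an added example, not part of the Oracle documentation: it counts the certificates in a combined file such as caroot.cert.txt, writes each one to its own file, and prints subject and issuer so the server and intermediate certificates can be told apart. The function names, the script name split_bundle.sh and the cert-N.pem output names are hypothetical.

```shell
#!/bin/sh
# Added example: check and split a combined PEM file before the keytool steps.
# Function names and the cert-N.pem output names are hypothetical.

# Print the number of certificates in a PEM file. A file that should hold
# only the server or only the intermediate certificate reports exactly 1.
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Write each certificate in bundle $1 to $2/cert-1.pem, $2/cert-2.pem, ...
# Text outside the BEGIN/END markers is dropped. Prints the number written.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Show subject and issuer so the pieces can be told apart: when the
# intermediate CA issued the server certificate, the server certificate's
# issuer matches the intermediate certificate's subject.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Usage (hypothetical script name): sh split_bundle.sh caroot.cert.txt outdir
if [ "$#" -eq 2 ]; then
    total=$(split_bundle "$1" "$2")
    echo "wrote $total certificate file(s) to $2"
    i=1
    while [ "$i" -le "$total" ]; do
        echo "== $2/cert-$i.pem"
        describe_cert "$2/cert-$i.pem"
        i=$((i + 1))
    done
fi
```

Rename the resulting files to server.pem and intermediate.pem according to the subject and issuer shown, then repeat the keytool steps.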