After we enabled SSL on all the WebLogic machines in our environment (multiple hosts), we enabled the administration port for our domain:

The domain-wide administration port enables you to start a WebLogic Server instance in STANDBY state. It also allows you to separate administration traffic from application traffic in your domain. Because all servers in the domain must enable or disable the administration port at once, you configure the default administration port settings at the domain level. If you enable the administration port:
The administration port accepts only connections that specify administrator credentials. Connections that specify administrator credentials can use only the administration port. Because the administration port uses SSL, enabling the administration port requires that SSL must be configured for all servers in the domain. (source: WebLogic console)

Everything started up fine; however, in the WebLogic log files of every managed server we saw the following message:


<Warning> <Server> <server2> <rbx_dev_wls_01> <[STANDBY] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1322835992044> <BEA-090504> <Certificate chain received from server1.rubix.local - 10.0.0.11 failed hostname verification check. Certificate contained server1 but check expected server1.rubix.local>

<Notice> <WebLogicServer> <server2> <rbx_dev_wls_01> <main> <<WLS Kernel>> <> <> <1322835992137> <BEA-000365> <Server state changed to RUNNING>

<Notice> <WebLogicServer> <server2> <rbx_dev_wls_01> <main> <<WLS Kernel>> <> <> <1322835992153> <BEA-000360> <Server started in RUNNING mode>

<Warning> <Log Management> <server2> <rbx_dev_wls_01> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1322835996646> <BEA-170011> <The LogBroadcaster on this server failed to broadcast log messages to the admin server. The Admin server may not be running. Message broadcasts to the admin server will be disabled.>

The CN value of all our SSL certificates is based on the base hostname of the server. In this case the admin server runs on server1 and the managed server on server2. The managed server performs an SSL hostname verification, and this fails because server1 is trying to communicate with server2 over the channel server1.rubix.local, but the managed server receives an identity based on CN=server1.

We needed to override WebLogic so that it uses the server1 communication channel instead of the server1.rubix.local channel, which it tries to use by default. This could be easily fixed by going to the WebLogic console and checking the Listen Address of each managed server and the admin server.

I’ve seen more problems with WebLogic environments (also on Windows) where the Listen Address is not configured. For me, that is reason enough to make it a best practice to always configure the Listen Address with a fixed value.
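To see which servers log the BEA-090504 warning shown above, and whether each case is the short-name versus FQDN mismatch described here or a certificate issued for an unrelated name, the log lines can be parsed as follows. This is an added example, not part of the original post; the function names, the classification labels, the optional `####<timestamp>` prefix handling and the second sample record are assumptions made for the illustration.

```python
import re

# First four fields of a WebLogic server-log record. The leading ####<timestamp> is
# optional because the excerpt in this post starts at the severity field.
HEADER = re.compile(r"^(?:####<[^<>]*> )?<[^<>]*> <[^<>]*> <(?P<machine>[^<>]*)> <(?P<server>[^<>]*)>")
# Message text of BEA-090504 as it appears in the log excerpt above.
BEA_090504 = re.compile(
    r"<BEA-090504> <Certificate chain received from (?P<peer>\S+) - (?P<ip>\S+) failed hostname "
    r"verification check\. Certificate contained (?P<cert>\S+) but check expected (?P<expected>[^\s>]+)>")

def classify(cert_name, expected):
    """'short-vs-fqdn' when one name is only the first label of the other, else 'different-host'."""
    c, e = cert_name.lower(), expected.lower()
    if e.split(".")[0] == c or c.split(".")[0] == e:
        return "short-vs-fqdn"   # naming / Listen Address mismatch, as in this post
    return "different-host"      # certificate was issued for another name: check it first

def find_mismatches(lines):
    """Return one finding per BEA-090504 record, tagged with the server that logged it."""
    findings = []
    for line in lines:
        m = BEA_090504.search(line)
        if not m:
            continue
        head = HEADER.match(line)
        findings.append({
            "logged_by": head.group("server") if head else None,
            "peer": m.group("peer"), "peer_ip": m.group("ip"),
            "cert_name": m.group("cert"), "expected": m.group("expected"),
            "kind": classify(m.group("cert"), m.group("expected")),
        })
    return findings

PREFIX = (
    "<Warning> <Server> <server2> <rbx_dev_wls_01> <[STANDBY] ExecuteThread: '3' for queue: "
    "'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1322835992044> <BEA-090504> ")
SAMPLE = [
    # Taken from the log excerpt above.
    PREFIX + "<Certificate chain received from server1.rubix.local - 10.0.0.11 failed hostname "
             "verification check. Certificate contained server1 but check expected server1.rubix.local>",
    "<Notice> <WebLogicServer> <server2> <rbx_dev_wls_01> <main> <<WLS Kernel>> <> <> "
    "<1322835992137> <BEA-000365> <Server state changed to RUNNING>",
    # Constructed for this example: a certificate that names an unrelated host.
    PREFIX + "<Certificate chain received from app.example.test - 192.0.2.13 failed hostname "
             "verification check. Certificate contained demo-host but check expected app.example.test>",
]
if __name__ == "__main__":
    for f in find_mismatches(SAMPLE):
        print(f["logged_by"], f["peer"], f["cert_name"], f["expected"], f["kind"])
```

Only the `short-vs-fqdn` findings correspond to the Listen Address situation in this post; a `different-host` finding means the certificate itself does not belong to the name being contacted.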
