
Document 2193938.1 https://mosemp.us.oracle.com/epmos/faces/DocumentDisplay?_adf.ctrl...

Copyright (c) 2022, Oracle. All rights reserved. Oracle Confidential.

Domain Trust fails When Connecting Other Domain Server - "java.lang.SecurityException: [Security:090398]Invalid" (Doc ID 2193938.1)

In this Document

Symptoms
Changes
Cause
Solution
References

Created from SR 3-13168724735 [This section is not visible to customers.]

APPLIES TO:

Oracle WebLogic Server - Version 12.1.1.0 and later


Information in this document applies to any platform.

SYMPTOMS

On : 12.2.1.0.0 version, WLS Security

When attempting to connect to another domain for which domain trust has been enabled, the following error occurs:

2016-08-05 18:00:14,248 ERROR xxx.publishing.Publish - Error sending to Publishing Service for Print Draft
java.lang.SecurityException: [Security:090398]Invalid Subject: principals=xxxAUTHUSER]
at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:833) ~[com.oracle.weblogic.security.service.ffapi.jar:12.2.1.0]
at weblogic.security.service.SecurityServiceManager.getSealedSubjectFromWire(SecurityServiceManager.java:522) ~[com.oracle.weblogic.security.service.ffapi.jar:12.2.1.0]
at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:352) ~[com.bea.core.weblogic.rmi.client.jar:12.2.1.0]
at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:1024) ~[com.bea.core.weblogic.rmi.client.jar:12.2.1.0]
at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:351) ~[com.bea.core.weblogic.rmi.client.jar:12.2.1.0]
at weblogic.rmi.cluster.ClusterableServerRef.dispatch(ClusterableServerRef.java:242) ~[com.bea.core.weblogic.rmi.client.jar:12.2.1.0]
at weblogic.rjvm.RJVMImpl.dispatchRequest(RJVMImpl.java:1141) ~[com.bea.core.weblogic.rmi.client.jar:12.2.1.0]
at weblogic.rjvm.RJVMImpl.dispatch(RJVMImpl.java:1023) ~[com.bea.core.weblogic.rmi.client.jar:12.2.1.0]
at weblogic.rjvm.ConnectionManagerServer.handleRJVM(ConnectionManagerServer.java:240) ~[com.bea.core.weblogic.rmi.client.jar:12.2.1.0]
at weblogic.rjvm.ConnectionManager.dispatch(ConnectionManager.java:888) ~[com.bea.core.weblogic.rmi.client.jar:12.2.1.0]
at weblogic.rjvm.MsgAbbrevJVMConnection.dispatch(MsgAbbrevJVMCo

CHANGES

This worked on previous versions, e.g. 12.1.1.

CAUSE

WLS 12.1.1 uses MD5 when signing principals. After a design change, 12.2.1 uses SHA256, hence the incompatibility.

SOLUTION

To solve this issue, execute the following action plan:

1. Edit the WLS 12.2.1 startup options and append:

-Dweblogic.security.crypto.generatePriorDigest=true
-Dweblogic.security.crypto.verifyPriorDigest=true

2. Restart WLS 12.2.1

3. Regenerate the WLS Domain Password on 12.2.1.

This password is the Global Trust password, not the Admin user password.

4. Restart WLS 12.2.1 domain
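
To confirm after step 2 that a 12.2.1 server is really running with both options from step 1, the following added example (not part of the Oracle note and not Oracle code) inspects a JVM option string. The function names and the sample option strings are constructed for illustration, and it assumes the values are written exactly as `true`, as in step 1.

```shell
#!/bin/sh
# Added example, not Oracle code. Function names are illustrative.

GEN=weblogic.security.crypto.generatePriorDigest
VER=weblogic.security.crypto.verifyPriorDigest

# prop_value OPTS NAME: print the effective value of -DNAME=... in OPTS.
# A JVM uses the last occurrence of a repeated -D option, so this does too.
# Runs in a subshell so that "set -f" does not leak to the caller.
prop_value() (
    set -f                      # do not glob-expand tokens while splitting
    value=
    for tok in $1; do
        case $tok in
            "-D$2="*) value=${tok#"-D$2="} ;;
        esac
    done
    printf '%s\n' "$value"
)

# prior_digest_state OPTS: print
#   both     both options are "true" (matches step 1 of the note)
#   partial  exactly one is "true" (does not match step 1)
#   none     neither is "true"
# Assumption: only the literal value "true", as written in the note, counts.
prior_digest_state() {
    n=0
    if [ "$(prop_value "$1" "$GEN")" = true ]; then n=$((n + 1)); fi
    if [ "$(prop_value "$1" "$VER")" = true ]; then n=$((n + 1)); fi
    case $n in
        2) echo both ;;
        1) echo partial ;;
        *) echo none ;;
    esac
}

# Constructed sample option strings (not taken from a real server).
SAMPLE_OK="-Xmx1g -D$GEN=true -D$VER=true"
SAMPLE_OVERRIDDEN="-D$GEN=true -D$VER=true -Xmx1g -D$VER=false"

for opts in "$SAMPLE_OK" "$SAMPLE_OVERRIDDEN" "-Xmx1g"; do
    printf '%-8s %s\n' "$(prior_digest_state "$opts")" "$opts"
done
```

In practice, pass it the running server's command line, for example the output of `ps -o args= -p <pid>`. The same check finds servers that are still started with these compatibility options once the 12.1.1 domain has been upgraded.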

REFERENCES

BUG:24589722 - GLOBAL TRUST NOT WORKING WHEN SENDING JMS MESSAGE FROM 12.2.1.1 TO 12.1.1

Document Attributes
Author: EVEGABA.US; Status: PUBLISHED(EXTERNAL)
Owner: EVEGABA.US Publisher: EVEGABA.US
Alias: Content Type: TEXT/X-HTML
Distribution: EXTERNAL Visibility: EXTERNAL
Created By: EVEGABA.US Created: Oct 17, 2016
Modified By: RTUMMA.US Modified: Jan 4, 2022
Reviewed By: KVINCENT.US Reviewed: Jan 20, 2022
Source: AWIZ 3-13168724735 Exception: No
Priority: 3

2 of 2 01/20/2022, 11:03 AM