-- Problem Statement:
Since renewal of the SSL certificate (Verisign), unable to connect in SSL mode to Discoverer Plus using JInitiator.
Error in the Java Console:
java.io.IOException: javax.net.ssl.SSLException: SSL handshake failed: X509CertChainInvalidErr
Even the latest versions of Jinitiator, 18.104.22.168, 22.214.171.124 fail.
The failure occurs only when running Discoverer with JInitiator, not when using the Sun Java Plug-in.
The new Verisign certificate has an intermediate certificate (Verisign Class 3 Secure Server CA), which has been implemented in the the same Oracle Wallet as the server certificate.
Verisign started to sign their certificates with a new key starting from 17 May 2009 and afterwards. This is explained in following document by verisign:
The new certificates do not work for JInitiator unless manually imported into certdb.txt.
This has been logged as bug
Bug:8717513 X509CERTCHAININVALIDERR WITH VERISIGN CERTIFICATE AFTER 17 MAY 2009
Bug:8717513 is under investigation by Development.
Until a fix is availabe, one of the following workarounds can be used:
1. Import the intermediate certificate into certdb.txt for Jinitiator following
Note 372800.1 How to Implement an SSL CA Root Certificate in JInitiator,
2. Use the Sun Java Plug-in.
We do recommend using the Sun Java Plug-in as Oracle JInitiator is nearing the end of its life cycle.
Note 761159.1 Oracle JInitiator - 1.3 1.
Note 465234.1 Recommended Client Java Plug-in (JVM/JRE) For Discoverer Plus 10g (10.1.2).