Two way SSL issue in weblogic

Similar Messages

• Two way SSL with jax-ws on weblogic 10.3.1.1

  I'm desperately trying to create a webservice client using jax-ws for two way ssl (mutual authentication). The client shoud be a web service (war) not a normal fat java client (jar).Could someone please give me any help? I've tried with the ssl context but it dosn't work :(
  BlokIzmenjava service= new BlokIzmenjava(new URL("https://wwwt.ajpes.si/wsBlokIzmenjava/BlokIzmenjava.asmx?WSDL"), new QName("http://www.ajpes.si/blok_izmenjava", "BlokIzmenjava"));
  BlokIzmenjavaSoap port=service.getBlokIzmenjavaSoap();
  KeyStore ks = KeyStore.getInstance("JKS");
  ks.load(new FileInputStream("D:/Podatki/Workspace1031/TestWorkSpace/TestWS/src/nkbm/ws/Ajpes.jks"), "trustpass".toCharArray());
  KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
  kmf.init(ks, "trustpass".toCharArray());
  javax.net.ssl.SSLContext sslCtx = SSLContext.getInstance("SSL");
  TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
  tmf.init(ks);
  TrustManager tms[] = tmf.getTrustManagers();
  sslCtx.init(kmf.getKeyManagers(), tms, null);
  javax.net.ssl.SSLSocketFactory ssl = (javax.net.ssl.SSLSocketFactory) sslCtx.getSocketFactory();
  Map<String, Object> requestContext = ((BindingProvider) port).getRequestContext();
  requestContext.put(com.sun.xml.internal.ws.developer.JAXWSProperties.SSL_SOCKET_FACTORY, ssl);
  port.test("aaaaa");
  The thing is that this solution works on a fat client(as a jar) but it dosn't work as a client (webservice) deployed on weblogic server. I've also set the everything in the weblogic console (SSL,keystores) and it still dosn't work :(
  any help would b appretiated!
  thank you!
  Edited by: user10677650 on 30.6.2010 6:37

  Isn't the SSL adapter meant to be used for jax-rpc webservices?
  "JAX-RPC clients can use the SSLAdapter mechanism described in Using a Custom SSL Adapter with Reliable Messaging to persist the state of a request over an SSL connection"
  I have already tried with weblogic.wsee.jaxws.sslclient.SSLClientUtil...still I always get the error (this error is with ssl debug mode on)....
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 31921099>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write SSL_20_RECORD>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 994001646
  Issuer:C=si, O=state-institutions, OU=sigen-ca
  Subject:C=si, O=state-institutions, OU=sigen-ca, OU=org-web, OU=AJPES - 14717468, CN=WWWT.AJPES.SI + ?=2345775710058
  Not Valid Before:Fri Nov 17 14:26:17 CET 2006
  Not Valid After:Thu Nov 17 14:56:17 CET 2011
  Signature Algorithm:SHA1withRSA
  >
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 994001646
  Issuer:C=si, O=state-institutions, OU=sigen-ca
  Subject:C=si, O=state-institutions, OU=sigen-ca, OU=org-web, OU=AJPES - 14717468, CN=WWWT.AJPES.SI + ?=2345775710058
  Not Valid Before:Fri Nov 17 14:26:17 CET 2006
  Not Valid After:Thu Nov 17 14:56:17 CET 2011
  Signature Algorithm:SHA1withRSA
  >
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 0>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 0>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (0): NONE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Performing hostname validation checks: wwwt.ajpes.si>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(sock): 12457751>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <close(): 27314217>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 31288249>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 262>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received CHANGE_CIPHER_SPEC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Finished>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 342>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 493>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <5095980 read(offset=0, length=8192)>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: HelloRequest>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 147>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 994001646
  Issuer:C=si, O=state-institutions, OU=sigen-ca
  Subject:C=si, O=state-institutions, OU=sigen-ca, OU=org-web, OU=AJPES - 14717468, CN=WWWT.AJPES.SI + ?=2345775710058
  Not Valid Before:Fri Nov 17 14:26:17 CET 2006
  Not Valid After:Thu Nov 17 14:56:17 CET 2011
  Signature Algorithm:SHA1withRSA
  >
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 994001646
  Issuer:C=si, O=state-institutions, OU=sigen-ca
  Subject:C=si, O=state-institutions, OU=sigen-ca, OU=org-web, OU=AJPES - 14717468, CN=WWWT.AJPES.SI + ?=2345775710058
  Not Valid Before:Fri Nov 17 14:26:17 CET 2006
  Not Valid After:Thu Nov 17 14:56:17 CET 2011
  Signature Algorithm:SHA1withRSA
  >
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 0>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 0>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (0): NONE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Performing hostname validation checks: wwwt.ajpes.si>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: CertificateRequest>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <No suitable identity certificate chain has been found.>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 7>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 262>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received CHANGE_CIPHER_SPEC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Finished>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received APPLICATION_DATA: databufferLen 0, contentLength 2073>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <5095980 read databufferLen 2073>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <5095980 read A returns 2073>
  1.7.2010 8:38:39 com.sun.xml.ws.server.sei.EndpointMethodHandler invoke
  SEVERE: The server sent HTTP status code 403: Forbidden
  com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 403: Forbidden
       at com.sun.xml.ws.transport.http.client.HttpTransportPipe.checkStatusCode(HttpTransportPipe.java:225)
       at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:191)
       at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:101)
       at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:604)
       at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:563)
       at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:548)
       at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:445)
       at com.sun.xml.ws.client.Stub.process(Stub.java:246)
       at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
       at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
       at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
       at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
       at $Proxy166.blokVrni(Unknown Source)
       at nkbm.ws.TestAjpes1.hello(TestAjpes1.java:59)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:101)
       at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:83)
       at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:152)
       at com.sun.xml.ws.server.sei.EndpointMethodHandler.invoke(EndpointMethodHandler.java:264)
       at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:93)
       at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:604)
       at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:563)
       at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:548)
       at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:445)
       at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:249)
       at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:453)
       at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:250)
       at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:140)
       at weblogic.wsee.jaxws.HttpServletAdapter$AuthorizedInvoke.run(HttpServletAdapter.java:298)
       at weblogic.wsee.jaxws.HttpServletAdapter.post(HttpServletAdapter.java:211)
       at weblogic.wsee.jaxws.JAXWSServlet.doPost(JAXWSServlet.java:297)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
       at weblogic.wsee.jaxws.JAXWSServlet.service(JAXWSServlet.java:87)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3590)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2200)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2106)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1428)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  <1.7.2010 8:39:01 CEST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 0
  java.lang.Exception: New alert stack
       at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
       at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
       at weblogic.net.http.HttpClient.closeServer(HttpClient.java:528)
       at weblogic.net.http.KeepAliveCache$1.run(KeepAliveCache.java:111)
       at java.util.TimerThread.mainLoop(Timer.java:512)
       at java.util.TimerThread.run(Timer.java:462)
  >
  <1.7.2010 8:39:01 CEST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
  <1.7.2010 8:39:01 CEST> <Debug> <SecuritySSL> <BEA-000000> <close(): 5095980>
  <1.7.2010 8:39:01 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 31921099>
  any ideas?
  thank you again!
  Edited by: user10677650 on 30.6.2010 23:42

• Help with getting Web Start working with two-way SSL

  I have successfully transferred data (myclient.jnlp) utilizing web browsers (IE and Mozilla) from my web server (which is set up for two-way SSL "CLIENT-CERT" required) after using the browser's utility to "import" my client-side cert (in .p12 format).
  After the browser connects and downloads the "myclient.jnlp" contents and places it in a temporary file, it then kicks off the javaws process with the temporary file as a parameter. The first thing javaws does is utilize the codebase and href values (found in the temporary file) to make a "GET" call to the server for the "myclient.jnlp" file (again).
  However, this fails (with a SSL handshake error) since javaws uses a different keystore than IE - the server does not receive the client-side cert. I have imported the root CA and the client cert (in .pem format) into the $JAVA_HOME/jre/lib/security/cacerts file using the keytool command but alas my server still indicates a lack of a client-side cert.
  Has anyone else tried this and got it working?

  Hi Richard,
  Indeed it appears that the 1.5 version will have more built-in capability for client certs. It has the look of the IE browser import capability. Unfortunately, I am stuck with having to utilize 1.4.2 for the time being. Since I have posted my original message I have found more information but have yet to get it all working. The truststore in javaws 1.4.2 does have a default (the 1.4.2 jre's cacert file - stragely enough not the same one that gets updated when you import the root CA! - but this has been noted in many other threads). The javaws keystore does not have a default and I have tried, to no avail yet, to utilize some command line parameters, see http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#Customization - to get my client cert "available" and recognized by javaws.
  With the help of some debug flags here is the output on my javaws "output" log - all seems to go well up to the point of the client's Certificate chain (which appears to be empty), after the ServerHelloDone :
  trustStore is: C:\j2sdk1.4.2_04\jre\lib\security\cacerts
  trustStore type is : jks
  init truststore
  adding as trusted cert:
  snipped all the regular trusted certs, left my root CA as proof it is recognized...
  adding as trusted cert:
  Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
  Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Wed May 26 16:38:59 EDT 2004 until Fri Jun 25 16:38:59 EDT 2004
  trigger seeding of SecureRandom
  done seeding SecureRandom
  %% No cached client session
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1070211537 bytes = { 205, 211, 129, 234, 88, 129, 152, 176, 223, 180, 161, 138, 246, 183, 181, 89, 61, 252, 63, 35, 21, 34, 253, 32, 254, 124, 38, 198 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
  Compression Methods: { 0 }
  [write] MD5 and SHA1 hashes: len = 73
  0000: 01 00 00 45 03 01 40 CA 22 D1 CD D3 81 EA 58 81 ...E..@.".....X.
  0010: 98 B0 DF B4 A1 8A F6 B7 B5 59 3D FC 3F 23 15 22 .........Y=.?#."
  0020: FD 20 FE 7C 26 C6 00 00 1E 00 04 00 05 00 2F 00 . ..&........./.
  0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
  0040: 03 00 08 00 14 00 11 01 00 .........
  Thread-3, WRITE: TLSv1 Handshake, length = 73
  [write] MD5 and SHA1 hashes: len = 98
  0000: 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 ....9... .......
  0010: 00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 ..../..3..2.....
  0020: C0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15 ............@...
  0030: 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 ................
  0040: 00 11 40 CA 22 D1 CD D3 81 EA 58 81 98 B0 DF B4 ..@.".....X.....
  0050: A1 8A F6 B7 B5 59 3D FC 3F 23 15 22 FD 20 FE 7C .....Y=.?#.". ..
  0060: 26 C6 &.
  Thread-3, WRITE: SSLv2 client hello message, length = 98
  Thread-3, READ: TLSv1 Handshake, length = 58
  *** ServerHello, TLSv1
  RandomCookie: GMT: 1070211539 bytes = { 81, 106, 82, 45, 233, 226, 89, 6, 38, 240, 71, 122, 90, 226, 255, 207, 9, 102, 205, 127, 223, 211, 4, 84, 79, 16, 101, 89 }
  Session ID: {34, 167, 132, 174, 141, 4, 57, 197, 190, 207, 105, 117, 241, 9, 97, 81}
  Cipher Suite: SSL_RSA_WITH_DES_CBC_SHA
  Compression Method: 0
  %% Created: [Session-1, SSL_RSA_WITH_DES_CBC_SHA]
  ** SSL_RSA_WITH_DES_CBC_SHA
  [read] MD5 and SHA1 hashes: len = 58
  0000: 02 00 00 36 03 01 40 CA 22 D3 51 6A 52 2D E9 E2 ...6..@.".QjR-..
  0010: 59 06 26 F0 47 7A 5A E2 FF CF 09 66 CD 7F DF D3 Y.&.GzZ....f....
  0020: 04 54 4F 10 65 59 10 22 A7 84 AE 8D 04 39 C5 BE .TO.eY.".....9..
  0030: CF 69 75 F1 09 61 51 00 09 00 .iu..aQ...
  Thread-3, READ: TLSv1 Handshake, length = 607
  *** Certificate chain
  chain [0] = [
  Version: V3
  Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: SunJSSE RSA public key:
  public exponent:
  010001
  modulus:
  e2bd8de9 598e0735 2bed2057 3800c83d 348550e2 93a017c7 9845f35f cd7b4ada
  6ef0c70f 7a033e69 a97ccd15 46f0d1c8 7a0ae909 ddb76f5b cd8029e6 3a6a4965
  Validity: [From: Wed May 26 16:38:59 EDT 2004,
                 To: Fri Jun 25 16:38:59 EDT 2004]
  Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
  SerialNumber: [    00]
  Certificate Extensions: 3
  [1]: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
  0010: 88 76 14 DA .v..
  [2]: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
  0010: 88 76 14 DA .v..
  [CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US]
  SerialNumber: [    00]
  [3]: ObjectId: 2.5.29.19 Criticality=false
  BasicConstraints:[
  CA:true
  PathLen:2147483647
  Algorithm: [SHA1withRSA]
  Signature:
  0000: 29 CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D )..H../.J.s.q.X.
  0010: 9E 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD ..D....<........
  0020: C4 FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 ..R..re....ba5..
  0030: AE FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 ..........w..j..
  Found trusted certificate:
  Version: V3
  Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: SunJSSE RSA public key:
  public exponent:
  010001
  modulus:
  e2bd8de9 598e0735 2bed2057 3800c83d 348550e2 93a017c7 9845f35f cd7b4ada
  6ef0c70f 7a033e69 a97ccd15 46f0d1c8 7a0ae909 ddb76f5b cd8029e6 3a6a4965
  Validity: [From: Wed May 26 16:38:59 EDT 2004,
                 To: Fri Jun 25 16:38:59 EDT 2004]
  Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
  SerialNumber: [    00]
  Certificate Extensions: 3
  [1]: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
  0010: 88 76 14 DA .v..
  [2]: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
  0010: 88 76 14 DA .v..
  [CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US]
  SerialNumber: [    00]
  [3]: ObjectId: 2.5.29.19 Criticality=false
  BasicConstraints:[
  CA:true
  PathLen:2147483647
  Algorithm: [SHA1withRSA]
  Signature:
  0000: 29 CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D )..H../.J.s.q.X.
  0010: 9E 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD ..D....<........
  0020: C4 FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 ..R..re....ba5..
  0030: AE FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 ..........w..j..
  [read] MD5 and SHA1 hashes: len = 607
  0000: 0B 00 02 5B 00 02 58 00 02 55 30 82 02 51 30 82 ...[..X..U0..Q0.
  0010: 01 FB A0 03 02 01 02 02 01 00 30 0D 06 09 2A 86 ..........0...*.
  0020: 48 86 F7 0D 01 01 05 05 00 30 57 31 0B 30 09 06 H........0W1.0..
  0030: 03 55 04 06 13 02 55 53 31 11 30 0F 06 03 55 04 .U....US1.0...U.
  0040: 08 13 08 56 69 72 67 69 6E 69 61 31 10 30 0E 06 ...Virginia1.0..
  0050: 03 55 04 07 13 07 46 61 69 72 66 61 78 31 11 30 .U....Fairfax1.0
  0060: 0F 06 03 55 04 0A 13 08 5A 6F 72 6B 2E 6F 72 67 ...U....Zork.org
  0070: 31 10 30 0E 06 03 55 04 03 13 07 52 6F 6F 74 20 1.0...U....Root
  0080: 43 41 30 1E 17 0D 30 34 30 35 32 36 32 30 33 38 CA0...0405262038
  0090: 35 39 5A 17 0D 30 34 30 36 32 35 32 30 33 38 35 59Z..04062520385
  00A0: 39 5A 30 57 31 0B 30 09 06 03 55 04 06 13 02 55 9Z0W1.0...U....U
  00B0: 53 31 11 30 0F 06 03 55 04 08 13 08 56 69 72 67 S1.0...U....Virg
  00C0: 69 6E 69 61 31 10 30 0E 06 03 55 04 07 13 07 46 inia1.0...U....F
  00D0: 61 69 72 66 61 78 31 11 30 0F 06 03 55 04 0A 13 airfax1.0...U...
  00E0: 08 5A 6F 72 6B 2E 6F 72 67 31 10 30 0E 06 03 55 .Zork.org1.0...U
  00F0: 04 03 13 07 52 6F 6F 74 20 43 41 30 5C 30 0D 06 ....Root CA0\0..
  0100: 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 4B 00 30 .*.H.........K.0
  0110: 48 02 41 00 E2 BD 8D E9 59 8E 07 35 2B ED 20 57 H.A.....Y..5+. W
  0120: 38 00 C8 3D 34 85 50 E2 93 A0 17 C7 98 45 F3 5F 8..=4.P......E._
  0130: CD 7B 4A DA 6E F0 C7 0F 7A 03 3E 69 A9 7C CD 15 ..J.n...z.>i....
  0140: 46 F0 D1 C8 7A 0A E9 09 DD B7 6F 5B CD 80 29 E6 F...z.....o[..).
  0150: 3A 6A 49 65 02 03 01 00 01 A3 81 B1 30 81 AE 30 :jIe........0..0
  0160: 0C 06 03 55 1D 13 04 05 30 03 01 01 FF 30 1D 06 ...U....0....0..
  0170: 03 55 1D 0E 04 16 04 14 3F A7 DF 1F FA 90 1F 98 .U......?.......
  0180: 4F BA 42 9F 21 7D B4 C4 88 76 14 DA 30 7F 06 03 O.B.!....v..0...
  0190: 55 1D 23 04 78 30 76 80 14 3F A7 DF 1F FA 90 1F U.#.x0v..?......
  01A0: 98 4F BA 42 9F 21 7D B4 C4 88 76 14 DA A1 5B A4 .O.B.!....v...[.
  01B0: 59 30 57 31 0B 30 09 06 03 55 04 06 13 02 55 53 Y0W1.0...U....US
  01C0: 31 11 30 0F 06 03 55 04 08 13 08 56 69 72 67 69 1.0...U....Virgi
  01D0: 6E 69 61 31 10 30 0E 06 03 55 04 07 13 07 46 61 nia1.0...U....Fa
  01E0: 69 72 66 61 78 31 11 30 0F 06 03 55 04 0A 13 08 irfax1.0...U....
  01F0: 5A 6F 72 6B 2E 6F 72 67 31 10 30 0E 06 03 55 04 Zork.org1.0...U.
  0200: 03 13 07 52 6F 6F 74 20 43 41 82 01 00 30 0D 06 ...Root CA...0..
  0210: 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 41 00 29 .*.H.........A.)
  0220: CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D 9E ..H../.J.s.q.X..
  0230: 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD C4 .D....<.........
  0240: FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 AE .R..re....ba5...
  0250: FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 .........w..j..
  Thread-3, READ: TLSv1 Handshake, length = 220
  *** CertificateRequest
  Cert Types: RSA, DSS, Ephemeral DH (RSA sig),
  Cert Authorities:
  <CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US>
  <CN=Server CA, OU=Server Division, O=Zork.org, L=Fairfax, ST=Virginia, C=US>
  [read] MD5 and SHA1 hashes: len = 220
  0000: 0D 00 00 D8 03 01 02 05 00 D2 00 59 30 57 31 0B ...........Y0W1.
  0010: 30 09 06 03 55 04 06 13 02 55 53 31 11 30 0F 06 0...U....US1.0..
  0020: 03 55 04 08 13 08 56 69 72 67 69 6E 69 61 31 10 .U....Virginia1.
  0030: 30 0E 06 03 55 04 07 13 07 46 61 69 72 66 61 78 0...U....Fairfax
  0040: 31 11 30 0F 06 03 55 04 0A 13 08 5A 6F 72 6B 2E 1.0...U....Zork.
  0050: 6F 72 67 31 10 30 0E 06 03 55 04 03 13 07 52 6F org1.0...U....Ro
  0060: 6F 74 20 43 41 00 75 30 73 31 0B 30 09 06 03 55 ot CA.u0s1.0...U
  0070: 04 06 13 02 55 53 31 11 30 0F 06 03 55 04 08 13 ....US1.0...U...
  0080: 08 56 69 72 67 69 6E 69 61 31 10 30 0E 06 03 55 .Virginia1.0...U
  0090: 04 07 13 07 46 61 69 72 66 61 78 31 11 30 0F 06 ....Fairfax1.0..
  00A0: 03 55 04 0A 13 08 5A 6F 72 6B 2E 6F 72 67 31 18 .U....Zork.org1.
  00B0: 30 16 06 03 55 04 0B 13 0F 53 65 72 76 65 72 20 0...U....Server
  00C0: 44 69 76 69 73 69 6F 6E 31 12 30 10 06 03 55 04 Division1.0...U.
  00D0: 03 13 09 53 65 72 76 65 72 20 43 41 ...Server CA
  Thread-3, READ: TLSv1 Handshake, length = 4
  *** ServerHelloDone
  [read] MD5 and SHA1 hashes: len = 4
  0000: 0E 00 00 00 ....
  *** Certificate chain
  JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
  *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
  Random Secret: { 3, 1, 175, 38, 47, 77, 131, 125, 209, 147, 174, 228, 183, 99, 34, 2, 100, 186, 77, 47, 65, 233, 82, 133, 183, 113, 8, 193, 51, 241, 167, 105, 4, 187, 57, 130, 161, 11, 178, 11, 134, 84, 96, 106, 203, 11, 195, 51 }
  [write] MD5 and SHA1 hashes: len = 77
  0000: 0B 00 00 03 00 00 00 10 00 00 42 00 40 39 9F EC ..........B.@9..
  0010: 5F 92 FA 3D 5E 3D 0C 19 10 72 DA BE B6 14 76 62 _..=^=...r....vb
  0020: AE 39 75 0B 74 10 C7 B1 42 D7 A1 22 C0 0E B8 A2 .9u.t...B.."....
  0030: 22 80 73 20 36 A2 FD BB F9 3E F4 F0 91 CE 95 F8 ".s 6....>......
  0040: 05 D7 22 FC 2C CF 1B AB 19 82 03 D2 F5 ..".,........
  Thread-3, WRITE: TLSv1 Handshake, length = 77
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 AF 26 2F 4D 83 7D D1 93 AE E4 B7 63 22 02 ...&/M.......c".
  0010: 64 BA 4D 2F 41 E9 52 85 B7 71 08 C1 33 F1 A7 69 d.M/A.R..q..3..i
  0020: 04 BB 39 82 A1 0B B2 0B 86 54 60 6A CB 0B C3 33 ..9......T`j...3
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 40 CA 22 D1 CD D3 81 EA 58 81 98 B0 DF B4 A1 8A @.".....X.......
  0010: F6 B7 B5 59 3D FC 3F 23 15 22 FD 20 FE 7C 26 C6 ...Y=.?#.". ..&.
  Server Nonce:
  0000: 40 CA 22 D3 51 6A 52 2D E9 E2 59 06 26 F0 47 7A @.".QjR-..Y.&.Gz
  0010: 5A E2 FF CF 09 66 CD 7F DF D3 04 54 4F 10 65 59 Z....f.....TO.eY
  Master Secret:
  0000: 67 B9 58 74 69 18 0B 2E 00 EB AC 9B 77 15 B4 65 g.Xti.......w..e
  0010: 61 A1 AC D0 F1 D5 4C CA 0E 51 FC 58 A0 11 B7 87 a.....L..Q.X....
  0020: EC 72 26 D0 83 18 27 49 8F B6 32 FF E3 89 1D E4 .r&...'I..2.....
  Client MAC write Secret:
  0000: D5 96 AB F7 1E 46 5F 46 8A E9 3E DF A0 5E 32 5E .....F_F..>..^2^
  0010: 00 FB B8 D8 ....
  Server MAC write Secret:
  0000: E6 7D 8E F5 6A 4C 94 4C D6 2A 3A 4D FC C1 94 A3 ....jL.L.*:M....
  0010: C5 6C 5F B6 .l_.
  Client write key:
  0000: 18 1D 51 8C 74 6D 18 57 ..Q.tm.W
  Server write key:
  0000: 0D 4E 7A F1 5A D6 5F 5B .Nz.Z._[
  Client write IV:
  0000: 4C BB 4D FA 4F EB CB 4E L.M.O..N
  Server write IV:
  0000: B7 6A CA E9 66 7D 25 88 .j..f.%.
  Thread-3, WRITE: TLSv1 Change Cipher Spec, length = 1
  JsseJCE: Using JSSE internal implementation for cipher DES/CBC/NoPadding
  *** Finished
  verify_data: { 20, 20, 38, 13, 43, 235, 102, 72, 75, 212, 21, 21 }
  [write] MD5 and SHA1 hashes: len = 16
  0000: 14 00 00 0C 14 14 26 0D 2B EB 66 48 4B D4 15 15 ......&.+.fHK...
  Padded plaintext before ENCRYPTION: len = 40
  0000: 14 00 00 0C 14 14 26 0D 2B EB 66 48 4B D4 15 15 ......&.+.fHK...
  0010: 90 9C E9 09 F4 48 96 A6 8F AA 04 DF E9 36 72 F0 .....H.......6r.
  0020: 42 F0 60 78 03 03 03 03 B.`x....
  Thread-3, WRITE: TLSv1 Handshake, length = 40
  Thread-3, READ: TLSv1 Alert, length = 2
  Thread-3, RECV TLSv1 ALERT: fatal, handshake_failure
  Thread-3, called closeSocket()
  Thread-3, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  Finalizer, called close()
  Finalizer, called closeInternal(true)
  So I'll toil away trying to get *right* combination of settings - please let me know if you have any ideas! FYI here are the command line settings I am using for the keystore:
  -Djavax.net.ssl.keyStore=c:\myClientIdKeyStore -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=myClientIdKeyStorePass
  Thanks,
  Paul

• Two-Way SSL does not work until "Use Server Certs" is selected on client

  We have a web service application and a client application. Both applications are deployed in WebLogic 10.3. The web service application is secured by Two-Way SSL. When the client attempts to access the service, we got the following error logs on the server side:
  <Dec 8, 2009 3:25:42 PM EST> <Warning> <Security> <BEA-090508> <Certificate chain received from ... was incomplete.>
  CertPathTrustManagerUtils.certificateCallback: certPathValStype = 0
  CertPathTrustManagerUtils.certificateCallback: validateErr = 4
  CertPathTrustManagerUtils.certificateCallback: returning false because of built-in SSL validation errors
  We got the same error even if the WebLogic 10.3 domain on the client side uses the same identity and trust keystores as the server side.
  The problem was solved when we selected Environment -> Servers -> <server> -> SSL, expanded "Advanced" and selected "Use Server Certs". Could anyone tell me what "Use Server Certs" does to make the difference?
  Another question is how we can invoke this web service in a Java application since "Use Server Certs" solution only works for web application deployed in weblogic.

  "Use Server Certs" means that a client application running within Weblogic will use the WL managed server's identity certificate as its client certificate. Otherwise, the client application is responsible for selecting the keystore, and presenting the certificate as part of the handshake.
  This is a great feature in 9 & 10; client SSL was much more difficult in WL 8.
  If you are using a standalone client application to invoke anything over 2-way SSL, you are responsible for presenting the certificate. For instance, if you invoke the page from your browser, your browser can maintain client certificates and you'll get a popup to select which cert to use.

• Difference Between One-way SSL and Two Way SSL

  Hi ,
  Can any tell difference between one way and two ssl. apache to weblogic server which type of ssl we can configure. Please provide information on this.
  thanks

  In short below is the difference:
  One Way SSL - Only the client authenticates the server
  - This means that the public cert of the server needs to configured in the trust store of the client for this to happen.
  Two Way SSL - The client authenticates the server & the server also authenticates the client.
  - This means that the public cert of the server needs to configured in the trust store of the client for this to happen.
  - Also the public cert of the client needs to be configured on the server's trust store
  Please refer to http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas.doc%2Fsy10660_.htm. In case of Two way SSL the step numbers 5 & 6 also occur.
  You can implement either of them between apache and weblogic.
  Hope this helps.
  Thanks,
  Patrick

• Two way ssl with self signed certificate?

  How can I use a self signed certificate with two-way SSL with weblogic 7sp4?
  Specfically, I don't want to use any CA authority.
  Is it possible to simply have the clients certificate in the servers truststore or not?
  I pull out the certificate via
  javax.servlet.request.X509Certificate
  but when I use a self signed certificate it's never there.
  If I instead use a certificate that was created with CertGen it works. But CertGen uses the GenCertCA to create the certificate chain.

  How can I use a self signed certificate with two-way SSL with weblogic 7sp4?
  Specfically, I don't want to use any CA authority.
  Is it possible to simply have the clients certificate in the servers truststore or not?
  I pull out the certificate via
  javax.servlet.request.X509Certificate
  but when I use a self signed certificate it's never there.
  If I instead use a certificate that was created with CertGen it works. But CertGen uses the GenCertCA to create the certificate chain.

• Two-way SSL: Private key is incorrectly read if the charset is set to UTF8

  Looks like PEMInputStream and other related classes assumes the application charset
  "iso81", but if the charset is something else, then "java.security.KeyManagementException"
  is thrown.
  We have everything setup and two-way ssl works when the encoding is not set. but
  brakes if the encoding is UTF8.
  WLS 7.0
  OS - HP-UX
  Is there any other workaround (not setting UTF8 is not a solution, ours is a WW
  app).
  Thanks

  I would suggest posting this to the security newsgroup.
  -- Rob
  Govinda Raj wrote:
  Looks like PEMInputStream and other related classes assumes the application charset
  "iso81", but if the charset is something else, then "java.security.KeyManagementException"
  is thrown.
  We have everything setup and two-way ssl works when the encoding is not set. but
  brakes if the encoding is UTF8.
  WLS 7.0
  OS - HP-UX
  Is there any other workaround (not setting UTF8 is not a solution, ours is a WW
  app).
  Thanks

• How to Use a Certificate for Two Way SSL and another certificate for WS Security Header at Client Console Application(C# Dotnet)

  Hi,
  I want to consume a Java Web service from Dotnet based client Application. The service require one Certificate("abc.PFX") for Two Way SSL purpose and another certificate("xyz.pfx") for WS security purpose to be passed from client Application(Dotnet
  Console based). I tried configuring the App.config of Client application to pass both the certs but getting Error says:
  Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
  Please suggest how to pass both the certs from client Application..

  Hi,
  This problem can be due to an Untrusted certificate. So you need just full permissions to certificates.
  And for more information, you could refer to:
  http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
  Regards

• 1 WAY SSL issue.

  Our Domain has one proxy server and a weblogic cluster with 2 managed server running on Weblogic Integration Server 8.1 SP5.
  The proxy will forward the request to the cluster in a round robin.
  The environment is configured for 2 way SSL and the configuration works fine.
  The authorization used is perimeter authorization using HttpClusterServlet.
  Now I need one way ssl.
  Since the managed servers are configured for 1 way ssl I am trying to access the managed servers by bypassing the proxy.
  I am getting the following error.
  "Error 401--Unauthorized xxx
  From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
  10.4.2 401 Unauthorized
  I cehcked the server logs are getting the following error.
  Any help?
  Thanks && Regards,
  Rajeev
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 10330858>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLSocket will be Muxing>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(is): 20100894>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 readRecord()>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 SSL3/TLS MAC>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 received HANDSHAKE>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ClientHello>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <write HANDSHAKE offset = 0 length = 58>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <write HANDSHAKE offset = 0 length = 2120>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <write HANDSHAKE offset = 0 length = 4>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 readRecord()>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 SSL3/TLS MAC>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 received HANDSHAKE>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ClientKeyExchange>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ClientKeyExchange RSA>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 readRecord()>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 SSL3/TLS MAC>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 received CHANGE_CIPHER_SPEC>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 readRecord()>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 SSL3/TLS MAC>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 received HANDSHAKE>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC offset = 0 length = 1>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <write HANDSHAKE offset = 0 length = 40>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(sock): 9712642>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <activateNoRegister()>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <avalable(): 31630577 : 0 + 0 = 0>
  <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.activate(): activated: 20100894 31630577>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 read( offset: 0 length: 4080 )>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: true>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <hasSSLRecord()>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <hasSSLRecord returns true>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 readRecord()>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 SSL3/TLS MAC>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 received APPLICATION_DATA>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 APPDATA databufferLen 0>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 APPDATA contentLength 572>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 read databufferLen 572>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 read A returns 572>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 read( offset: 572 length: 3508 )>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: true>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <hasSSLRecord()>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <hasSSLRecord returns false 1>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 Rethrowing InterruptedIOException>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(sock): 9712642>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <activateNoRegister()>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <avalable(): 31630577 : 0 + 0 = 0>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.activate(): activated: 20100894 31630577>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 read( offset: 572 length: 3508 )>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: true>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <hasSSLRecord()>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <hasSSLRecord returns false 1>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 Rethrowing InterruptedIOException>
  *** ServletRequestImpl.setClientCertProxy.x509ProxyClientCert ***null
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <write APPLICATION_DATA offset = 0 length = 339>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <write APPLICATION_DATA offset = 6 length = 1526>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@89314f Severity: 1 Type: 0
  java.lang.Throwable: Stack trace
  at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
  at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
  at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
  at weblogic.socket.SocketMuxer.closeSocket(SocketMuxer.java:267)
  at weblogic.socket.SocketMuxer.cleanupSocket(SocketMuxer.java:605)
  at weblogic.socket.SocketMuxer.deliverExceptionAndCleanup(SocketMuxer.java:569)
  at weblogic.socket.SocketMuxer.deliverEndOfStream(SocketMuxer.java:513)
  at weblogic.servlet.internal.ServletResponseImpl.send(ServletResponseImpl.java:1221)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2637)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  >
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <avalable(): 31630577 : 0 + 0 = 0>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <write ALERT offset = 0 length = 2>
  <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.removeContext(ctx): 10330858>

  I have exactly the same problem, except that I regularly open up the npr site. But here is the real problem. I open firefox>preferences>advanced>encryption>view certificates>add exception. But here is the problem. I can not click on the box to permanently store exception. This box appears permanently closed.
  I am currently running firefox 9.01, and I've got to say I never had any problems with firefox in all the years I've used it. But ever since it went through this dizzying series of upgrades from 3.6 to the present it has given me problems.
  I am a regular npr listener, and so this annoying error message is really making me consider permanently leaving firefox for chrome or safari.

• 2 way ssl, cac card, weblogic 9.2 webservice

  I have 2 way ssl configured in lower environement and I am using WLSSLAdapter to send the client cert and key. It is working perfectly in lower environement when I use JKS and load certificate and private key from JKS.
  But when I use CAC Card reader and pass the X509Certificate and Privatekey, I get following:
  HANDSHAKE_FAILURE alert received from XXX.XX.X.XXX - XXX.XX.X.XXX. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.>
  Please help as I am close to deploying in Production.
  Pls. Pls. Pls.

  Yes. I am using the 9.2 webservices. This is a new webservice I'm creating. The ant build.xml file to generate it is like this:
  <jwsc srcdir="${SRCDIR}/src" destdir="${EXPDIR}/webservice"
  tempdir="${WRKDIR}/webservice"
  verbose="on" debug="on"
  enableAsyncService="false"
  classpathref="our.custom.classpath" keepGenerated="true">
  <jws file="sdo/webservice/impl/SDOWSImpl.java"
  contextPath="SDO" name="SDOService">
  <WLHttpTransport contextPath="SDO"
  serviceUri="SDOService"
  portName="SDOService"/>
  </jws>
  </jwsc>
  The our.custom.classpath is as follows:
  <path id="our.custom.classpath">
  <pathelement location="${EXPTOP}/log4j/1.29/lib/log4j.jar"/>
  <pathelement location="${EXPTOP}/weblogic/9.23/lib/apache_xbean.jar"/>
  <pathelement location="${EXPTOP}/weblogic/9.23/lib/xbean.jar"/>
  <pathelement location="${EXPTOP}/weblogic/9.23/lib/weblogic.jar"/>
  <pathelement location="${EXPTOP}/weblogic/9.23/lib/wsse.jar"/>
  </path>
  I have to include xbean.jar here because if I didn't, I got "java.lang.NoClassDefFoundError: com/bea/xml/XmlException" during the ant build.
  How do I make sure I use the 9.2 style xbeans?
  thanks!

• How to get the correct client certificate used in the two way ssl

  how to export the certificate in browser to the correct client certificate format needed by the WLSSSLAdaptor?
  I can export the certificate in browser to p12 or pfx format, but how to retrieve the private key from it and convert to PKCS#8?
  anyone did this before?
  Thanks

  Hi,
  Use the event after_user_command.When the user clicks any other buttons in the toolbar,this event will be triggered after the processing and you can handle the sub-total for % columns here.
  Regards,
  Archna Raja

• SOA Suite - " usermessagingdriver-email " & SSL issue.

  Hi All,
  We are about to install SSL certificate on Weblogic 10.3.6 server ( built in windows ). We have followed the below steps to install and configure the SSL certificate.
  1. Created a Keystore
  2. Generated a Certificate Signing Request (CSR)
  3. Sent the CSR to a Certificate Authority (CA)
  4. Imported the Trusted CA Certificate(s) - 3
  5. Imported the Server Certificate - 1
  6. Configured WebLogic Server for SSL ( filled required values under Keystore and SSL tab , Als enabled the SSL port as 443 ).
  7. As a final step,We have restarted the managed server where SSL requires to install. However we have been thrown with below error in managed server.log ( Server is started to run with the protocols iiop, t3, ldap, snmp, http not with https ).
  Error
  ####<Nov 11, 2013 8:37:52 PM CET> <Error> <Security> <XXXXX> <soa_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <1384198672574> <BEA-090132> <Could not open the keystore file D:\oracle\Middleware\Keystores for read access. Exception: java.io.FileNotFoundException: D:\oracle\Middleware\Keystores (Access is denied)>
  ####<Nov 11, 2013 8:37:52 PM CET> <Alert> <Security> <DNSAPPCPH601> <soa_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <1384198672574> <BEA-090166> <Failed to load identity keystore of type JKS from file D:\oracle\Middleware\Keystores on server soa_server1>
  ####<Nov 11, 2013 8:37:52 PM CET> <Error> <WebLogicServer> <XXXXXX> <soa_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <1384198672574> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Failed to load identity keystore of type JKS from file D:\oracle\Middleware\Keystores on server soa_server1>
  Deployment status ( We installed SOA server under weblogic )
  After the restart of managed server , We could see one of the application (usermessagingdriver-email ) moved to prepared status. This was in good health status before the restart.
  When we are starting the application.It throws below error in the top of the admin console.
  The run-as security principal, 'OracleSystemUser', chosen for the EJB 'DriverDispatcherBean(Application: usermessagingdriver-email, EJBComponent: sdpmessagingdriver-dispatcher-ejb.jar)' is not a valid user principal in the current security realm. Please specify a valid user principal for the EJB to use
  Can anyone please suggest how shall we go further.

  Hi All,
  I have sorted the above Access denied issue by navigating the proper path in Admin Console. Have configured the SSL certificate now..( but request is to install two way SSL ). However have installed server certificate alone with the root and intermediate certs. After executing the below steps...
  1. Created a Keystore
  2. Generated a Certificate Signing Request (CSR)
  3. Sent the CSR to a Certificate Authority (CA)
  4. Imported the Trusted CA Certificate(s) - 3
  5. Imported the Server Certificate - 1
  6. Configured WebLogic Server for SSL ( filled required values under Keystore and SSL tab , Also enabled the SSL port as 443 ).
  7. We have restarted the managed server where SSL requires to install.
  8. Modified the SSL > Two way Client cert Behaviour > Client Certs Requested But Not Enforced , this option was enabled ( PS ! We are not yet install client certificate ).
  Could see the log entries like below
  <Nov 14, 2013 3:44:12 PM > <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file D:\oracle\Middleware\Keystores\keystore.jks.>
  <Nov 14, 2013 3:44:12 PM > <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 10.123.1.141:443 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
  <Nov 14, 2013 3:44:12 PM > <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[1]" is now listening on 0:0:0:0:0:0:0:1:443 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
  <Nov 14, 2013 3:44:12 PM > <Notice> <Server> <BEA-002613> <Channel "DefaultSecure[2]" is now listening on 127.0.0.1:443 for protocols iiops, t3s, CLUSTER-BROADCAST-SECURE, ldaps, https.>
  Even though when we tried to access the URL ( https://hostname.local:443/benefits) we got the below error.
  There is a problem with this website's security certificate.
  We recommend that you close this webpage and do not continue to this website. 
  > Click here to close this webpage. 
  > Continue to this website (not recommended). 
  > More information
  If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
  When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.
  If you choose to ignore this error and continue, do not enter private information into the website.
  For more information, see "Certificate Errors" in Internet Explorer Help.
  Can anyone please suggest me the flow to install two way ssl certificate in weblogic 10.3.6 ?
  Thanks
  Lakshmanan

• I am having trouble Trouble implementing one-way SSL on WebLogic 9.2...

  I am having trouble Trouble implementing one-way SSL on WebLogic 9.2. I am using Demo Identity and Demo Trust certificates with a SSL Listen Port Enabled on 7002, and a Two Way Client Cert Behavior of Client Certs Not Requested. I assume that by using Client Certs Not Requested that there is no need to install certificates on user's computers.
  When weblogic is restarted, I get the following log telling me it works...
  <Sep 11, 2012 9:35:16 AM PDT> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file E:\bea\WEBLOG~1\server\lib\DemoIdentity.jks.>
  <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file E:\bea\WEBLOG~1\server\lib\DemoTrust.jks.>
  <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file e:\bea\jdk150_12\jre\lib\security\cacerts.>
  <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.9.20.172:7000 for protocols iiop, t3, ldap, http.>
  <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 10.9.20.172:7002 for protocols iiops, t3s, ldaps, https.>
  However, when I open the console in https://server:7002/console, I get the following error in log file...
  <Sep 11, 2012 9:43:45 AM PDT> <Warning> <Security> <BEA-090481> <NO_CERTIFICATE alert was received from x.y.z.com - 10.37.10.54. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
  <Sep 11, 2012 9:43:45 AM PDT> <Warning> <Security> <BEA-090508> <Certificate chain received from x.y.z.com - 10.37.10.54 was incomplete.>
  I do not understand why I am getting this error when I assume there is no need to install certificates on user's computers. Can't someone please explain what is going on? Thanks in advance.

  <?xml version='1.0' encoding='UTF-8'?>
  <domain xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xsi:schemaLocation="http://www.bea.com/ns/weblogic/90/security/extension http://www.bea.com/ns/weblogic/90/security.xsd http://www.bea.com/ns/weblogic/90/security/xacml http://www.bea.com/ns/weblogic/90/security/xacml.xsd http://www.bea.com/ns/weblogic/90/security http://www.bea.com/ns/weblogic/90/security.xsd http://www.bea.com/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd http://www.bea.com/ns/weblogic/90/security/wls http://www.bea.com/ns/weblogic/90/security/wls.xsd">
  <name>nctcis</name>
  <domain-version>9.2.3.0</domain-version>
  <security-configuration>
  <name>nctcis</name>
  <realm>
  <sec:authentication-provider xsi:type="wls:default-authenticatorType">
  <sec:name>DefaultAuthenticator</sec:name>
  <sec:control-flag>SUFFICIENT</sec:control-flag>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
  <sec:name>DefaultIdentityAsserter</sec:name>
  <sec:active-type>AuthenticatedUser</sec:active-type>
  </sec:authentication-provider>
  <sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
  <sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
  <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
  <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
  <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
  <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
  <sec:name>myrealm</sec:name>
  </realm>
  <default-realm>myrealm</default-realm>
  <anonymous-admin-lookup-enabled>true</anonymous-admin-lookup-enabled>
  <credential-encrypted>{3DES}PyUkjWRp8JGpk75BYSbvQ6OWYgA9SZq2nj2IuENa2vxrMy835GMRZ+GGKhJiWapjt0mMC2ohcxxlIMNUZJUH2gCjbB5kQUmA</credential-encrypted>
  <node-manager-username>system</node-manager-username>
  <node-manager-password-encrypted>{3DES}KmaZDZGQC6spYVY12CbJGA==</node-manager-password-encrypted>
  </security-configuration>
  <jta>
  <timeout-seconds>1800</timeout-seconds>
  <abandon-timeout-seconds>3600</abandon-timeout-seconds>
  <max-transactions>100000</max-transactions>
  <max-resource-unavailable-millis>100000</max-resource-unavailable-millis>
  </jta>
  <log>
  <name>nctcis</name>
  <file-name>e:/netcracker/logs/wl-domain.log</file-name>
  <file-min-size>5120</file-min-size>
  </log>
  <server>
  <name>nctcisAdmin</name>
  <ssl>
  <enabled>true</enabled>
  <hostname-verifier xsi:nil="true"></hostname-verifier>
  <hostname-verification-ignored>false</hostname-verification-ignored>
  <client-certificate-enforced>true</client-certificate-enforced>
  <two-way-ssl-enabled>false</two-way-ssl-enabled>
  <server-private-key-alias>tcisdevbpagov_cert</server-private-key-alias>
  <server-private-key-pass-phrase-encrypted>{3DES}T21dXO5l79SRI+xSmGOE+A==</server-private-key-pass-phrase-encrypted>
  <use-server-certs>false</use-server-certs>
  </ssl>
  <log>
  <name>nctcisAdmin</name>
  <file-name>e:/netcracker/logs/weblogic.log</file-name>
  <file-min-size>5120</file-min-size>
  </log>
  <listen-port>7000</listen-port>
  <web-server>
  <name>nctcisAdmin</name>
  <web-server-log>
  <name>nctcisAdmin</name>
  <file-name>e:/netcracker/logs/access.log</file-name>
  <file-min-size>5120</file-min-size>
  </web-server-log>
  </web-server>
  <listen-address>tcis.dev.bpa.gov</listen-address>
  <key-stores>DemoIdentityAndDemoTrust</key-stores>
  <custom-identity-key-store-file-name>E:\bea\jdk150_12\bin\tcisdevbpagov_identity.jks</custom-identity-key-store-file-name>
  <custom-identity-key-store-type>JKS</custom-identity-key-store-type>
  <custom-identity-key-store-pass-phrase-encrypted>{3DES}T21dXO5l79SRI+xSmGOE+A==</custom-identity-key-store-pass-phrase-encrypted>
  <custom-trust-key-store-file-name>E:\bea\jdk150_12\bin\tcisdevbpagov_trust.jks</custom-trust-key-store-file-name>
  <custom-trust-key-store-type>JKS</custom-trust-key-store-type>
  <custom-trust-key-store-pass-phrase-encrypted>{3DES}I++r0/FEMRGFrqF47pYZJA==</custom-trust-key-store-pass-phrase-encrypted>
  </server>
  <embedded-ldap>
  <name>nctcis</name>
  <credential-encrypted>{3DES}i51JYfmoGyFTxPjiCjjtXWwza1t13k56Ls7fmdqtKB0=</credential-encrypted>
  </embedded-ldap>
  <configuration-version>9.2.3.0</configuration-version>
  <app-deployment>
  <name>NetCracker</name>
  <target>nctcisAdmin</target>
  <module-type>ear</module-type>
  <source-path>applications\NetCracker</source-path>
  <security-dd-model>DDOnly</security-dd-model>
  <staging-mode>nostage</staging-mode>
  </app-deployment>
  <app-deployment>
  <name>pictures</name>
  <target>nctcisAdmin</target>
  <module-type>war</module-type>
  <source-path>e:\pictures</source-path>
  <security-dd-model>DDOnly</security-dd-model>
  <staging-mode>nostage</staging-mode>
  </app-deployment>
  <jms-server>
  <name>NCJMSServer</name>
  <target>nctcisAdmin</target>
  <temporary-template-resource>NCJMSModule</temporary-template-resource>
  <temporary-template-name>NetCrackerTemplate</temporary-template-name>
  <message-buffer-size>100000</message-buffer-size>
  </jms-server>
  <self-tuning>
  <max-threads-constraint>
  <name>MaxThreadsConstraint</name>
  <target>nctcisAdmin</target>
  <count>40</count>
  </max-threads-constraint>
  <work-manager>
  <name>default</name>
  <target>nctcisAdmin</target>
  <max-threads-constraint>MaxThreadsConstraint</max-threads-constraint>
  <work-manager-shutdown-trigger>
  <stuck-thread-count>1000</stuck-thread-count>
  </work-manager-shutdown-trigger>
  </work-manager>
  </self-tuning>
  <jms-system-resource>
  <name>NCJMSModule</name>
  <target>nctcisAdmin</target>
  <sub-deployment>
  <name>BEA_JMS_MODULE_SUBDEPLOYMENT_NCJMSServer</name>
  <target>NCJMSServer</target>
  </sub-deployment>
  <descriptor-file-name>jms/ncjmsmodule-jms.xml</descriptor-file-name>
  </jms-system-resource>
  <admin-server-name>nctcisAdmin</admin-server-name>
  <jdbc-system-resource>
  <name>NetCrackerDataSource</name>
  <target>nctcisAdmin</target>
  <descriptor-file-name>jdbc/NetCrackerDataSource-5713-jdbc.xml</descriptor-file-name>
  </jdbc-system-resource>
  <jdbc-system-resource>
  <name>NetCrackerDataSourceNonTX</name>
  <target>nctcisAdmin</target>
  <descriptor-file-name>jdbc/NetCrackerDataSourceNonTX-6926-jdbc.xml</descriptor-file-name>
  </jdbc-system-resource>
  </domain>
  Edited by: user6904153 on Sep 12, 2012 6:57 AM

• Weblogic 6.1's 2-way SSL

  I'm using wsl proxy plug-in between iPlanet Webserver 4.1SP9 and
  wsl 6.1.
  The obj.conf of iPlanet web server was configured to use path proxy:
  -------- httpd.conf --------
  Init fn="load-modules" funcs="wl_proxy,wl_init" shlib="/usr/netscape/web/plugin\
  s/lib/libproxy.so"
  Init fn="wl_init"
  <Object name="weblogic" ppath="*/weblogic/*">
  Service fn="wl_proxy" WebLogicHost="wsl61.test.com" WebLogicPort="7001" Pat
  hTrim="/weblogic"
  </Object>
  The "Seccurity" parameter "magnus.conf" is set to on and an certificate
  was installed on this iPlnet web server.
  I was able to open:
  https://iplanet.test.com:443/weblogic/console
  to set 'Client Certificate Enforced' option in
  Petstore's SSL section with port 7002.
  I can also access:
  https://iplanet.test.com:443/weblogic/estore
  to bring up the top page and some pages of the petstore sample
  program. But the browser got no data fromt the web server
  when I clicked on "Enter the "Store". I then tried to "Enter the Store"
  directly through port 7002 (without proxying through iPlanet web server)
  and it also returned on data.
  I suppose that I have to modify petstore sample codes SSL protocol -
  even in 1-way SSL verification. Is this true?
  I also tried to change WebLogicPort="7001" to "7002" in obj.conf.
  which is tied to the SSL port of wsl61 with some sample certificates.
  When I open:
  https://iplanet.test.com:443/weblogic/console
  The server couldn't locate that object. I checked the adminGuide of
  of wsl6.1 on page 13-10. It mentioned 'SecurieProxy' parameter in
  the 'Service' directive in the obj.conf has to be set to ON.
  So I appended SecureProxy="on" as the following:
  <Object name="weblogic" ppath="*/weblogic/*">
  Service fn="wl_proxy" WebLogicHost="wsl61.test.com" WebLogicPort="7002" Pat
  hTrim="/weblogic" SecureProxy="on"
  </Object>
  But it still failed to connect to port 7002 of wsl61.
  In the FAQs of wsl61 has the section:
  Does the 6.1 plug-in support two-way SSL?
  No. But the plug-in can be set-up to require the client certificate and
  pass it on to WebLogic Server. For example:
  apache ssl
  SSLVerifyClient require
  SSLVerifyDepth 10
  SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars
  +StrictRequire
  I am confused with adminGuide's page 14-49. It talked about how to
  confiure 'Mutual Authentification' breifly - it only mentioned
  the opton of 'Client Certificate Enforced' besides copying root
  certificates into 'config' directory.
  Can someone explain to me whether the 2-way authentication can be done
  via plug-in proxy? If not, what is the right way/best way for 2-way
  authentication? Is anyone have some sample programs like petstore
  that work with iPlnet Web server and wsl61 with 2-way authentication?
  Thanks in advance.
  -kl

  I got some progress after digging into appendix
  of adminGuide.
  I added two more paramaters into obj.conf
  service directive:
  <Object name="weblogics" ppath="*/weblogics/*">
  Service fn="wl_proxy" WebLogicHost="wsl61.test.com" WebLogicPort="7002" Pat\
  hTrim="/weblogics" SecureProxy="ON" TrustedCAFile="/usr/netscape/server4/alias/\
  ca.pem"
  </Object>
  When I tried:
  https://iplanet.test.com:443/weblogics/
  It didn't hang. The browser showed:
  No backend server available for connection: timed out after 10 seconds.
  But I tested backend server. It was alive.
  Anyone got this working?
  Thanks.
  -kl

• Ldapbind failed over SSL  (U2 – "one way", "U3-two way") from Oracle DB to

  Hi
  I am facing the below error when I try ldapbind (database server to OID) over SSL (U2 – “one way”, “U3-two way”)
  *** ACTION NAME:() 2010-09-29 07:09:46.691
  *** MODULE NAME:(sqlplus@alddbux01 (TNS V1-V3)) 2010-09-29 07:09:46.691
  *** SERVICE NAME:(SYS$USERS) 2010-09-29 07:09:46.691
  *** SESSION ID:(121.274) 2010-09-29 07:09:46.691
  kzld_discover received ldaptype: OID
  KZLD_ERR: DB-OID SSL auth failed. Err=0
  KZLD is doing LDAP unbind
  KZLD_ERR: found err from kzldini
  Environment details:
  OID Server:
  OS: Enterprise Linux Enterprise Linux AS release 5.3
  Hostname : aldidmux02
  Oracle Internet Directory 11.1.1.2.0
  Realm in this OID is “dc=mycmsc,dc=com”
  Oracle Database Server:
  OS: Sun Solrais 5.10
  Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
  Hostname: alddbux01
  Key points:
  1.     As per metalink notes 466662.1, I am trying to setup EUS between DB - OID.
  First difference I see here is OID version (10.1.4.0.1) in notes & using OID 11g (11.1.1.2.0) in my environment for testing.
  a)     Are these steps applicable for OID11g(11.1.1.2.0) version?
  b)     If not please provide me the references for achieving ldap authentication from Oracle database server with OID 11g as ldap user repository.
  c)     As per task1 > step3 For the first time oidctl command is used to connect & start the instance before starting services using opmnctl. What is the procedure to do the same in OID11g?
  2.     Wallet certificates in my environment OID & Database server status shows “Ready”

  Is it possible to get an answer on this one from someone who knows?
  "Leif Kristian Vadseth" <[email protected]> wrote in
  message news:[email protected]..
  In WLS 6.0 I was able to configue the server SSL protocol so that when
  accessing the server (web application) from a web browser over https, the
  browser showed a list of matching installed client certificates that the
  client can choose, but the client could choose not to present his/hers
  certificate and still continue to access the requested resources.
  In WLS 6.1 I have not been able to repeat this behaviour, even if the SSL
  configuration is exactly the same.
  The project I work in wants to have both one-way SSL (using only username
  and password for authentication) and two-way SSL (using both
  username/password and certificate for authentication) in the same server.
  Is it possible to configure the server the way I want or do we have to
  configue two servers; one that does not require mutual authentication, and
  one that requires this?
  Leif Kristian Vadseth