2-Way SSL with a WebService

Similar Messages

• Two way ssl with self signed certificate?

  How can I use a self signed certificate with two-way SSL with weblogic 7sp4?
  Specfically, I don't want to use any CA authority.
  Is it possible to simply have the clients certificate in the servers truststore or not?
  I pull out the certificate via
  javax.servlet.request.X509Certificate
  but when I use a self signed certificate it's never there.
  If I instead use a certificate that was created with CertGen it works. But CertGen uses the GenCertCA to create the certificate chain.

  How can I use a self signed certificate with two-way SSL with weblogic 7sp4?
  Specfically, I don't want to use any CA authority.
  Is it possible to simply have the clients certificate in the servers truststore or not?
  I pull out the certificate via
  javax.servlet.request.X509Certificate
  but when I use a self signed certificate it's never there.
  If I instead use a certificate that was created with CertGen it works. But CertGen uses the GenCertCA to create the certificate chain.

• Two way SSL with jax-ws on weblogic 10.3.1.1

  I'm desperately trying to create a webservice client using jax-ws for two way ssl (mutual authentication). The client shoud be a web service (war) not a normal fat java client (jar).Could someone please give me any help? I've tried with the ssl context but it dosn't work :(
  BlokIzmenjava service= new BlokIzmenjava(new URL("https://wwwt.ajpes.si/wsBlokIzmenjava/BlokIzmenjava.asmx?WSDL"), new QName("http://www.ajpes.si/blok_izmenjava", "BlokIzmenjava"));
  BlokIzmenjavaSoap port=service.getBlokIzmenjavaSoap();
  KeyStore ks = KeyStore.getInstance("JKS");
  ks.load(new FileInputStream("D:/Podatki/Workspace1031/TestWorkSpace/TestWS/src/nkbm/ws/Ajpes.jks"), "trustpass".toCharArray());
  KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
  kmf.init(ks, "trustpass".toCharArray());
  javax.net.ssl.SSLContext sslCtx = SSLContext.getInstance("SSL");
  TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
  tmf.init(ks);
  TrustManager tms[] = tmf.getTrustManagers();
  sslCtx.init(kmf.getKeyManagers(), tms, null);
  javax.net.ssl.SSLSocketFactory ssl = (javax.net.ssl.SSLSocketFactory) sslCtx.getSocketFactory();
  Map<String, Object> requestContext = ((BindingProvider) port).getRequestContext();
  requestContext.put(com.sun.xml.internal.ws.developer.JAXWSProperties.SSL_SOCKET_FACTORY, ssl);
  port.test("aaaaa");
  The thing is that this solution works on a fat client(as a jar) but it dosn't work as a client (webservice) deployed on weblogic server. I've also set the everything in the weblogic console (SSL,keystores) and it still dosn't work :(
  any help would b appretiated!
  thank you!
  Edited by: user10677650 on 30.6.2010 6:37

  Isn't the SSL adapter meant to be used for jax-rpc webservices?
  "JAX-RPC clients can use the SSLAdapter mechanism described in Using a Custom SSL Adapter with Reliable Messaging to persist the state of a request over an SSL connection"
  I have already tried with weblogic.wsee.jaxws.sslclient.SSLClientUtil...still I always get the error (this error is with ssl debug mode on)....
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 31921099>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write SSL_20_RECORD>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 994001646
  Issuer:C=si, O=state-institutions, OU=sigen-ca
  Subject:C=si, O=state-institutions, OU=sigen-ca, OU=org-web, OU=AJPES - 14717468, CN=WWWT.AJPES.SI + ?=2345775710058
  Not Valid Before:Fri Nov 17 14:26:17 CET 2006
  Not Valid After:Thu Nov 17 14:56:17 CET 2011
  Signature Algorithm:SHA1withRSA
  >
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 994001646
  Issuer:C=si, O=state-institutions, OU=sigen-ca
  Subject:C=si, O=state-institutions, OU=sigen-ca, OU=org-web, OU=AJPES - 14717468, CN=WWWT.AJPES.SI + ?=2345775710058
  Not Valid Before:Fri Nov 17 14:26:17 CET 2006
  Not Valid After:Thu Nov 17 14:56:17 CET 2011
  Signature Algorithm:SHA1withRSA
  >
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 0>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 0>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (0): NONE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Performing hostname validation checks: wwwt.ajpes.si>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(sock): 12457751>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <close(): 27314217>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 31288249>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 262>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received CHANGE_CIPHER_SPEC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Finished>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 342>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 493>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <5095980 read(offset=0, length=8192)>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: HelloRequest>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 147>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 994001646
  Issuer:C=si, O=state-institutions, OU=sigen-ca
  Subject:C=si, O=state-institutions, OU=sigen-ca, OU=org-web, OU=AJPES - 14717468, CN=WWWT.AJPES.SI + ?=2345775710058
  Not Valid Before:Fri Nov 17 14:26:17 CET 2006
  Not Valid After:Thu Nov 17 14:56:17 CET 2011
  Signature Algorithm:SHA1withRSA
  >
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 994001646
  Issuer:C=si, O=state-institutions, OU=sigen-ca
  Subject:C=si, O=state-institutions, OU=sigen-ca, OU=org-web, OU=AJPES - 14717468, CN=WWWT.AJPES.SI + ?=2345775710058
  Not Valid Before:Fri Nov 17 14:26:17 CET 2006
  Not Valid After:Thu Nov 17 14:56:17 CET 2011
  Signature Algorithm:SHA1withRSA
  >
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 0>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 0>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (0): NONE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Performing hostname validation checks: wwwt.ajpes.si>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: CertificateRequest>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <No suitable identity certificate chain has been found.>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 7>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 262>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received CHANGE_CIPHER_SPEC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Finished>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received APPLICATION_DATA: databufferLen 0, contentLength 2073>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <5095980 read databufferLen 2073>
  <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <5095980 read A returns 2073>
  1.7.2010 8:38:39 com.sun.xml.ws.server.sei.EndpointMethodHandler invoke
  SEVERE: The server sent HTTP status code 403: Forbidden
  com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 403: Forbidden
       at com.sun.xml.ws.transport.http.client.HttpTransportPipe.checkStatusCode(HttpTransportPipe.java:225)
       at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:191)
       at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:101)
       at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:604)
       at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:563)
       at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:548)
       at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:445)
       at com.sun.xml.ws.client.Stub.process(Stub.java:246)
       at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
       at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
       at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
       at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
       at $Proxy166.blokVrni(Unknown Source)
       at nkbm.ws.TestAjpes1.hello(TestAjpes1.java:59)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:101)
       at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:83)
       at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:152)
       at com.sun.xml.ws.server.sei.EndpointMethodHandler.invoke(EndpointMethodHandler.java:264)
       at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:93)
       at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:604)
       at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:563)
       at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:548)
       at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:445)
       at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:249)
       at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:453)
       at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:250)
       at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:140)
       at weblogic.wsee.jaxws.HttpServletAdapter$AuthorizedInvoke.run(HttpServletAdapter.java:298)
       at weblogic.wsee.jaxws.HttpServletAdapter.post(HttpServletAdapter.java:211)
       at weblogic.wsee.jaxws.JAXWSServlet.doPost(JAXWSServlet.java:297)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
       at weblogic.wsee.jaxws.JAXWSServlet.service(JAXWSServlet.java:87)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3590)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2200)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2106)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1428)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  <1.7.2010 8:39:01 CEST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 0
  java.lang.Exception: New alert stack
       at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
       at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
       at weblogic.net.http.HttpClient.closeServer(HttpClient.java:528)
       at weblogic.net.http.KeepAliveCache$1.run(KeepAliveCache.java:111)
       at java.util.TimerThread.mainLoop(Timer.java:512)
       at java.util.TimerThread.run(Timer.java:462)
  >
  <1.7.2010 8:39:01 CEST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
  <1.7.2010 8:39:01 CEST> <Debug> <SecuritySSL> <BEA-000000> <close(): 5095980>
  <1.7.2010 8:39:01 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 31921099>
  any ideas?
  thank you again!
  Edited by: user10677650 on 30.6.2010 23:42

• Enbaling SSL with my remote server

  Hi All,
  I have successfully configured one-way SSL with my normal web application on weblogic server. I am now working on creating a webservice to query with a database server. I would like to know what is the best way to establish SSL between my web service and the remote databaserver.
  Environment:
  Creating a composite application(SOA) using JDeveloper. Only one of the webservice is querying with the database. This communication needs to be secure, so need to establish SSL.
  SOA Suite 11g
  Scenario:
  Webservice-> SSL -> Database server(remote)
  Thanks in advance
  /Shashi
  Edited by: Shashi_sr on Aug 30, 2010 7:50 AM

  Copy the services-config.xml (and friends) to your local project.
  The compiler switch does not support URLs.
  Tom

• Implementing 2-way ssl

  Hi i have configured the keystore as "Custom Identity and Custom Trust", given the key store names for both given the Identity alisa name under the 'SSL' tab, in 'Advanced' i am enforcing for client certificate. But when i start to access the application, i see the following error
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Alert received from peer, notifying peer we received it: com.certicom.tls.record.alert.Alert@16a86fc>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Warning> <Security> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-090481> <NO_CERTIFICATE alert was received from ASST218297.uk.pri.o2.com - 172.17.247.10. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NO_CERTIFICATE received by peer, checking with TrustManager>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <validationCallback: validateErr = 0>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Required peer certificates not supplied by peer>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: certPathValStype = 0>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: validateErr = 4>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: returning false because of built-in SSL validation errors>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <weblogic user specified trustmanager validation status 4>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Warning> <Security> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-090508> <Certificate chain received from ASST218297.uk.pri.o2.com - 172.17.247.10 was incomplete.>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Validation error = 4>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Certificate chain is incomplete>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <User defined JSSE trustmanagers not allowed to override>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <SSLTrustValidator returns: 68>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Trust failure (68): CERT_CHAIN_INCOMPLETE>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NO_CERTIFICATE received by peer, not trusted, sending HANDSHAKE_FAILURE to peer>
  ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
  java.lang.Exception: New alert stack
       at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
       at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
       at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
       at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
       at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
       at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  any replies please....

  Hi,
  thanks, actually while searching in the net, i found a blog where there were a few steps for implementing 2-way SSL in weblogic.
  http://huyplus.blogspot.com/2010/02/2-way-ssl-with-weblogic-server-103.html?showComment=1267793234806_AIe9_BGsO6q6ENB4YZWtQyX53CzpN8TWcSn08RqNv6z8W3V7NRI3Qlcf4NuEM35O1niTSsYXd4rxjfUT63J2XFXOHjY8W56_sC-E3MGydylLHxDivVEjR0pQnSPv_Tx7CXOqT64AGNhhs06MEM9CBhpOtHcUHwvQMPtPeDAAJcwP1I9TzEIGNzNEQlWn9INrvLzP9_RAYESO3Wcxbl6b9eRgZt_jktfllVbxcvztIV3zoeQ8XlqgpN4S7Z82yCbUS1E7lFl46FZK#c8740869862805814451
  fortunately, this is working, i mean the server is working as expected, but in the console, it says that the certificate chain is incomplete....
  Anyways thanks for the links and suggestions...
  if possible could you please provide me some reference for resolving this issue.
  Thanks again
  Sharma

• Problems setting up 2way SSL with option Client certs requested Not Enfor

  Hi,
  Iam having problems trying to set up 2 way SSL with the option "Clients Certs Requested But Not Enforced". I am using DefaultIdentityAsserter with my own implementation of UserNameMapper. And I have the login-config set to CLIENT-CERT in web.xml. I have tested this setup and it works when I have "Client Certs Requested and Enforced" but when I change it to "Requested and not enforced" it gives an 401 unauthorized exception.
  Any help with this will be greatly appreciated.
  Thanks
  Praveena.

  Hi Peter,
  I'm afraid not, I turned to Apple support forums, followed their advice for troubleshooting Mac Mail (obviously not relevant to you using Outlook) but It involved scanning ports checking firewalls etc, all of this was clear and I just cannot see the problem.
  I even got one of the Livechat BC guys to look into it, by setting up a dummy email address on the client's account, I think he was rather intrigued, but I'm not sure he's had much luck as he still hasn't got back to and that was over 20 hours ago.
  Can your client receive emails? I can only get my client's account receiving emails, when I try to send an email I just keep receiving an message telling me that it cannot connect to smtp!
  According to the BC fact sheet for sending and receiving emails: "By Default, email software will set the SMTP port to 25, which is the standard port for the smtp protocol. However our mail service has two alternative ports available that you can send through. 8025 or 587.
  However it's not blocked and those port settings didn't work either.
  The Apple fact sheet made mention to firewall settings possibly also blocking, but it's not relevant to me using my version of OS.
  Good luck, and please repost if you get any further.
  I am now just looking for a reason that my client's mail WONT work on Mac Mail, just so I can sound professional when I tell them the answer is "no".
  Penny

• Urgent : Problem with Client when OC4J has been setup in 2 way SSL mode

  This is the output that is generated in the JDeveloper console on running the example from b14429.pdf. Examle :
  ====================================================
  import HTTPClient.HTTPConnection;
  import HTTPClient.HTTPResponse;
  import javax.security.cert.X509Certificate;
  import oracle.security.ssl.OracleSSLCredential;
  import java.io.IOException;
  import javax.net.ssl.SSLPeerUnverifiedException;
  public class SSLSocketClientWithClientAuth {
  public static void main(String[] args) {
  if (args.length < 4) {
  System.out.println("Usage: java HTTPSConnectionTest [host] [port] " +
  "[wallet] [password]");
  System.exit(-1);
  String hostname = args[0].toLowerCase();
  int port = Integer.decode(args[1]).intValue();
  String walletPath = args[2];
  String password = args[3];
  HTTPConnection httpsConnection = null;
  OracleSSLCredential credential = null;
  try {
  httpsConnection = new HTTPConnection("https", hostname, port);
  } catch (IOException e) {
  System.out.println("HTTPS Protocol not supported");
  System.exit(-1);
  try {
  credential = new OracleSSLCredential();
  credential.setWallet(walletPath, password);
  } catch (IOException e) {
  System.out.println("Could not open wallet");
  System.exit(-1);
  httpsConnection.setSSLEnabledCipherSuites(new String[]{"SSL_RSA_WITH_3DES_EDE_CBC_SHA"});
  httpsConnection.setSSLCredential(credential);
  try {
  httpsConnection.connect();
  } catch (IOException e) {
  System.out.println("Could not establish connection");
  e.printStackTrace();
  System.exit(-1);
  // X509Certificate x509 = new X509Certificate();
  //javax.servlet.request.
  X509Certificate[] peerCerts = null;
  try {
  peerCerts =
  (httpsConnection.getSSLSession()).getPeerCertificateChain();
  } catch (javax.net.ssl.SSLPeerUnverifiedException e) {
  System.err.println("Unable to obtain peer credentials");
  e.printStackTrace();
  System.exit(-1);
  String peerCertDN =
  peerCerts[peerCerts.length - 1].getSubjectDN().getName();
  peerCertDN = peerCertDN.toLowerCase();
  if (peerCertDN.lastIndexOf("cn=" + hostname) == -1) {
  System.out.println("Certificate for " + hostname +
  " is issued to " + peerCertDN);
  System.out.println("Aborting connection");
  System.exit(-1);
  try {
  HTTPResponse rsp = httpsConnection.Get("/");
  System.out.println("Server Response: ");
  System.out.println(rsp);
  } catch (Exception e) {
  System.out.println("Exception occured during Get");
  e.printStackTrace();
  System.exit(-1);
  ================================================================
  C:\j2sdk1.4.2_09\bin\javaw.exe -client -classpath "D:\eclipse\workspace\OC4JClient\OC4JClient\classes;D:\eclipse\workspace\jdev\extensions\.jar;C:\Documents and Settings\nilesh_bafna\Desktop\Nitin\lib\jssl-1_1.jar;E:\product\10.1.3.1\OracleAS_1\j2ee\home\lib\http_client.jar;E:\product\10.1.3.1\OracleAS_1\jlib\javax-ssl-1_1.jar" -Djava.protocol.handler.pkgs=HTTPClient -Djavax.net.debug=ssl -Djavax.net.ssl.keyStore=F:/oc4jcert/client.keystore -Djavax.net.ssl.keyStorePassword=welcome1 -Djavax.net.ssl.trustStore=F:/oc4jcert/client.keystore -Djavax.net.ssl.trustStorePassword=welcome1 -DOracle.ssl.defaultCipherSuites=SSL_RSA_WITH_RC4_128_MD5 SSLSocketClientWithClientAuth ps4372.persistent.co.in 443 F:/oc4jcert/client.keystore welcome1
  keyStore is : F:/oc4jcert/client.keystore
  keyStore type is : jks
  init keystore
  init keymanager of type SunX509
  found key for : oracle-client
  chain [0] = [
  Version: V3
  Subject: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: SunJSSE RSA public key:
  public exponent:
  010001
  modulus:
  87fcc8e9 0ffcef8e 61f3be10 be7c9715 2792849b 3bbdeb1c cc76b337 4b82bbab
  86972c63 9af3adfd 35b5df99 9078a0d1 6dc760d8 0549a95a bfa7648a 9eadd326
  a6bc4b61 d8f8b42f 44e0b178 ff1dee20 db8406cd d800c26a 9c5a6ed9 4d6f2aef
  bc919814 3b46be39 e129280c e83afe12 c9d4e3d7 fb5787b1 d98bed4a 4f0833d5
  Validity: [From: Thu Jan 18 21:18:14 GMT+05:30 2007,
                 To: Wed Apr 18 21:18:14 GMT+05:30 2007]
  Issuer: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
  SerialNumber: [    45af96be]
  Algorithm: [MD5withRSA]
  Signature:
  0000: 41 47 35 41 90 10 E3 77 A7 F3 F5 81 37 49 4F 57 AG5A...w....7IOW
  0010: 01 11 82 A2 FB 69 46 E8 18 6C EE 11 23 A6 67 2E .....iF..l..#.g.
  0020: 68 4D D6 A6 E7 09 45 24 58 18 9A E5 44 49 10 9B hM....E$X...DI..
  0030: F1 EC 99 4A 45 5F A4 4F 71 3F 05 3D 45 29 42 CD ...JE_.Oq?.=E)B.
  0040: 11 87 DA 0C AA DC 55 4E CF 22 4A 94 85 CB E5 EB ......UN."J.....
  0050: BA E1 10 D2 C8 80 2C 6B 65 94 13 01 1F 6E 18 C3 ......,ke....n..
  0060: 87 33 8C 65 C7 03 16 03 24 FB 0D B0 6D D8 E7 AA .3.e....$...m...
  0070: A1 A5 48 90 0D D6 8C 47 50 2A AA 7C 7B 14 E5 B7 ..H....GP*......
  trustStore is: F:\oc4jcert\client.keystore
  trustStore type is : jks
  init truststore
  adding as trusted cert:
  Subject: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
  Issuer: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
  Algorithm: RSA; Serial number: 0x45af96be
  Valid from Thu Jan 18 21:18:14 GMT+05:30 2007 until Wed Apr 18 21:18:14 GMT+05:30 2007
  adding as trusted cert:
  Subject: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
  Issuer: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
  Algorithm: RSA; Serial number: 0x45af95dc
  Valid from Thu Jan 18 21:14:28 GMT+05:30 2007 until Wed Apr 18 21:14:28 GMT+05:30 2007
  init context
  trigger seeding of SecureRandom
  done seeding SecureRandom
  %% No cached client session
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1152299454 bytes = { 41, 212, 166, 48, 109, 77, 185, 232, 204, 95, 158, 141, 60, 96, 196, 172, 49, 19, 49, 22, 222, 234, 47, 76, 27, 130, 5, 176 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
  Compression Methods: { 0 }
  main, WRITE: TLSv1 Handshake, length = 73
  main, WRITE: SSLv2 client hello message, length = 98
  main, READ: TLSv1 Handshake, length = 839
  *** ServerHello, TLSv1
  RandomCookie: GMT: 1152299454 bytes = { 206, 186, 162, 116, 179, 72, 44, 198, 189, 25, 70, 227, 170, 235, 83, 186, 152, 49, 194, 222, 248, 3, 191, 170, 248, 95, 134, 35 }
  Session ID: {69, 175, 178, 190, 47, 141, 131, 115, 241, 226, 39, 29, 241, 65, 235, 165, 57, 40, 52, 85, 68, 85, 68, 84, 108, 141, 1, 125, 193, 191, 158, 208}
  Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
  Compression Method: 0
  %% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
  ** SSL_RSA_WITH_RC4_128_MD5
  *** Certificate chain
  chain [0] = [
  Version: V3
  Subject: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: SunJSSE RSA public key:
  public exponent:
  010001
  modulus:
  6f24d75b 96919725 ad6ea93a cab0bd96 a49d2f3c e14f5c09 0e228e36 de64e0f2
  f2b82740 1653bdb4 5024d281 21ed8c4c 89bc322b 4dc9ffb2 0e97cd95 16e6fe1e
  380340c9 f3c67e2c 18d06461 f4f30eaf 4394716e 7bc66d80 810a9cb5 9c168b36
  cdd99919 67074ebc edebf02e ebf0accb 2193bc38 7ae1cdda af5ff300 ed0e7763
  Validity: [From: Thu Jan 18 21:14:28 GMT+05:30 2007,
                 To: Wed Apr 18 21:14:28 GMT+05:30 2007]
  Issuer: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
  SerialNumber: [    45af95dc]
  Algorithm: [MD5withRSA]
  Signature:
  0000: 05 4E EE 12 5B DD 7F 26 92 37 67 C9 D0 73 46 4D .N..[..&.7g..sFM
  0010: 7E A5 1E 67 38 06 D9 5F 9F B7 2F E8 F6 9E BF 88 ...g8.._../.....
  0020: 01 31 7D EA 42 5E 4F 9E D7 8F DA 9F 94 A5 EF 47 .1..B^O........G
  0030: E3 E9 BA DE 94 15 C6 03 DE C9 C0 7D CE 58 C0 27 .............X.'
  0040: 0F 1A 66 EC 73 53 5D 1D DE 7E FA 35 15 E0 2A CC ..f.sS]....5..*.
  0050: C9 74 CC 58 E9 B6 2F 68 A0 89 2B F3 E6 61 7D E1 .t.X../h..+..a..
  0060: 21 AF BE E8 83 49 B1 BD 36 C5 2D 1B 0D A1 0E 63 !....I..6.-....c
  0070: 02 4A 82 71 B0 E1 9C AD 55 67 F9 17 A5 96 18 EB .J.q....Ug......
  Found trusted certificate:
  Version: V3
  Subject: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: SunJSSE RSA public key:
  public exponent:
  010001
  modulus:
  6f24d75b 96919725 ad6ea93a cab0bd96 a49d2f3c e14f5c09 0e228e36 de64e0f2
  f2b82740 1653bdb4 5024d281 21ed8c4c 89bc322b 4dc9ffb2 0e97cd95 16e6fe1e
  380340c9 f3c67e2c 18d06461 f4f30eaf 4394716e 7bc66d80 810a9cb5 9c168b36
  cdd99919 67074ebc edebf02e ebf0accb 2193bc38 7ae1cdda af5ff300 ed0e7763
  Validity: [From: Thu Jan 18 21:14:28 GMT+05:30 2007,
                 To: Wed Apr 18 21:14:28 GMT+05:30 2007]
  Issuer: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
  SerialNumber: [    45af95dc]
  Algorithm: [MD5withRSA]
  Signature:
  0000: 05 4E EE 12 5B DD 7F 26 92 37 67 C9 D0 73 46 4D .N..[..&.7g..sFM
  0010: 7E A5 1E 67 38 06 D9 5F 9F B7 2F E8 F6 9E BF 88 ...g8.._../.....
  0020: 01 31 7D EA 42 5E 4F 9E D7 8F DA 9F 94 A5 EF 47 .1..B^O........G
  0030: E3 E9 BA DE 94 15 C6 03 DE C9 C0 7D CE 58 C0 27 .............X.'
  0040: 0F 1A 66 EC 73 53 5D 1D DE 7E FA 35 15 E0 2A CC ..f.sS]....5..*.
  0050: C9 74 CC 58 E9 B6 2F 68 A0 89 2B F3 E6 61 7D E1 .t.X../h..+..a..
  0060: 21 AF BE E8 83 49 B1 BD 36 C5 2D 1B 0D A1 0E 63 !....I..6.-....c
  0070: 02 4A 82 71 B0 E1 9C AD 55 67 F9 17 A5 96 18 EB .J.q....Ug......
  *** CertificateRequest
  Cert Types: RSA, DSS,
  Cert Authorities:
  <CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US>
  *** ServerHelloDone
  matching alias: oracle-client
  *** Certificate chain
  chain [0] = [
  Version: V3
  Subject: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key: SunJSSE RSA public key:
  public exponent:
  010001
  modulus:
  87fcc8e9 0ffcef8e 61f3be10 be7c9715 2792849b 3bbdeb1c cc76b337 4b82bbab
  86972c63 9af3adfd 35b5df99 9078a0d1 6dc760d8 0549a95a bfa7648a 9eadd326
  a6bc4b61 d8f8b42f 44e0b178 ff1dee20 db8406cd d800c26a 9c5a6ed9 4d6f2aef
  bc919814 3b46be39 e129280c e83afe12 c9d4e3d7 fb5787b1 d98bed4a 4f0833d5
  Validity: [From: Thu Jan 18 21:18:14 GMT+05:30 2007,
                 To: Wed Apr 18 21:18:14 GMT+05:30 2007]
  Issuer: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
  SerialNumber: [    45af96be]
  Algorithm: [MD5withRSA]
  Signature:
  0000: 41 47 35 41 90 10 E3 77 A7 F3 F5 81 37 49 4F 57 AG5A...w....7IOW
  0010: 01 11 82 A2 FB 69 46 E8 18 6C EE 11 23 A6 67 2E .....iF..l..#.g.
  0020: 68 4D D6 A6 E7 09 45 24 58 18 9A E5 44 49 10 9B hM....E$X...DI..
  0030: F1 EC 99 4A 45 5F A4 4F 71 3F 05 3D 45 29 42 CD ...JE_.Oq?.=E)B.
  0040: 11 87 DA 0C AA DC 55 4E CF 22 4A 94 85 CB E5 EB ......UN."J.....
  0050: BA E1 10 D2 C8 80 2C 6B 65 94 13 01 1F 6E 18 C3 ......,ke....n..
  0060: 87 33 8C 65 C7 03 16 03 24 FB 0D B0 6D D8 E7 AA .3.e....$...m...
  0070: A1 A5 48 90 0D D6 8C 47 50 2A AA 7C 7B 14 E5 B7 ..H....GP*......
  JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
  *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
  Random Secret: { 3, 1, 236, 206, 185, 158, 75, 201, 230, 16, 170, 40, 193, 70, 188, 134, 36, 134, 14, 20, 191, 121, 246, 8, 7, 2, 137, 66, 166, 10, 185, 246, 104, 154, 27, 82, 161, 133, 11, 130, 11, 130, 71, 84, 155, 165, 239, 227 }
  main, WRITE: TLSv1 Handshake, length = 763
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 EC CE B9 9E 4B C9 E6 10 AA 28 C1 46 BC 86 ......K....(.F..
  0010: 24 86 0E 14 BF 79 F6 08 07 02 89 42 A6 0A B9 F6 $....y.....B....
  0020: 68 9A 1B 52 A1 85 0B 82 0B 82 47 54 9B A5 EF E3 h..R......GT....
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 45 AF B2 BE 29 D4 A6 30 6D 4D B9 E8 CC 5F 9E 8D E...)..0mM..._..
  0010: 3C 60 C4 AC 31 13 31 16 DE EA 2F 4C 1B 82 05 B0 <`..1.1.../L....
  Server Nonce:
  0000: 45 AF B2 BE CE BA A2 74 B3 48 2C C6 BD 19 46 E3 E......t.H,...F.
  0010: AA EB 53 BA 98 31 C2 DE F8 03 BF AA F8 5F 86 23 ..S..1......._.#
  Master Secret:
  0000: CA 5C BA B3 D0 C9 26 A9 3A 06 08 8F 27 2E CE 17 .\....&.:...'...
  0010: 93 98 BC DF EF 78 2A 99 DB 3E 50 3B 01 D1 84 5F .....x*..>P;..._
  0020: 28 80 CE 7C 7C C1 12 A4 11 F6 33 9B 2E D9 6F BE (.........3...o.
  Client MAC write Secret:
  0000: 80 FF CE 99 7C 45 4C D8 60 FA 40 79 A2 A4 36 7C .....EL.`[email protected].
  Server MAC write Secret:
  0000: 2D F1 A0 A8 ED A1 7B DD 89 A5 01 90 43 BF F1 19 -...........C...
  Client write key:
  0000: E1 3F 33 54 D3 C5 3A 26 4A 41 65 DA AC 44 3B 28 .?3T..:&JAe..D;(
  Server write key:
  0000: C5 08 52 AE A9 0A 4F D0 AD 54 49 C6 4E 2F 9C 4E ..R...O..TI.N/.N
  ... no IV for cipher
  JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
  *** CertificateVerify
  main, WRITE: TLSv1 Handshake, length = 134
  main, WRITE: TLSv1 Change Cipher Spec, length = 1
  main, handling exception: java.net.SocketException: Software caused connection abort: socket write error
  main, SEND TLSv1 ALERT: fatal, description = unexpected_message
  main, WRITE: TLSv1 Alert, length = 2
  Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
  main, called closeSocket()
  IOException in getSession(): java.net.SocketException: Software caused connection abort: socket write error
  Unable to obtain peer credentials
  javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
       at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA12275)
       at SSLSocketClientWithClientAuth.main(SSLSocketClientWithClientAuth.java:56)
  Process exited with exit code -1.
  =====================================================
  I think this is the problem with ciphers. So can anybody please help me with this!!!. This is very urgent!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  Thanks in advance
  Nilesh

  Thanks for your prompt reply I was able to make it run. Actually I am using the same keystore and truststore at both the client and the server end. I added those properties in opmn.xml as startup parameters.
  I have another query I am using JDev to create a client proxy for my webservice that is deployed in OC4J. I have setup OC4J in 2 way SSL (mutual authentication)
  When I invoke my client proxy with these system properties set
  System.setProperty("javax.net.ssl.keyStore",keyStore);
  System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
  System.setProperty("javax.net.ssl.trustStore", trustStore);
  System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);
  System.setProperty("javax.net.ssl.keyStoreType","JKS");
  System.setProperty("javax.net.ssl.trustStoreType","JKS");
  I get an exception in the log.xml which is
  <MSG_TEXT>IOException in ServerSocketAcceptHandler$AcceptHandlerHorse:run</MSG_TEXT>
  <SUPPL_DETAIL><![CDATA[javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
              at com.sun.net.ssl.internal.ssl.ServerHandshaker.handshakeAlert(ServerHandshaker.java:1031)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1535)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
              at oracle.oc4j.network.ServerSocketAcceptHandler.doSSLHandShaking(ServerSocketAcceptHandler.java:250)
              at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:868)
              at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
              at java.lang.Thread.run(Thread.java:595)
  ]]></SUPPL_DETAIL>
  Isn't setting these properties enough for sending a client certificate. Please help!!!!
  Thanks,
  Nilesh.

• 2-Way SSL and Webservices

  Greetings,
  After spending some time searching the docs and several dev2dev newsgroups I haven't been able to find a clear cut answer to an urgent question:
  I have a two webservices, the client (.jpd) and the server (.jws) which are installed on a separate weblogic 8.1 instances on different machines. The requirement is that the webservices must communicate with one another only over a 2-Way SSL connection.
  My question is how to setup this 2-way SSL configuration between the client and sever webservices. Do I need to write code or can I configure it using the web.xml files of the two webservies? I don't think it would make sense to configure the two weblogic instances to always use 2-WaySSL (via the startup script or config.xml), in which case the webservies might not inherit the truststore and other SSL connfiguration of the respective instances.
  If someone has already solved this problem, I would appreaciate to hear from you. This is an urgent problem and I am stumped. Any help would be appreciated!
  Regards

  Hi,
  I am trying to use 2 way ssl using webservices client , here is my code :
  AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
  SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
  WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
  // clientCredentialFile stores in PEM format the public key and
  // all the CAs associated with it + then the private key. All this in // a concatenated manner
  FileInputStream clientCredentialFile = new FileInputStream ("C:\\sslcert\\client-pub3.pem");
  // private key password
  String pwd = "password";
  adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
  adapter.setVerbose(true);
  adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
  adapter.setStrictCheckingDefault(false);
  factory.setDefaultAdapter(adapter);
  factory.setUseDefaultAdapter(true);
  boolean idAvailability = false;
  UNSLocator locator = new UNSLocator();
  URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
  UNSPort unsprt = locator.getUNSPort(portAddress);
  idAvailability = unsprt.isIDAvailable("Yulin125", "C");
  System.out.println("Got from method :"+idAvailability);
  After runing this code i am getting the following exception :
  AxisFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
  faultSubcode:
  faultString: java.net.SocketException: Software caused connection abort: socket write error
  faultActor:
  faultNode:
  faultDetail:
  I am using .pem (clientsigned,clientinter,clientroot, root-key) files for client authentication and i am using server.jks as a keystore for my server authentication.Once i run this code , i am able to present the server certificate chain to the client but i am not able to present the client certificate chain to server.
  I am stuck with for quite sometime.
  Some insight needed from the guru's

• Managed Server will not start with 2-way SSL enabled

  When attempting to start a managed server, using the nodemanager (all of the servers have two-way ssl configured...using the same keystores) the start-up fails, giving the following error:
  <Warning> <Security> <BEA-090497> <HANDSHAKE_FAILURE alert received from hostname - ip address. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.>
  Hostname verification is off for all of the servers and the trust store should trust the certificate in the identity store.
  Is this an issue with the managed server not being able to pass the identity certificate during the handshake?
  Thanks in advance for any help!

  hi
  the following link may hekpful to you
  http://webservices.bea.com:8080/Clarify/getCaseDetails.do?caseID=537204
  open a support case with bea
  Regards
  Prasanna Yalam

• Help with getting Web Start working with two-way SSL

  I have successfully transferred data (myclient.jnlp) utilizing web browsers (IE and Mozilla) from my web server (which is set up for two-way SSL "CLIENT-CERT" required) after using the browser's utility to "import" my client-side cert (in .p12 format).
  After the browser connects and downloads the "myclient.jnlp" contents and places it in a temporary file, it then kicks off the javaws process with the temporary file as a parameter. The first thing javaws does is utilize the codebase and href values (found in the temporary file) to make a "GET" call to the server for the "myclient.jnlp" file (again).
  However, this fails (with a SSL handshake error) since javaws uses a different keystore than IE - the server does not receive the client-side cert. I have imported the root CA and the client cert (in .pem format) into the $JAVA_HOME/jre/lib/security/cacerts file using the keytool command but alas my server still indicates a lack of a client-side cert.
  Has anyone else tried this and got it working?

  Hi Richard,
  Indeed it appears that the 1.5 version will have more built-in capability for client certs. It has the look of the IE browser import capability. Unfortunately, I am stuck with having to utilize 1.4.2 for the time being. Since I have posted my original message I have found more information but have yet to get it all working. The truststore in javaws 1.4.2 does have a default (the 1.4.2 jre's cacert file - stragely enough not the same one that gets updated when you import the root CA! - but this has been noted in many other threads). The javaws keystore does not have a default and I have tried, to no avail yet, to utilize some command line parameters, see http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#Customization - to get my client cert "available" and recognized by javaws.
  With the help of some debug flags here is the output on my javaws "output" log - all seems to go well up to the point of the client's Certificate chain (which appears to be empty), after the ServerHelloDone :
  trustStore is: C:\j2sdk1.4.2_04\jre\lib\security\cacerts
  trustStore type is : jks
  init truststore
  adding as trusted cert:
  snipped all the regular trusted certs, left my root CA as proof it is recognized...
  adding as trusted cert:
  Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
  Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
  Algorithm: RSA; Serial number: 0x0
  Valid from Wed May 26 16:38:59 EDT 2004 until Fri Jun 25 16:38:59 EDT 2004
  trigger seeding of SecureRandom
  done seeding SecureRandom
  %% No cached client session
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1070211537 bytes = { 205, 211, 129, 234, 88, 129, 152, 176, 223, 180, 161, 138, 246, 183, 181, 89, 61, 252, 63, 35, 21, 34, 253, 32, 254, 124, 38, 198 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
  Compression Methods: { 0 }
  [write] MD5 and SHA1 hashes: len = 73
  0000: 01 00 00 45 03 01 40 CA 22 D1 CD D3 81 EA 58 81 ...E..@.".....X.
  0010: 98 B0 DF B4 A1 8A F6 B7 B5 59 3D FC 3F 23 15 22 .........Y=.?#."
  0020: FD 20 FE 7C 26 C6 00 00 1E 00 04 00 05 00 2F 00 . ..&........./.
  0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
  0040: 03 00 08 00 14 00 11 01 00 .........
  Thread-3, WRITE: TLSv1 Handshake, length = 73
  [write] MD5 and SHA1 hashes: len = 98
  0000: 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 ....9... .......
  0010: 00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 ..../..3..2.....
  0020: C0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15 ............@...
  0030: 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 ................
  0040: 00 11 40 CA 22 D1 CD D3 81 EA 58 81 98 B0 DF B4 ..@.".....X.....
  0050: A1 8A F6 B7 B5 59 3D FC 3F 23 15 22 FD 20 FE 7C .....Y=.?#.". ..
  0060: 26 C6 &.
  Thread-3, WRITE: SSLv2 client hello message, length = 98
  Thread-3, READ: TLSv1 Handshake, length = 58
  *** ServerHello, TLSv1
  RandomCookie: GMT: 1070211539 bytes = { 81, 106, 82, 45, 233, 226, 89, 6, 38, 240, 71, 122, 90, 226, 255, 207, 9, 102, 205, 127, 223, 211, 4, 84, 79, 16, 101, 89 }
  Session ID: {34, 167, 132, 174, 141, 4, 57, 197, 190, 207, 105, 117, 241, 9, 97, 81}
  Cipher Suite: SSL_RSA_WITH_DES_CBC_SHA
  Compression Method: 0
  %% Created: [Session-1, SSL_RSA_WITH_DES_CBC_SHA]
  ** SSL_RSA_WITH_DES_CBC_SHA
  [read] MD5 and SHA1 hashes: len = 58
  0000: 02 00 00 36 03 01 40 CA 22 D3 51 6A 52 2D E9 E2 ...6..@.".QjR-..
  0010: 59 06 26 F0 47 7A 5A E2 FF CF 09 66 CD 7F DF D3 Y.&.GzZ....f....
  0020: 04 54 4F 10 65 59 10 22 A7 84 AE 8D 04 39 C5 BE .TO.eY.".....9..
  0030: CF 69 75 F1 09 61 51 00 09 00 .iu..aQ...
  Thread-3, READ: TLSv1 Handshake, length = 607
  *** Certificate chain
  chain [0] = [
  Version: V3
  Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: SunJSSE RSA public key:
  public exponent:
  010001
  modulus:
  e2bd8de9 598e0735 2bed2057 3800c83d 348550e2 93a017c7 9845f35f cd7b4ada
  6ef0c70f 7a033e69 a97ccd15 46f0d1c8 7a0ae909 ddb76f5b cd8029e6 3a6a4965
  Validity: [From: Wed May 26 16:38:59 EDT 2004,
                 To: Fri Jun 25 16:38:59 EDT 2004]
  Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
  SerialNumber: [    00]
  Certificate Extensions: 3
  [1]: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
  0010: 88 76 14 DA .v..
  [2]: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
  0010: 88 76 14 DA .v..
  [CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US]
  SerialNumber: [    00]
  [3]: ObjectId: 2.5.29.19 Criticality=false
  BasicConstraints:[
  CA:true
  PathLen:2147483647
  Algorithm: [SHA1withRSA]
  Signature:
  0000: 29 CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D )..H../.J.s.q.X.
  0010: 9E 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD ..D....<........
  0020: C4 FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 ..R..re....ba5..
  0030: AE FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 ..........w..j..
  Found trusted certificate:
  Version: V3
  Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Key: SunJSSE RSA public key:
  public exponent:
  010001
  modulus:
  e2bd8de9 598e0735 2bed2057 3800c83d 348550e2 93a017c7 9845f35f cd7b4ada
  6ef0c70f 7a033e69 a97ccd15 46f0d1c8 7a0ae909 ddb76f5b cd8029e6 3a6a4965
  Validity: [From: Wed May 26 16:38:59 EDT 2004,
                 To: Fri Jun 25 16:38:59 EDT 2004]
  Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
  SerialNumber: [    00]
  Certificate Extensions: 3
  [1]: ObjectId: 2.5.29.14 Criticality=false
  SubjectKeyIdentifier [
  KeyIdentifier [
  0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
  0010: 88 76 14 DA .v..
  [2]: ObjectId: 2.5.29.35 Criticality=false
  AuthorityKeyIdentifier [
  KeyIdentifier [
  0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
  0010: 88 76 14 DA .v..
  [CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US]
  SerialNumber: [    00]
  [3]: ObjectId: 2.5.29.19 Criticality=false
  BasicConstraints:[
  CA:true
  PathLen:2147483647
  Algorithm: [SHA1withRSA]
  Signature:
  0000: 29 CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D )..H../.J.s.q.X.
  0010: 9E 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD ..D....<........
  0020: C4 FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 ..R..re....ba5..
  0030: AE FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 ..........w..j..
  [read] MD5 and SHA1 hashes: len = 607
  0000: 0B 00 02 5B 00 02 58 00 02 55 30 82 02 51 30 82 ...[..X..U0..Q0.
  0010: 01 FB A0 03 02 01 02 02 01 00 30 0D 06 09 2A 86 ..........0...*.
  0020: 48 86 F7 0D 01 01 05 05 00 30 57 31 0B 30 09 06 H........0W1.0..
  0030: 03 55 04 06 13 02 55 53 31 11 30 0F 06 03 55 04 .U....US1.0...U.
  0040: 08 13 08 56 69 72 67 69 6E 69 61 31 10 30 0E 06 ...Virginia1.0..
  0050: 03 55 04 07 13 07 46 61 69 72 66 61 78 31 11 30 .U....Fairfax1.0
  0060: 0F 06 03 55 04 0A 13 08 5A 6F 72 6B 2E 6F 72 67 ...U....Zork.org
  0070: 31 10 30 0E 06 03 55 04 03 13 07 52 6F 6F 74 20 1.0...U....Root
  0080: 43 41 30 1E 17 0D 30 34 30 35 32 36 32 30 33 38 CA0...0405262038
  0090: 35 39 5A 17 0D 30 34 30 36 32 35 32 30 33 38 35 59Z..04062520385
  00A0: 39 5A 30 57 31 0B 30 09 06 03 55 04 06 13 02 55 9Z0W1.0...U....U
  00B0: 53 31 11 30 0F 06 03 55 04 08 13 08 56 69 72 67 S1.0...U....Virg
  00C0: 69 6E 69 61 31 10 30 0E 06 03 55 04 07 13 07 46 inia1.0...U....F
  00D0: 61 69 72 66 61 78 31 11 30 0F 06 03 55 04 0A 13 airfax1.0...U...
  00E0: 08 5A 6F 72 6B 2E 6F 72 67 31 10 30 0E 06 03 55 .Zork.org1.0...U
  00F0: 04 03 13 07 52 6F 6F 74 20 43 41 30 5C 30 0D 06 ....Root CA0\0..
  0100: 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 4B 00 30 .*.H.........K.0
  0110: 48 02 41 00 E2 BD 8D E9 59 8E 07 35 2B ED 20 57 H.A.....Y..5+. W
  0120: 38 00 C8 3D 34 85 50 E2 93 A0 17 C7 98 45 F3 5F 8..=4.P......E._
  0130: CD 7B 4A DA 6E F0 C7 0F 7A 03 3E 69 A9 7C CD 15 ..J.n...z.>i....
  0140: 46 F0 D1 C8 7A 0A E9 09 DD B7 6F 5B CD 80 29 E6 F...z.....o[..).
  0150: 3A 6A 49 65 02 03 01 00 01 A3 81 B1 30 81 AE 30 :jIe........0..0
  0160: 0C 06 03 55 1D 13 04 05 30 03 01 01 FF 30 1D 06 ...U....0....0..
  0170: 03 55 1D 0E 04 16 04 14 3F A7 DF 1F FA 90 1F 98 .U......?.......
  0180: 4F BA 42 9F 21 7D B4 C4 88 76 14 DA 30 7F 06 03 O.B.!....v..0...
  0190: 55 1D 23 04 78 30 76 80 14 3F A7 DF 1F FA 90 1F U.#.x0v..?......
  01A0: 98 4F BA 42 9F 21 7D B4 C4 88 76 14 DA A1 5B A4 .O.B.!....v...[.
  01B0: 59 30 57 31 0B 30 09 06 03 55 04 06 13 02 55 53 Y0W1.0...U....US
  01C0: 31 11 30 0F 06 03 55 04 08 13 08 56 69 72 67 69 1.0...U....Virgi
  01D0: 6E 69 61 31 10 30 0E 06 03 55 04 07 13 07 46 61 nia1.0...U....Fa
  01E0: 69 72 66 61 78 31 11 30 0F 06 03 55 04 0A 13 08 irfax1.0...U....
  01F0: 5A 6F 72 6B 2E 6F 72 67 31 10 30 0E 06 03 55 04 Zork.org1.0...U.
  0200: 03 13 07 52 6F 6F 74 20 43 41 82 01 00 30 0D 06 ...Root CA...0..
  0210: 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 41 00 29 .*.H.........A.)
  0220: CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D 9E ..H../.J.s.q.X..
  0230: 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD C4 .D....<.........
  0240: FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 AE .R..re....ba5...
  0250: FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 .........w..j..
  Thread-3, READ: TLSv1 Handshake, length = 220
  *** CertificateRequest
  Cert Types: RSA, DSS, Ephemeral DH (RSA sig),
  Cert Authorities:
  <CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US>
  <CN=Server CA, OU=Server Division, O=Zork.org, L=Fairfax, ST=Virginia, C=US>
  [read] MD5 and SHA1 hashes: len = 220
  0000: 0D 00 00 D8 03 01 02 05 00 D2 00 59 30 57 31 0B ...........Y0W1.
  0010: 30 09 06 03 55 04 06 13 02 55 53 31 11 30 0F 06 0...U....US1.0..
  0020: 03 55 04 08 13 08 56 69 72 67 69 6E 69 61 31 10 .U....Virginia1.
  0030: 30 0E 06 03 55 04 07 13 07 46 61 69 72 66 61 78 0...U....Fairfax
  0040: 31 11 30 0F 06 03 55 04 0A 13 08 5A 6F 72 6B 2E 1.0...U....Zork.
  0050: 6F 72 67 31 10 30 0E 06 03 55 04 03 13 07 52 6F org1.0...U....Ro
  0060: 6F 74 20 43 41 00 75 30 73 31 0B 30 09 06 03 55 ot CA.u0s1.0...U
  0070: 04 06 13 02 55 53 31 11 30 0F 06 03 55 04 08 13 ....US1.0...U...
  0080: 08 56 69 72 67 69 6E 69 61 31 10 30 0E 06 03 55 .Virginia1.0...U
  0090: 04 07 13 07 46 61 69 72 66 61 78 31 11 30 0F 06 ....Fairfax1.0..
  00A0: 03 55 04 0A 13 08 5A 6F 72 6B 2E 6F 72 67 31 18 .U....Zork.org1.
  00B0: 30 16 06 03 55 04 0B 13 0F 53 65 72 76 65 72 20 0...U....Server
  00C0: 44 69 76 69 73 69 6F 6E 31 12 30 10 06 03 55 04 Division1.0...U.
  00D0: 03 13 09 53 65 72 76 65 72 20 43 41 ...Server CA
  Thread-3, READ: TLSv1 Handshake, length = 4
  *** ServerHelloDone
  [read] MD5 and SHA1 hashes: len = 4
  0000: 0E 00 00 00 ....
  *** Certificate chain
  JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
  *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
  Random Secret: { 3, 1, 175, 38, 47, 77, 131, 125, 209, 147, 174, 228, 183, 99, 34, 2, 100, 186, 77, 47, 65, 233, 82, 133, 183, 113, 8, 193, 51, 241, 167, 105, 4, 187, 57, 130, 161, 11, 178, 11, 134, 84, 96, 106, 203, 11, 195, 51 }
  [write] MD5 and SHA1 hashes: len = 77
  0000: 0B 00 00 03 00 00 00 10 00 00 42 00 40 39 9F EC ..........B.@9..
  0010: 5F 92 FA 3D 5E 3D 0C 19 10 72 DA BE B6 14 76 62 _..=^=...r....vb
  0020: AE 39 75 0B 74 10 C7 B1 42 D7 A1 22 C0 0E B8 A2 .9u.t...B.."....
  0030: 22 80 73 20 36 A2 FD BB F9 3E F4 F0 91 CE 95 F8 ".s 6....>......
  0040: 05 D7 22 FC 2C CF 1B AB 19 82 03 D2 F5 ..".,........
  Thread-3, WRITE: TLSv1 Handshake, length = 77
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 AF 26 2F 4D 83 7D D1 93 AE E4 B7 63 22 02 ...&/M.......c".
  0010: 64 BA 4D 2F 41 E9 52 85 B7 71 08 C1 33 F1 A7 69 d.M/A.R..q..3..i
  0020: 04 BB 39 82 A1 0B B2 0B 86 54 60 6A CB 0B C3 33 ..9......T`j...3
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 40 CA 22 D1 CD D3 81 EA 58 81 98 B0 DF B4 A1 8A @.".....X.......
  0010: F6 B7 B5 59 3D FC 3F 23 15 22 FD 20 FE 7C 26 C6 ...Y=.?#.". ..&.
  Server Nonce:
  0000: 40 CA 22 D3 51 6A 52 2D E9 E2 59 06 26 F0 47 7A @.".QjR-..Y.&.Gz
  0010: 5A E2 FF CF 09 66 CD 7F DF D3 04 54 4F 10 65 59 Z....f.....TO.eY
  Master Secret:
  0000: 67 B9 58 74 69 18 0B 2E 00 EB AC 9B 77 15 B4 65 g.Xti.......w..e
  0010: 61 A1 AC D0 F1 D5 4C CA 0E 51 FC 58 A0 11 B7 87 a.....L..Q.X....
  0020: EC 72 26 D0 83 18 27 49 8F B6 32 FF E3 89 1D E4 .r&...'I..2.....
  Client MAC write Secret:
  0000: D5 96 AB F7 1E 46 5F 46 8A E9 3E DF A0 5E 32 5E .....F_F..>..^2^
  0010: 00 FB B8 D8 ....
  Server MAC write Secret:
  0000: E6 7D 8E F5 6A 4C 94 4C D6 2A 3A 4D FC C1 94 A3 ....jL.L.*:M....
  0010: C5 6C 5F B6 .l_.
  Client write key:
  0000: 18 1D 51 8C 74 6D 18 57 ..Q.tm.W
  Server write key:
  0000: 0D 4E 7A F1 5A D6 5F 5B .Nz.Z._[
  Client write IV:
  0000: 4C BB 4D FA 4F EB CB 4E L.M.O..N
  Server write IV:
  0000: B7 6A CA E9 66 7D 25 88 .j..f.%.
  Thread-3, WRITE: TLSv1 Change Cipher Spec, length = 1
  JsseJCE: Using JSSE internal implementation for cipher DES/CBC/NoPadding
  *** Finished
  verify_data: { 20, 20, 38, 13, 43, 235, 102, 72, 75, 212, 21, 21 }
  [write] MD5 and SHA1 hashes: len = 16
  0000: 14 00 00 0C 14 14 26 0D 2B EB 66 48 4B D4 15 15 ......&.+.fHK...
  Padded plaintext before ENCRYPTION: len = 40
  0000: 14 00 00 0C 14 14 26 0D 2B EB 66 48 4B D4 15 15 ......&.+.fHK...
  0010: 90 9C E9 09 F4 48 96 A6 8F AA 04 DF E9 36 72 F0 .....H.......6r.
  0020: 42 F0 60 78 03 03 03 03 B.`x....
  Thread-3, WRITE: TLSv1 Handshake, length = 40
  Thread-3, READ: TLSv1 Alert, length = 2
  Thread-3, RECV TLSv1 ALERT: fatal, handshake_failure
  Thread-3, called closeSocket()
  Thread-3, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  Finalizer, called close()
  Finalizer, called closeInternal(true)
  So I'll toil away trying to get *right* combination of settings - please let me know if you have any ideas! FYI here are the command line settings I am using for the keystore:
  -Djavax.net.ssl.keyStore=c:\myClientIdKeyStore -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=myClientIdKeyStorePass
  Thanks,
  Paul

• Debug Weblogic 10.0 with 2-Way SSL: Error 401--Unauthorized

  Hi,
  I am working on Weblogic 10.0 with 2-Way SSL configuration. User uses X.509 certificate to login into the system. I have a default UserNameMapper which maps the CN to the a user name in the LDAP user store. User can login without problem. But after user login, when he tries to hit a new page before the original page fully loaded, he will get a "Error 401--Unauthorized".
  I turned on the Weblogic security debug and got the following warning with stack trace. Can anybody help me to figure out what's wrong? How do I troubleshoot this issue? Any help is really appreciated.
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned PERMIT>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: true>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 167>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 6, length = 1518>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 0
  java.lang.Exception: New alert stack
       at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
       at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
       at weblogic.socket.SocketMuxer.closeSocket(SocketMuxer.java:449)
       at weblogic.socket.SocketMuxer.cleanupSocket(SocketMuxer.java:795)
       at weblogic.socket.SocketMuxer.deliverExceptionAndCleanup(SocketMuxer.java:759)
       at weblogic.socket.SocketMuxer.deliverEndOfStream(SocketMuxer.java:700)
       at weblogic.servlet.internal.VirtualConnection.close(VirtualConnection.java:327)
       at weblogic.servlet.internal.ServletResponseImpl.send(ServletResponseImpl.java:1431)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1375)
       at weblogic.work.ExecuteRequestAdapter.execute(ExecuteRequestAdapter.java:21)
       at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
       at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
  >
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 14324285>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 7034906>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 19096081>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <18691735 SSL3/TLS MAC>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <18691735 received HANDSHAKE>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ClientHello>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.5 for algorithm RC4>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacMD5>
  Thanks,
  Wayne

  I decided to use pki with jaas/custom authentication provider to solve this problem. It works. If you want more details, please let me know.

• 2 way ssl, cac card, weblogic 9.2 webservice

  I have 2 way ssl configured in lower environement and I am using WLSSLAdapter to send the client cert and key. It is working perfectly in lower environement when I use JKS and load certificate and private key from JKS.
  But when I use CAC Card reader and pass the X509Certificate and Privatekey, I get following:
  HANDSHAKE_FAILURE alert received from XXX.XX.X.XXX - XXX.XX.X.XXX. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings.>
  Please help as I am close to deploying in Production.
  Pls. Pls. Pls.

  Yes. I am using the 9.2 webservices. This is a new webservice I'm creating. The ant build.xml file to generate it is like this:
  <jwsc srcdir="${SRCDIR}/src" destdir="${EXPDIR}/webservice"
  tempdir="${WRKDIR}/webservice"
  verbose="on" debug="on"
  enableAsyncService="false"
  classpathref="our.custom.classpath" keepGenerated="true">
  <jws file="sdo/webservice/impl/SDOWSImpl.java"
  contextPath="SDO" name="SDOService">
  <WLHttpTransport contextPath="SDO"
  serviceUri="SDOService"
  portName="SDOService"/>
  </jws>
  </jwsc>
  The our.custom.classpath is as follows:
  <path id="our.custom.classpath">
  <pathelement location="${EXPTOP}/log4j/1.29/lib/log4j.jar"/>
  <pathelement location="${EXPTOP}/weblogic/9.23/lib/apache_xbean.jar"/>
  <pathelement location="${EXPTOP}/weblogic/9.23/lib/xbean.jar"/>
  <pathelement location="${EXPTOP}/weblogic/9.23/lib/weblogic.jar"/>
  <pathelement location="${EXPTOP}/weblogic/9.23/lib/wsse.jar"/>
  </path>
  I have to include xbean.jar here because if I didn't, I got "java.lang.NoClassDefFoundError: com/bea/xml/XmlException" during the ant build.
  How do I make sure I use the 9.2 style xbeans?
  thanks!

• Decrypt Error using 2-way SSL

  I am exposing a stateless Session bean as a webservice and have setup truststore/keystore to allow clients access using 2-way SSL. Recently one of the clients beagn to get TLS Alert 51 - Decrypt Error during the SSL handshake, right after "HANDSHAKEMESSAGE: CertificateVerify". Other clients of 2-way SSL don't appear to have any issues.
  Has anyone seen this?
  Thanks
  Peter
  some SSl debug follows:
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <SSLTrustValidator returns: 0>
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Trust status (0): NONE>
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <HANDSHAKEMESSAGE: ClientKeyExchange RSA>
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <SSLFilter.isActivated: false>
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <isMuxerActivated: false>
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <SSLFilter.isActivated: false>
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <30911879 SSL3/TLS MAC>
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <30911879 received HANDSHAKE>
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <HANDSHAKEMESSAGE: CertificateVerify>
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <NEW ALERT with Severity: FATAL, Type: 51
  java.lang.Exception: New alert stack
       at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
       at com.certicom.tls.record.handshake.ServerStateReceivedClientKeyExchange.handle(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
       at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
       at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
       at com.bea.sslplus.CerticomSSLContext.forceHandshakeOnAcceptedSocket(Unknown Source)
       at weblogic.security.utils.SSLContextWrapper.forceHandshakeOnAcceptedSocket(SSLContextWrapper.java:128)
       at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:484)
       at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
       at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  >
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <write ALERT, offset = 0, length = 2>
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <close(): 7828>
  ####<May 22, 2007 1:58:21 PM GMT> <Debug> <TLS> <CPNT> <weblogicPROD> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <SSLIOContextTable.removeContext(ctx): 9723897>

  I too am struggling with SSL but I was given some help by BEA. This does not help me since It seems like the proxy jar I download from the WS Home Page wants to go directly to the JPD not the jws. This example of two way SSL should work for you. I am including the Main class but not the generated files it refers to. I don't know how to attach files to the news groups. The key thing it to make use of the adapters. The Impl and Port are part of the downloaded proxy.
  public static void main(String[] args) throws Exception {
  // set weblogic ServiceFactory
  System.setProperty("javax.xml.rpc.ServiceFactory", "weblogic.webservice.core.rpc.ServiceFactoryImpl");
  // set weblogic client protocol handler
  System.setProperty("java.protocol.handler.pkgs", "weblogic.webservice.client");
  // set the SSL adapter
  SSLAdapterFactory adapterFactory = SSLAdapterFactory.getDefaultFactory();
  WLSSLAdapter adapter = (WLSSLAdapter) adapterFactory.getSSLAdapter();
  // two-way SSL you must loadLocalIdentity to provide certs back to the server
  FileInputStream clientCredentialFile = new FileInputStream ("./client/clientcred.pem");
  String pwd = "canpass";
  adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
  adapter.setVerbose(true);
  adapter.setTrustedCertificatesFile("./config/ca1024.pem");
  adapter.setStrictChecking(false);
  adapterFactory.setDefaultAdapter(adapter);
  adapterFactory.setUseDefaultAdapter(true);
  String a = null;
  if (args.length < 1) {
  a = "Sample String";
  } else {
  a = args[0];
  ToUpper_Impl lookup = new ToUpper_Impl();
  ToUpperPort value = lookup.gettoUpperPort();
  String result = value.toUpper(a);
  System.out.println(result);
  }

• 2-way SSL using t3s protocol

  Goodmorning,
  I'm trying to get a 2-way SSL connection between two WLS 10.3 in production mode.
  WLS #1 contains the client application and WLS #2 contains the server application.
  I've got a standalone Microsoft CA.
  I've configured WLSs with custom identity and trust JKS Stores.
  In trust store I stored the CA certificate.
  In identity store I created a selfsigned cert with RSA alg and this cert was signed from my CA.
  In identity store I also stored the CA's Certificate.
  I've enabled SSL with custom identity and trust store,
  None host verification,
  Export Key Lifespan 500,
  Two Way Client Cert Behavior: Client cert requested and enforced,
  SSL Rejection Logging Enabled checked,
  Inbound and Outbound Certificate Validation: Builtin SSL Validation Only
  I configured both WLS as explained (except identity certs that are custom for each server).
  I can invoke WLS #2 Webservices from WLS #1 via https.
  So I tried to invoke an EJB deployed on WLS #2 via t3s, but it didn't work.
  During handshake process, the first step is ok; in fact WLS #1 trusts WLS #2 certs.
  The second step goes wrong; here follows some logs.
  WLS #1
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: CertificateRequest>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 SSL3/TLS MAC>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 received HANDSHAKE>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> *<No suitable identity certificate chain has been found.>*
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 7>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 134>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACSHA1>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACSHA1>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 SSL3/TLS MAC>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 received ALERT>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
  WLS #2
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> *<Required peer certificates not supplied by peer>*
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 4>
  <2-mar-2011 11.14.12 CET> <Warning> <Security> <BEA-090508> <Certificate chain received from xpr-selex-fel01 - 192.168.60.48 was incomplete.>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 4>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is incomplete>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <User defined JSSE trustmanagers not allowed to override>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 68>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <Trust failure (68): CERT_CHAIN_INCOMPLETE>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
  One useful info: if I deploy both EJB application and client application all on the same WLS and alient application invokes the EJB via t3s, all works fine.
  Is there anything missing/wrong in the configuration?
  Thanks.

  Is this a typo?
  In identity store I created a selfsigned cert with RSA alg and this cert was signed from my CA.It can't be both self-signed and signed by a CA.
  In identity store I also stored the CA's Certificate.The identity store should not have a CA certificate in it. Either put the CA in your trust store, or chain your CA and your identity into a single cert within your identity store.
  During the handshake, the server (#2) will send a list of of its trusted CA certs to the client. The client has to look in its identity store for certs which are signed by one of the CAs sent by the server.
  If your client has multiple identity certs ( with the clientAuth key usage ) in its identity store, then there has to be some way to choose which cert to select. Does t3s use the SSL configuration's alias in the client as http does? You can test this by only using a client identity store with a single identity cert which is signed by one of the CA certificates presented by your server.

• Cannot get web service using 2-way SSL to work

  WebLogic 8.1 sp4, using jdk 1.4.2_05 within BEA install dir (not JRockit). Also using WLWorkshop.
  I'm trying to call a web service provided by a third-party requiring 2-way SSL; The third-party provided a server cert to trust and a key/cert to use from our client. After updating my key and trust stores, I'm able to run this with no problem from another web service test product (CapeClear).
  How does one do this from WLS? I did the following (nothing has worked):
  - Started my WLS server; using the console, updated the Configuration|Keystores & SSL section and restarted - the console output indicates that all loaded correctly. I also changed the option on Two Way Client Cert Behavior to 'Client Certs Requested and Enforced'.
  - Updated my setDomainEnv.cmd to include the following options -Dweblogic.security.SSL.ignoreHostnameVerify=true -Dweblogic.security.SSL.enforceConstraints=off; I also added the -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true options.
  - Within Workshop, created my web service control from the provided WSDL and generated a test JPF; when I run the test, I get an exception related to an invalid content type (text\html). This occurs because the client-side SSL piece did not take place and the client was presented with a login-page rather than a web-service XML result.
  - I updated the JDK security jars with domestic strength algorithms; no change in behavior.
  - No SSL errors in the debug trace (I can provide log upon request).
  What other parameter and/or setting do I need to update to get this to work?
  Any help would be tremendously appreciated.
  Thanks,
  Rick

  I too am struggling with SSL but I was given some help by BEA. This does not help me since It seems like the proxy jar I download from the WS Home Page wants to go directly to the JPD not the jws. This example of two way SSL should work for you. I am including the Main class but not the generated files it refers to. I don't know how to attach files to the news groups. The key thing it to make use of the adapters. The Impl and Port are part of the downloaded proxy.
  public static void main(String[] args) throws Exception {
  // set weblogic ServiceFactory
  System.setProperty("javax.xml.rpc.ServiceFactory", "weblogic.webservice.core.rpc.ServiceFactoryImpl");
  // set weblogic client protocol handler
  System.setProperty("java.protocol.handler.pkgs", "weblogic.webservice.client");
  // set the SSL adapter
  SSLAdapterFactory adapterFactory = SSLAdapterFactory.getDefaultFactory();
  WLSSLAdapter adapter = (WLSSLAdapter) adapterFactory.getSSLAdapter();
  // two-way SSL you must loadLocalIdentity to provide certs back to the server
  FileInputStream clientCredentialFile = new FileInputStream ("./client/clientcred.pem");
  String pwd = "canpass";
  adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
  adapter.setVerbose(true);
  adapter.setTrustedCertificatesFile("./config/ca1024.pem");
  adapter.setStrictChecking(false);
  adapterFactory.setDefaultAdapter(adapter);
  adapterFactory.setUseDefaultAdapter(true);
  String a = null;
  if (args.length < 1) {
  a = "Sample String";
  } else {
  a = args[0];
  ToUpper_Impl lookup = new ToUpper_Impl();
  ToUpperPort value = lookup.gettoUpperPort();
  String result = value.toUpper(a);
  System.out.println(result);
  }