Configuring OSB 2 way SSL

Hi,
We currently have the following requirement:
Client<--HTTPS-->OSB PS(Server1)<--HTTPS-->OSB BS(Server 2)<--HTTPS-->ExternalSystem
This is a synchronous service.
Unfortunately, I haven't worked on this requirement previously, hence I have little/no knowledge of 2-way SSL/HTTPS/client certificates.
Any pointers in this direction would be helpful.
Thanks,
HK^

This has two parts: one is inbound security and the other is outbound security. There is no HTTPS between PS and BS.
The following documentation explains all.
http://docs.oracle.com/cd/E21764_01/doc.1111/e15866/model.htm#i1058571

Similar Messages

  • OSB: Implementing 2 way ssl for a particular proxy

    Hi All,
    We have a requirement to implement 2-way SSL support for one of our OSB proxies and 1-way SSL support for all other proxies in our project.
    We have enabled HTTPS on OSB and configured 2-way SSL on the WebLogic server. It is working fine.
    But the 2-way SSL configuration on the WebLogic server impacts all other proxy services deployed on that node. Because of the WebLogic configuration "Two Way Client Cert Behavior: Client Certs Requested and Enforced", the server expects all requests to present the client certificate.
    But our requirement is that only one proxy service should enforce 2-way SSL; all other proxies should only support 1-way SSL (server authentication).
    Is there any way to implement our requirement?
    We want to configure WebLogic with "Two Way Client Cert Behavior: Client Certs Requested But Not Enforced" or "Client Certs Not Requested" and then enforce the client certificate in the proxy service.
    Is it possible to implement? If so, can anyone explain the steps?
    Thanks in advance
    Edited by: user13109986 on Oct 24, 2012 9:30 AM

    It is a domain wide setting. Can you not create a new domain? I do not think that you can handle it from web.xml. I have never seen such thing in web.xml.
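The domain-wide setting decides whether WebLogic asks every client for a certificate. With the server left at "Client Certs Requested But Not Enforced", an application-level check can still refuse, for one path only, requests that arrived without a certificate. The filter below is an added example written against the plain Servlet API; it is not from this thread and not Oracle's code. `ClientCertRequiredFilter`, the path `/two-way-only` and the `clientSubject` request attribute are hypothetical names, and whether an OSB proxy service can be fronted by such a filter is not something this thread establishes. The attribute `javax.servlet.request.X509Certificate` is the standard Servlet name for the chain the container accepted during the TLS handshake; the filter only checks that a chain is present, chain validation itself happens in the TLS layer.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class): enforce a client certificate for one path only,
 * while the server-wide SSL setting merely requests (does not enforce) client certs.
 */
public class ClientCertRequiredFilter implements Filter {

    // Hypothetical servlet path of the one service that must have a client certificate.
    private static final String PROTECTED_PATH = "/two-way-only";

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Returns the client certificate chain the container attached to the request, or null if none was presented. */
    static X509Certificate[] clientChain(HttpServletRequest request) {
        Object attr = request.getAttribute("javax.servlet.request.X509Certificate");
        return (attr instanceof X509Certificate[]) ? (X509Certificate[]) attr : null;
    }

    /** True when the request reached us over TLS and carried a certificate chain. */
    static boolean presentedClientCert(HttpServletRequest request) {
        X509Certificate[] chain = clientChain(request);
        return request.isSecure() && chain != null && chain.length > 0;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        if (req.getServletPath().startsWith(PROTECTED_PATH)) {
            if (!presentedClientCert(req)) {
                // Other paths keep working with one-way SSL; only this path is refused.
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
                return;
            }
            // Expose the caller's subject so the service behind can authorise on it.
            String subject = clientChain(req)[0].getSubjectX500Principal().getName();
            req.setAttribute("clientSubject", subject);
        }
        chain.doFilter(request, response);
    }
}
```

The filter has to be mapped in the web application's web.xml (a `<filter>` plus `<filter-mapping>` entry) so that it runs before the protected service; requests to any other path pass through untouched, which is the split between one proxy and the rest that the question asks for.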

  • How to configure sso with SSL step by step

    Purpose
    In this document, you can learn how to configure SSO with SSL. After a user has a certificate installed in the browser, he can log in without entering a username and password.
    Overview
    In this document we will demonstrate:
    1.     How to configure OHS to support SSL
    2.     How to register SSO with SSL
    3.     How to configure SSO for certificates
    Prerequisites
    Before starting this document, you should have:
    1.     Oracle AS 10g infrastructure installed (10.1.2)
    2.     OCA installed
    Note:
    1.     When you install the Oracle infrastructure, please make sure you have selected OCA.
    2.     How Certificate-Enabled Authentication Works:
    a.     The user tries to access a partner application.
    b.     The partner application redirects the user to the single sign-on server for authentication. As part of this redirection, the browser sends the user's certificate to the login URL of the server (2a). If it is able to verify the certificate, the server returns the user to the requested application.
    c.     The application delivers content. Users whose browsers are configured to prompt for a certificate-store password may only have to present this password once, depending upon how their browser is configured. If they log out and then attempt to access a partner application, the browser passes their certificate to the single sign-on server automatically. This means that they never really log out. To effectively log out, they must close the browser.
    Enable SSL on the Single Sign-On Middle Tier
    The following steps involve configuring the Oracle HTTP Server. Perform them on the single sign-on middle tier. In doing so, keep the following in mind:
    ·     You must configure SSL on the computer where the single sign-on middle tier is running.
    ·     You are configuring one-way SSL.
    ·     You may enable SSL for simple network encryption; PKI authentication is not required. Note though that you must use a valid wallet and server certificate. The default wallet location is ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default.
    1.     Back up the opmn.xml file, found at ORACLE_HOME/opmn/conf
    2.     In opmn.xml, change the value for the start-mode parameter to ssl-enabled. This parameter appears in boldface in the xml tag immediately following.
    <ias-component id="HTTP_Server">
    <process-type id="HTTP_Server" module-id="OHS">
    <module-data>
    <category id="start-parameters">
    <data id="start-mode" value="ssl-enabled"/>
    </category>
    </module-data>
    <process-set id="HTTP_Server" numprocs="1"/>
    </process-type>
    </ias-component>
    3.     Update the distributed cluster management database with the change: ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct opmn
    4.     Reload the modified opmn configuration file:
    ORACLE_HOME/opmn/bin/opmnctl reload
    5.     Keep a non-SSL port active. The External Applications portlet communicates with the single sign-on server over a non-SSL port. The HTTP port is enabled by default. If you have not disabled the port, this step requires no action.
    6.     Apply the rule mod_rewrite to SSL configuration. This step involves modifying the ssl.conf file on the middle-tier computer. The file is at ORACLE_HOME/Apache/Apache/conf. Back up the file before editing it.
    Because the Oracle HTTP Server has to be available over both HTTP and HTTPS, the SSL host must be configured as a virtual host. Add the lines that follow to the SSL Virtual Hosts section of ssl.conf if they are not already there. These lines ensure that the single sign-on login module in OC4J_SECURITY is invoked when a user logs in to the SSL host.
    <VirtualHost ssl_host:port>
    RewriteEngine on
    RewriteOptions inherit
    </VirtualHost>
    Save and close the file.
    7.     Update the distributed cluster management database with the changes:
    ORACLE_HOME/dcm/bin/dcmctl updateconfig -ct ohs
    8.     Restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl startproc process-type=HTTP_Server
    9.     Verify that you have enabled the single sign-on middle tier for SSL by trying to access the OracleAS welcome page, using the format https://host:ssl_port.
    Reconfigure the Identity Management Infrastructure Database
    Change all references of http in single sign-on URLs to https within the identity management infrastructure database. When you change single sign-on URLs in the database, you must also change these URLs in the targets.xml file on the single sign-on middle tier. targets.xml is the configuration file for the various "targets" that Oracle Enterprise Manager monitors. One of these targets is OracleAS Single Sign-On.
    1.     Change Single Sign-On URLs
    Run the ssocfg script, taking care to enter the command on the computer where the single sign-on middle tier is located. Use the following syntax:
    UNIX:
    $ORACLE_HOME/sso/bin/ssocfg.sh protocol host ssl_port
    Windows:
    %ORACLE_HOME%\sso\bin\ssocfg.bat protocol host ssl_port
    In this case, protocol is https. (To change back to HTTP, use http.) The parameter host is the host name, or server name, of the Oracle HTTP listener for the single sign-on server.
    Here is an example:
    ssocfg.sh https login.acme.com 4443
    2. Restart OC4J_SECURITY instance and verify the configuration
    To determine the correct port number, examine the ssl.conf file. Port 4443 is the port number that the OracleAS installer assigns during installation.
    If you run ssocfg successfully, the script returns a status 0. To confirm that you were successful, restart the OC4J_SECURITY instance:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Then try logging in to the single sign-on server at its SSL address:
    https://host:ssl_port/pls/orasso/
    3. Back up the file targets.xml:
    cp ORACLE_HOME/sysman/emd/targets.xml ORACLE_HOME/sysman/emd/targets.xml.backup
    4. Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
    ·     HTTPMachine—the server host name
    ·     HTTPPort—the server port number
    ·     HTTPProtocol—the server protocol
    If, for example, you run ssocfg like this:
    ORACLE_HOME/sso/bin/ssocfg.sh http sso.mydomain.com:4443
    Update the three attributes this way:
    <Property NAME="HTTPMachine" VALUE="sso.mydomain.com"/>
    <Property NAME="HTTPPort" VALUE="4443"/>
    <Property NAME="HTTPProtocol" VALUE="HTTPS"/>
    5. Save and close the file.
    6.     Reload the OracleAS console:
    ORACLE_HOME/bin/emctl reload
    7. Issue these two commands:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Registering mod_osso
    1.     The command sequence that follows shows a mod_osso instance being reregistered with the single sign-on server.
    $ORACLE_HOME/sso/bin/ssoreg.sh
         -oracle_home_path $ORACLE_HOME
         -config_mod_osso TRUE
         -mod_osso_url https://myhost.mydomain.com:4443
    2.     Restarting the Oracle HTTP Server
    After running ssoreg, restart the Oracle HTTP Server:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    Configuring the Single Sign-On System for Certificates
    1.     Configure policy.properties with the Default Authentication Plugin
    Update the DefaultAuthLevel section of the policy.properties file with the correct authentication level for certificate sign-on. This file is at ORACLE_HOME/sso/conf. Set the default authentication level to this value:
    DefaultAuthLevel = MediumHighSecurity
    Then, in the Authentication plugins section, pair this authentication level with the default authentication plugin:
    MediumHighSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOX509CertAuth
    2.     Restart the Single Sign-On Middle Tier
    After configuring the server, restart the middle tier:
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
    ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
    Bringing the SSO Users to OCA User Certificate Request URL
    The OCA server reduces the administrative and maintenance cost of provisioning a user certificate. The OCA server achieves this by authenticating users by using OracleAS SSO server authentication. All users who have an OracleAS SSO server account can directly get a certificate by using the OCA user interface. This reduces the time normally required to provision a certificate by a certificate authority.
    The URL for the SSO certificate Request is:
    https://<Oracle_HTTP_host>:<oca_ssl_port>/oca/sso_oca_link
    You can configure OCA to provide the user certificate request interface URL to the SSO server for display whenever SSO is not using a certificate to authenticate a user. After the OracleAS SSO server authenticates a user, it then displays the OCA screen enabling that user to request a certificate.
    To link the OCA server to OracleAS SSO server, use the following command:
    ocactl linksso
    opmnctl stopproc type=oc4j instancename=oca
    opmnctl startproc type=oc4j instancename=oca
    You can also use ocactl unlinksso to unlink OCA from SSO.
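Step 9 of the middle-tier section and the login test at https://host:ssl_port/pls/orasso/ verify the SSL setup through a browser. The class below is an added example, not part of the posted guide and not Oracle's code, that does the same check from the command line: it completes a TLS handshake against the SSL port with the JVM's default trust, enforces that the server certificate matches the host name, and reports the negotiated protocol, cipher suite and server certificate. `SslEndpointCheck` is a hypothetical class name; `login.acme.com` and port 4443 are the values the guide uses as its example.

```java
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added example (hypothetical class): one-way SSL handshake check against an SSL-enabled endpoint. */
public class SslEndpointCheck {

    /** What the handshake established, returned rather than only printed so callers can inspect it. */
    static final class HandshakeInfo {
        final String protocol;
        final String cipherSuite;
        final String subject;
        final String issuer;
        final Date notAfter;

        HandshakeInfo(String protocol, String cipherSuite, String subject, String issuer, Date notAfter) {
            this.protocol = protocol;
            this.cipherSuite = cipherSuite;
            this.subject = subject;
            this.issuer = issuer;
            this.notAfter = notAfter;
        }
    }

    /**
     * Connect to host:port, complete a TLS handshake using the JVM's default trust
     * (cacerts, or the store named by -Djavax.net.ssl.trustStore) and describe the result.
     * Throws SSLHandshakeException if the server chain is not trusted or does not match the host.
     */
    static HandshakeInfo handshake(String host, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            // Require the server certificate to match the host name we dialled.
            // A client configured with "None" hostname verification skips exactly this check.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();

            SSLSession session = socket.getSession();
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            return new HandshakeInfo(
                    session.getProtocol(),
                    session.getCipherSuite(),
                    leaf.getSubjectX500Principal().getName(),
                    leaf.getIssuerX500Principal().getName(),
                    leaf.getNotAfter());
        }
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the guide's example values: the single sign-on middle tier and the port from ssl.conf.
        String host = args.length > 0 ? args[0] : "login.acme.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 4443;

        HandshakeInfo info = handshake(host, port);
        System.out.println("protocol: " + info.protocol);
        System.out.println("cipher:   " + info.cipherSuite);
        System.out.println("subject:  " + info.subject);
        System.out.println("issuer:   " + info.issuer);
        System.out.println("expires:  " + info.notAfter);
    }
}
```

Run it with `-Djavax.net.ssl.trustStore=` pointing at a JKS that holds the CA which issued the certificate in the OHS wallet; a handshake that succeeds only after the hostname check is disabled means the wallet certificate was issued for a different name than the one users will type.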

    I have read the SSO admin guide, and performed the steps for enabling SSL on the SSO, and followed the steps to configure mod_osso with virtual host on port 4443 as mentioned in the admin guide.
    The case now is that when I call my form (which is developed with Forms Developer Suite 10g and deployed on the Forms server, which is SSO enabled), it calls the SSO module on port 7777 using http (the default behaviour)
    on a URL that looks like this :
    http://myhostname:7777/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    and gives the error :
    ( Forbidden
    You don't have permission to access /sso/auth on this server at port 7777)
    when I manually change the URL to :
    https://myhostname:4443/pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=.......
    the SSO works correctly.
    The question is :
    How can I change this default behaviour and make it call SSO on port 4443 using https instead ?
    Any ideas ?
    Thanks in advance

  • WebLogic 10.3.3 - 2-Way SSL setup between WLS JMS Foreign Server & IBM MQ 6

    Hi,
    I am trying to configure 2-way SSL between WebLogic 10.3.3 using a JMS Foreign Server and IBM MQ 6. I could not find any documentation on this.
    Can someone provide the steps for setting up 2-way SSL between WebLogic and IBM MQ?
    Also I want to use the SSLPEERNAME attribute in the MQ Connection Factory and generate bindings so that I can connect to the correct queue manager on the MQ side. Please let me know the configuration steps and checks that have to be done on the WLS and IBM MQ side for this.
    Thanks in advance
    - BoyelT

    Check this:
    http://www.ibm.com/developerworks/websphere/library/techarticles/0510_fehners/0510_fehners.html

  • How to Use a Certificate for Two Way SSL and another certificate for WS Security Header at Client Console Application(C# Dotnet)

    Hi,
    I want to consume a Java web service from a .NET-based client application. The service requires one certificate ("abc.PFX") for two-way SSL and another certificate ("xyz.pfx") for WS-Security, both to be passed from the client application (.NET console based). I tried configuring the App.config of the client application to pass both certs but get an error that says:
    Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
    Please suggest how to pass both certs from the client application.

    Hi,
    This problem can be due to an untrusted certificate. So you just need full permissions on the certificates.
    And for more information, you could refer to:
    http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
    Regards

  • What should be done in certmap.conf for 2-way SSL support from a standalone Java application to an SSL enabled LDAP Server

    To support certificate-based client authentication using 2-way SSL from a standalone Java application which uses JNDI and JSSE 1.0.2 to connect to an SSL-enabled LDAP server, how do we configure the certmap.conf? Is there any additional setup required on the LDAP server side apart from enabling SSL with the option "Required Client Authentication" enabled? The 2-way SSL handshake goes through, but the access log file (after configuring the certmap.conf for the issuer DN of the client certificate etc.) shows "SSL failed to LDAP DN". But in spite of this access log error the Java client does get an SSL connection object with which it is able to connect to the LDAP. Is the certmap.conf file being looked up by the LDAP server at all?

    have you out.flush() and out.close() before you call connection.getInputStream()?
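The question asks what a standalone JNDI client has to do so that the LDAP server maps the presented certificate (via certmap.conf) to a bind DN. A TLS handshake alone only authenticates the connection; the bind must use the SASL EXTERNAL mechanism so the server derives the identity from the certificate. The class below is an added example, not from this thread and not the directory server's code: it opens an LDAPS context with SASL EXTERNAL and confirms the bind by reading the root DSE. `LdapClientCertBind`, the host `ldap.example.com`, the key and trust store paths and the passwords are hypothetical placeholders; the JNDI property names and the `EXTERNAL` mechanism are standard.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added example (hypothetical class): certificate-authenticated LDAP bind over LDAPS from a standalone JNDI client. */
public class LdapClientCertBind {

    /** Build the JNDI environment for an LDAPS connection whose bind identity comes from the client certificate. */
    static Hashtable<String, String> environment(String host, int port) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        // "ssl" puts the connection on TLS; "EXTERNAL" asks the server to take the bind
        // identity from the certificate presented in the handshake (the DN certmap.conf maps to).
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
        return env;
    }

    /**
     * Bind with the certificate and read the root DSE. A handshake that completed but an
     * identity the server could not map shows up here as a NamingException, not earlier.
     */
    static String bindAndReadRootDse(String host, int port) throws NamingException {
        DirContext ctx = new InitialDirContext(environment(host, port));
        try {
            Attributes attrs = ctx.getAttributes("", new String[] {"namingContexts"});
            return String.valueOf(attrs.get("namingContexts"));
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // JSSE selects the client identity and the trusted CAs from these standard properties.
        // All paths and passwords are placeholders.
        System.setProperty("javax.net.ssl.keyStore", "/path/to/client-identity.jks");
        System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
        System.setProperty("javax.net.ssl.trustStore", "/path/to/trust.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        System.out.println("bound with certificate; naming contexts: "
                + bindAndReadRootDse("ldap.example.com", 636));
    }
}
```

If the server's access log still reports that the certificate could not be mapped to a DN while this bind succeeds, the server is treating the connection as anonymous after the handshake; the mapping rule in certmap.conf (issuer DN and the subject attributes it matches on) is then what to compare against the certificate actually sent.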

  • 2-way SSL using t3s protocol

    Good morning,
    I'm trying to get a 2-way SSL connection between two WLS 10.3 in production mode.
    WLS #1 contains the client application and WLS #2 contains the server application.
    I've got a standalone Microsoft CA.
    I've configured WLSs with custom identity and trust JKS Stores.
    In trust store I stored the CA certificate.
    In identity store I created a selfsigned cert with RSA alg and this cert was signed from my CA.
    In identity store I also stored the CA's Certificate.
    I've enabled SSL with custom identity and trust store,
    None host verification,
    Export Key Lifespan 500,
    Two Way Client Cert Behavior: Client cert requested and enforced,
    SSL Rejection Logging Enabled checked,
    Inbound and Outbound Certificate Validation: Builtin SSL Validation Only
    I configured both WLS as explained (except identity certs that are custom for each server).
    I can invoke WLS #2 Webservices from WLS #1 via https.
    So I tried to invoke an EJB deployed on WLS #2 via t3s, but it didn't work.
    During handshake process, the first step is ok; in fact WLS #1 trusts WLS #2 certs.
    The second step goes wrong; here follows some logs.
    WLS #1
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: CertificateRequest>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 SSL3/TLS MAC>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 received HANDSHAKE>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> *<No suitable identity certificate chain has been found.>*
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 7>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 134>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACSHA1>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACSHA1>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 SSL3/TLS MAC>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 received ALERT>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
    WLS #2
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> *<Required peer certificates not supplied by peer>*
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 4>
    <2-mar-2011 11.14.12 CET> <Warning> <Security> <BEA-090508> <Certificate chain received from xpr-selex-fel01 - 192.168.60.48 was incomplete.>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 4>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is incomplete>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <User defined JSSE trustmanagers not allowed to override>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 68>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <Trust failure (68): CERT_CHAIN_INCOMPLETE>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
    One useful piece of info: if I deploy both the EJB application and the client application on the same WLS and the client application invokes the EJB via t3s, all works fine.
    Is there anything missing/wrong in the configuration?
    Thanks.

    Is this a typo?
    "In identity store I created a selfsigned cert with RSA alg and this cert was signed from my CA."
    It can't be both self-signed and signed by a CA.
    "In identity store I also stored the CA's Certificate."
    The identity store should not have a CA certificate in it. Either put the CA in your trust store, or chain your CA and your identity into a single cert within your identity store.
    During the handshake, the server (#2) will send a list of its trusted CA certs to the client. The client has to look in its identity store for certs which are signed by one of the CAs sent by the server.
    If your client has multiple identity certs (with the clientAuth key usage) in its identity store, then there has to be some way to choose which cert to select. Does t3s use the SSL configuration's alias in the client as http does? You can test this by only using a client identity store with a single identity cert which is signed by one of the CA certificates presented by your server.
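The reply above lists what the client's identity store must contain for the second handshake step to succeed: a key entry whose chain is signed by one of the CAs the server advertises, with a leaf that permits client authentication, and no stray CA entries. The class below is an added example, not from this thread and not WebLogic's code, that checks those three points offline against a JKS identity store and a JKS trust store, so "No suitable identity certificate chain" and "CERT_CHAIN_INCOMPLETE" can be diagnosed before a single connection is attempted. `IdentityChainCheck`, the store paths and the passwords are hypothetical placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added example (hypothetical class): offline check of a client identity store against the server's trusted CAs. */
public class IdentityChainCheck {

    /** Load a JKS keystore from disk. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Every certificate in the trust store: the CAs a server using it would list in CertificateRequest. */
    static List<X509Certificate> trustedCas(KeyStore trust) throws Exception {
        List<X509Certificate> cas = new ArrayList<>();
        for (String alias : Collections.list(trust.aliases())) {
            Certificate c = trust.getCertificate(alias);
            if (c instanceof X509Certificate) cas.add((X509Certificate) c);
        }
        return cas;
    }

    /** Walk the chain leaf-first: each cert must be signed by the next, and the last by a trusted CA. */
    static boolean chainsToTrustedCa(X509Certificate[] chain, List<X509Certificate> cas) {
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            if (i + 1 < chain.length) {
                try { cert.verify(chain[i + 1].getPublicKey()); } catch (Exception e) { return false; }
            } else {
                for (X509Certificate ca : cas) {
                    try { cert.verify(ca.getPublicKey()); return true; } catch (Exception e) { /* not this CA */ }
                }
                return false;   // last link is signed by no CA the server trusts: chain incomplete
            }
        }
        return false;
    }

    /** No EKU extension means no restriction; otherwise id-kp-clientAuth must be listed. */
    static boolean allowsClientAuth(X509Certificate leaf) throws Exception {
        List<String> eku = leaf.getExtendedKeyUsage();
        return eku == null || eku.contains("1.3.6.1.5.5.7.3.2");
    }

    /** One report line per entry in the identity store. */
    static List<String> report(KeyStore identity, KeyStore trust) throws Exception {
        List<X509Certificate> cas = trustedCas(trust);
        List<String> lines = new ArrayList<>();
        for (String alias : Collections.list(identity.aliases())) {
            if (!identity.isKeyEntry(alias)) {
                lines.add(alias + ": trusted-cert entry, not an identity (CA certs belong in the trust store)");
                continue;
            }
            Certificate[] raw = identity.getCertificateChain(alias);
            X509Certificate[] chain = new X509Certificate[raw.length];
            for (int i = 0; i < raw.length; i++) chain[i] = (X509Certificate) raw[i];
            boolean complete = chainsToTrustedCa(chain, cas);
            boolean clientAuth = allowsClientAuth(chain[0]);
            lines.add(alias + ": chain length " + chain.length
                    + ", chains to a trusted CA=" + complete
                    + ", clientAuth allowed=" + clientAuth
                    + (complete && clientAuth ? " -> usable for 2-way SSL" : " -> not usable for 2-way SSL"));
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords; on WLS #1 use its identity store and WLS #2's trust store.
        KeyStore identity = load("/path/to/identity.jks", "changeit".toCharArray());
        KeyStore trust = load("/path/to/trust.jks", "changeit".toCharArray());
        for (String line : report(identity, trust)) System.out.println(line);
    }
}
```

Run it on WLS #1 with WLS #1's identity store and a copy of WLS #2's trust store: a key entry reported with chain length 1 whose issuer is absent from the trust store is the situation the server logs as `CERT_CHAIN_INCOMPLETE`, and a store whose only usable entry is a trusted-cert entry is the misplaced CA certificate the reply points out.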

  • I am having trouble implementing one-way SSL on WebLogic 9.2...

    I am having trouble implementing one-way SSL on WebLogic 9.2. I am using Demo Identity and Demo Trust certificates with an SSL Listen Port enabled on 7002, and a Two Way Client Cert Behavior of Client Certs Not Requested. I assume that by using Client Certs Not Requested there is no need to install certificates on users' computers.
    When weblogic is restarted, I get the following log telling me it works...
    <Sep 11, 2012 9:35:16 AM PDT> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file E:\bea\WEBLOG~1\server\lib\DemoIdentity.jks.>
    <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file E:\bea\WEBLOG~1\server\lib\DemoTrust.jks.>
    <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file e:\bea\jdk150_12\jre\lib\security\cacerts.>
    <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.9.20.172:7000 for protocols iiop, t3, ldap, http.>
    <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 10.9.20.172:7002 for protocols iiops, t3s, ldaps, https.>
    However, when I open the console in https://server:7002/console, I get the following error in log file...
    <Sep 11, 2012 9:43:45 AM PDT> <Warning> <Security> <BEA-090481> <NO_CERTIFICATE alert was received from x.y.z.com - 10.37.10.54. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
    <Sep 11, 2012 9:43:45 AM PDT> <Warning> <Security> <BEA-090508> <Certificate chain received from x.y.z.com - 10.37.10.54 was incomplete.>
    I do not understand why I am getting this error when I assume there is no need to install certificates on users' computers. Can someone please explain what is going on? Thanks in advance.

    <?xml version='1.0' encoding='UTF-8'?>
    <domain xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xsi:schemaLocation="http://www.bea.com/ns/weblogic/90/security/extension http://www.bea.com/ns/weblogic/90/security.xsd http://www.bea.com/ns/weblogic/90/security/xacml http://www.bea.com/ns/weblogic/90/security/xacml.xsd http://www.bea.com/ns/weblogic/90/security http://www.bea.com/ns/weblogic/90/security.xsd http://www.bea.com/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd http://www.bea.com/ns/weblogic/90/security/wls http://www.bea.com/ns/weblogic/90/security/wls.xsd">
    <name>nctcis</name>
    <domain-version>9.2.3.0</domain-version>
    <security-configuration>
    <name>nctcis</name>
    <realm>
    <sec:authentication-provider xsi:type="wls:default-authenticatorType">
    <sec:name>DefaultAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:name>DefaultIdentityAsserter</sec:name>
    <sec:active-type>AuthenticatedUser</sec:active-type>
    </sec:authentication-provider>
    <sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
    <sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
    <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
    <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
    <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
    <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
    <sec:name>myrealm</sec:name>
    </realm>
    <default-realm>myrealm</default-realm>
    <anonymous-admin-lookup-enabled>true</anonymous-admin-lookup-enabled>
    <credential-encrypted>{3DES}PyUkjWRp8JGpk75BYSbvQ6OWYgA9SZq2nj2IuENa2vxrMy835GMRZ+GGKhJiWapjt0mMC2ohcxxlIMNUZJUH2gCjbB5kQUmA</credential-encrypted>
    <node-manager-username>system</node-manager-username>
    <node-manager-password-encrypted>{3DES}KmaZDZGQC6spYVY12CbJGA==</node-manager-password-encrypted>
    </security-configuration>
    <jta>
    <timeout-seconds>1800</timeout-seconds>
    <abandon-timeout-seconds>3600</abandon-timeout-seconds>
    <max-transactions>100000</max-transactions>
    <max-resource-unavailable-millis>100000</max-resource-unavailable-millis>
    </jta>
    <log>
    <name>nctcis</name>
    <file-name>e:/netcracker/logs/wl-domain.log</file-name>
    <file-min-size>5120</file-min-size>
    </log>
    <server>
    <name>nctcisAdmin</name>
    <ssl>
    <enabled>true</enabled>
    <hostname-verifier xsi:nil="true"></hostname-verifier>
    <hostname-verification-ignored>false</hostname-verification-ignored>
    <client-certificate-enforced>true</client-certificate-enforced>
    <two-way-ssl-enabled>false</two-way-ssl-enabled>
    <server-private-key-alias>tcisdevbpagov_cert</server-private-key-alias>
    <server-private-key-pass-phrase-encrypted>{3DES}T21dXO5l79SRI+xSmGOE+A==</server-private-key-pass-phrase-encrypted>
    <use-server-certs>false</use-server-certs>
    </ssl>
    <log>
    <name>nctcisAdmin</name>
    <file-name>e:/netcracker/logs/weblogic.log</file-name>
    <file-min-size>5120</file-min-size>
    </log>
    <listen-port>7000</listen-port>
    <web-server>
    <name>nctcisAdmin</name>
    <web-server-log>
    <name>nctcisAdmin</name>
    <file-name>e:/netcracker/logs/access.log</file-name>
    <file-min-size>5120</file-min-size>
    </web-server-log>
    </web-server>
    <listen-address>tcis.dev.bpa.gov</listen-address>
    <key-stores>DemoIdentityAndDemoTrust</key-stores>
    <custom-identity-key-store-file-name>E:\bea\jdk150_12\bin\tcisdevbpagov_identity.jks</custom-identity-key-store-file-name>
    <custom-identity-key-store-type>JKS</custom-identity-key-store-type>
    <custom-identity-key-store-pass-phrase-encrypted>{3DES}T21dXO5l79SRI+xSmGOE+A==</custom-identity-key-store-pass-phrase-encrypted>
    <custom-trust-key-store-file-name>E:\bea\jdk150_12\bin\tcisdevbpagov_trust.jks</custom-trust-key-store-file-name>
    <custom-trust-key-store-type>JKS</custom-trust-key-store-type>
    <custom-trust-key-store-pass-phrase-encrypted>{3DES}I++r0/FEMRGFrqF47pYZJA==</custom-trust-key-store-pass-phrase-encrypted>
    </server>
    <embedded-ldap>
    <name>nctcis</name>
    <credential-encrypted>{3DES}i51JYfmoGyFTxPjiCjjtXWwza1t13k56Ls7fmdqtKB0=</credential-encrypted>
    </embedded-ldap>
    <configuration-version>9.2.3.0</configuration-version>
    <app-deployment>
    <name>NetCracker</name>
    <target>nctcisAdmin</target>
    <module-type>ear</module-type>
    <source-path>applications\NetCracker</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    <staging-mode>nostage</staging-mode>
    </app-deployment>
    <app-deployment>
    <name>pictures</name>
    <target>nctcisAdmin</target>
    <module-type>war</module-type>
    <source-path>e:\pictures</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    <staging-mode>nostage</staging-mode>
    </app-deployment>
    <jms-server>
    <name>NCJMSServer</name>
    <target>nctcisAdmin</target>
    <temporary-template-resource>NCJMSModule</temporary-template-resource>
    <temporary-template-name>NetCrackerTemplate</temporary-template-name>
    <message-buffer-size>100000</message-buffer-size>
    </jms-server>
    <self-tuning>
    <max-threads-constraint>
    <name>MaxThreadsConstraint</name>
    <target>nctcisAdmin</target>
    <count>40</count>
    </max-threads-constraint>
    <work-manager>
    <name>default</name>
    <target>nctcisAdmin</target>
    <max-threads-constraint>MaxThreadsConstraint</max-threads-constraint>
    <work-manager-shutdown-trigger>
    <stuck-thread-count>1000</stuck-thread-count>
    </work-manager-shutdown-trigger>
    </work-manager>
    </self-tuning>
    <jms-system-resource>
    <name>NCJMSModule</name>
    <target>nctcisAdmin</target>
    <sub-deployment>
    <name>BEA_JMS_MODULE_SUBDEPLOYMENT_NCJMSServer</name>
    <target>NCJMSServer</target>
    </sub-deployment>
    <descriptor-file-name>jms/ncjmsmodule-jms.xml</descriptor-file-name>
    </jms-system-resource>
    <admin-server-name>nctcisAdmin</admin-server-name>
    <jdbc-system-resource>
    <name>NetCrackerDataSource</name>
    <target>nctcisAdmin</target>
    <descriptor-file-name>jdbc/NetCrackerDataSource-5713-jdbc.xml</descriptor-file-name>
    </jdbc-system-resource>
    <jdbc-system-resource>
    <name>NetCrackerDataSourceNonTX</name>
    <target>nctcisAdmin</target>
    <descriptor-file-name>jdbc/NetCrackerDataSourceNonTX-6926-jdbc.xml</descriptor-file-name>
    </jdbc-system-resource>
    </domain>
    Edited by: user6904153 on Sep 12, 2012 6:57 AM

  • Cannot get web service using 2-way SSL to work

    WebLogic 8.1 sp4, using jdk 1.4.2_05 within BEA install dir (not JRockit). Also using WLWorkshop.
    I'm trying to call a web service provided by a third-party requiring 2-way SSL; The third-party provided a server cert to trust and a key/cert to use from our client. After updating my key and trust stores, I'm able to run this with no problem from another web service test product (CapeClear).
    How does one do this from WLS? I did the following (nothing has worked):
    - Started my WLS server; using the console, updated the Configuration|Keystores & SSL section and restarted - the console output indicates that all loaded correctly. I also changed the option on Two Way Client Cert Behavior to 'Client Certs Requested and Enforced'.
    - Updated my setDomainEnv.cmd to include the following options -Dweblogic.security.SSL.ignoreHostnameVerify=true -Dweblogic.security.SSL.enforceConstraints=off; I also added the -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true options.
    - Within Workshop, created my web service control from the provided WSDL and generated a test JPF; when I run the test, I get an exception related to an invalid content type (text\html). This occurs because the client-side SSL piece did not take place and the client was presented with a login-page rather than a web-service XML result.
    - I updated the JDK security jars with domestic strength algorithms; no change in behavior.
    - No SSL errors in the debug trace (I can provide log upon request).
    What other parameter and/or setting do I need to update to get this to work?
    Any help would be tremendously appreciated.
    Thanks,
    Rick

    I too am struggling with SSL but I was given some help by BEA. This does not help me since it seems like the proxy jar I download from the WS home page wants to go directly to the JPD, not the jws. This example of two-way SSL should work for you. I am including the Main class but not the generated files it refers to. I don't know how to attach files to the newsgroups. The key thing is to make use of the adapters. The Impl and Port are part of the downloaded proxy.
    public static void main(String[] args) throws Exception {
    // set weblogic ServiceFactory
    System.setProperty("javax.xml.rpc.ServiceFactory", "weblogic.webservice.core.rpc.ServiceFactoryImpl");
    // set weblogic client protocol handler
    System.setProperty("java.protocol.handler.pkgs", "weblogic.webservice.client");
    // set the SSL adapter
    SSLAdapterFactory adapterFactory = SSLAdapterFactory.getDefaultFactory();
    WLSSLAdapter adapter = (WLSSLAdapter) adapterFactory.getSSLAdapter();
    // two-way SSL you must loadLocalIdentity to provide certs back to the server
    FileInputStream clientCredentialFile = new FileInputStream ("./client/clientcred.pem");
    String pwd = "canpass";
    adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
    adapter.setVerbose(true);
    adapter.setTrustedCertificatesFile("./config/ca1024.pem");
    adapter.setStrictChecking(false);
    adapterFactory.setDefaultAdapter(adapter);
    adapterFactory.setUseDefaultAdapter(true);
    String a = null;
    if (args.length < 1) {
    a = "Sample String";
    } else {
    a = args[0];
    ToUpper_Impl lookup = new ToUpper_Impl();
    ToUpperPort value = lookup.gettoUpperPort();
    String result = value.toUpper(a);
    System.out.println(result);
    }

  • 2-Way SSL and Webservices

    Greetings,
    After spending some time searching the docs and several dev2dev newsgroups I haven't been able to find a clear cut answer to an urgent question:
    I have two webservices, the client (.jpd) and the server (.jws), which are installed on separate weblogic 8.1 instances on different machines. The requirement is that the webservices must communicate with one another only over a 2-Way SSL connection.
    My question is how to set up this 2-way SSL configuration between the client and server webservices. Do I need to write code or can I configure it using the web.xml files of the two webservices? I don't think it would make sense to configure the two weblogic instances to always use 2-Way SSL (via the startup script or config.xml), in which case the webservices might not inherit the truststore and other SSL configuration of the respective instances.
    If someone has already solved this problem, I would appreciate hearing from you. This is an urgent problem and I am stumped. Any help would be appreciated!
    Regards

    Hi,
    I am trying to use 2-way SSL from a webservices client, here is my code:
    import java.io.FileInputStream;
    import java.net.URL;
    import org.apache.axis.AxisProperties;
    import weblogic.webservice.client.SSLAdapterFactory;
    import weblogic.webservice.client.WLSSLAdapter;

    public class UNSClient {
        public static void main(String[] args) throws Exception {
            AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory", "org.apache.axis.components.net.SunFakeTrustSocketFactory");
            SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
            WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
            // clientCredentialFile stores, in PEM format, the public certificate,
            // all the CAs associated with it and then the private key, concatenated
            FileInputStream clientCredentialFile = new FileInputStream("C:\\sslcert\\client-pub3.pem");
            // private key password
            String pwd = "password";
            adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
            adapter.setVerbose(true);
            adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
            adapter.setStrictCheckingDefault(false);
            factory.setDefaultAdapter(adapter);
            factory.setUseDefaultAdapter(true);
            boolean idAvailability = false;
            // UNSLocator and UNSPort are the generated Axis stubs for the service
            UNSLocator locator = new UNSLocator();
            URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
            UNSPort unsprt = locator.getUNSPort(portAddress);
            idAvailability = unsprt.isIDAvailable("Yulin125", "C");
            System.out.println("Got from method :" + idAvailability);
        }
    }
    After running this code I am getting the following exception:
    AxisFault
    faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
    faultSubcode:
    faultString: java.net.SocketException: Software caused connection abort: socket write error
    faultActor:
    faultNode:
    faultDetail:
    I am using .pem (clientsigned, clientinter, clientroot, root-key) files for client authentication and I am using server.jks as a keystore for my server authentication. Once I run this code, I am able to present the server certificate chain to the client but I am not able to present the client certificate chain to the server.
    I have been stuck with this for quite some time.
    Some insight needed from the gurus.

  • 1 WAY SSL issue.

    Our Domain has one proxy server and a weblogic cluster with 2 managed servers running on Weblogic Integration Server 8.1 SP5.
    The proxy will forward the request to the cluster in a round robin.
    The environment is configured for 2 way SSL and the configuration works fine.
    The authorization used is perimeter authorization using HttpClusterServlet.
    Now I need one way ssl.
    Since the managed servers are configured for 1 way ssl I am trying to access the managed servers by bypassing the proxy.
    I am getting the following error.
    "Error 401--Unauthorized xxx
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    I checked the server logs and am getting the following error.
    Any help?
    Thanks && Regards,
    Rajeev
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 10330858>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLSocket will be Muxing>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(is): 20100894>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 readRecord()>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 SSL3/TLS MAC>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 received HANDSHAKE>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ClientHello>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <write HANDSHAKE offset = 0 length = 58>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <write HANDSHAKE offset = 0 length = 2120>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <write HANDSHAKE offset = 0 length = 4>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 readRecord()>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 SSL3/TLS MAC>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 received HANDSHAKE>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ClientKeyExchange>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ClientKeyExchange RSA>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 readRecord()>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 SSL3/TLS MAC>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 received CHANGE_CIPHER_SPEC>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 readRecord()>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 SSL3/TLS MAC>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <31630577 received HANDSHAKE>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC offset = 0 length = 1>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <write HANDSHAKE offset = 0 length = 40>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(sock): 9712642>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <activateNoRegister()>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <avalable(): 31630577 : 0 + 0 = 0>
    <Nov 27, 2006 4:33:45 PM EST> <Debug> <TLS> <000000> <SSLFilter.activate(): activated: 20100894 31630577>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 read( offset: 0 length: 4080 )>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: true>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <hasSSLRecord()>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <hasSSLRecord returns true>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 readRecord()>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 SSL3/TLS MAC>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 received APPLICATION_DATA>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 APPDATA databufferLen 0>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 APPDATA contentLength 572>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 read databufferLen 572>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 read A returns 572>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 read( offset: 572 length: 3508 )>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: true>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <hasSSLRecord()>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <hasSSLRecord returns false 1>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 Rethrowing InterruptedIOException>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(sock): 9712642>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <activateNoRegister()>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <avalable(): 31630577 : 0 + 0 = 0>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.activate(): activated: 20100894 31630577>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 read( offset: 572 length: 3508 )>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <isMuxerActivated: true>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLFilter.isActivated: true>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <hasSSLRecord()>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <hasSSLRecord returns false 1>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <31630577 Rethrowing InterruptedIOException>
    *** ServletRequestImpl.setClientCertProxy.x509ProxyClientCert ***null
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <write APPLICATION_DATA offset = 0 length = 339>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <write APPLICATION_DATA offset = 6 length = 1526>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@89314f Severity: 1 Type: 0
    java.lang.Throwable: Stack trace
    at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:265)
    at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
    at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
    at weblogic.socket.SocketMuxer.closeSocket(SocketMuxer.java:267)
    at weblogic.socket.SocketMuxer.cleanupSocket(SocketMuxer.java:605)
    at weblogic.socket.SocketMuxer.deliverExceptionAndCleanup(SocketMuxer.java:569)
    at weblogic.socket.SocketMuxer.deliverEndOfStream(SocketMuxer.java:513)
    at weblogic.servlet.internal.ServletResponseImpl.send(ServletResponseImpl.java:1221)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2637)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    >
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <avalable(): 31630577 : 0 + 0 = 0>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <write ALERT offset = 0 length = 2>
    <Nov 27, 2006 4:33:46 PM EST> <Debug> <TLS> <000000> <SSLIOContextTable.removeContext(ctx): 10330858>

    I have exactly the same problem, except that I regularly open up the npr site. But here is the real problem. I open firefox>preferences>advanced>encryption>view certificates>add exception. But here is the problem. I can not click on the box to permanently store exception. This box appears permanently closed.
    I am currently running firefox 9.01, and I've got to say I never had any problems with firefox in all the years I've used it. But ever since it went through this dizzying series of upgrades from 3.6 to the present it has given me problems.
    I am a regular npr listener, and so this annoying error message is really making me consider permanently leaving firefox for chrome or safari.

  • Weblogic 6.1's 2-way SSL

    I'm using the wsl proxy plug-in between iPlanet Webserver 4.1SP9 and
    wsl 6.1.
    The obj.conf of iPlanet web server was configured to use path proxy:
    -------- httpd.conf --------
    Init fn="load-modules" funcs="wl_proxy,wl_init" shlib="/usr/netscape/web/plugins/lib/libproxy.so"
    Init fn="wl_init"
    <Object name="weblogic" ppath="*/weblogic/*">
    Service fn="wl_proxy" WebLogicHost="wsl61.test.com" WebLogicPort="7001" PathTrim="/weblogic"
    </Object>
    The "Security" parameter in "magnus.conf" is set to on and a certificate
    was installed on this iPlanet web server.
    I was able to open:
    https://iplanet.test.com:443/weblogic/console
    to set the 'Client Certificate Enforced' option in
    Petstore's SSL section with port 7002.
    I can also access:
    https://iplanet.test.com:443/weblogic/estore
    to bring up the top page and some pages of the petstore sample
    program. But the browser got no data from the web server
    when I clicked on "Enter the Store". I then tried to "Enter the Store"
    directly through port 7002 (without proxying through the iPlanet web server)
    and it also returned no data.
    I suppose that I have to modify the petstore sample code's SSL protocol -
    even in 1-way SSL verification. Is this true?
    I also tried to change WebLogicPort="7001" to "7002" in obj.conf,
    which is tied to the SSL port of wsl61 with some sample certificates.
    When I open:
    https://iplanet.test.com:443/weblogic/console
    the server couldn't locate that object. I checked the adminGuide
    of wsl6.1 on page 13-10. It mentioned that the 'SecureProxy' parameter in
    the 'Service' directive in obj.conf has to be set to ON.
    So I appended SecureProxy="on" as follows:
    <Object name="weblogic" ppath="*/weblogic/*">
    Service fn="wl_proxy" WebLogicHost="wsl61.test.com" WebLogicPort="7002" PathTrim="/weblogic" SecureProxy="on"
    </Object>
    But it still failed to connect to port 7002 of wsl61.
    The FAQs of wsl61 have the section:
    Does the 6.1 plug-in support two-way SSL?
    No. But the plug-in can be set-up to require the client certificate and
    pass it on to WebLogic Server. For example:
    apache ssl
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
    I am confused with adminGuide's page 14-49. It talked about how to
    configure 'Mutual Authentication' briefly - it only mentioned
    the option of 'Client Certificate Enforced' besides copying root
    certificates into the 'config' directory.
    Can someone explain to me whether the 2-way authentication can be done
    via the plug-in proxy? If not, what is the right way/best way for 2-way
    authentication? Does anyone have some sample programs like petstore
    that work with iPlanet Web server and wsl61 with 2-way authentication?
    Thanks in advance.
    -kl

    I got some progress after digging into the appendix
    of the adminGuide.
    I added two more parameters into the obj.conf
    service directive:
    <Object name="weblogics" ppath="*/weblogics/*">
    Service fn="wl_proxy" WebLogicHost="wsl61.test.com" WebLogicPort="7002" PathTrim="/weblogics" SecureProxy="ON" TrustedCAFile="/usr/netscape/server4/alias/ca.pem"
    </Object>
    When I tried:
    https://iplanet.test.com:443/weblogics/
    It didn't hang. The browser showed:
    No backend server available for connection: timed out after 10 seconds.
    But I tested backend server. It was alive.
    Anyone got this working?
    Thanks.
    -kl

  • Java sp 2-way SSL authentication

    I've written a java stored proc that uses JSSE to implement an HTTPS client to a partner's server. In the past, this strategy has worked well, and we have several successful projects under our belts.
    This time, the partner's server is configured for 2-way ssl authentication. When I try to open the connection from my client, it is reporting-
    javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate.
    I'm not 100% sure what that means, but I think that it means the server is asking for a public cert from the client, and it isn't happy with what it is getting back.
    Can anyone tell me how to configure the client-side cert in a way that will make it available for my java code running in the Oracle JVM? I understand how to set up the keystore so that it is available for Tomcat, for example, but I'm at a loss to find how to set up client certs for access within an Oracle Java Stored Procedure...
    I hope that I have explained this clearly. If I need to provide more information, just ask.
    Thanks in advance for any help.
    Cole

    http://www.weblogic.com/docs51/classdocs/API_acl.html
    Michael Girdley
    BEA Systems Inc
    "gennot" <[email protected]> wrote in message
    news:[email protected]..
    Could you send me the complete URL of these examples, please?
    Thanks
    Enrico
    Michael Girdley <[email protected]> wrote in message
    39b87078$[email protected]..
    The passing of the client's certificate should be automatic to WebLogic. We
    have an example of getting the client side certificate from inside of
    WebLogic in our documentation.
    This does not require SSL to be used from the Web server to
    WebLogic.
    Thanks,
    Michael
    Michael Girdley
    BEA Systems Inc
    "Bob Simonoff" <[email protected]> wrote in message
    news:[email protected]..
    I have read through the docs and haven't found anything that would
    address the following confusion:
    Suppose I want to use Apache or iPlanet as the webserver with WebLogic as
    the back end application server (obviously). I have the need to use 2-way
    SSL authentication. As I understand it the following applies:
    Client (browser) has a certificate as does the web server. They authenticate
    each other.
    Now, the web server and weblogic need to communicate. WebLogic, in our
    environment, does authentication via the security realm.
    What do I have to do to get the web server (Apache or iPlanet) to
    communicate the client's certificate to WebLogic so that WebLogic can perform
    the authentication?
    Does the communication between the web server and WebLogic also need
    to be SSL?
    Thanks
    Bob Simonoff

  • Implementing 2-way ssl

    Hi, I have configured the keystore as "Custom Identity and Custom Trust", given the key store names for both, given the Identity alias name under the 'SSL' tab, and in 'Advanced' I am enforcing the client certificate. But when I start to access the application, I see the following error
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Alert received from peer, notifying peer we received it: com.certicom.tls.record.alert.Alert@16a86fc>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Warning> <Security> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-090481> <NO_CERTIFICATE alert was received from ASST218297.uk.pri.o2.com - 172.17.247.10. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NO_CERTIFICATE received by peer, checking with TrustManager>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <validationCallback: validateErr = 0>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Required peer certificates not supplied by peer>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: certPathValStype = 0>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: validateErr = 4>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: returning false because of built-in SSL validation errors>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <weblogic user specified trustmanager validation status 4>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Warning> <Security> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-090508> <Certificate chain received from ASST218297.uk.pri.o2.com - 172.17.247.10 was incomplete.>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Validation error = 4>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Certificate chain is incomplete>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <User defined JSSE trustmanagers not allowed to override>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <SSLTrustValidator returns: 68>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Trust failure (68): CERT_CHAIN_INCOMPLETE>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NO_CERTIFICATE received by peer, not trusted, sending HANDSHAKE_FAILURE to peer>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
    java.lang.Exception: New alert stack
         at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
         at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
         at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
         at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
         at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
         at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    any replies please....

    Hi,
    Thanks, actually while searching on the net, I found a blog where there were a few steps for implementing 2-way SSL in weblogic.
    http://huyplus.blogspot.com/2010/02/2-way-ssl-with-weblogic-server-103.html?showComment=1267793234806_AIe9_BGsO6q6ENB4YZWtQyX53CzpN8TWcSn08RqNv6z8W3V7NRI3Qlcf4NuEM35O1niTSsYXd4rxjfUT63J2XFXOHjY8W56_sC-E3MGydylLHxDivVEjR0pQnSPv_Tx7CXOqT64AGNhhs06MEM9CBhpOtHcUHwvQMPtPeDAAJcwP1I9TzEIGNzNEQlWn9INrvLzP9_RAYESO3Wcxbl6b9eRgZt_jktfllVbxcvztIV3zoeQ8XlqgpN4S7Z82yCbUS1E7lFl46FZK#c8740869862805814451
    Fortunately, this is working, I mean the server is working as expected, but in the console it says that the certificate chain is incomplete....
    Anyway, thanks for the links and suggestions...
    If possible, could you please provide me some reference for resolving this issue.
    Thanks again
    Sharma

  • 2 way SSL: How does Sun implement handling malformed certificate requests?

    Hi
    I'd like to know how Sun implements the following 2-way SSL scenario:
    When an SSL server requests client authentication, it sends a message
    to the client that says "here is a list of the names of CAs that I trust
    to issue client certs. If you have a client cert from one of these
    CAs, then send it to me". That list is NEVER supposed to be empty.
    But the hint above suggests that it is. If your server has not been
    configured with the names of CAs that it trusts to issue client certs,
    it's sending an empty list.
    When an SSL client receives such a malformed request, with an empty
    list of trusted client CA names, it may either (a) choose to send
    back a response that means "I have no cert issued by any of the
    issuers you have named", ***or (b) send back any certificate you have***
    ***and hope the misconfigured server will accept it.***
    Please advise. What is the switch to tell the client to send any certificate?
    Thanks a lot
    Christian

    > That list is NEVER supposed to be empty.
    It doesn't actually say that anywhere in the RFC.
    > When an SSL client receives such a malformed request, with an empty
    > list of trusted client CA names, it may either (a) choose to send
    > back a response that means "I have no cert issued by any of the
    > issuers you have named", ***or (b) send back any certificate you have***
    > ***and hope the misconfigured server will accept it.***
    That's not how I read the RFC. I would say the client should decide there is no suitable certificate available, and send back an empty ClientCertificate message. That in turn may provoke the server into sending a fatal handshake failure alert.
    > What is the switch to tell the client to send any certificate?
    There is no such switch.
    More to the point, why is the server's CA list empty? That must mean that it has an empty truststore. That's the problem you should fix.
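    A JSSE two-way SSL client that covers both the Java stored procedure question above (a client identity configured in code rather than through JVM-wide system properties) and the empty-CA-list behaviour discussed in this reply, as an added example that is not from either thread. It wraps the JDK key manager so the issuer names carried by the server's CertificateRequest, and the alias JSSE picks from them, are logged; the keystore paths, passwords and URL are placeholders, and Java 7 or later is assumed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

// Added example, not from the thread: two-way SSL HTTPS client whose SSLContext is
// built entirely in code, so it works where javax.net.ssl.* system properties
// cannot be set for the whole JVM. Paths, passwords and the URL are placeholders.
public class MutualTlsClient {

    /** Wraps the JDK key manager to show what the server's CertificateRequest carried. */
    static final class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;

        LoggingKeyManager(X509KeyManager delegate) {
            this.delegate = delegate;
        }

        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            // JSSE passes the CA names from the CertificateRequest here; null or an
            // empty array means the server advertised no acceptable issuers at all.
            if (issuers == null || issuers.length == 0) {
                System.err.println("server sent an empty CA list (check the server truststore)");
            } else {
                System.err.println("server accepts client certs issued by " + Arrays.toString(issuers));
            }
            String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
            // A null alias means no certificate is sent: the client answers with an
            // empty Certificate message and the server may then abort the handshake.
            System.err.println("client alias selected: " + alias);
            return alias;
        }

        // The remaining methods delegate unchanged.
        @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
        @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return delegate.chooseServerAlias(kt, is, s); }
        @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
        @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
        @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    }

    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Builds an SSLContext holding the client identity and the CA(s) trusted for the server. */
    public static SSLContext buildContext(String identityPath, char[] identityPass,
                                          String trustPath, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(identityPath, identityPass), identityPass);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
            }
        }
        // Trust only the partner's CA from the explicit truststore, not the JDK default cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(trustPath, trustPass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext("/path/to/client-identity.jks", "changeit".toCharArray(),
                                      "/path/to/partner-trust.jks", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://partner.example/service").openConnection();
        // Per-connection socket factory: no other HTTPS traffic in the JVM is affected.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```

    Whether the hosting JVM (an Oracle database JVM included) grants the code permission to read the keystore files is a separate, environment-specific setting not covered here.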
