Decrypt Error using 2-way SSL

Similar Messages

• Cannot get web service using 2-way SSL to work

  WebLogic 8.1 sp4, using jdk 1.4.2_05 within BEA install dir (not JRockit). Also using WLWorkshop.
  I'm trying to call a web service provided by a third-party requiring 2-way SSL; The third-party provided a server cert to trust and a key/cert to use from our client. After updating my key and trust stores, I'm able to run this with no problem from another web service test product (CapeClear).
  How does one do this from WLS? I did the following (nothing has worked):
  - Started my WLS server; using the console, updated the Configuration|Keystores & SSL section and restarted - the console output indicates that all loaded correctly. I also changed the option on Two Way Client Cert Behavior to 'Client Certs Requested and Enforced'.
  - Updated my setDomainEnv.cmd to include the following options -Dweblogic.security.SSL.ignoreHostnameVerify=true -Dweblogic.security.SSL.enforceConstraints=off; I also added the -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true options.
  - Within Workshop, created my web service control from the provided WSDL and generated a test JPF; when I run the test, I get an exception related to an invalid content type (text\html). This occurs because the client-side SSL piece did not take place and the client was presented with a login-page rather than a web-service XML result.
  - I updated the JDK security jars with domestic strength algorithms; no change in behavior.
  - No SSL errors in the debug trace (I can provide log upon request).
  What other parameter and/or setting do I need to update to get this to work?
  Any help would be tremendously appreciated.
  Thanks,
  Rick

  I too am struggling with SSL but I was given some help by BEA. This does not help me since It seems like the proxy jar I download from the WS Home Page wants to go directly to the JPD not the jws. This example of two way SSL should work for you. I am including the Main class but not the generated files it refers to. I don't know how to attach files to the news groups. The key thing it to make use of the adapters. The Impl and Port are part of the downloaded proxy.
  public static void main(String[] args) throws Exception {
  // set weblogic ServiceFactory
  System.setProperty("javax.xml.rpc.ServiceFactory", "weblogic.webservice.core.rpc.ServiceFactoryImpl");
  // set weblogic client protocol handler
  System.setProperty("java.protocol.handler.pkgs", "weblogic.webservice.client");
  // set the SSL adapter
  SSLAdapterFactory adapterFactory = SSLAdapterFactory.getDefaultFactory();
  WLSSLAdapter adapter = (WLSSLAdapter) adapterFactory.getSSLAdapter();
  // two-way SSL you must loadLocalIdentity to provide certs back to the server
  FileInputStream clientCredentialFile = new FileInputStream ("./client/clientcred.pem");
  String pwd = "canpass";
  adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
  adapter.setVerbose(true);
  adapter.setTrustedCertificatesFile("./config/ca1024.pem");
  adapter.setStrictChecking(false);
  adapterFactory.setDefaultAdapter(adapter);
  adapterFactory.setUseDefaultAdapter(true);
  String a = null;
  if (args.length < 1) {
  a = "Sample String";
  } else {
  a = args[0];
  ToUpper_Impl lookup = new ToUpper_Impl();
  ToUpperPort value = lookup.gettoUpperPort();
  String result = value.toUpper(a);
  System.out.println(result);
  }

• 2-way SSL and access control using the client certificate

  Hi,
  I'd like to configure WLS 8.1 so that the server will use the client identity extracted from the client certificate to determine whether permissions should be granted. I am having some problems.
  Details: The client can be either a Web service or a web application. The steps for authentication and authorization should be:
  - The client sends a request to an Apache server (DMZ) which will then be forwarded to WLS.
  - The client's identity, common name from the X.509 certificate, is mapped to the "username" (using WLS default identity assertion provider).
  - Validate whether the client should be trusted (via the list in the trusted credentials)
  - Check whether the resource should be granted based on the "username".
  The on-line manual says
  "If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires that the Web browser or Java client have an identity."
  "The user corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate must be defined in the server's security realm; otherwise the client will not be allowed to access a protected WebLogic resource. For information on configuring users on the server, see Creating Users in Managing WebLogic Security."
  So the questions I have are:
  - If the client identity is certificate based, why should we configure users with the "user name" and "password"? How can we get around it?
  - Once I defined the security condition for my app to use "user name of the caller," a default username and password prompt automatically popped up.
  Apparently, the SSL mutual authentication configuration and the default authentication provider to use the X.509 type didn't take any effect.
  - Without defining the security policy for the application, the debugging messages show that
  getRoles(): input arguments: subject:0
  Entitlement - <Role:Annonymous with expr:Grp(everyone)>
  Any suggestions? Thanks.

  Hi,
  I am trying to use 2 way ssl using webservices client , here is my code :
  AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
  SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
  WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
  // clientCredentialFile stores in PEM format the public key and
  // all the CAs associated with it + then the private key. All this in // a concatenated manner
  FileInputStream clientCredentialFile = new FileInputStream ("C:\\sslcert\\client-pub3.pem");
  // private key password
  String pwd = "password";
  adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
  adapter.setVerbose(true);
  adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
  adapter.setStrictCheckingDefault(false);
  factory.setDefaultAdapter(adapter);
  factory.setUseDefaultAdapter(true);
  boolean idAvailability = false;
  UNSLocator locator = new UNSLocator();
  URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
  UNSPort unsprt = locator.getUNSPort(portAddress);
  idAvailability = unsprt.isIDAvailable("Yulin125", "C");
  System.out.println("Got from method :"+idAvailability);
  After runing this code i am getting the following exception :
  AxisFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
  faultSubcode:
  faultString: java.net.SocketException: Software caused connection abort: socket write error
  faultActor:
  faultNode:
  faultDetail:
  I am using .pem (clientsigned,clientinter,clientroot, root-key) files for client authentication and i am using server.jks as a keystore for my server authentication.Once i run this code , i am able to present the server certificate chain to the client but i am not able to present the client certificate chain to server.
  I am stuck with for quite sometime.
  Some insight needed from the guru's

• What should be done in certmap.conf for 2-way SSL support from a standalone Java application to an SSL enabled LDAP Server

  To support certficate based client authentication using 2-way SSL from a standalone java application which uses JNDI and JSSE1.0.2 to connect to an SSL enabled LDAP Server how do we configure the certmap.conf?Is there any additional setup required at the LDAP Server side apart from enablinf SSL with the option"Required Client Authentication" enabled.The 2 way SSL handshake goes through but the access log file (After configuring the certmap.conf for the issuer DN of the client certficate etc..)shows SSL failed to LDAP DN?But inspite of this access log error the Java client does get an SSL Connection object with which it is able to connect to the LDAP.IS the certmap.conf file being looked up by the LDAP Server at all?

  have you out.flush() and out.close() before you call connection.getInputStream()?

• 2-Way SSL and Webservices

  Greetings,
  After spending some time searching the docs and several dev2dev newsgroups I haven't been able to find a clear cut answer to an urgent question:
  I have a two webservices, the client (.jpd) and the server (.jws) which are installed on a separate weblogic 8.1 instances on different machines. The requirement is that the webservices must communicate with one another only over a 2-Way SSL connection.
  My question is how to setup this 2-way SSL configuration between the client and sever webservices. Do I need to write code or can I configure it using the web.xml files of the two webservies? I don't think it would make sense to configure the two weblogic instances to always use 2-WaySSL (via the startup script or config.xml), in which case the webservies might not inherit the truststore and other SSL connfiguration of the respective instances.
  If someone has already solved this problem, I would appreaciate to hear from you. This is an urgent problem and I am stumped. Any help would be appreciated!
  Regards

  Hi,
  I am trying to use 2 way ssl using webservices client , here is my code :
  AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
  SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
  WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
  // clientCredentialFile stores in PEM format the public key and
  // all the CAs associated with it + then the private key. All this in // a concatenated manner
  FileInputStream clientCredentialFile = new FileInputStream ("C:\\sslcert\\client-pub3.pem");
  // private key password
  String pwd = "password";
  adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
  adapter.setVerbose(true);
  adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
  adapter.setStrictCheckingDefault(false);
  factory.setDefaultAdapter(adapter);
  factory.setUseDefaultAdapter(true);
  boolean idAvailability = false;
  UNSLocator locator = new UNSLocator();
  URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
  UNSPort unsprt = locator.getUNSPort(portAddress);
  idAvailability = unsprt.isIDAvailable("Yulin125", "C");
  System.out.println("Got from method :"+idAvailability);
  After runing this code i am getting the following exception :
  AxisFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
  faultSubcode:
  faultString: java.net.SocketException: Software caused connection abort: socket write error
  faultActor:
  faultNode:
  faultDetail:
  I am using .pem (clientsigned,clientinter,clientroot, root-key) files for client authentication and i am using server.jks as a keystore for my server authentication.Once i run this code , i am able to present the server certificate chain to the client but i am not able to present the client certificate chain to server.
  I am stuck with for quite sometime.
  Some insight needed from the guru's

• 2-way SSL when WL7 is client; get "Required peer certificates not supplied by peer"

  Background: WL7 is properly configured to use 2-way SSL, and works fine whenever
  its acting as the Server; i.e., I have 2-way SSL working between a Web Browser
  and WL7, or between Tomcat and WL7. However, when trying to get 2-way SSL (mutual
  authentication) working between a WL7 server acting as a client and another server
  such as Tomcat, acting as the server, I get a "Required peer certificates not
  supplied by peer" error. The initial ServerHello handshake is fine; the problem
  arises when the Tomcat server, for example, then requests WL7 to serve up its
  client certificate. It's as if WL7 does not know where to locate its "client"
  certificate.
  I had the same problem with Tomcat initially, where it would also not know how
  to locate its "client" certificte. I resolved the problem by setting the following
  system properties:
  javax.net.ssl.keyStore=...
  javax.net.ssl.keyStorePassword=...
  javax.net.ssl.trustStore=...
  javax.net.ssl.trustStorePassword=...
  Are their analogous system properties I need to set on the WL7 side of things,
  as I noticed that WL7 seems to use its own proprietary version of JSSE API's?
  How do I configure WL7 to locate its "client" certificate?
  Thanks! Your help is greatly appreciated.
  -Dan

  Weblogic uses Certicom SSL implementation which has classes that conflict with
  JSSE classes. As a result opening SSL connection from WLS over JSSE or API like
  SOAPConnection that uses JSSE does not work as expected. The javax.net.ssl properties
  are not supported and there is no replacement for the default identity keystore
  property.
  The best workaround I can think of in this case is to pass as the second parameter
  to SOAPConnection.call() method a URL instance created with a custom URLStreamHandler
  extending the weblogic.net.http.Handler. This handler can override the Handler.openConnection(URL)
  method and use the HttpsURLConnection.loadLocalIdentity method to initialize identity
  of the returned connection. For example:
  public class MyHandler extends weblogic.net.http.Handler {
  protected URLConnection openConnection(URL u) throws IOException {
  URLConnection c = super.openConnection();
  if (c instanceof weblogic.net.http.HttpsURLConnection) {
  // initialize ssl identity
  ((weblogic.net.http.HttpsURLConnection) c).loadLocalIdentity(certChain,
  privateKey);
  return c;
  URL someHTTPSUrlEndpoint = new URL("https", "localhost", 7002, "myfile", new MyHandler());
  replyMessage = con.call(someSOAPMessageInstance, someHTTPSUrlEndpoint);
  Pavel.
  "ddumitru" <[email protected]> wrote:
  >
  Thanks, Pavel, for replying,
  I've been reading and re-reading that page for quite a while now. Unfortunately,
  the examples given are for when WL7 is acting as the "server" and not
  the "client";
  i.e., when some other server, such as Tomcat, WebSphere, or Oracle 9IAS,
  reaches
  out to the WL7 instance first, or when one WL7 instance talks to another
  WL7 instance
  via JNDI.
  In my case, my WL7 instance needs to initiate a Web Service call; i.e.,
  needs
  to reach out to another server via a SAAJ (SOAP with Attachments) API
  call. My
  sending servlet uses the SAAJ (SOAP with attachments) API to make a Web
  Service
  call to another server, as follows:
  SOAPConnectionFactory scf = SOAPConnectionFactory.newInstance();
  SOAPConnection con = scf.createConnection();
  SOAPMessage replyMessage = con.call( someSOAPMessageInstance, someHTTPSUrlEndpoint
  With the SAAJ API, as illustrated above, I don't see a direct way of
  configuring
  (using URLConnection, SSLContext, SSLSocketFactory, etc.) the SSL connection
  prior
  to making a call, as suggested in the link you mentioned. Also, the
  receiving
  server may implement its Web Services using a non-BEA application server
  that
  may not even use the J2EE platorm. As such, I don't believe I can use
  the JNDI
  solution provided in that same link.
  Again, I was able to make 2-way SSL (Mutual Authentication) connections
  between
  Tomcat and WL7 instances using the SAAJ API's when Tomcat was the client
  initiating
  the SAAJ call. In this scenario, Tomcat requested WL7 for its certificate,
  WL7
  served it up, and Tomcat then verified it. Then, in turn, WL7 asked
  Tomcat for
  its certificate, Tomcat presented it, and WL7 was able to verify Tomcat's
  certificate.
  I suppose I was able to make it all work under this scenario because
  I was able
  to configure Tomcat, which is using native JSSE API's, to locate its
  "client"
  certificate by setting the following system properties, as mentioned
  previously:
  javax.net.ssl.keyStore=...
  javax.net.ssl.keyStorePassword=...
  javax.net.ssl.trustStore=...
  javax.net.ssl.trustStorePassword=...
  Based upon your feedback, I now understand that WL7 cannot be configured
  in a
  similar manner because WL7 uses its own version of the JSSE API's. Any
  ideas
  on what I might try next?
  Thanks!
  -Dan
  "Pavel" <[email protected]> wrote:
  WLS SSL API does not support any system properties for SSL identity.
  The client's
  identity has to be configured via methods of SSL API. The trust configuration
  of SSL client running on WL server and using WLS SSL API will be the
  same as of
  the WL server.
  See http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1019570
  for more information on this. "Writing Applications that Use SSL" contains
  code
  examples that use different SSL APIs to connect over two-way SSL.
  Pavel.
  "ddumitru" <[email protected]> wrote:
  Background: WL7 is properly configured to use 2-way SSL, and worksfine
  whenever
  its acting as the Server; i.e., I have 2-way SSL working between a
  Web
  Browser
  and WL7, or between Tomcat and WL7. However, when trying to get 2-way
  SSL (mutual
  authentication) working between a WL7 server acting as a client andanother
  server
  such as Tomcat, acting as the server, I get a "Required peer certificates
  not
  supplied by peer" error. The initial ServerHello handshake is fine;
  the problem
  arises when the Tomcat server, for example, then requests WL7 to serve
  up its
  client certificate. It's as if WL7 does not know where to locate its
  "client"
  certificate.
  I had the same problem with Tomcat initially, where it would also not
  know how
  to locate its "client" certificte. I resolved the problem by setting
  the following
  system properties:
  javax.net.ssl.keyStore=...
  javax.net.ssl.keyStorePassword=...
  javax.net.ssl.trustStore=...
  javax.net.ssl.trustStorePassword=...
  Are their analogous system properties I need to set on the WL7 sideof
  things,
  as I noticed that WL7 seems to use its own proprietary version of JSSE
  API's?
  How do I configure WL7 to locate its "client" certificate?
  Thanks! Your help is greatly appreciated.
  -Dan

• 2-Way SSL for a single web app

  Hi all,
  I have got 2-way SSL working on my WLS 8.1.4.
  However we have an existing app that uses 1-way SSL already running on the same WLS.
  Is it possible to allow 1-way SSL for the existing app and only use 2-way on my new app?
  Looking at the console enforcing client certificates seems to be a server wide setting. I was hoping that maybe I would be able to restrict it in the web.xml file.
  Any advice would be appreciated.
  Thanks
  Alan

  It is a domain wide setting. Can you not create a new domain? I do not think that you can handle it from web.xml. I have never seen such thing in web.xml.

• 2-way SSL using t3s protocol

  Goodmorning,
  I'm trying to get a 2-way SSL connection between two WLS 10.3 in production mode.
  WLS #1 contains the client application and WLS #2 contains the server application.
  I've got a standalone Microsoft CA.
  I've configured WLSs with custom identity and trust JKS Stores.
  In trust store I stored the CA certificate.
  In identity store I created a selfsigned cert with RSA alg and this cert was signed from my CA.
  In identity store I also stored the CA's Certificate.
  I've enabled SSL with custom identity and trust store,
  None host verification,
  Export Key Lifespan 500,
  Two Way Client Cert Behavior: Client cert requested and enforced,
  SSL Rejection Logging Enabled checked,
  Inbound and Outbound Certificate Validation: Builtin SSL Validation Only
  I configured both WLS as explained (except identity certs that are custom for each server).
  I can invoke WLS #2 Webservices from WLS #1 via https.
  So I tried to invoke an EJB deployed on WLS #2 via t3s, but it didn't work.
  During handshake process, the first step is ok; in fact WLS #1 trusts WLS #2 certs.
  The second step goes wrong; here follows some logs.
  WLS #1
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: CertificateRequest>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 SSL3/TLS MAC>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 received HANDSHAKE>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> *<No suitable identity certificate chain has been found.>*
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 7>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 134>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACSHA1>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACSHA1>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 SSL3/TLS MAC>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 received ALERT>
  <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
  WLS #2
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> *<Required peer certificates not supplied by peer>*
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 4>
  <2-mar-2011 11.14.12 CET> <Warning> <Security> <BEA-090508> <Certificate chain received from xpr-selex-fel01 - 192.168.60.48 was incomplete.>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 4>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is incomplete>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <User defined JSSE trustmanagers not allowed to override>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 68>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <Trust failure (68): CERT_CHAIN_INCOMPLETE>
  <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
  One useful info: if I deploy both EJB application and client application all on the same WLS and alient application invokes the EJB via t3s, all works fine.
  Is there anything missing/wrong in the configuration?
  Thanks.

  Is this a typo?
  In identity store I created a selfsigned cert with RSA alg and this cert was signed from my CA.It can't be both self-signed and signed by a CA.
  In identity store I also stored the CA's Certificate.The identity store should not have a CA certificate in it. Either put the CA in your trust store, or chain your CA and your identity into a single cert within your identity store.
  During the handshake, the server (#2) will send a list of of its trusted CA certs to the client. The client has to look in its identity store for certs which are signed by one of the CAs sent by the server.
  If your client has multiple identity certs ( with the clientAuth key usage ) in its identity store, then there has to be some way to choose which cert to select. Does t3s use the SSL configuration's alias in the client as http does? You can test this by only using a client identity store with a single identity cert which is signed by one of the CA certificates presented by your server.

• Debug Weblogic 10.0 with 2-Way SSL: Error 401--Unauthorized

  Hi,
  I am working on Weblogic 10.0 with 2-Way SSL configuration. User uses X.509 certificate to login into the system. I have a default UserNameMapper which maps the CN to the a user name in the LDAP user store. User can login without problem. But after user login, when he tries to hit a new page before the original page fully loaded, he will get a "Error 401--Unauthorized".
  I turned on the Weblogic security debug and got the following warning with stack trace. Can anybody help me to figure out what's wrong? How do I troubleshoot this issue? Any help is really appreciated.
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned PERMIT>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: true>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 167>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 6, length = 1518>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 0
  java.lang.Exception: New alert stack
       at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
       at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
       at weblogic.socket.SocketMuxer.closeSocket(SocketMuxer.java:449)
       at weblogic.socket.SocketMuxer.cleanupSocket(SocketMuxer.java:795)
       at weblogic.socket.SocketMuxer.deliverExceptionAndCleanup(SocketMuxer.java:759)
       at weblogic.socket.SocketMuxer.deliverEndOfStream(SocketMuxer.java:700)
       at weblogic.servlet.internal.VirtualConnection.close(VirtualConnection.java:327)
       at weblogic.servlet.internal.ServletResponseImpl.send(ServletResponseImpl.java:1431)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1375)
       at weblogic.work.ExecuteRequestAdapter.execute(ExecuteRequestAdapter.java:21)
       at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
       at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
  >
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 14324285>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 7034906>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 19096081>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <18691735 SSL3/TLS MAC>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <18691735 received HANDSHAKE>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ClientHello>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.5 for algorithm RC4>
  <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacMD5>
  Thanks,
  Wayne

  I decided to use pki with jaas/custom authentication provider to solve this problem. It works. If you want more details, please let me know.

• Two-Way SSL does not work until "Use Server Certs" is selected on client

  We have a web service application and a client application. Both applications are deployed in WebLogic 10.3. The web service application is secured by Two-Way SSL. When the client attempts to access the service, we got the following error logs on the server side:
  <Dec 8, 2009 3:25:42 PM EST> <Warning> <Security> <BEA-090508> <Certificate chain received from ... was incomplete.>
  CertPathTrustManagerUtils.certificateCallback: certPathValStype = 0
  CertPathTrustManagerUtils.certificateCallback: validateErr = 4
  CertPathTrustManagerUtils.certificateCallback: returning false because of built-in SSL validation errors
  We got the same error even if the WebLogic 10.3 domain on the client side uses the same identity and trust keystores as the server side.
  The problem was solved when we selected Environment -> Servers -> <server> -> SSL, expanded "Advanced" and selected "Use Server Certs". Could anyone tell me what "Use Server Certs" does to make the difference?
  Another question is how we can invoke this web service in a Java application since "Use Server Certs" solution only works for web application deployed in weblogic.

  "Use Server Certs" means that a client application running within Weblogic will use the WL managed server's identity certificate as its client certificate. Otherwise, the client application is responsible for selecting the keystore, and presenting the certificate as part of the handshake.
  This is a great feature in 9 & 10; client SSL was much more difficult in WL 8.
  If you are using a standalone client application to invoke anything over 2-way SSL, you are responsible for presenting the certificate. For instance, if you invoke the page from your browser, your browser can maintain client certificates and you'll get a popup to select which cert to use.

• How to Use a Certificate for Two Way SSL and another certificate for WS Security Header at Client Console Application(C# Dotnet)

  Hi,
  I want to consume a Java Web service from Dotnet based client Application. The service require one Certificate("abc.PFX") for Two Way SSL purpose and another certificate("xyz.pfx") for WS security purpose to be passed from client Application(Dotnet
  Console based). I tried configuring the App.config of Client application to pass both the certs but getting Error says:
  Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
  Please suggest how to pass both the certs from client Application..

  Hi,
  This problem can be due to an Untrusted certificate. So you need just full permissions to certificates.
  And for more information, you could refer to:
  http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
  Regards

• HT4864 I am using Entourage and followed all the instructions above and still getting IMAP Server error.  Error msg:Security failure.  Data decryption error.

  I am using Entourage and followed all the instructions above and still getting IMAP Server error.  Error msg:Security failure.  Data decryption error.

• Photoshop elements quit working, I uninstalled it, tried to re-install using the cd, but getting errorPhotoshop elements quit working, I uninstalled it, tried to re-install using the cd, but getting error, any other way to re-install it without the disk ?

  Photoshop elements quit working, I uninstalled it, tried to re-install using the cd, but getting error, any other way to re-install it without the disk ?

  Yes.
  Download Photoshop Elements products | 13, 12, 11, 10
  However, the real issue is why the program is not working. Did you install anything recently?
  When you tried to re-install from the disk, did you shut off the antivirus program temporarily?
  Have you tried a system restore to a point in time when the program was working properly?

• I've tried several times to use iTunes Match that I purchased but keep getting an error message half way through the process

  I've tried several times to use iTunes Match that I purchased but keep getting an error message half way through the process

  sheltonrt wrote:
  I've tried several times to use iTunes Match that I purchased but keep getting an error message half way through the process
  That is strange, sheltonrt.
  What kind of an error?

• 2 way SSL in web services [using Axis]

  Hi,
  Can anyone tell me how to implement 2 way SSL handshake before making a web service call , using Axis.
  This is what i have to start off with:
  1. wsdl, which i use to create the client side files [using eclipse] do meet the business needs.
  2. I also have my [client] key and cert and the servers root cert, required for SSL handshake
  Thanks for the help,
  Sandy

  Hi,
  Do you have created a Service Key provider and attached the same to proxy service.
  Oracle Service Bus verifies that you have associated a service key provider with the proxy service and that the service key provider contains a key-pair binding that can be used as a digital signature.
  Service Key Providers
  Regards,
  Abhinav