Hostname verification 8.53

I've recently upgraded our demo environment to tools 8.53. This environment runs behind a proxy on an HTTPS connection (we demo the environment at clients and want the connection to be secure). So far so good, everything worked great in 8.52. You'd always get a certificate warning when opening the environment, but as long as the certificates were installed in Java, Weblogic and Security objects everything worked. There was a certificate installed on the main domain, but that certificate didn't contain the subdomain as a subject alternative name.
Now with 8.53 and the new JRE version this suddenly didn't work for the Integration broker anymore. When loading the gateway connectors the Application server would give the following error:
"java.io.IOException: HTTPS hostname wrong:  should be <*.*.*.*>, but cert says <CN=www.hostname.com, O=City Province, L=City, ST=ProvinceBogota, C=CO>"
I ended up requesting an addition to the current certificate, but after that was added the error remains. When opening the environment in the browser you no longer get an error message about the certificate from the browser itself, but that's it. I already searched Oracle support, but all the support articles basically say that the "CN=" should contain the actual URL of the PeopleSoft environment. It is also mentioned that subject alternative names in certificates are not supported. I find it hard to believe that this feature cannot be turned off in the JRE. Some articles on the internet mention using a custom trustmanager or something, but I have no idea how to set this up in the JRE installation. Has anyone struggled with this before? Any experience and/or suggestions are more than welcome.

Okay, I think I was misunderstanding the error and your configuration originally, but I wanted to get that thought of wildcard certs out there since it immediately popped in my head as a solution to any naming mismatch.
Can you explain your setup in more detail... you're at a client, demoing PS, and connecting back to the home office. What cert is where, is the proxy a reverse proxy? I thought I had it figured out but then what I was thinking should not have created a cert warning at the browser. But I've never done SSL over RPS so I might be missing something. Plus it's the weekend now so my brain is on vacation for 2 days.
Anyway, I'll pull the old PeopleSoft response out of the bag and say it sounds like "it's working as intended".   If you have a name mismatch you should be warned/denied access.  Perhaps it was working due to a bug.
For what it's worth I tried putting the wrong cert on my 8.52.07 environment and got the following right away when trying to reload the connectors.
HTTPS hostname wrong:  should be <psweb1.domain.com>, but cert says <CN=psweb2.domain.com
Another option for now would be to drop the app to gateway connectivity back to non-ssl.  Or depending on your setup can you get a new external only DNS entry added just for your env. So say from external you hit ps.yourdomain.com which hits your inbound firewall device and sends it on in to ps.yourdomain.com.  Even if it's going through an RPS then at least names match along the way.
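Since the threads here turn on what a verifier will accept (subject CN versus subject alternative name, and wildcard names), below is an added Python checker that is not code from this forum: it applies RFC 6125 style matching to a certificate given in the dict shape Python's ssl module returns from getpeercert(), and can also be pointed at a live endpoint. The certificate dicts, the hostname.com and authorize.net names, and all function names are constructed for this example to mirror the cases discussed in these threads.

```python
"""Hostname-verification checker for server certificates.

Added example, not code from the thread above. Certificates are given in
the dict shape returned by ssl.SSLSocket.getpeercert(), so the same logic
runs offline against constructed dicts (below) or against a live endpoint
via check_endpoint(). Function names are this example's own.
"""
from __future__ import annotations
import socket
import ssl


def _dns_names(cert: dict) -> list[str]:
    """dNSName entries from subjectAltName, if the certificate has any."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_name(cert: dict) -> str | None:
    """Subject CN, or None; 'subject' is a tuple of RDNs, each a tuple of (key, value)."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _name_match(pattern: str, hostname: str, allow_wildcard: bool) -> bool:
    """RFC 6125 style comparison: case-insensitive; '*' is honoured only as the
    whole leftmost label and never matches across a dot or a bare domain."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    if not allow_wildcard or not p.startswith("*.") or "*" in p[2:]:
        return False
    labels = h.split(".")
    # at least one label under the wildcard plus two more, so '*.com' never matches
    return len(labels) >= 3 and ".".join(labels[1:]) == p[2:]


def hostname_matches(cert: dict, hostname: str, allow_wildcard: bool = True) -> tuple[bool, str]:
    """Return (ok, reason). When the certificate carries dNSName SANs only those
    are consulted; the CN is a fallback for SAN-less certificates only. Use
    allow_wildcard=False to mimic a verifier that rejects '*.domain' names, the
    behaviour the authorize.net poster hit on WebLogic."""
    names = _dns_names(cert)
    if names:
        for n in names:
            if _name_match(n, hostname, allow_wildcard):
                return True, f"matched subjectAltName dNSName {n}"
        return False, f"no subjectAltName dNSName matches {hostname}: {names}"
    cn = _common_name(cert)
    if cn is None:
        return False, "certificate has neither dNSName SANs nor a subject CN"
    if _name_match(cn, hostname, allow_wildcard):
        return True, f"no SANs present; matched CN {cn}"
    return False, f"no SANs present; CN {cn} does not match {hostname}"


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> tuple[bool, str]:
    """Connect to a live server and report this module's verdict on its leaf
    certificate. Chain validation stays with the default context; only the
    built-in hostname check is turned off so the mismatch reason can be shown."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hostname_matches(tls.getpeercert(), host)


# Constructed certificate dicts mirroring cases from the thread; not real certificates.
DEMO_CN_ONLY = {"subject": ((("commonName", "www.hostname.com"),),)}
DEMO_WITH_SAN = {
    "subject": ((("commonName", "www.hostname.com"),),),
    "subjectAltName": (("DNS", "www.hostname.com"), ("DNS", "demo.hostname.com")),
}
WILDCARD_CN = {"subject": ((("commonName", "*.authorize.net"),),)}

if __name__ == "__main__":
    for cert, host, wild in [
        (DEMO_CN_ONLY, "demo.hostname.com", True),   # the 8.53 failure: CN-only cert, other subdomain
        (DEMO_WITH_SAN, "demo.hostname.com", True),  # fixed by adding the subdomain as a SAN
        (WILDCARD_CN, "test.authorize.net", True),   # wildcard accepted by an RFC 6125 verifier
        (WILDCARD_CN, "test.authorize.net", False),  # rejected by a verifier without wildcard support
    ]:
        print(host, hostname_matches(cert, host, wild))
```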

Similar Messages

  • How to disable hostname verification without code

    Hello.
    Is there a way to disable the hostname verification during an SSL connection? I mean something like a system property, since I use an existing application and I don't have the source to set my own custom hostname verifier.
    Thanks.
    Ephemeris Lappis

    Hi
    I faced the same problem and as I see now I'm not the only one :o)
    Did you find the way to do it, please?
    Any input is very much appreciated,
    Sincerely,
    Jabb

  • Certificate chain received from localhost 127.0.0.1 failed hostname verification check.

    Hello friends. The dns name of our server recently changed. Since that time,
    nothing except the administration node will start up. Server logs reveal the
    following information:
    Certificate chain received from localhost - 127.0.0.1 failed hostname verification
    check. Certificate contained COTHUBT but check expected localhost>
    There is one trusted certificate that was added to the cacerts keystore. Does
    it need to be removed and re added? Any other insight would be appreciated.

    "brain" <[email protected]> wrote:
    Try this if you're running version 8
    In the admin node gui.
    Click on machines
    Click on the NodeManager tab for the machine that you are interested in.
    Change hostname in listen address.
    Bounce the app server

  • Failed hostname verification check - even when disabled

    Hello Experts,
    I'm using WLS 923 configured as Admin Server that controls two Managed Servers.
    When I go to "Environment ---> Machines ---> Managed Machine ---> Monitoring ---> Node Manager Status"
    it says:
    Status - Inactive
    failed hostname verification check. Certificate contained +v-ebpqadmz1+ but check expected +v-ebpqadmz1.dmzntqa.corp.adija.co.il+
    I've disabled the verification check in:
    Servers ---> Managed Server -->SSL ---> Advanced ---> Hostname Verification = NONE
    How come the hostname verification check is still being performed?
    Does anyone know how I can fix this?
    Meanwhile I had to edit my hosts file in order to work around it...
    Regards
    Adi J

    Please add the following parameter in your startup argument.
    -Dweblogic.security.SSL.ignoreHostnameVerification=true
    Thanks
    Togotutor
    http://www.togotutor.com (Learn Programming and Administration for Free)
    Edited by: togotutor on Aug 12, 2010 3:38 PM

  • Nodemanager hostname verification failure

    Hi, on some of the machines I installed WL 9.1 on, registry.xml had the fully qualified hostname (this is good), on others it did not (this is bad). When the admin server tries to connect to the node manager on these machines, I get a hostname verification failure because the certificate has the non-qualified hostname but the check is expecting the fully qualified one. Simply editing registry.xml to the good value did not fix the issue.
    How does weblogic determine the value that goes in the certificate and in registry.xml?
    Can I force it somehow?
    Can I have it just regenerate the certificate?
    Any help would be appreciated.
    Thanks


  • How to disable hostname verification on iplanet reverse proxy

    I am looking for a way to disable hostname verification of the application server URL specified in the reverse proxy setup.
    I am using the following setting in my Object definitions. It is failing because the certificate CN does not match the URL I specified.
    The error is :
    for host xx.yy.zz.ww trying to GET /uri/loginAction.do, service-http reports: HTTP7758: error sending request (SSL_ERROR_BAD_CERT_DOMAIN: Requested domain name does not match the server's certificate.)
    Route fn="set-origin-server" server="https://bbb.com:7002/" poll-timeout="20000" retries="2"
    My tomcat certificate CN has  aaa.com
    While I am using the tomcat on bbb.com.
    Is there any way to disable hostname verification in a reverse proxy setup? I am unable to find any relevant documentation on this.
    The closest discussion I found was https://forums.oracle.com/thread/1943116 but it did not conclude anything.

    Found a solution from Oracle Knowledge base:
    This fixed our issue
    <Object name="reverse-proxy-/abc">
    ObjectType fn="ssl-client-config" validate-server-cert="false"
    Route fn="set-origin-server" server="https://server1.test.com:11011" server="https://server2.test.com:11011"
    </Object>

  • X509 certificates, hostname verification and SunCluster 3.1 failover.

    Hi,
    A newbie question - having an existing non clustered architecture and trying to decide how to use the SunCluster features.
    I have some self-signed X.509 certificates that are used by a process. When this process is (going to be) failed over to another machine, and the filesystem that contains the certificates also follows, what is the recommended way of ensuring that I can use the same certificates and that hostname verification etc. still works?
    When I define a resource group for the filesystem and network interfaces required by this, can I also create a virtual hostname that will work on either of my cluster machines and will not confuse my SSL code when it verifies the certificates and the host?
    I think this is not a question of DNS, but a question of what happens when I want to type 'hostname' and would like to get the same result on either box that is part of our cluster. This way my certificates and application configuration would not need to be changed during a failover event.
    Thanks!

    Forget about the local hostname question - all that is important at the moment is that my keystores and truststores (created using the Sun JVM keytool) are transportable and usable on the other host without change. The network resources associated with the names in the certificates are planned to move across as part of the resource group.
    In theory I guess this should work, but I wanted to know if anyone has had any experience of doing this and whether there were any gotchas.
    Thanks.

  • How to disable the certificate hostname verification?

    In JSSE changes file <http://java.sun.com/products/jsse/CHANGES.txt>
    It states the following:
    "It is sometimes useful to "disable" the certificate hostname
    verification during project development. A single certificate can now be shared among many development machines so that the hostnames don't need to match. A bug was fixed in the HttpsURLConnection hostname verifier code that now allows this functionality to work."
    Any idea on how to disable it?
    Thanks
    - rayed

    This is easily achieved:
    create your own class (for example 'MyHostNameVerifier') as a subclass of the JSSE HostNameVerifier and overwrite the method
    public boolean verify(String parm1, String parm2)
    to your special needs. This method implements the verifying of hostnames.
    For your HttpsURLConnection then call
    setHostnameVerifier(new MyHostNameVerifier());
    so the HttpsURLConnection will then use MyHostNameVerifier in order to verify the hostname registered in the certificate.

  • Hostname Verification failed for certificate with CommonName 'gawlsdev02.ss

    Hi All,
    I want to know the meaning and the reason of this exception:
    <Jun 17, 2010 2:05:52 PM EDT> <Warning> <Security> <BEA-090504> <Certificate chain received from gawlsdev02 - 147.141.83.104 failed
    hostname verification check. Certificate contained gawlsdev02.ssga.statestr.com but check expected gawlsdev02>
    <Jun 17, 2010 2:05:52 PM EDT> <Debug> <TLS> <000000> <Hostname Verification failed for certificate with CommonName 'gawlsdev02.ssga.
    statestr.com' against hostname: gawlsdev02>
    thanks in advance.

    When WebLogic Server tries to validate the certificate, it compares the CN of the certificate with the hostname from where the request is coming.
    If they don't match, hostname verification fails and the SSL connection is not established.
    In your case I see the CN is gawlsdev02.ssga.statestr.com whereas WLS is expecting it to be gawlsdev02.
    You can use this option to ignore host name verification:
    -Dweblogic.security.SSL.ignoreHostnameVerification=true
    To know about other SSL issues, you can refer to this:
    http://weblogic-wonders.com/weblogic/2010/01/28/troubleshooting-ssl-issues/
    -Faisal

  • Nodemanager fails hostname verification check

    does anyone know how i might resolve this issue?
    [[NodeManager:300033]Could not execute command ping on the node manager. Reason: weblogic.nodemanager.NodeManagerException: [CommandInvoker: Failed to send command: 'ping to server 'null' to NodeManager at host: '10.32.33.2:5555' with exception [Security:090504]Certificate chain received from 10.32.33.2 - 10.32.33.2 failed hostname verification check. Certificate contained qa153 but check expected 10.32.33.2. Please ensure that the NodeManager is active on the target machine].]

    Matthew Sacks <> wrote:
    > does anyone know how i might resolve this issue?
    > [[NodeManager:300033]Could not execute command ping on the node manager.
    > Reason: weblogic.nodemanager.NodeManagerException: [CommandInvoker:
    > Failed to send command: 'ping to server 'null' to NodeManager at host:
    > '10.32.33.2:5555' with exception [Security:090504]Certificate chain
    > received from 10.32.33.2 - 10.32.33.2 failed hostname verification
    > check. Certificate contained qa153 but check expected 10.32.33.2.
    > Please ensure that the NodeManager is active on the target machine].]
    Hi,
    - If you are using scripts:
    you can use the following option in your scripts: -Dweblogic.security.SSL.ignoreHostnameVerification=true
    - If you want to use it from the adminserver:
    Go to the adminserver in the console
    Go to 'SSL'
    Select 'Advanced'
    Set 'Hostname Verification' to 'none'
    And restart the adminserver.
    cheers,
    Bart
    Schelstraete Bart
    [email protected]
    http://www.schelstraete.org

  • Complication if Hostname Verification Ignored enabled?

    Currently we are testing our application. The application needs to connect to a remote system through an SSL connection. However, without the 'Hostname Verification Ignored' option enabled, the application always received an UnknownHostException; only once we enabled the option above could the application connect successfully.
    The cert on the remote system is not a real cert yet (it will be once we move to production). However, we already added the CA into our trusted list. We are using the JVM bundled with BEA WLS 6.1 SP3.
    The concern that our customer has right now is how this will affect the production system. With this option enabled, does that mean any cert from any server will be accepted by the JVM/WLS as trusted?
    Currently, looking at the trusted CAs in the key ring, there are only 2 companies supported by default (Verisign and Thawte). Is there any specific documentation on how to include another CA into the WLS trusted list?
    Thank you,
    Irawan.


  • Custom SSL Hostname Verifier - SSL Hostname Verification Failed

    Background:
    I am using a java client deployed in weblogic which connects to a 3rd party url over HTTPS.
    version: WebLogic server 10.3.0
    Issue:
    I am connecting to say www.abc.com and the site is presenting its certificate as **.ABC.com*, and I am getting "Hostname verification failed".
    I am using weblogic's default hostname verifier.
    Setting hostname verification to false resolves this error, but I want to keep it for security.
    Can anybody please share some best practices to write a custom HostnameVerifier to overcome this kind of problems?
    Thanks in advance!

    An example - this validates that a cert sent to a cluster member (such as by OSB's internals) will be validated when the cluster uses a load balancer address (defined in the cluster's http tab)
    import java.io.ByteArrayInputStream;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLSession;
    // The class wrapper and the getCanonicalName helper are added here to make the snippet compile; the post showed only verify().
    public class ClusterHostnameVerifier implements HostnameVerifier {
        private final String QA_LB_NAME = "my_loadbalancer.net";
        private final String QA_HOST1 = "my_serverhost1.net";
        private final String QA_HOST2 = "my_serverhost2.net";
        public boolean verify(String hostname, SSLSession session) {
            try {
                Certificate cert = session.getPeerCertificates()[0];
                byte[] encoded = cert.getEncoded();
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                ByteArrayInputStream bais = new ByteArrayInputStream(encoded);
                X509Certificate xcert = (X509Certificate) cf.generateCertificate(bais);
                String cn = getCanonicalName(xcert.getSubjectDN().getName());
                if (cn.equals(hostname)) return true;
                // Allow a match if the load balancer cert is presented from one of its servers
                if (cn.equals(QA_LB_NAME) &&
                    ((hostname.equals(QA_HOST1)) || (hostname.equals(QA_HOST2))))
                    return true;
                // all other certs fail
                return false;
            } catch (Exception e) {
                // an unreadable peer certificate counts as a failed verification
                return false;
            }
        }
        // Pull the CN value out of a DN string such as "CN=my_loadbalancer.net, O=Example"; "" if absent
        private String getCanonicalName(String dn) {
            for (String part : dn.split(",")) {
                String p = part.trim();
                if (p.regionMatches(true, 0, "CN=", 0, 3)) return p.substring(3).trim();
            }
            return "";
        }
    }
    You can do something similar with your wildcard example - allow the validation if the cn is "*.abc.com" and the hostname is "www.abc.com"
    As far as best practices, I would suggest only have specific hard-coded validation entries for known certificates such as your wild card example. You want the default behavior ( of the hostname matching the CN name ) plus your particular case - and nothing else

  • HTTPS hostname verification...

    I am using JDK1.3.1 with JSSE 1.0.1. In my dev environment, we installed a trial SSL certificate. But the host name on the certificate is different from the actual host name.
    Because of this, I am getting an exception saying that the certificate host name is different from the server name.
    But there is a possibility that you can disable this hostname checking. Does anybody know about this?
    --Bala

    Maybe this will help
    http://forum.java.sun.com/thread.jsp?forum=60&thread=130200

  • Hostname verifier does not get invoked

    Hi All,
    I am new to weblogic and currently facing an issue with SSL. I checked this forum but none of the solutions really worked for me, so I am seeking advice by starting a new thread. Kindly help.
    Problem 1
    I have a REST webservice running in one weblogic server and another weblogic server contains a client which is based on the code from the following link -
    http://wiki.open-esb.java.net/attach/RestBCEchoSSL/SslClient.java
    One way handshaking is enabled in both the weblogic and the KeyStore and Truststore are read from configurable directory in the client java code. I specify a directory which resides outside weblogic home.
    Even though there is an HostnameVerifier implemented in the code to return true always, it does not get invoked and I get a certificate exception as below -
    <Warning> <Security> <BEA-090542> <Certificate chain received from xx.yy.zz.rrr - xx.yy.zz.rrr was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
    But when I run the java client from Eclipse I am able to invoke the webservice methods using HTTPs.
    So isn't it possible to add a default hostname verifier as in the java code when the application is deployed in weblogic?
    Problem 2
    In another attempt to solve the above issue I turned off the hostname verification from the weblogic admin console on the client weblogic side. In the console for the server, the Configuration > SSL -> Hostname Verification field is set to "None". But that did not help.
    Then I added the '-Dweblogic.security.SSL.ignoreHostnameVerification=true' flag into the <domain>/bin/startWebLogic.sh file and restarted the weblogic. No luck again.
    ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy -Dweblogic.security.SSL.ignoreHostnameVerification=true ${PROXY_SETTINGS} ${SERVER_CLASS}
    I tried recreating the certificate using the 'hostname' instead of the ip address (also added an entry into the /etc/hosts file with the ip and hostname so that I can do ping <hostname> from the client and get a response returned from the server side). Again no luck :(. I keep getting the same handshake failure as mentioned above.
    The weblogic version is 10.x.
    Thanks,
    Amrit

    I did some more research on the issue mentioned, which I have yet to get rid of.
    1) I wrote a REST web service which makes a call to another REST service deployed on another weblogic using HTTPS (the same code as mentioned above is used). I deployed the war and made an http call to the first webservice; the other REST service was invoked successfully using HTTPS. So this confirmed that there is no problem with the certificates or keystore or hostname verification.
    2) My actual application still throws the handshake exception as below -
    <Warning> <Security> <BEA-090542> <Certificate chain received from xx.yy.zz.rrr - xx.yy.zz.rrr was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
    So I think the problem is something else but weblogic is printing the exception message wrong.
    The process hierarchy ( in UNIX ) is as shown below -
    bea 31914 31913 0 14:29 ? 00:00:00 /bin/sh <DOMAIN HOME>//bin/startWebLogic.sh
    bea 31989 31914 0 14:29 ? 00:01:25 /opt/bea/jdk160_24/bin/java <The weblogic start server process> started by startWebLogic.sh
    bea 32107 31989 0 14:29 ? 00:00:09 /opt/bea/jdk160_24/bin/java <One of custom process>
    bea 2038 32107 0 18:38 ? 00:00:15 /opt/bea/jdk160_24/bin/java <Another custom process which contains my java classes containing the REST client>
    The problem is there in both Weblogic 11 and 10.3 versions.
    I will be grateful if someone gives any clue about the problem.

  • Host Name Verification problem

    Weblogic (8.1+) Host Name Verification is failing when I think it should succeed. I've read the docs but it doesn't sound like there's an easy way to get it working other than to disable host name verification altogether - is there?
    I get:
    <Warning> <Security> <BEA-090504> <Certificate chain received from test.authorize.net - 64.94.118.75 failed hostname verification check. Certificate contained *.authorize.net but check expected test.authorize.net>
    Thanks for any advice.

    Thanks for the reply.
    Unfortunately, it's not my certificate - it belongs to authorize.net and my code is trying to connect to them from my weblogic application.
    Apparently their production certificate doesn't use wildcards, so this won't be an issue. Still, it's unfortunate that wildcards don't work with Host Name Verification. I suppose a workaround, if it becomes a production issue, is to write my own verifier, but I was hoping not to.
