Implementing 2-way ssl
Hi, I have configured the keystore as "Custom Identity and Custom Trust", given the key store names for both, given the Identity alias name under the 'SSL' tab, and in 'Advanced' I am enforcing client certificates. But when I start to access the application, I see the following error:
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Alert received from peer, notifying peer we received it: com.certicom.tls.record.alert.Alert@16a86fc>
####<04-Mar-2010 12:18:00 o'clock GMT> <Warning> <Security> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-090481> <NO_CERTIFICATE alert was received from ASST218297.uk.pri.o2.com - 172.17.247.10. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NO_CERTIFICATE received by peer, checking with TrustManager>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <validationCallback: validateErr = 0>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Required peer certificates not supplied by peer>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: certPathValStype = 0>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: validateErr = 4>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: returning false because of built-in SSL validation errors>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <weblogic user specified trustmanager validation status 4>
####<04-Mar-2010 12:18:00 o'clock GMT> <Warning> <Security> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-090508> <Certificate chain received from ASST218297.uk.pri.o2.com - 172.17.247.10 was incomplete.>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Validation error = 4>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Certificate chain is incomplete>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <User defined JSSE trustmanagers not allowed to override>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <SSLTrustValidator returns: 68>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Trust failure (68): CERT_CHAIN_INCOMPLETE>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NO_CERTIFICATE received by peer, not trusted, sending HANDSHAKE_FAILURE to peer>
####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Any replies please....
Hi,
Thanks. Actually, while searching on the net, I found a blog with a few steps for implementing 2-way SSL in WebLogic.
http://huyplus.blogspot.com/2010/02/2-way-ssl-with-weblogic-server-103.html?showComment=1267793234806_AIe9_BGsO6q6ENB4YZWtQyX53CzpN8TWcSn08RqNv6z8W3V7NRI3Qlcf4NuEM35O1niTSsYXd4rxjfUT63J2XFXOHjY8W56_sC-E3MGydylLHxDivVEjR0pQnSPv_Tx7CXOqT64AGNhhs06MEM9CBhpOtHcUHwvQMPtPeDAAJcwP1I9TzEIGNzNEQlWn9INrvLzP9_RAYESO3Wcxbl6b9eRgZt_jktfllVbxcvztIV3zoeQ8XlqgpN4S7Z82yCbUS1E7lFl46FZK#c8740869862805814451
Fortunately, this is working; I mean the server is working as expected, but in the console it says that the certificate chain is incomplete....
Anyway, thanks for the links and suggestions...
If possible, could you please provide me some reference for resolving this issue?
Thanks again
Sharma
Similar Messages
-
I am having trouble implementing one-way SSL on WebLogic 9.2...
I am having trouble implementing one-way SSL on WebLogic 9.2. I am using Demo Identity and Demo Trust certificates with an SSL Listen Port enabled on 7002, and a Two Way Client Cert Behavior of Client Certs Not Requested. I assume that by using Client Certs Not Requested there is no need to install certificates on users' computers.
When WebLogic is restarted, I get the following log telling me it works...
<Sep 11, 2012 9:35:16 AM PDT> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file E:\bea\WEBLOG~1\server\lib\DemoIdentity.jks.>
<Sep 11, 2012 9:35:17 AM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file E:\bea\WEBLOG~1\server\lib\DemoTrust.jks.>
<Sep 11, 2012 9:35:17 AM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file e:\bea\jdk150_12\jre\lib\security\cacerts.>
<Sep 11, 2012 9:35:17 AM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.9.20.172:7000 for protocols iiop, t3, ldap, http.>
<Sep 11, 2012 9:35:17 AM PDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 10.9.20.172:7002 for protocols iiops, t3s, ldaps, https.>
However, when I open the console at https://server:7002/console, I get the following error in the log file...
<Sep 11, 2012 9:43:45 AM PDT> <Warning> <Security> <BEA-090481> <NO_CERTIFICATE alert was received from x.y.z.com - 10.37.10.54. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
<Sep 11, 2012 9:43:45 AM PDT> <Warning> <Security> <BEA-090508> <Certificate chain received from x.y.z.com - 10.37.10.54 was incomplete.>
I do not understand why I am getting this error when I assume there is no need to install certificates on users' computers. Can someone please explain what is going on? Thanks in advance.
<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xsi:schemaLocation="http://www.bea.com/ns/weblogic/90/security/extension http://www.bea.com/ns/weblogic/90/security.xsd http://www.bea.com/ns/weblogic/90/security/xacml http://www.bea.com/ns/weblogic/90/security/xacml.xsd http://www.bea.com/ns/weblogic/90/security http://www.bea.com/ns/weblogic/90/security.xsd http://www.bea.com/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd http://www.bea.com/ns/weblogic/90/security/wls http://www.bea.com/ns/weblogic/90/security/wls.xsd">
<name>nctcis</name>
<domain-version>9.2.3.0</domain-version>
<security-configuration>
<name>nctcis</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType">
<sec:name>DefaultAuthenticator</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:name>DefaultIdentityAsserter</sec:name>
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
</realm>
<default-realm>myrealm</default-realm>
<anonymous-admin-lookup-enabled>true</anonymous-admin-lookup-enabled>
<credential-encrypted>{3DES}PyUkjWRp8JGpk75BYSbvQ6OWYgA9SZq2nj2IuENa2vxrMy835GMRZ+GGKhJiWapjt0mMC2ohcxxlIMNUZJUH2gCjbB5kQUmA</credential-encrypted>
<node-manager-username>system</node-manager-username>
<node-manager-password-encrypted>{3DES}KmaZDZGQC6spYVY12CbJGA==</node-manager-password-encrypted>
</security-configuration>
<jta>
<timeout-seconds>1800</timeout-seconds>
<abandon-timeout-seconds>3600</abandon-timeout-seconds>
<max-transactions>100000</max-transactions>
<max-resource-unavailable-millis>100000</max-resource-unavailable-millis>
</jta>
<log>
<name>nctcis</name>
<file-name>e:/netcracker/logs/wl-domain.log</file-name>
<file-min-size>5120</file-min-size>
</log>
<server>
<name>nctcisAdmin</name>
<ssl>
<enabled>true</enabled>
<hostname-verifier xsi:nil="true"></hostname-verifier>
<hostname-verification-ignored>false</hostname-verification-ignored>
<client-certificate-enforced>true</client-certificate-enforced>
<two-way-ssl-enabled>false</two-way-ssl-enabled>
<server-private-key-alias>tcisdevbpagov_cert</server-private-key-alias>
<server-private-key-pass-phrase-encrypted>{3DES}T21dXO5l79SRI+xSmGOE+A==</server-private-key-pass-phrase-encrypted>
<use-server-certs>false</use-server-certs>
</ssl>
<log>
<name>nctcisAdmin</name>
<file-name>e:/netcracker/logs/weblogic.log</file-name>
<file-min-size>5120</file-min-size>
</log>
<listen-port>7000</listen-port>
<web-server>
<name>nctcisAdmin</name>
<web-server-log>
<name>nctcisAdmin</name>
<file-name>e:/netcracker/logs/access.log</file-name>
<file-min-size>5120</file-min-size>
</web-server-log>
</web-server>
<listen-address>tcis.dev.bpa.gov</listen-address>
<key-stores>DemoIdentityAndDemoTrust</key-stores>
<custom-identity-key-store-file-name>E:\bea\jdk150_12\bin\tcisdevbpagov_identity.jks</custom-identity-key-store-file-name>
<custom-identity-key-store-type>JKS</custom-identity-key-store-type>
<custom-identity-key-store-pass-phrase-encrypted>{3DES}T21dXO5l79SRI+xSmGOE+A==</custom-identity-key-store-pass-phrase-encrypted>
<custom-trust-key-store-file-name>E:\bea\jdk150_12\bin\tcisdevbpagov_trust.jks</custom-trust-key-store-file-name>
<custom-trust-key-store-type>JKS</custom-trust-key-store-type>
<custom-trust-key-store-pass-phrase-encrypted>{3DES}I++r0/FEMRGFrqF47pYZJA==</custom-trust-key-store-pass-phrase-encrypted>
</server>
<embedded-ldap>
<name>nctcis</name>
<credential-encrypted>{3DES}i51JYfmoGyFTxPjiCjjtXWwza1t13k56Ls7fmdqtKB0=</credential-encrypted>
</embedded-ldap>
<configuration-version>9.2.3.0</configuration-version>
<app-deployment>
<name>NetCracker</name>
<target>nctcisAdmin</target>
<module-type>ear</module-type>
<source-path>applications\NetCracker</source-path>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>nostage</staging-mode>
</app-deployment>
<app-deployment>
<name>pictures</name>
<target>nctcisAdmin</target>
<module-type>war</module-type>
<source-path>e:\pictures</source-path>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>nostage</staging-mode>
</app-deployment>
<jms-server>
<name>NCJMSServer</name>
<target>nctcisAdmin</target>
<temporary-template-resource>NCJMSModule</temporary-template-resource>
<temporary-template-name>NetCrackerTemplate</temporary-template-name>
<message-buffer-size>100000</message-buffer-size>
</jms-server>
<self-tuning>
<max-threads-constraint>
<name>MaxThreadsConstraint</name>
<target>nctcisAdmin</target>
<count>40</count>
</max-threads-constraint>
<work-manager>
<name>default</name>
<target>nctcisAdmin</target>
<max-threads-constraint>MaxThreadsConstraint</max-threads-constraint>
<work-manager-shutdown-trigger>
<stuck-thread-count>1000</stuck-thread-count>
</work-manager-shutdown-trigger>
</work-manager>
</self-tuning>
<jms-system-resource>
<name>NCJMSModule</name>
<target>nctcisAdmin</target>
<sub-deployment>
<name>BEA_JMS_MODULE_SUBDEPLOYMENT_NCJMSServer</name>
<target>NCJMSServer</target>
</sub-deployment>
<descriptor-file-name>jms/ncjmsmodule-jms.xml</descriptor-file-name>
</jms-system-resource>
<admin-server-name>nctcisAdmin</admin-server-name>
<jdbc-system-resource>
<name>NetCrackerDataSource</name>
<target>nctcisAdmin</target>
<descriptor-file-name>jdbc/NetCrackerDataSource-5713-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<jdbc-system-resource>
<name>NetCrackerDataSourceNonTX</name>
<target>nctcisAdmin</target>
<descriptor-file-name>jdbc/NetCrackerDataSourceNonTX-6926-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
</domain>
Edited by: user6904153 on Sep 12, 2012 6:57 AM
-
OSB: Implementing 2 way ssl for a particular proxy
Hi All,
We have a requirement to implement 2-way SSL support for one of our OSB proxies and 1-way SSL support for all other proxies in our project.
We have enabled HTTPS on OSB and configured 2-way SSL on the WebLogic server. It is working fine.
But the 2-way SSL configuration on the WebLogic server impacts all other proxy services deployed on that node. Because of the WebLogic configuration "Two Way Client Cert Behavior: Client Certs Requested and Enforced", the server expects all requests to present the client certificate.
But our requirement is that only 1 proxy service should enforce 2-way SSL; all other proxies should only support 1-way SSL (server authentication).
Is there any way to implement our requirement?
We want to configure WebLogic with "Two Way Client Cert Behavior: Client Certs Requested But Not Enforced" OR "Client Certs Not Requested" and then enforce the client certificate in the proxy service.
Is it possible to implement? If so, can anyone help to explain the steps?
Thanks in advance
Edited by: user13109986 on Oct 24, 2012 9:30 AM
It is a domain-wide setting. Can you not create a new domain? I do not think that you can handle it from web.xml. I have never seen such a thing in web.xml.
-
How to implement 2-way SSL in OSB web services
Hi,
I need to implement secured SSL communication in my OSB web services. For this I have used the self-signed certificates in the WebLogic console and configured them.
I also enabled the HTTPS parameter in my proxy service, but now when I am trying to open the proxy WSDL in a browser it says unauthorised access.
Even in SoapUI, when I am trying to access it, it says "Error loading wsdl".
Please help.
Hi,
Have you created a Service Key Provider and attached it to the proxy service?
Oracle Service Bus verifies that you have associated a service key provider with the proxy service and that the service key provider contains a key-pair binding that can be used as a digital signature.
Service Key Providers
Regards,
Abhinav
-
Apache 2.2 21 forward Proxy 2 way SSL for weblogic server as a client
Hi All,
Currently, I am trying to implement a forward SSL proxy. The client will hit my Apache server, which in return will hit an IIS server.
Scenario 1
client(weblogic)--*2 way SSL*Apache(forward proxy)*2 way SSL*-- IIS
If I were to implement 1-way SSL, I am able to see the content of the website.
client(weblogic) --- Apache(forward proxy) --- IIS
If I were to launch the web browser from the client machine (with the client certificate imported in the browser), I am able to view the content in IIS. But if I were to simulate the connection from the WebLogic server, it just gives me an end-of-file exception (response contains no data) in the logs.
Below is my configuration:
Listen 8080
# _default_ is the Apache token for a catch-all address (a literal "default" would be
# looked up as a host name)
<VirtualHost _default_:8080>
    ServerName serverA
    ErrorLog "logs/ssl_error_log"
    CustomLog "logs/ssl_access_log" common
    # Outbound TLS from Apache to the backend
    SSLProxyEngine On
    # PEM file holding the certificate Apache presents to IIS together with its private key
    SSLProxyMachineCertificateFile /certificate/servercert.cer
    # CA certificate(s) used to verify the IIS server certificate
    SSLProxyCACertificateFile /certificate/rootCA.cer
    SSLProxyVerify require
    SSLProxyVerifyDepth 10
    # Forward-proxy mode; CONNECT tunnels are permitted only to port 12345
    ProxyRequests On
    ProxyVia On
    AllowConnect 12345
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
</VirtualHost>
For 2-way SSL, will the client forward their client certificate to my Apache proxy server, and will Apache, on the client's behalf, forward the client certificate to the IIS server for authentication?
Or does the SSL authentication still happen between the client (WebLogic) and the end server (IIS), bypassing the proxy server?
Please help.
-
2 way SSL in web services [using Axis]
Hi,
Can anyone tell me how to implement a 2-way SSL handshake before making a web service call, using Axis?
This is what I have to start off with:
1. The WSDL, which I use to create the client-side files [using Eclipse] to meet the business needs.
2. I also have my [client] key and cert and the server's root cert, required for the SSL handshake.
Thanks for the help,
Sandy
-
2 way SSL: How does Sun implement handling malformed certificate requests?
Hi
I'd like to know how Sun implements the following 2-way SSL scenario:
When an SSL server requests client authentication, it sends a message
to the client that says "here is a list of the names of CAs that I trust
to issue client certs. If you have a client cert from one of these
CAs, then send it to me". That list is NEVER supposed to be empty.
But the hint above suggests that it is. If your server has not been
configured with the names of CAs that it trusts to issue client certs,
it's sending an empty list.
When an SSL client receives such a malformed request, with an empty
list of trusted client CA names, it may either (a) choose to send
back a response that means "I have no cert issued by any of the
issuers you have named", ***or (b) send back any certificate you have***
***and hope the misconfigured server will accept it.***
Please advise. What is the switch to tell the client to send any certificate?
Thanks a lot
Christian
> That list is NEVER supposed to be empty.
It doesn't actually say that anywhere in the RFC.
> When an SSL client receives such a malformed request, with an empty
> list of trusted client CA names, it may either (a) choose to send
> back a response that means "I have no cert issued by any of the
> issuers you have named", ***or (b) send back any certificate you have***
> ***and hope the misconfigured server will accept it.***
That's not how I read the RFC. I would say the client should decide there is no suitable certificate available, and send back an empty ClientCertificate message. That in turn may provoke the server into sending a fatal handshake failure alert.
> What is the switch to tell the client to send any certificate?
There is no such switch.
More to the point, why is the server's CA list empty? That must mean that it has an empty truststore. That's the problem you should fix.
-
Help with getting Web Start working with two-way SSL
I have successfully transferred data (myclient.jnlp) utilizing web browsers (IE and Mozilla) from my web server (which is set up for two-way SSL "CLIENT-CERT" required) after using the browser's utility to "import" my client-side cert (in .p12 format).
After the browser connects and downloads the "myclient.jnlp" contents and places it in a temporary file, it then kicks off the javaws process with the temporary file as a parameter. The first thing javaws does is utilize the codebase and href values (found in the temporary file) to make a "GET" call to the server for the "myclient.jnlp" file (again).
However, this fails (with a SSL handshake error) since javaws uses a different keystore than IE - the server does not receive the client-side cert. I have imported the root CA and the client cert (in .pem format) into the $JAVA_HOME/jre/lib/security/cacerts file using the keytool command but alas my server still indicates a lack of a client-side cert.
Has anyone else tried this and got it working?
Hi Richard,
Indeed it appears that the 1.5 version will have more built-in capability for client certs. It has the look of the IE browser import capability. Unfortunately, I am stuck with having to utilize 1.4.2 for the time being. Since I posted my original message I have found more information but have yet to get it all working. The truststore in javaws 1.4.2 does have a default (the 1.4.2 JRE's cacerts file - strangely enough not the same one that gets updated when you import the root CA! - but this has been noted in many other threads). The javaws keystore does not have a default and I have tried, to no avail yet, to utilize some command line parameters, see http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#Customization - to get my client cert "available" and recognized by javaws.
With the help of some debug flags, here is the output in my javaws "output" log - all seems to go well up to the point of the client's Certificate chain (which appears to be empty), after the ServerHelloDone:
trustStore is: C:\j2sdk1.4.2_04\jre\lib\security\cacerts
trustStore type is : jks
init truststore
adding as trusted cert:
snipped all the regular trusted certs, left my root CA as proof it is recognized...
adding as trusted cert:
Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
Algorithm: RSA; Serial number: 0x0
Valid from Wed May 26 16:38:59 EDT 2004 until Fri Jun 25 16:38:59 EDT 2004
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1070211537 bytes = { 205, 211, 129, 234, 88, 129, 152, 176, 223, 180, 161, 138, 246, 183, 181, 89, 61, 252, 63, 35, 21, 34, 253, 32, 254, 124, 38, 198 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 73
Thread-3, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
Thread-3, WRITE: SSLv2 client hello message, length = 98
Thread-3, READ: TLSv1 Handshake, length = 58
*** ServerHello, TLSv1
RandomCookie: GMT: 1070211539 bytes = { 81, 106, 82, 45, 233, 226, 89, 6, 38, 240, 71, 122, 90, 226, 255, 207, 9, 102, 205, 127, 223, 211, 4, 84, 79, 16, 101, 89 }
Session ID: {34, 167, 132, 174, 141, 4, 57, 197, 190, 207, 105, 117, 241, 9, 97, 81}
Cipher Suite: SSL_RSA_WITH_DES_CBC_SHA
Compression Method: 0
%% Created: [Session-1, SSL_RSA_WITH_DES_CBC_SHA]
** SSL_RSA_WITH_DES_CBC_SHA
[read] MD5 and SHA1 hashes: len = 58
Thread-3, READ: TLSv1 Handshake, length = 607
*** Certificate chain
chain [0] = [
Version: V3
Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
e2bd8de9 598e0735 2bed2057 3800c83d 348550e2 93a017c7 9845f35f cd7b4ada
6ef0c70f 7a033e69 a97ccd15 46f0d1c8 7a0ae909 ddb76f5b cd8029e6 3a6a4965
Validity: [From: Wed May 26 16:38:59 EDT 2004,
To: Fri Jun 25 16:38:59 EDT 2004]
Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
SerialNumber: [ 00]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
0010: 88 76 14 DA .v..
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
0010: 88 76 14 DA .v..
[CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US]
SerialNumber: [ 00]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
Algorithm: [SHA1withRSA]
Signature:
0000: 29 CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D )..H../.J.s.q.X.
0010: 9E 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD ..D....<........
0020: C4 FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 ..R..re....ba5..
0030: AE FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 ..........w..j..
Found trusted certificate:
Version: V3
Subject: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
e2bd8de9 598e0735 2bed2057 3800c83d 348550e2 93a017c7 9845f35f cd7b4ada
6ef0c70f 7a033e69 a97ccd15 46f0d1c8 7a0ae909 ddb76f5b cd8029e6 3a6a4965
Validity: [From: Wed May 26 16:38:59 EDT 2004,
To: Fri Jun 25 16:38:59 EDT 2004]
Issuer: CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US
SerialNumber: [ 00]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
0010: 88 76 14 DA .v..
[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3F A7 DF 1F FA 90 1F 98 4F BA 42 9F 21 7D B4 C4 ?.......O.B.!...
0010: 88 76 14 DA .v..
[CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US]
SerialNumber: [ 00]
[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
Algorithm: [SHA1withRSA]
Signature:
0000: 29 CB D0 48 E2 89 2F 8D 4A A6 73 11 71 EB 58 9D )..H../.J.s.q.X.
0010: 9E 0C 44 1F 87 C2 A3 3C C0 E7 9A E3 C4 BC A7 DD ..D....<........
0020: C4 FC 52 F1 A9 72 65 14 99 C1 A7 62 61 35 91 D8 ..R..re....ba5..
0030: AE FF FB FF 82 D8 1C EE 03 02 77 03 19 6A B0 06 ..........w..j..
[read] MD5 and SHA1 hashes: len = 607
Thread-3, READ: TLSv1 Handshake, length = 220
*** CertificateRequest
Cert Types: RSA, DSS, Ephemeral DH (RSA sig),
Cert Authorities:
<CN=Root CA, O=Zork.org, L=Fairfax, ST=Virginia, C=US>
<CN=Server CA, OU=Server Division, O=Zork.org, L=Fairfax, ST=Virginia, C=US>
[read] MD5 and SHA1 hashes: len = 220
Thread-3, READ: TLSv1 Handshake, length = 4
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 175, 38, 47, 77, 131, 125, 209, 147, 174, 228, 183, 99, 34, 2, 100, 186, 77, 47, 65, 233, 82, 133, 183, 113, 8, 193, 51, 241, 167, 105, 4, 187, 57, 130, 161, 11, 178, 11, 134, 84, 96, 106, 203, 11, 195, 51 }
[write] MD5 and SHA1 hashes: len = 77
Thread-3, WRITE: TLSv1 Handshake, length = 77
SESSION KEYGEN:
Thread-3, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher DES/CBC/NoPadding
*** Finished
verify_data: { 20, 20, 38, 13, 43, 235, 102, 72, 75, 212, 21, 21 }
Thread-3, WRITE: TLSv1 Handshake, length = 40
Thread-3, READ: TLSv1 Alert, length = 2
Thread-3, RECV TLSv1 ALERT: fatal, handshake_failure
Thread-3, called closeSocket()
Thread-3, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Finalizer, called close()
Finalizer, called closeInternal(true)
So I'll toil away trying to get the *right* combination of settings - please let me know if you have any ideas! FYI, here are the command line settings I am using for the keystore:
-Djavax.net.ssl.keyStore=c:\myClientIdKeyStore -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=myClientIdKeyStorePass
Thanks,
Paul -
Urgent : Problem with Client when OC4J has been setup in 2 way SSL mode
This is the output that is generated in the JDeveloper console on running the example from b14429.pdf. Example:
====================================================
import HTTPClient.HTTPConnection;
import HTTPClient.HTTPResponse;
import javax.security.cert.X509Certificate;
import oracle.security.ssl.OracleSSLCredential;
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;

public class SSLSocketClientWithClientAuth {
    public static void main(String[] args) {
        if (args.length < 4) {
            System.out.println("Usage: java HTTPSConnectionTest [host] [port] " +
                               "[wallet] [password]");
            System.exit(-1);
        }
        String hostname = args[0].toLowerCase();
        int port = Integer.decode(args[1]).intValue();
        String walletPath = args[2];
        String password = args[3];
        HTTPConnection httpsConnection = null;
        OracleSSLCredential credential = null;
        try {
            httpsConnection = new HTTPConnection("https", hostname, port);
        } catch (IOException e) {
            System.out.println("HTTPS Protocol not supported");
            System.exit(-1);
        }
        // The Oracle wallet holds the client identity (private key + cert chain)
        // that is presented when the server requests a client certificate.
        try {
            credential = new OracleSSLCredential();
            credential.setWallet(walletPath, password);
        } catch (IOException e) {
            System.out.println("Could not open wallet");
            System.exit(-1);
        }
        httpsConnection.setSSLEnabledCipherSuites(new String[]{"SSL_RSA_WITH_3DES_EDE_CBC_SHA"});
        httpsConnection.setSSLCredential(credential);
        try {
            httpsConnection.connect();
        } catch (IOException e) {
            System.out.println("Could not establish connection");
            e.printStackTrace();
            System.exit(-1);
        }
        // X509Certificate x509 = new X509Certificate();
        //javax.servlet.request.
        X509Certificate[] peerCerts = null;
        try {
            peerCerts = (httpsConnection.getSSLSession()).getPeerCertificateChain();
        } catch (javax.net.ssl.SSLPeerUnverifiedException e) {
            System.err.println("Unable to obtain peer credentials");
            e.printStackTrace();
            System.exit(-1);
        }
        // Check that the server's certificate was issued to the host we dialled.
        String peerCertDN = peerCerts[peerCerts.length - 1].getSubjectDN().getName();
        peerCertDN = peerCertDN.toLowerCase();
        if (peerCertDN.lastIndexOf("cn=" + hostname) == -1) {
            System.out.println("Certificate for " + hostname + " is issued to " + peerCertDN);
            System.out.println("Aborting connection");
            System.exit(-1);
        }
        try {
            HTTPResponse rsp = httpsConnection.Get("/");
            System.out.println("Server Response: ");
            System.out.println(rsp);
        } catch (Exception e) {
            System.out.println("Exception occurred during Get");
            e.printStackTrace();
            System.exit(-1);
        }
    }
}
================================================================
C:\j2sdk1.4.2_09\bin\javaw.exe -client -classpath "D:\eclipse\workspace\OC4JClient\OC4JClient\classes;D:\eclipse\workspace\jdev\extensions\.jar;C:\Documents and Settings\nilesh_bafna\Desktop\Nitin\lib\jssl-1_1.jar;E:\product\10.1.3.1\OracleAS_1\j2ee\home\lib\http_client.jar;E:\product\10.1.3.1\OracleAS_1\jlib\javax-ssl-1_1.jar" -Djava.protocol.handler.pkgs=HTTPClient -Djavax.net.debug=ssl -Djavax.net.ssl.keyStore=F:/oc4jcert/client.keystore -Djavax.net.ssl.keyStorePassword=welcome1 -Djavax.net.ssl.trustStore=F:/oc4jcert/client.keystore -Djavax.net.ssl.trustStorePassword=welcome1 -DOracle.ssl.defaultCipherSuites=SSL_RSA_WITH_RC4_128_MD5 SSLSocketClientWithClientAuth ps4372.persistent.co.in 443 F:/oc4jcert/client.keystore welcome1
keyStore is : F:/oc4jcert/client.keystore
keyStore type is : jks
init keystore
init keymanager of type SunX509
found key for : oracle-client
chain [0] = [
Version: V3
Subject: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
Validity: [From: Thu Jan 18 21:18:14 GMT+05:30 2007,
To: Wed Apr 18 21:18:14 GMT+05:30 2007]
Issuer: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
SerialNumber: [ 45af96be]
Algorithm: [MD5withRSA]
Signature:
trustStore is: F:\oc4jcert\client.keystore
trustStore type is : jks
init truststore
adding as trusted cert:
Subject: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
Issuer: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
Algorithm: RSA; Serial number: 0x45af96be
Valid from Thu Jan 18 21:18:14 GMT+05:30 2007 until Wed Apr 18 21:18:14 GMT+05:30 2007
adding as trusted cert:
Subject: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
Issuer: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
Algorithm: RSA; Serial number: 0x45af95dc
Valid from Thu Jan 18 21:14:28 GMT+05:30 2007 until Wed Apr 18 21:14:28 GMT+05:30 2007
init context
trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1152299454 bytes = { 41, 212, 166, 48, 109, 77, 185, 232, 204, 95, 158, 141, 60, 96, 196, 172, 49, 19, 49, 22, 222, 234, 47, 76, 27, 130, 5, 176 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 839
*** ServerHello, TLSv1
RandomCookie: GMT: 1152299454 bytes = { 206, 186, 162, 116, 179, 72, 44, 198, 189, 25, 70, 227, 170, 235, 83, 186, 152, 49, 194, 222, 248, 3, 191, 170, 248, 95, 134, 35 }
Session ID: {69, 175, 178, 190, 47, 141, 131, 115, 241, 226, 39, 29, 241, 65, 235, 165, 57, 40, 52, 85, 68, 85, 68, 84, 108, 141, 1, 125, 193, 191, 158, 208}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
Version: V3
Subject: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
Validity: [From: Thu Jan 18 21:14:28 GMT+05:30 2007,
To: Wed Apr 18 21:14:28 GMT+05:30 2007]
Issuer: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
SerialNumber: [ 45af95dc]
Algorithm: [MD5withRSA]
Signature:
Found trusted certificate:
Version: V3
Subject: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
Validity: [From: Thu Jan 18 21:14:28 GMT+05:30 2007,
To: Wed Apr 18 21:14:28 GMT+05:30 2007]
Issuer: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
SerialNumber: [ 45af95dc]
Algorithm: [MD5withRSA]
Signature:
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US>
*** ServerHelloDone
matching alias: oracle-client
*** Certificate chain
chain [0] = [
Version: V3
Subject: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
Validity: [From: Thu Jan 18 21:18:14 GMT+05:30 2007,
To: Wed Apr 18 21:18:14 GMT+05:30 2007]
Issuer: CN=ps4372.persistent.co.in, OU=Marketing, O=Oracle, L=Atlanta, ST=Georgia, C=US
SerialNumber: [ 45af96be]
Algorithm: [MD5withRSA]
Signature:
JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 236, 206, 185, 158, 75, 201, 230, 16, 170, 40, 193, 70, 188, 134, 36, 134, 14, 20, 191, 121, 246, 8, 7, 2, 137, 66, 166, 10, 185, 246, 104, 154, 27, 82, 161, 133, 11, 130, 11, 130, 71, 84, 155, 165, 239, 227 }
main, WRITE: TLSv1 Handshake, length = 763
SESSION KEYGEN:
... no IV for cipher
JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
*** CertificateVerify
main, WRITE: TLSv1 Handshake, length = 134
main, WRITE: TLSv1 Change Cipher Spec, length = 1
main, handling exception: java.net.SocketException: Software caused connection abort: socket write error
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
IOException in getSession(): java.net.SocketException: Software caused connection abort: socket write error
Unable to obtain peer credentials
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(DashoA12275)
at SSLSocketClientWithClientAuth.main(SSLSocketClientWithClientAuth.java:56)
Process exited with exit code -1.
=====================================================
I think this is the problem with ciphers. So can anybody please help me with this!!!. This is very urgent!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Thanks in advance
Nilesh
Thanks for your prompt reply. I was able to make it run. Actually I am using the same keystore and truststore at both the client and the server end. I added those properties in opmn.xml as startup parameters.
I have another query I am using JDev to create a client proxy for my webservice that is deployed in OC4J. I have setup OC4J in 2 way SSL (mutual authentication)
When I invoke my client proxy with these system properties set
System.setProperty("javax.net.ssl.keyStore",keyStore);
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
System.setProperty("javax.net.ssl.trustStore", trustStore);
System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);
System.setProperty("javax.net.ssl.keyStoreType","JKS");
System.setProperty("javax.net.ssl.trustStoreType","JKS");
I get an exception in the log.xml which is
<MSG_TEXT>IOException in ServerSocketAcceptHandler$AcceptHandlerHorse:run</MSG_TEXT>
<SUPPL_DETAIL><![CDATA[javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
at com.sun.net.ssl.internal.ssl.ServerHandshaker.handshakeAlert(ServerHandshaker.java:1031)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1535)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
at oracle.oc4j.network.ServerSocketAcceptHandler.doSSLHandShaking(ServerSocketAcceptHandler.java:250)
at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:868)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
at java.lang.Thread.run(Thread.java:595)
]]></SUPPL_DETAIL>
Isn't setting these properties enough for sending a client certificate? Please help!!!!
Thanks,
Nilesh. -
Java sp 2-way SSL authentication
I've written a java stored proc that uses JSSE to implement an HTTPS client to a partner's server. In the past, this strategy has worked well, and we have several successful projects under our belts.
This time, the partner's server is configured for 2-way ssl authentication. When I try to open the connection from my client, it is reporting-
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate.
I'm not 100% sure what that means, but I think that it means the server is asking for a public cert from the client, and it isn't happy with what it is getting back.
Can anyone tell me how to configure the client-side cert in a way that will make it available for my java code running in the Oracle JVM? I understand how to set up the keystore so that it is available for Tomcat, for example, but I'm at a loss to find how to set up client certs for access within an Oracle Java Stored Procedure...
I hope that I have explained this clearly. If I need to provide more information, just ask.
Thanks in advance for any help.
Cole -
http://www.weblogic.com/docs51/classdocs/API_acl.html
Michael Girdley
BEA Systems Inc
"gennot" <[email protected]> wrote in message
news:[email protected]..
Could you send me the complete URL of these example, please?
Thanks
Enrico
Michael Girdley <[email protected]> wrote in message
39b87078$[email protected]..
The passing of the client's certificate should be automatic to WebLogic. We have an example of getting the client side certificate from inside of WebLogic in our documentation.
This does not require for SSL to be used from the Web server to WebLogic.
Thanks,
Michael
Michael Girdley
BEA Systems Inc
"Bob Simonoff" <[email protected]> wrote in message
news:[email protected]..
I have read through the docs and haven't found anything that would address the following confusion:
Suppose I want to use Apache or IPlanet as the webserver with WebLogic as the back end application server (obviously). I have the need to use 2way SSL authentication. As I understand it the following applies:
Client (browser) has a certificate as does the web server. They authenticate each other.
Now, the web server and weblogic need to communicate. WebLogic, in our environment does authentication via the security realm.
What do I have to do to get the web server (Apache or IPlanet) to communicate the client's certificate to WebLogic so the WebLogic can perform the authentication?
Does the communication between the web server and WebLogic also need to be SSL?
Thanks
Bob Simonoff -
Difference Between One-way SSL and Two Way SSL
Hi ,
Can anyone tell me the difference between one-way and two-way SSL? For Apache to WebLogic Server, which type of SSL can we configure? Please provide information on this.
thanks
In short, below is the difference:
One Way SSL - Only the client authenticates the server
- This means that the public cert of the server needs to be configured in the trust store of the client for this to happen.
Two Way SSL - The client authenticates the server & the server also authenticates the client.
- This means that the public cert of the server needs to be configured in the trust store of the client for this to happen.
- Also the public cert of the client needs to be configured in the server's trust store
Please refer to http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas.doc%2Fsy10660_.htm. In case of Two way SSL the step numbers 5 & 6 also occur.
You can implement either of them between apache and weblogic.
Hope this helps.
Thanks,
Patrick -
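The one-way versus two-way distinction Patrick describes, together with the two failures reported earlier on this page (a client that presents no certificate, and a client certificate the server's trust store does not contain), as an added Go example that is not code from any of the posts: it builds a throwaway in-memory PKI and runs four handshakes over loopback TCP, one per combination of server policy and client identity. The CA names, host names and the "ok" payload are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error: this is throwaway fixture code, not production error handling.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint signs tmpl with parent and signer, or self-signs it as a CA when parent is nil,
// and returns the certificate with its fresh P-256 key (valid for one hour around now).
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}
// leaf has ca issue an end-entity identity for name, marked serverAuth or clientAuth.
func leaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, usage x509.ExtKeyUsage) tls.Certificate {
	cert, key := mint(&x509.Certificate{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage}}, ca, caKey)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
}
// PKI is the constructed trust setup: one CA that both ends trust, plus an unrelated CA.
type PKI struct {
	Trust    *x509.CertPool  // trust store shared by client and server (holds "Root CA" only)
	Server   tls.Certificate // server identity, issued by the trusted CA
	Client   tls.Certificate // client identity, issued by the trusted CA
	Stranger tls.Certificate // client identity issued by the unrelated CA, so in no trust store
}
func NewPKI() *PKI {
	ca, caKey := mint(&x509.Certificate{Subject: pkix.Name{CommonName: "Root CA"}}, nil, nil)
	other, otherKey := mint(&x509.Certificate{Subject: pkix.Name{CommonName: "Unrelated CA"}}, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &PKI{Trust: pool,
		Server:   leaf(ca, caKey, "server.test", x509.ExtKeyUsageServerAuth),
		Client:   leaf(ca, caKey, "client.test", x509.ExtKeyUsageClientAuth),
		Stranger: leaf(other, otherKey, "client.test", x509.ExtKeyUsageClientAuth)}
}
// Handshake runs one TLS connection over loopback TCP: auth is the server's client-auth
// policy, clientID the identity the client presents (nil: no key store, the NO_CERTIFICATE case).
func (p *PKI) Handshake(auth tls.ClientAuthType, clientID *tls.Certificate) error {
	serverCfg := &tls.Config{Certificates: []tls.Certificate{p.Server}, MinVersion: tls.VersionTLS12,
		ClientAuth: auth,    // NoClientCert = one-way SSL; RequireAndVerifyClientCert = two-way SSL
		ClientCAs:  p.Trust} // server-side trust store used to verify client certificates
	clientCfg := &tls.Config{RootCAs: p.Trust, ServerName: "server.test", MinVersion: tls.VersionTLS12}
	if clientID != nil {
		clientCfg.Certificates = []tls.Certificate{*clientID} // the client's "key store"
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		s := tls.Server(conn, serverCfg)
		err := s.Handshake()
		if err == nil {
			_, err = s.Write([]byte("ok")) // application data proves the handshake completed
		}
		srvDone <- err
	}()
	conn := must(net.Dial("tcp", ln.Addr().String()))
	c := tls.Client(conn, clientCfg)
	err := c.Handshake()
	if err == nil {
		_, err = c.Read(make([]byte, 2)) // surfaces any alert the server sent after its checks
	}
	conn.Close()
	if srvErr := <-srvDone; srvErr != nil { // the server's verdict takes precedence
		return srvErr
	}
	return err
}

func main() {
	p := NewPKI()
	fmt.Println("one-way, no client cert:       ", p.Handshake(tls.NoClientCert, nil))
	fmt.Println("two-way, trusted client cert:  ", p.Handshake(tls.RequireAndVerifyClientCert, &p.Client))
	fmt.Println("two-way, no client cert:       ", p.Handshake(tls.RequireAndVerifyClientCert, nil))
	fmt.Println("two-way, untrusted client cert:", p.Handshake(tls.RequireAndVerifyClientCert, &p.Stranger))
}
```

The first two runs return no error; the last two return the server's rejection, which is what the WebLogic and OC4J logs in the posts above show from the server's side.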
What's the difference between 2 way SSL over HTTPS & 2 way SSL over TCP
also, is there an implementation on web for 2 way SSL/TCP?
PS: please do not give me the definition for 2 way SSL :)
> What's the difference between 2 way SSL over HTTPS & 2 way SSL over TCP?
The difference is that '2 way SSL over HTTPS' doesn't exist.
HTTPS is HTTP over SSL, so SSL over that would be SSL over SSL which would be pointless. -
2-way SSL when WL7 is client; get "Required peer certificates not supplied by peer"
Background: WL7 is properly configured to use 2-way SSL, and works fine whenever
it's acting as the Server; i.e., I have 2-way SSL working between a Web Browser
and WL7, or between Tomcat and WL7. However, when trying to get 2-way SSL (mutual
authentication) working between a WL7 server acting as a client and another server
such as Tomcat, acting as the server, I get a "Required peer certificates not
supplied by peer" error. The initial ServerHello handshake is fine; the problem
arises when the Tomcat server, for example, then requests WL7 to serve up its
client certificate. It's as if WL7 does not know where to locate its "client"
certificate.
I had the same problem with Tomcat initially, where it would also not know how
to locate its "client" certificate. I resolved the problem by setting the following
system properties:
javax.net.ssl.keyStore=...
javax.net.ssl.keyStorePassword=...
javax.net.ssl.trustStore=...
javax.net.ssl.trustStorePassword=...
Are there analogous system properties I need to set on the WL7 side of things,
as I noticed that WL7 seems to use its own proprietary version of JSSE API's?
How do I configure WL7 to locate its "client" certificate?
Thanks! Your help is greatly appreciated.
-Dan
Weblogic uses Certicom SSL implementation which has classes that conflict with JSSE classes. As a result opening SSL connection from WLS over JSSE or API like SOAPConnection that uses JSSE does not work as expected. The javax.net.ssl properties are not supported and there is no replacement for the default identity keystore property.
The best workaround I can think of in this case is to pass as the second parameter
to SOAPConnection.call() method a URL instance created with a custom URLStreamHandler
extending the weblogic.net.http.Handler. This handler can override the Handler.openConnection(URL)
method and use the HttpsURLConnection.loadLocalIdentity method to initialize identity
of the returned connection. For example:
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;

public class MyHandler extends weblogic.net.http.Handler {
    protected URLConnection openConnection(URL u) throws IOException {
        URLConnection c = super.openConnection(u);
        if (c instanceof weblogic.net.http.HttpsURLConnection) {
            // initialize ssl identity: certChain and privateKey are the client's
            // identity, loaded elsewhere (for example from the identity keystore)
            ((weblogic.net.http.HttpsURLConnection) c).loadLocalIdentity(certChain, privateKey);
        }
        return c;
    }
}
URL someHTTPSUrlEndpoint = new URL("https", "localhost", 7002, "myfile", new MyHandler());
replyMessage = con.call(someSOAPMessageInstance, someHTTPSUrlEndpoint);
Pavel.
"ddumitru" <[email protected]> wrote:
Thanks, Pavel, for replying,
I've been reading and re-reading that page for quite a while now. Unfortunately, the examples given are for when WL7 is acting as the "server" and not the "client"; i.e., when some other server, such as Tomcat, WebSphere, or Oracle 9IAS, reaches out to the WL7 instance first, or when one WL7 instance talks to another WL7 instance via JNDI.
In my case, my WL7 instance needs to initiate a Web Service call; i.e., needs to reach out to another server via a SAAJ (SOAP with Attachments) API call. My sending servlet uses the SAAJ (SOAP with attachments) API to make a Web Service call to another server, as follows:
SOAPConnectionFactory scf = SOAPConnectionFactory.newInstance();
SOAPConnection con = scf.createConnection();
SOAPMessage replyMessage = con.call(someSOAPMessageInstance, someHTTPSUrlEndpoint);
With the SAAJ API, as illustrated above, I don't see a direct way of configuring (using URL
Connection, SSLContext, SSLSocketFactory, etc.) the SSL connection prior to making a call, as suggested in the link you mentioned. Also, the receiving server may implement its Web Services using a non-BEA application server that may not even use the J2EE platform. As such, I don't believe I can use the JNDI solution provided in that same link.
Again, I was able to make 2-way SSL (Mutual Authentication) connections between Tomcat and WL7 instances using the SAAJ API's when Tomcat was the client initiating the SAAJ call. In this scenario, Tomcat requested WL7 for its certificate, WL7 served it up, and Tomcat then verified it. Then, in turn, WL7 asked Tomcat for its certificate, Tomcat presented it, and WL7 was able to verify Tomcat's certificate.
I suppose I was able to make it all work under this scenario because I was able to configure Tomcat, which is using native JSSE API's, to locate its "client" certificate by setting the following system properties, as mentioned previously:
javax.net.ssl.keyStore=...
javax.net.ssl.keyStorePassword=...
javax.net.ssl.trustStore=...
javax.net.ssl.trustStorePassword=...
Based upon your feedback, I now understand that WL7 cannot be configured in a similar manner because WL7 uses its own version of the JSSE API's. Any ideas on what I might try next?
Thanks!
-Dan
"Pavel" <[email protected]> wrote:
WLS SSL API does not support any system properties for SSL identity. The client's identity has to be configured via methods of SSL API. The trust configuration of SSL client running on WL server and using WLS SSL API will be the same as of the WL server.
See http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1019570 for more information on this. "Writing Applications that Use SSL" contains code examples that use different SSL APIs to connect over two-way SSL.
Pavel.
"ddumitru" <[email protected]> wrote:
Background: WL7 is properly configured to use 2-way SSL, and works fine whenever it's acting as the Server; i.e., I have 2-way SSL working between a Web Browser and WL7, or between Tomcat and WL7. However, when trying to get 2-way SSL (mutual authentication) working between a WL7 server acting as a client and another server such as Tomcat, acting as the server, I get a "Required peer certificates not supplied by peer" error. The initial ServerHello handshake is fine; the problem arises when the Tomcat server, for example, then requests WL7 to serve up its client certificate. It's as if WL7 does not know where to locate its "client" certificate.
I had the same problem with Tomcat initially, where it would also not know how to locate its "client" certificate. I resolved the problem by setting the following system properties:
javax.net.ssl.keyStore=...
javax.net.ssl.keyStorePassword=...
javax.net.ssl.trustStore=...
javax.net.ssl.trustStorePassword=...
Are there analogous system properties I need to set on the WL7 side of things, as I noticed that WL7 seems to use its own proprietary version of JSSE API's?
How do I configure WL7 to locate its "client" certificate?
Thanks! Your help is greatly appreciated.
-Dan -
Two-way SSL: Private key is incorrectly read if the charset is set to UTF8
Looks like PEMInputStream and other related classes assume the application charset "iso81", but if the charset is something else, then "java.security.KeyManagementException" is thrown.
We have everything set up and two-way SSL works when the encoding is not set, but breaks if the encoding is UTF8.
WLS 7.0
OS - HP-UX
Is there any other workaround (not setting UTF8 is not a solution, ours is a WW app).
Thanks
I would suggest posting this to the security newsgroup.
-- Rob
-
Hi,
I want to consume a Java web service from a Dotnet-based client application. The service requires one certificate ("abc.PFX") for two-way SSL and another certificate ("xyz.pfx") for WS-Security, both to be passed from the client application (Dotnet console based). I tried configuring the App.config of the client application to pass both certs, but I get an error saying:
Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
Please suggest how to pass both certs from the client application.
Hi,
This problem can be due to an untrusted certificate. So you just need full permissions on the certificates.
For more information, you could refer to:
http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
Regards