[Java 1.4.2] Rmi over SSL : bind/rebind hangs

Hello everybody,
I am trying to test client/server communication with RMI over an SSL layer, as explained here.
Here is my server class:
package rmitest.server;

import java.rmi.registry.*;
import java.rmi.*;
import rmitest.client.RMISSLClientSocketFactory;
import java.rmi.server.RMIClientSocketFactory;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.registry.LocateRegistry;
import java.rmi.server.*;
import java.io.IOException;

public class Hello extends UnicastRemoteObject implements HelloInterface
{
    public Hello(RMIClientSocketFactory csf, RMIServerSocketFactory ssf) throws RemoteException
    {
        //super();
        // Export this object on port 1099 through the SSL socket factories.
        super(1099, csf, ssf);
        System.out.println("Initialisation de Hello OK.");
    }

    public int sayHello()
    {
        try {
            System.out.println("Hello, World !");
            return 0;
        }
        catch (Exception e)
        {
            e.printStackTrace();
            return 1;
        }
    }

    public static void main(String[] args)
    {
        try
        {
            System.setSecurityManager(new RMISecurityManager());
            RMIClientSocketFactory csf = new RMISSLClientSocketFactory();
            RMIServerSocketFactory ssf = new RMISSLServerSocketFactory();
            HelloInterface myHello = new Hello(csf, ssf);
            // Reach the registry on lat203:1099 with the SSL client socket factory.
            Registry reg = LocateRegistry.getRegistry("lat203", 1099, csf);
            reg.rebind("HelloInterface", myHello);
            System.out.println("The server is ready.");
        }
        catch (RemoteException e)
        {
            e.printStackTrace();
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }
}

My problem is, the program hangs in the rebind(...) instruction. Would anybody have a clue?
Here is the stack just before it hangs :
Thread [main] (Stepping)
    UnicastRef2(UnicastRef).newCall(RemoteObject, Operation[], int, long) line: 313
    RegistryImpl_Stub.rebind(String, Remote) line: not available
    Hello.main(String[]) line: 56
Thread [Thread-1] (Running)

Thank you in advance.
Edited by: le_barde on Oct 17, 2008 6:45 AM

Ok I settled that in the client socket factory. Here is what it looks like :
package com.infotel.rmitest.client;

import java.io.*;
import java.net.*;
import java.rmi.server.*;
import javax.net.ssl.*;
import sun.security.util.Debug;

public class RMISSLClientSocketFactory
    implements RMIClientSocketFactory, Serializable {

    public Socket createSocket(String host, int port)
    throws IOException
    {
        SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
        // Enable only these protocols, so no SSLv2-format ClientHello is sent.
        String[] strtab = {"TLSv1", "SSLv3"};
        socket.setEnabledProtocols(strtab);
        System.out.println("---> before handshake");
        socket.startHandshake();
        System.out.println("---> after handshake.");
        return socket;
    }

    public int hashCode()
    {
        return getClass().hashCode();
    }

    // Two factories of the same class are considered equal.
    public boolean equals(Object obj)
    {
        if (obj == this)
            return true;
        else if (obj == null || getClass() != obj.getClass())
            return false;
        return true;
    }
}

I haven't modified my Server socket factory.
The client still hangs but the messages are different as I have removed the SSLv2ClientHello:
(lots of trusted certificates...)
init context
trigger seeding of SecureRandom
done seeding SecureRandom
---> before handshake
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1225125230 bytes = { 150, 101, 222, 255, 92, 207, 52, 204, 48, 37, 184, 89, 56, 39, 207, 230, 8, 210, 1, 235, 137, 48, 202, 242, 203, 4, 61, 91 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 73
0000: 01 00 00 45 03 01 49 06 ED 6E 96 65 DE FF 5C CF ...E..I..n.e..\.
0010: 34 CC 30 25 B8 59 38 27 CF E6 08 D2 01 EB 89 30 4.0%.Y8'.......0
0020: CA F2 CB 04 3D 5B 00 00 1E 00 04 00 05 00 2F 00 ....=[......../.
0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
0040: 03 00 08 00 14 00 11 01 00 .........
main, WRITE: TLSv1 Handshake, length = 73
(Here the client hangs; this is the point when I kill the JVM)
Now my server output (I don't give the verbose certificates):
trigger seeding of SecureRandom
done seeding SecureRandom
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
* SERVER INITIALIZED *
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
etc.
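
The client trace above stops right after the ClientHello is written, which is what a client sees whenever the peer accepts the TCP connection but never sends a TLS reply. The following is an added example, not code from the thread: a client socket factory that bounds the handshake with a timeout so this condition surfaces as an exception instead of a hang. The class name, the timeout value and the silent test listener in main are assumptions made for illustration; the thread does not establish what the poster's peer was actually doing.

```java
import java.io.IOException;
import java.io.Serializable;
import java.net.InetSocketAddress;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.rmi.server.RMIClientSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (hypothetical class name): RMI client socket factory whose
// TLS handshake is bounded by a timeout instead of blocking indefinitely.
public class BoundedHandshakeClientSocketFactory
        implements RMIClientSocketFactory, Serializable {

    private static final long serialVersionUID = 1L;
    private final int timeoutMillis; // assumption: value chosen by the deployer

    public BoundedHandshakeClientSocketFactory(int timeoutMillis) {
        this.timeoutMillis = timeoutMillis;
    }

    public Socket createSocket(String host, int port) throws IOException {
        Socket raw = new Socket();
        try {
            // Bound both the TCP connect and every read made during the handshake.
            raw.connect(new InetSocketAddress(host, port), timeoutMillis);
            raw.setSoTimeout(timeoutMillis);
            SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket tls = (SSLSocket) f.createSocket(raw, host, port, true);
            tls.startHandshake();
            // Handshake done: remote calls may legitimately block for a long time.
            raw.setSoTimeout(0);
            return tls;
        } catch (IOException e) {
            raw.close();
            if (isTimeout(e)) {
                throw new IOException("No TLS reply from " + host + ":" + port
                        + " within " + timeoutMillis
                        + " ms; check that the peer listens with an SSL server socket", e);
            }
            throw e;
        }
    }

    // Some JSSE versions wrap the timeout in an SSLException, so walk the causes.
    static boolean isTimeout(Throwable t) {
        for (; t != null; t = t.getCause()) {
            if (t instanceof SocketTimeoutException) {
                return true;
            }
        }
        return false;
    }

    // RMI compares socket factories, so equal configuration must mean equal objects.
    public boolean equals(Object obj) {
        return obj != null && obj.getClass() == getClass()
                && ((BoundedHandshakeClientSocketFactory) obj).timeoutMillis == timeoutMillis;
    }

    public int hashCode() {
        return getClass().hashCode() * 31 + timeoutMillis;
    }

    public static void main(String[] args) throws Exception {
        // Constructed test peer: accepts TCP, swallows the ClientHello, never answers.
        final ServerSocket silent = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        Thread t = new Thread(new Runnable() {
            public void run() {
                try {
                    Socket peer = silent.accept();
                    while (peer.getInputStream().read() != -1) {
                        // discard whatever the client sends
                    }
                } catch (IOException ignored) {
                    // listener closed at the end of the demo
                }
            }
        });
        t.setDaemon(true);
        t.start();

        RMIClientSocketFactory csf = new BoundedHandshakeClientSocketFactory(2000);
        long start = System.currentTimeMillis();
        try {
            csf.createSocket(silent.getInetAddress().getHostAddress(), silent.getLocalPort());
            System.out.println("unexpected: handshake completed");
        } catch (IOException e) {
            System.out.println("failed after " + (System.currentTimeMillis() - start)
                    + " ms: " + e.getMessage());
        } finally {
            silent.close();
        }
    }
}
```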

Similar Messages

  • Rmi over ssl in jdk1.5.0

    hi,
    i am trying to connect a remote machine with rmi over ssl. but i got the following exceptions;
    java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
    Caused by: javax.net.ssl.SSLKeyException: RSA premaster secret error
    Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/PKCS1Padding
    Caused by: java.lang.IllegalArgumentException: can't support mode ECB
    i am using jdk1.5.0. i have tried many samples but i have not run them successfully however they were running successfully in j2sdk1.4.2.
    also i downloaded the bouncycastle provider but it did not work.
    is there anybody who knows about a running sample about rmi and ssl in jdk1.5.0? please send me....

    Hi!
    I know it's not the exactly right topic, but I've nearly the same problem with a https connection for a webService. I'm not using turkish locale, I'm using BouncyCastle and the "Unlimited Strength" policy files. I've no problems if I start my application with eclipse, starting it with jdk1.5.0_03\jre\bin\java or jre1.5.0_03\bin\java from commandline I get the same stacktrace:
    javax.net.ssl.SSLKeyException: RSA premaster secret error
    Caused by: javax.net.ssl.SSLKeyException: RSA premaster secret error
    Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/PKCS1Padding
    Caused by: java.lang.IllegalArgumentException: can't support mode ECB
    if i try to get the cipher with
    Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    I'll get the same stacktrace, with
    Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding", "BC");
    it works fine, but I've no idea how to run this code out of axis...
    Thanks & Regards
    Helmut

  • RMI over SSL under Web Start can't find trusted certificate

    I have implemented RMI over SSL to get a Java EJB Client application talking to a JRun server over SSL. It works fine from the command line, but when I try to run it as a Web Start application, I get
    java.security.cert.CertificateException: Couldn't find trusted certificate
    (More complete stack trace below)
    I am using a test certificate, not one from a bona fide CA.
    I have tried putting the key store file in one of the jars used by the application, and adding:
    <argument>-Djavax.net.ssl.trustStore=jssecacerts</argument>
    and
    <argument>-Djavax.net.ssl.trustStore=jar:http://ip/app/xxx/lib/JarWithCacs.jar!/jssecacerts</argument>
    to no avail.
    If I copy the jssecacerts to Web Start's jre/lib/security directory, it works fine.
    I have seen other postings that say to use keytool to update the JRE used by Web Start, but that kind of defeats the purpose of Web Start: zero admin client. I can't touch each user's machine.
    I have seen other posts saying to implement a more relaxed trust manager, but that doesn't seem right either.
    I am using JDK 1.4.1_02b6 on Win2k. This should be irrelevant: JRun 4 sp1a.
    Is there a way to specify the jssecacerts file in the jnlp file so Web Start will recognize it?
    Thanks for any help,
    John

    I think I have an answer:
    1) Package the truststore file in the client JAR file
    2) Add code to the client to copy the truststore from the JAR file to the client hard drive
    3) Add code to the client to set the truststore properties to refer to the file on the client hard drive

    // requires: import java.io.*; import java.net.URL;
    private void setupTrustStore() {
        try {
            // save truststore file to local disk
            File homeDir = new File(System.getProperty("user.home"));
            File trustStoreFile = new File(homeDir, "mytruststore");
            URL url =
                this.getClass().getClassLoader().getResource("mytruststore");
            BufferedInputStream in =
                new BufferedInputStream(url.openStream());
            BufferedOutputStream out =
                new BufferedOutputStream(new FileOutputStream(trustStoreFile));
            while(true) {
                int data = in.read();
                if(data < 0) break;
                out.write(data);
            }
            in.close();
            out.flush();
            out.close();
            // set truststore properties
            System.setProperty("javax.net.ssl.trustStore",
                trustStoreFile.getPath());
            System.setProperty("javax.net.ssl.trustStorePassword", "mypasswd");
        } catch(Exception e) {
            e.printStackTrace();
        }
    }
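
A variant of the approach in the answer above, added here as an example and not code from the post: the bundled truststore is read straight from the JAR into an SSLContext, so nothing is written to the user's home directory and the JVM-wide javax.net.ssl.trustStore property is left untouched. The class and method names are assumptions, and main builds a constructed sample store from the JRE's own trust anchors so the example runs without a real bundled file.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical names): trust only the certificates shipped
// with the application, without touching the disk or global properties.
public final class BundledTrustStore {

    // Build a socket factory that trusts exactly the certificates in the stream.
    static SSLSocketFactory socketFactoryFrom(InputStream in, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(in, password); // the password also checks the store's integrity
        if (ks.size() == 0) {
            throw new GeneralSecurityException("truststore holds no certificates");
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: server auth only
        return ctx.getSocketFactory();
    }

    // Load the store from a classpath resource, e.g. one packaged in the client JAR.
    static SSLSocketFactory fromClasspath(String resource, char[] password)
            throws IOException, GeneralSecurityException {
        InputStream in = BundledTrustStore.class.getClassLoader().getResourceAsStream(resource);
        if (in == null) {
            throw new IOException("truststore resource not found: " + resource);
        }
        try {
            return socketFactoryFrom(in, password);
        } finally {
            in.close();
        }
    }

    // Constructed sample input: a one-entry store made from a JRE default anchor.
    static byte[] sampleStore(char[] password) throws IOException, GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JRE's default trust anchors
        X509Certificate[] anchors = new X509Certificate[0];
        TrustManager[] tms = tmf.getTrustManagers();
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager) {
                anchors = ((X509TrustManager) tms[i]).getAcceptedIssuers();
            }
        }
        if (anchors.length == 0) {
            throw new GeneralSecurityException("this JRE ships no default trust anchors");
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty in-memory store
        ks.setCertificateEntry("sample-anchor", anchors[0]);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] password = "sample-only".toCharArray(); // constructed value
        byte[] store = sampleStore(password);
        SSLSocketFactory f = socketFactoryFrom(new ByteArrayInputStream(store), password);
        System.out.println("socket factory built from " + store.length
                + " bytes, " + f.getDefaultCipherSuites().length + " default suites");
    }
}
```

Inside an RMIClientSocketFactory, createSocket(host, port) can then return the socket created by this factory instead of the one from SSLSocketFactory.getDefault().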

  • Problem with socket factory in RMI over SSL in proxy setup

    Hi
    The following is the setup I have;
    1. I have an application in which the server is running in https mode and I have exported my remote objects using ServerSocketFactory and ClientSocketFactory which will create SSLServerSocket and SSLSocket respectively.
    2. When I connect a client to this server and invoke some method on any of the remote objects, I get the following exception:
    java.lang.NullPointerException
    at sun.rmi.transport.tcp.TCPConnection.getOutputStream(Unknown Source)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
    at sun.rmi.server.UnicastRef.invoke(Unknown Source)
    at com.acme.ems.server.app.main.TestSumImpl_Stub.addOne(Unknown Source)
    at com.acme.ems.client.app.tools.EMSHaSftpSettings.okButtonActionPerformed(EMSHaSftpSettings.java:216)
    at com.acme.ems.client.app.tools.EMSHaSftpSettings.access$000(EMSHaSftpSettings.java:28)
    at com.acme.ems.client.app.tools.EMSHaSftpSettings$1.actionPerformed(EMSHaSftpSettings.java:183)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
    at java.awt.Component.processMouseEvent(Unknown Source)
    at javax.swing.JComponent.processMouseEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.Dialog$1.run(Unknown Source)
    at java.awt.Dialog$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.awt.Dialog.show(Unknown Source)
    at com.acme.ems.client.utility.BasicDialog.showContainerInsideDialog(BasicDialog.java:103)
    at com.acme.ems.client.app.tools.EMSHaSftpSettings.init(EMSHaSftpSettings.java:322)
    at com.adventnet.nms.util.ConsumeKnownEvents.showTheFrame(ConsumeKnownEvents.java:197)
    at com.adventnet.nms.util.ConsumeKnownEvents.actionPerformed(ConsumeKnownEvents.java:103)
    at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
    at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
    at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
    at javax.swing.AbstractButton.doClick(Unknown Source)
    at javax.swing.plaf.basic.BasicMenuItemUI.doClick(Unknown Source)
    at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(Unknown Source)
    at java.awt.Component.processMouseEvent(Unknown Source)
    at javax.swing.JComponent.processMouseEvent(Unknown Source)
    at java.awt.Component.processEvent(Unknown Source)
    at java.awt.Container.processEvent(Unknown Source)
    at java.awt.Component.dispatchEventImpl(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
    at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
    at java.awt.Container.dispatchEventImpl(Unknown Source)
    at java.awt.Window.dispatchEventImpl(Unknown Source)
    at java.awt.Component.dispatchEvent(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)
    My understanding is, when invoking remote object's method from the client, the clientSocketFactory implementation will be called and an SSLSocket will be created for communication between remote server and client. In this case, my guess is somehow the createSocket() method of the clientSocketFactory is returning Null. The question is why????? Any help soon is appreciated.
    Note that we are doing this in a proxy set-up.

    I've made a similar post.
    I was able to get it working by doing the following
    Make sure to add an equals to your RMISocketFactory's
    something at least this
    public boolean equals(Object obj) {
        return obj != null && obj.getClass() == this.getClass();
    }
    I had to enable the following cipher suite SSL_DH_anon_WITH_RC4_128_MD5
    but this leads to a possible man in the middle attack.
    I posted to try and get that resolved. (see ssl lockup on handshake)
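
The reply above notes that an anonymous suite such as SSL_DH_anon_WITH_RC4_128_MD5 leaves the connection open to a man in the middle, because neither side proves its identity. The following is an added example, not code from the thread: an RMI server socket factory that refuses to enable such suites and carries the equals/hashCode pair the reply recommends. The class and method names are assumptions, the suite list in main is constructed from names that appear on this page, and dropping NULL and EXPORT suites as well goes beyond what the reply mentions.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.rmi.server.RMIServerSocketFactory;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Added example (hypothetical class name): server socket factory that only
// enables cipher suites in which the server authenticates itself.
public class AuthenticatedSuitesServerSocketFactory implements RMIServerSocketFactory {

    // Keep suites that authenticate the server and encrypt with full-strength keys.
    static String[] authenticatedOnly(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (int i = 0; i < suites.length; i++) {
            String s = suites[i];
            boolean anonymous = s.indexOf("_anon_") >= 0;    // no certificate: MITM possible
            boolean unencrypted = s.indexOf("_NULL_") >= 0;  // integrity only, no secrecy
            boolean export = s.indexOf("_EXPORT_") >= 0;     // deliberately weakened keys
            if (!anonymous && !unencrypted && !export) {
                kept.add(s);
            }
        }
        return kept.toArray(new String[0]);
    }

    public ServerSocket createServerSocket(int port) throws IOException {
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(port);
        String[] allowed = authenticatedOnly(ss.getEnabledCipherSuites());
        if (allowed.length == 0) {
            // Fail closed rather than fall back to an unauthenticated suite.
            ss.close();
            throw new IOException("no authenticated cipher suite is enabled");
        }
        ss.setEnabledCipherSuites(allowed);
        return ss;
    }

    // Same contract as in the reply: factories of the same class are equal.
    public boolean equals(Object obj) {
        return obj != null && obj.getClass() == this.getClass();
    }

    public int hashCode() {
        return getClass().hashCode();
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: suite names taken from the posts on this page.
        String[] offered = {
            "SSL_DH_anon_WITH_RC4_128_MD5",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
        };
        String[] kept = authenticatedOnly(offered);
        for (int i = 0; i < kept.length; i++) {
            System.out.println("kept: " + kept[i]);
        }

        // Port 0 lets the OS pick a free port; the socket is closed immediately.
        ServerSocket ss = new AuthenticatedSuitesServerSocketFactory().createServerSocket(0);
        System.out.println("listening socket created with "
                + ((SSLServerSocket) ss).getEnabledCipherSuites().length + " enabled suites");
        ss.close();
    }
}
```

With the anonymous suites gone, the handshake can only succeed when the server presents a certificate, so the server JVM needs a keystore configured.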

  • RMI with SSL server authentification

    Hello,
    Is it possible to implement an RMI over SSL client/server with only server authentication?
    I have currently got an RMI SSL client/server with mutual authentication. It includes that the client must have a keystore but I don't want that.
    If anybody has an idea, it's welcome.
    tjm

    Indeed I'm working to implement a keystorespi for the keystore and I would like
    In fact I'm working to implement myself a keystorespi for the keystore and I would like that only server use it and client have no keystore.
    It is possible

  • How write rmi-iiop over ssl with weblogic server 6.1 - No server found

    //New
    Hello,
    I have written an application like this:
    - An EJB server running on Weblogic server 6.1
    (named: BankServerHome)
    -A java client calling the BankServer.
    Platform: windows 2000 - jdk1.3
    Now I want to secure the communication with SSL protocol.
    I have done this:
    -generate a key peer with weblogic service named certificate.
    -send the CSR to a CA and place the answer into the weblogic
    server certificate directory.
    -update path for ServerCertificateChainFileName,
    ServerCertificateFileName, ServerKeyFileName into config.xml.
    -launch weblogicServer
         -> server certificate is recognized
         -> listening port 7001 and 7002.
    (-stop weblogicServer!)
    At now, all is all right, errors come hereafter:
    Then I follow the guideline "Programming weblogic Security" (version of 30/07/2001).
    "To use RMI over IIOP over SSL with a Java client, do the following:
    2. Extend the java.rmi.server.RMISocketFactory class to handle SSL socket
    connections. Be sure to specify the port on which WebLogic Server listens for
    SSL connections. For an example of a class that extends the
    java.rmi.server.RMISocketFactory class, see Listing 4-22.
    3. Run the ejbc compiler with the -d option.
    4. Add your extension of the java.rmi.server.RMISocketFactory class to the
    CLASSPATH of the Java client.
    5. Use the following command options when starting the Java client:
    -xbootclasspath/a:%CLASSPATH%
    -Dorg.omg.CORBA.ORBSocketFactoryClass=implementation of java.rmi.server.RMISocketFactory
    -Dssl.certs=directory location of digital certificate for Java client
    -Dssl.key=directory location of private key for Java client"
    At step 3. I found into documentation that -d is linked to a directory name.
    When I run ejbc with this option -d I have the message:
    "ERROR: You must specify an output directory or jar with the -d option to weblogic.ejbc."
    % So what option can I use to run ejbc for secure usage?
    At step 5. Whatever I write for -Dorg.omg.CORBA.ORBSocketFactoryClass,
    this pointed class is not instantiated.
    Then I can not create a socket with my client.
    The following exception is raised:
    javax.naming.CommunicationException [Root exception is java.net.ConnectException:
    No server found at T3S://localhost:7002]
    So, my questions are:
    % Why -Dorg.omg.CORBA.ORBSocketFactoryClass must be known by the client and not
    the server?
    My java client part, managing connection is:
    -------------------BEGIN OF CONNECTION MANAGER-------------------
    Properties env = new Properties ();
    // Shouldn't have to do this, but for now you must
    if ( factory.equals ("weblogic.jndi.WLInitialContextFactory") ) {
        env.put ("java.naming.provider.url", "t3s://localhost:7002");
    }
    InitialContext context = new InitialContext (env);
    BankSessionServerHome bssh = (BankServerHome) context.lookup("BankServerHome");
    BankServer = bssh.create();
    -------------------END OF CONNECTION MANAGER-------------------
    I have also tried
    env.put ("java.naming.provider.url", "corbaloc:iiop://localhost:7002");
    but it throws the following error
    javax.naming.InvalidNameException: url does not conatin !!!
    % What is the code for the java client allowing connection with the ejb?
    % And better, can I have a sample example for rmi-iiop over ssl?
    (...wlserver6.1\samples\examples\iiop\ejb\stateless\rmiclient\client.java do not
    speak ssl!)
    Any help from you will be appreciated...
    Best Regards.
    Oliver

    "oliver" writes:
    The SSL support is poorly doc'd right now. We have fixed this and
    updated the way you do things in SP2. Please either wait for SP2 or
    contact support.
    andy

  • How write rmi-iiop over ssl with weblogic server 6.1?

    Hello,
    I have written an application like this:
    - An EJB server running on Weblogic server 6.1
    (named: BankServerHome)
    -A java client calling the BankServer.
    Platform: windows 2000 - jdk1.4
    Now I want to secure the communication with SSL protocol.
    I have done this:
    -generate a key peer with weblogic service named certificate.
    -send the CSR to a CA and place the answer into the weblogic
    server certificate directory.
    -update path for ServerCertificateChainFileName,
    ServerCertificateFileName, ServerKeyFileName into config.xml.
    -launch weblogicServer
         -> server certificate is recognized
         -> listening port 7001 and 7002.
    (-stop weblogicServer!)
    At now, all is all right, errors come hereafter:
    Then I follow the guideline "Programming weblogic Security" (version of 30/07/2001).
    "To use RMI over IIOP over SSL with a Java client, do the following:
    2. Extend the java.rmi.server.RMISocketFactory class to handle SSL socket
    connections. Be sure to specify the port on which WebLogic Server listens for
    SSL connections. For an example of a class that extends the
    java.rmi.server.RMISocketFactory class, see Listing 4-22.
    3. Run the ejbc compiler with the -d option.
    4. Add your extension of the java.rmi.server.RMISocketFactory class to the
    CLASSPATH of the Java client.
    5. Use the following command options when starting the Java client:
    -xbootclasspath/a:%CLASSPATH%
    -Dorg.omg.CORBA.ORBSocketFactoryClass=implementation of java.rmi.server.RMISocketFactory
    -Dssl.certs=directory location of digital certificate for Java client
    -Dssl.key=directory location of private key for Java client"
    At step 3. I found into documentation that -d is linked to a directory name.
    When I run ejbc with this option -d I have the message:
    "ERROR: You must specify an output directory or jar with the -d option to weblogic.ejbc."
    % So what option can I use to run ejbc for secure usage?
    At step 5. Whatever I write for -Dorg.omg.CORBA.ORBSocketFactoryClass,
    this pointed class is not instantiated.
    Then I can not create a socket with my client.
    The following exception is raised:
    javax.naming.CommunicationException [Root exception is java.net.ConnectException:
    No server found at T3S://localhost:7002]
    So, my questions are:
    % Why -Dorg.omg.CORBA.ORBSocketFactoryClass must be known by the client and not
    the server?
    My java client part, managing connection is:
    -------------------BEGIN OF CONNECTION MANAGER-------------------
    Properties env = new Properties ();
    // Shouldn't have to do this, but for now you must
    if ( factory.equals ("weblogic.jndi.WLInitialContextFactory") ) {
    env.put ("java.naming.provider.url", "t3s://localhost:7002");
    } else {
    env.put ("java.naming.provider.url", "rmi://localhost:7002");
    }
    InitialContext context = new InitialContext (env);
    BankSessionServerHome bssh = (BankServerHome) context.lookup("BankServerHome");
    BankServer = bssh.create();
    -------------------END OF CONNECTION MANAGER-------------------
    % What is the code for the java client allowing connection with the ejb?
    % And better, can I have a sample example for rmi-iiop over ssl?
    (...wlserver6.1\samples\examples\iiop\ejb\stateless\rmiclient\client.java do not
    speak ssl!)
    Any help will be appreciated from you...
    Best Regards.
    Oliver

    "oliver" <[email protected]> writes:
    First off 1.4 isn't supported as yet. That is probably part of the problem.
    You also must use a corba URL from the client in order for this to work for instance:
    If you are using WLInitialContextFactory:
    corbaloc:iiop:localhost:7001/NameService
    If you are using CNCtxFactory:
    iiop://localhost:7001
    Using rmi: is the wrong thing to do - that will use jrmp or t3.
    However, I suggest that you raise a call with support since there is
    some other trickiness with getting SSL working. We hope to have this
    much improved in SP2.
    andy

  • How to connect Java Application to ORACLE8i over SSL connection

    Hi,
    I would like to know how to make an existent Java application connect to an ORACLE8i database over a secure SSL connection?
    Can I use ResultSets?
    Could you please tell me what parameters to set on the database and, especially, what new code must be added for the Java Application to send data over an SSL connection.
    Your advice/hints will be greatly appreciated.
    Vani

    Use the usual Oracle encryption. SSL configuration is a nightmare.
    // Register the Oracle thin driver.
    DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
    Properties props = new Properties();
    try {
        props.put("user", "scott");
        props.put("password","tiger");
        // Require Oracle network encryption and choose the cipher.
        props.put("oracle.net.encryption_client", "REQUIRED");
        props.put("oracle.net.encryption_server", "REQUIRED");
        props.put("oracle.net.encryption_types_client", "( RC4_56 )");
        props.put("oracle.net.encryption_types_server", "( RC4_56 )");
        // Require the integrity checksum and choose its algorithm.
        props.put("oracle.net.crypto_checksum_client", "REQUIRED");
        props.put("oracle.net.crypto_checksum_server", "REQUIRED");
        props.put("oracle.net.crypto_checksum_types_client", "( MD5 )");
        props.put("oracle.net.crypto_checksum_types_server", "( MD5 )");
        props.put("sqlnet.crypto_seed", "769764576979045769576907");
    } catch (Exception e) { e.printStackTrace(); }
    // The connect descriptor needs balanced parentheses; the closing one for DESCRIPTION was missing.
    Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=orcl)(PORT =1521)))(SDU=32767)(CONNECT_DATA=(SERVICE_NAME=orcl)(SID=orcl)))", props);
    Statement stmt = conn.createStatement ();
    ResultSet rset = stmt.executeQuery ("select ENAME from EMP");
    while (rset.next ())
        System.out.println (rset.getString (1));
    rset.close();
    stmt.close();
    conn.close();

  • Java.lang.ArrayIndexOutOfBoundsException when using SOAP over SSL

    Looks like a strange thing. I am using MS SOAP Toolkit 2.0 sp2 to make SOAP calls
    to Weblogic (Win2000, 6.1) over SSL. On Weblogic I have an RPC service (EJB).
    I'm getting
    <Mar 26, 2002 9:14:56 PM EST> <Error> <HTTP> <Connection failure
    java.lang.ArrayIndexOutOfBoundsException
    at weblogic.security.SSL.GenericCipher.input(GenericCipher.java:216)
    at weblogic.security.SSL.SSLCiphertext.input(SSLCiphertext.java:65)
    at weblogic.security.SSL.SSLSocket.getRecord(SSLSocket.java:1030)
    at weblogic.security.SSL.RecordInputStream.getData(RecordInputStream.java:109)
    at weblogic.security.SSL.RecordInputStream.read(RecordInputStream.java:51)
    at weblogic.socket.SSLFilter.isMessageComplete(SSLFilter.java:182)
    at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:605)
    at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:24)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:139)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
    But what's interesting, it's actually working. I am getting data as expected.
    Any idea what it could be?
    Thanks,
    Serge


  • WebServices over SSL - 403 Forbidden error

    Hello all,
    I am able to successfully communicate with a SSL enabled .NET webservice using apache-axis in my java code. However, when I
    try the same with weblogic based libs [%bea_home%\server\lib\webserviceclient+ssl.jar] - assume the other jars are ok, I get
    the following exception stack trace:
    Disabling strict checking on adapter weblogic.webservice.client.WLSSLAdapter@55a338
    Set TrustManager to weblogic.webservice.client.BaseWLSSLAdapter$NullTrustManager@fdb00d
    Set HostnameVerifier to weblogic.webservice.client.WLSSLAdapter$NullVerifier@131303f
    Disabling strict checking on adapter weblogic.webservice.client.WLSSLAdapter@6b9c84
    Set TrustManager to weblogic.webservice.client.BaseWLSSLAdapter$NullTrustManager@e1eea8
    Set HostnameVerifier to weblogic.webservice.client.WLSSLAdapter$NullVerifier@131303f
    Got new socketfactory javax.net.ssl.impl.SSLSocketFactoryImpl@18f51f
    Connecting to:www.abc.com port:443
    socket:Socket[addr=www.abc.com/12.345.67.89,port=443,localport=4802]com.certicom.tls.interfaceimpl.TLSConnectionImpl@e35bb7
    Warning: cert chain incomplete
    Warning: cert chain untrusted
    Warning: subject (www.abc.com, OU=Terms of use at www.verisign.com/rpa (c)00, OU=ABC 1, O=ABC inc, L=abc, ST=abc, C=abc) does
    not match server name (null)
    <Jul 27, 2004 10:52:49 AM GMT+05:30> <Info> <WebService> <BEA-220025> <Handler weblogic.webservice.core.handler.ClientHandler
    threw an exception from its handleResponse method. The exception was:
    javax.xml.rpc.JAXRPCException: weblogic.webservice.util.AccessException: The server at
    https://www.abc.com/abcdef/ABCWebService.asmx?WSDL returned a 403 error code (Forbidden). Please ensure that your URL is
    correct and that the correct protocol is in use..>
    A RemoteException has been thrown
    java.rmi.RemoteException: SOAP Fault:javax.xml.rpc.soap.SOAPFaultException: The server at
    https://www.abc.com/abcdef/ABCWebService.asmx?WSDL returned a 403 error code (Forbidden). Please ensure that your URL is
    correct and that the correct protocol is in use.
    Detail:
    <detail>
    <bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webservice/fault/1.0.0">
    </bea_fault:stacktrace>weblogic.webservice.util.AccessException: The server at
    https://www.abc.com/abcdef/ABCWebService.asmx?WSDL returned a 403 error code (Forbidden). Please ensure that your URL is
    correct and that the correct protocol is in use.
         at weblogic.webservice.binding.soap.HttpClientBinding.handleErrorResponse(HttpClientBinding.java:371)
         at weblogic.webservice.binding.soap.HttpClientBinding.receive(HttpClientBinding.java:233)
         at weblogic.webservice.core.handler.ClientHandler.handleResponse(ClientHandler.java:63)
         at weblogic.webservice.core.HandlerChainImpl.handleResponse(HandlerChainImpl.java:230)
         at weblogic.webservice.core.ClientDispatcher.receive(ClientDispatcher.java:229)
         at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:144)
         at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:444)
         at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:430)
         at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:270)
         at com.webservice.abc.client.proxy.ABCWebserviceSoap_Stub.getABC(ABCWebserviceSoap_Stub.java:113)
         at com.webservice.abc.client.ABC_WS_Client.main(ABC_WS_Client.java:158)
    </detail>; nested exception is:
         javax.xml.rpc.soap.SOAPFaultException: The server at https://www.abc.com/abcdef/ABCWebService.asmx?WSDL returned a
    403 error code (Forbidden). Please ensure that your URL is correct and that the correct protocol is in use.
         at com.webservice.abc.client.proxy.ABCWebserviceSoap_Stub.getABC(ABCWebserviceSoap_Stub.java:118)
         at com.webservice.abc.client.ABC_WS_Client.main(ABC_WS_Client.java:158)
    Caused by: javax.xml.rpc.soap.SOAPFaultException: The server at https://www.abc.com/abcdef/ABCWebService.asmx?WSDL returned a
    403 error code (Forbidden). Please ensure that your URL is correct and that the correct protocol is in use.
         at weblogic.webservice.core.ClientDispatcher.receive(ClientDispatcher.java:285)
         at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:144)
         at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:444)
         at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:430)
         at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:270)
         at com.webservice.abc.client.proxy.ABCWebserviceSoap_Stub.getABC(ABCWebserviceSoap_Stub.java:113)
         ... 1 more

    Hi All,
    I am new to webservice programming. I am trying to consume webservice over https. I am using weblogic 8.1 sp2. I am getting http 403 forbidden error. From the log it seems that ssl handshaking is completing.
    Algorithm: [MD2withRSA]
    <Jan 30, 2006 11:39:29 AM GMT+05:30> <Debug> <TLS> <000000> <SSLTrustValidator returns: 0>
    <Jan 30, 2006 11:39:29 AM GMT+05:30> <Debug> <TLS> <000000> <Trust status (0): NONE>
    <Jan 30, 2006 11:39:29 AM GMT+05:30> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHelloDone>
    <Jan 30, 2006 11:39:29 AM GMT+05:30> <Debug> <TLS> <000000> <write HANDSHAKE offset = 0 length = 134>
    <Jan 30, 2006 11:39:29 AM GMT+05:30> <Debug> <TLS> <000000> <write CHANGE_CIPHER_SPEC offset = 0 length = 1>
    <Jan 30, 2006 11:39:29 AM GMT+05:30> <Debug> <TLS> <000000> <write HANDSHAKE offset = 0 length = 16>
    <Jan 30, 2006 11:39:29 AM GMT+05:30> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Jan 30, 2006 11:39:29 AM GMT+05:30> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Jan 30, 2006 11:39:29 AM GMT+05:30> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 readRecord()>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 SSL3/TLS MAC>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 received CHANGE_CIPHER_SPEC>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 readRecord()>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 SSL3/TLS MAC>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 received HANDSHAKE>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Finished>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <write APPLICATION_DATA offset = 0 length = 304>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <write APPLICATION_DATA offset = 0 length = 558>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 read( offset: 0 length: 2048 )>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <isMuxerActivated: false>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 readRecord()>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 SSL3/TLS MAC>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 received APPLICATION_DATA>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 APPDATA databufferLen 0>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 APPDATA contentLength 1907>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 read databufferLen 1907>
    <Jan 30, 2006 11:39:30 AM GMT+05:30> <Debug> <TLS> <000000> <5564590 read A returns 1907>
    javax.xml.soap.SOAPException: Failed to send message: weblogic.webservice.util.AccessException: The server at https://www.3pv.net/3PVWebServices/3PVWebServices.asmx?wsdl returned a 403 error code (Forbidden). Please ensure that your URL is correct and that the correct protocol is in use.
    at weblogic.webservice.core.soap.SOAPConnectionImpl.call(SOAPConnectionImpl.java:61)
    at com.ceon.pencor.threepv.ThreePVUtils.sendOrderRequest(ThreePVUtils.java:350)
    at com.ceon.pencor.threepv.ThreePVAdapterImpl.sendThreePVRequest(ThreePVAdapterImpl.java:119)
    at com.ceon.pencor.threepv.ThreePVAdapterImpl_ydsnbq_EOImpl.sendThreePVRequest(ThreePVAdapterImpl_ydsnbq_EOImpl.java:46)
    at com.ceon.pencor.threepv.ThreePVAdapterImpl_ydsnbq_EOImpl_WLSkel.invoke(Unknown Source)
    at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:477)
    at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:108)
    at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:420)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:353)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:144)
    at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:415)
    at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:30)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
    Caused by: weblogic.webservice.util.AccessException: The server at https://www.3pv.net/3PVWebServices/3PVWebServices.asmx?wsdl returned a 403 error code (Forbidden). Please ensure that your URL is correct and that the correct protocol is in use.
    at weblogic.webservice.binding.http11.Http11ClientBinding.handleErrorResponse(Http11ClientBinding.java:136)
    at weblogic.webservice.binding.http11.Http11ClientBinding.receive(Http11ClientBinding.java:220)
    at weblogic.webservice.core.soap.SOAPConnectionImpl.call(SOAPConnectionImpl.java:57)
    ... 13 more
    ERROR : Exception is occurred during connecting url:https://www.3pv.net/3PVWebServices/3PVWebServices.asmx?wsdl
    Please help...
    Cordially
    Sandip
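
The client log in the first post of this thread records two separate facts: certificate validation was switched off on the client (`NullTrustManager`, `NullVerifier`), and the server returned an HTTP status, which is only possible once the TLS handshake has completed. The following is an added example, not code from either post: a Python triage that extracts both facts from such a log, including messages wrapped across lines. The sample lines are shortened from the first post; the rule names and the `triage`/`assess` helpers are assumptions of this example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line code detail")

# (code, pattern) pairs. The message wording is taken from the WebLogic
# web-service client log quoted in the thread; the codes are this example's own.
RULES = [
    ("strict-checking-off",
     re.compile(r"Disabling strict checking on adapter (\S+)")),
    ("trust-manager-null",
     re.compile(r"Set TrustManager to (\S*NullTrustManager\S*)")),
    ("hostname-verifier-null",
     re.compile(r"Set HostnameVerifier to (\S*NullVerifier\S*)")),
    ("chain-warning",
     re.compile(r"Warning: cert chain (incomplete|untrusted)")),
    ("name-mismatch",
     re.compile(r"Warning: subject \((.*?)\) does not match server name \((.*?)\)")),
    ("http-status",
     re.compile(r"returned a (\d{3}) error code")),
]

VALIDATION_OFF = {"strict-checking-off", "trust-manager-null",
                  "hostname-verifier-null"}
CERT_PROBLEM = {"chain-warning", "name-mismatch"}

# Sample input, shortened from the first post in this thread.
SAMPLE_LOG = """\
Disabling strict checking on adapter weblogic.webservice.client.WLSSLAdapter@55a338
Set TrustManager to weblogic.webservice.client.BaseWLSSLAdapter$NullTrustManager@fdb00d
Set HostnameVerifier to weblogic.webservice.client.WLSSLAdapter$NullVerifier@131303f
Connecting to:www.abc.com port:443
Warning: cert chain incomplete
Warning: cert chain untrusted
Warning: subject (www.abc.com, OU=Terms of use at www.verisign.com/rpa (c)00, O=ABC inc) does
not match server name (null)
javax.xml.rpc.JAXRPCException: weblogic.webservice.util.AccessException: The server at
https://www.abc.com/abcdef/ABCWebService.asmx?WSDL returned a 403 error code (Forbidden).
"""


def triage(log_text):
    """Return the findings in log order.

    Newlines are replaced by spaces before matching, so a message that was
    wrapped at a space still matches. The replacement keeps every character
    offset unchanged, which lets each match be mapped back to the line on
    which it starts.
    """
    text = log_text.replace("\r\n", "\n")
    flat = text.replace("\n", " ")
    hits = []
    for code, pattern in RULES:
        for m in pattern.finditer(flat):
            line = text.count("\n", 0, m.start()) + 1
            # The last capture group carries the most useful detail:
            # class name, warning kind, server name seen, or status code.
            hits.append((m.start(), Finding(line, code, m.group(m.lastindex))))
    return [finding for _, finding in sorted(hits)]


def assess(findings):
    """Summarise what the findings say about the connection."""
    codes = {f.code for f in findings}
    validation_off = bool(codes & VALIDATION_OFF)
    cert_problem = bool(codes & CERT_PROBLEM)
    statuses = [f.detail for f in findings if f.code == "http-status"]
    return {
        # The client was configured to accept any certificate or host name.
        "validation_disabled": validation_off,
        # Certificate warnings were logged and nothing enforced them, so the
        # server's identity was never established.
        "peer_unauthenticated": validation_off and cert_problem,
        # An HTTP status can only arrive after the handshake has finished,
        # so the refusal comes from the HTTP layer, not from TLS.
        "failure_layer": "http" if statuses else "undetermined",
        "http_status": statuses[0] if statuses else None,
    }


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for finding in results:
        print(f"line {finding.line:>2}  {finding.code:<24} {finding.detail}")
    print(assess(results))
```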

  • BAD_CERTIFICATE error calling a web service over SSL in ALSB 2.6

    We have a business service on an ALSB 2.6 server (running on WL 9.2.1) that connects to a web service over SSL. When we try to run it, we get the following exception:
    <Sep 17, 2009 7:49:17 AM PDT> <Error> <ALSB Kernel> <BEA-380001> <Exception on TransportManagerImpl.sendMessageToService, com.bea.wli.sb.transports.TransportException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
    com.bea.wli.sb.transports.TransportException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
    at com.bea.wli.sb.transports.TransportException.newInstance(TransportException.java:146)
    at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.send(HttpOutboundMessageContext.java:310)
    at com.bea.wli.sb.transports.http.HttpsTransportProvider.sendMessageAsync(HttpsTransportProvider.java:435)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    Truncated. see log file for complete stacktrace
    javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
    at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
    Truncated. see log file for complete stacktrace
    This exception only occurs when hitting the web service through the bus. I have written a standalone Java application that posts to the web service and it works fine. I ran the application on the server where the ALSB is running using the same jdk (1.5.0_06 - the version that ships with 9.2.1) and the same cacerts file so I know it's not a problem with the certificate not being trusted. I have tried updating the cacerts file to the latest one distributed with JRE 1.6 and it still doesn't work.
    After 8 hours of troubleshooting, I'm out of ideas. Does anyone have any suggestions?
    Thanks.
    Matt
    Edited by: user6946981 on Sep 17, 2009 7:58 AM

    Are you sure that your standalone application is using the same keystore (eg. cacert)? Default WebLogic configuration uses different keystore (demo).
    I saw BAD_CERTIFICATE error only once and the cause was in keytool that somehow corrupted certificate during import. Deleting and importing certificate again helped me, but I doubt you have the same problem as your standalone application works.
    Another idea ... Is hostname verification used? I know that the error message would look different if this was the cause, but try to add this parameter to your weblogic startup script: -Dweblogic.security.SSL.ignoreHostnameVerification=true
    Last but not least, there is difference between your standalone application and ALSB runtime as WebLogic uses Certicom SSL provider. If you don't find the reason, contact Oracle support. Maybe they can help you to tweak Certicom provider in some way.

  • Web Service over SSL failing in BEA Workshop

    I have deployed a web service on weblogic 9.2
    I have enabled one-way ssl on it. got a trial ssl certificate from verisign. installed them on the keystore/truststore on the server as well as the jre (cacerts and jssecacerts truststores) being used by the client. the client is on different machine than the server.
    i have developed the service through 'bea weblogic workshop 9.2' now when i try to test the service through the 'web services explorer' within bea weblogic workshop i receive the following error:
    IWAB0135E An unexpected error has occurred.
    IOException
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    on server:
    <Jul 13, 2009 6:45:44 PM EDT> <Warning> <Security> <BEA-090485> <CERTIFICATE_UNKNOWN alert was received from yunus.l1id.local - 10.10.2.72. The peer has an unspecified issue with the certificate. SSL debug tracing should be enabled on the peer to determine what the issue is.>
    if i try to access the web service (over ssl) through the browser (ie/firefox), it works fine. i have generated a proxy class to access this web service through the same bea workshop and that works fine too. certificates are identified and all. i also created a small .net (c#) application that calls this secure web service over ssl from another machine and it works fine too!
    of course non-secure url for the web service is working fine in every case.
    what can be the reason for this failing only in 'web services explorer' in bea workshop?
    cross posted at: http://www.coderanch.com/t/453879/Web-Services/java/Web-Service-over-SSL-failing
    thanks.

    Hello,
    I used this example, when I made my experiments with SSL and Glassfish (GF):
    http://java.sun.com/developer/EJTechTips/2006/tt0527.html#1
    If you have problems with GF I suggest to post a message here:
    http://forums.java.net/jive/forum.jspa?forumID=56
    e.g. here is one thread:
    http://forums.java.net/jive/thread.jspa?threadID=59993&tstart=0
    Miro.

  • AD Password Sync connector 9.1.1 With OIM 11g R2 - ERROR OVER SSL

    I have set up AD password sync with from AD to OIM 11G R2
    The password syncs from AD to OIM 11G R2 on non ssl port 389.
    But it fails on SSL Port 636.
    Errors in OIMMain.Log:
    Debug [10/11/2012 10:49:34 AM] Inside ConnectToADSI
    Debug [10/11/2012 10:49:34 AM]
    ldap_connect failed with
    Debug [10/11/2012 10:49:34 AM] Server Down
    Debug [10/11/2012 10:49:34 AM]
    Steps Carried Out thus far:
    AD is up and running.
    Configured AD Password Sync Connector on 636 and selected ssl.
    Created Certificate on OIM host, configured custom identity key store on weblogic. Restarted Weblogic.
    Imported Certificate to AD. After this, restarted the AD
    I can Telnet port 636 from OIM Box and also connect to AD through LDAP Browser on 636 and view OU and CN, so this seems fine.
    Provisioning from OIM through Connector Server to AD works over SSL and this works fine.
    Help would be appreciated.
    Many Thanks

    This question has now been fixed.
    Instead of explicitly stating 636 for SSL,
    Use the same port 389 for ssl and also configured oim port to be 140001 which is the ssl port for oim in the configuration of OIM Password Sync.
    Export Certificates from AD to java security keystore and to weblogic keystore
    Export .pem certificate created on OIM host machine to AD.
    Restart weblogic, oim and AD
    Everything would work fine.
    For all the other information, refer to doc.
    Thanks

  • What are the limitations of using RMI over http with EJB?

    We have a requirement for an intranet application where the majority of the clients
    (Swing clients) will be able to connect directly using either T3 or IIOP. However,
    there are a number of clients that will need to traverse a firewall.
    We could use SOAP, but I don't want to lose the value that RMI gives us (clustering,
    security, statefulness support etc). I am thinking of using RMI over http - which
    Weblogic supports.
    I have been trying to find some documentation on the topic - but haven't succeeded
    so far. What I would like to understand is: What limitations I would have using
    RMI over http. Do I lose anything (apart from performance) using http?
    Regards,
    Nick

    You will have to enable tunneling on the server side and I have not heard of any
    complaints of using it.
    Shiva.
    Nick Minutello wrote:
    In fact, we are not using applets - and it's not an internet application. We are
    using Java Webstart and Swing on our intranet (the problem of the size of the
    weblogic.jar is a pain - but well known)
    The question for me is; Apart from performance, are there any limitations to using
    RMI over http?
    Can we also use JMS over http?
    -Nick
    Shiva Paranandi <[email protected]> wrote:
    "Old wine new bottle".
    The biggest problem with the approach of Applets like stuff connecting to weblogic is the size of the classes that need to be supplied to the users. The applets/swing would need a lot of weblogic classes which you need to supply as jar file. This file can be in the order of MBs depending on the weblogic version. We had a similar kind of problem and migrated the applets to use servlets instead of directly invoking ejbs or jms topics etc. Having the applets connect to servlets you would still benefit from the features of clustering etc. and added to that you would reduce the number of remote calls.
    Shiva.
    Nick Minutello wrote:
    We have a requirement for an intranet application where the majority of the clients
    (Swing clients) will be able to connect directly using either T3 or IIOP. However,
    there are a number of clients that will need to traverse a firewall.
    We could use SOAP, but I don't want to lose the value that RMI gives us (clustering,
    security, statefulness support etc). I am thinking of using RMI over http - which
    Weblogic supports.
    I have been trying to find some documentation on the topic - but haven't succeeded
    so far. What I would like to understand is: What limitations I would have using
    RMI over http. Do I lose anything (apart from performance) using http?
    Regards,
    Nick

  • WebDAV not working over SSL on CSS11503

    SOME HISTORY
    As you may recall we had an issue with interoperability between our WebCT Vista application and the Cisco CSS11503 Load Balancer. In a nutshell the Load Balancer would inject custom HTTP headers into HTTP packets, but only into the first HTTP packet of a TCP session. With your help we've learned that Cisco will change this in the August release of the CSS software.
    OUR NEW PROBLEM
    We are now having a related problem. In short, we cannot get WebDav to work over SSL. That is, when we connect from Client to Load Balancer via SSL, and then Load Balancer to Web Server via plaintext, our application fails. Conversely, when we maintain a clear text connection straight through from Client to Web server, WebDav works.
    After doing some network traces of WebDav connections both with and without SSL I think we've discovered the cause of the problem: the Load Balancer fails to add our custom HTTP header "WL-Proxy-SSL: true" to HTTP "PROPFIND" requests, even though it correctly adds them to the HTTP "OPTIONS" requests.
    HOW WE CONFIGURED THE LOAD BALANCER
    We configured our Load Balancer with the Global configuration of
    http-method parse RFC2518-methods
    and with the command
    ssl-server 20 http-header static "WL-Proxy-SSL: true"
    so that the header "WL-Proxy-SSL: true" will be passed with the HTTP headers used for WebDav as well as with the 'standard' HTTP headers "GET, POST, HEAD", etc.
    Below is the relevant passage from the "CSS Command Reference" at
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_750/cmdrefgd/cmdgloba.htm#wp1432749
    ======================================================================
    "By default, a Layer 5 content rule supports the HTTP CONNECT, GET, HEAD, POST, and PUT methods. Unless configured, the CSS recognizes and forwards the following HTTP methods directly to the destination server in a transparent caching environment, but does not load balance them:
    OPTIONS, TRACE, PROPFIND, PROPPATCH, MKCOL, MOVE, LOCK, UNLOCK, COPY, and DELETE.
    When you enable the CSS to support all RFC-2518 methods, the CSS parses the Request-URI field in an attempt to match a Layer 5 rule. If the contents of the Request-URI field are not in a compliant format of an absolute URI or an absolute path, the CSS tries to match the field to the next best wildcard ("/*") rule. If the match fails, the CSS attempts to match the Layer 4 rule, and then the Layer 3 rule."
    ========================================================================
    I interpret this to mean that when we configure "http-method parse RFC2518-methods" that the load balancer will treat all the HTTP headers in the group "OPTIONS, TRACE, PROPFIND, ...", etc the same as the "standard" HTTP headers "GET, POST, HEAD", etc.
    As I said earlier, our network traces show that the "WL-Proxy-SSL: true" header is present in the HTTP header OPTIONS but *not* in the header "PROPFIND".
    A BUG IN THE CSS COMMAND PROCESSOR?
    By my reckoning, this behaviour must be a bug in the CSS Command processor, because whatever the CSS does for the "OPTIONS" header it should also do for the "PROPFIND" header.
    ATTACHMENTS
    I've included three attachments.
    trace.txt
    - text output from Ethereal of the network trace
    on the web server, with comments.
    webdav.ssl.snoop
    - the original network trace in Sun's 'snoop' format.
    css.2.cfg
    - the running configuration on the CSS11503
    Thanks in advance for your help.
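
    The per-method comparison described in the post above can be automated over a reassembled plaintext stream captured on the web server side. This is an added example, not part of the original post; the sample stream, host name and function names are constructed for illustration.

```python
from collections import defaultdict

HEADER = "wl-proxy-ssl"  # header from the post, compared case-insensitively

# Constructed sample (not the poster's trace): one keep-alive stream as the
# web server would receive it in plaintext from the load balancer.
BODY = b'<?xml version="1.0"?><propfind xmlns="DAV:"><allprop/></propfind>'
SAMPLE_STREAM = (
    b"OPTIONS /webdav/ HTTP/1.1\r\nHost: vista.example\r\n"
    b"WL-Proxy-SSL: true\r\n\r\n"
    b"PROPFIND /webdav/ HTTP/1.1\r\nHost: vista.example\r\nDepth: 1\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY
    + b"GET /webdav/a.txt HTTP/1.1\r\nHost: vista.example\r\n"
    b"wl-proxy-ssl: true\r\n\r\n"
)


def split_requests(stream):
    """Yield (method, headers) for each request in a reassembled stream."""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # truncated capture: stop rather than guess
        lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        method = lines[0].split(" ", 1)[0]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield method, headers
        # Skip the body so PROPFIND XML is not read as the next request line.
        pos = end + 4 + int(headers.get("content-length", "0"))


def header_coverage(stream):
    """Return {method: [requests_with_header, total_requests]}."""
    stats = defaultdict(lambda: [0, 0])
    for method, headers in split_requests(stream):
        stats[method][1] += 1
        if headers.get(HEADER, "").lower() == "true":
            stats[method][0] += 1
    return dict(stats)


def methods_missing_header(stream):
    """Methods for which at least one request arrived without the header."""
    cov = header_coverage(stream)
    return sorted(m for m, (hit, total) in cov.items() if hit < total)
```

    Only bodies framed with Content-Length are skipped; a capture that uses chunked transfer encoding would need that framing handled as well.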

    Hi
    I finally discovered what the issue is here. It appears that in case of unsigned applets, the code is unable to access SunJCE provider which contains most of the ciphers used by SSL protocol. This means that a session with SSL server is broken and effectively applet is not initialised.
    This problem is related to configuration of JRE under linux due to export control restrictions. Unfortunately I don't know how to make the JRE use SunJCE by default.
    As a workaround I have set up the following policies using Policy Manager:
    // No codeBase or signedBy clause: each grant applies to all code.
    grant {
        permission java.security.SecurityPermission "putProviderProperty.SunJCE";
    };
    grant {
        permission java.lang.RuntimePermission "getProtectionDomain";
    };
    grant {
        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
    };
    I don't know how insecure my actions are, but this definitely fixed problems with applets under SSL / HTTPS.
    Feel free to send me your ideas how to fix this issue in a more elegant way.
    Best,
    Marcin
