OSB: Implementing 2 way ssl for a particular proxy

Hi All,
We have a requirement to implement 2-way SSL support for one of our OSB proxies and 1-way SSL support for all other proxies in our project.
We have enabled HTTPS on OSB and configured 2-way SSL on the WebLogic server. It is working fine.
But the 2-way SSL configuration on the WebLogic server impacts all other proxy services deployed on that node. Because of the WebLogic configuration "Two Way Client Cert Behavior: Client Certs Requested and Enforced", the server expects all requests to present the client certificate.
But our requirement is that only 1 proxy service should enforce 2-way SSL; all other proxies should only support 1-way SSL (server authentication).
Is there any way to implement our requirement?
We want to configure WebLogic with "Two Way Client Cert Behavior: Client Certs Requested But Not Enforced" or "Client Certs Not Requested" and then enforce the client certificate in the proxy service.
Is it possible to implement? If so, can anyone help to explain the steps?
Thanks in advance
Edited by: user13109986 on Oct 24, 2012 9:30 AM

It is a domain-wide setting. Can you not create a new domain? I do not think that you can handle it from web.xml. I have never seen such a thing in web.xml.

Similar Messages

  • I am having trouble implementing one-way SSL on WebLogic 9.2...

    I am having trouble implementing one-way SSL on WebLogic 9.2. I am using Demo Identity and Demo Trust certificates with an SSL Listen Port enabled on 7002, and a Two Way Client Cert Behavior of Client Certs Not Requested. I assume that by using Client Certs Not Requested there is no need to install certificates on users' computers.
    When weblogic is restarted, I get the following log telling me it works...
    <Sep 11, 2012 9:35:16 AM PDT> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file E:\bea\WEBLOG~1\server\lib\DemoIdentity.jks.>
    <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file E:\bea\WEBLOG~1\server\lib\DemoTrust.jks.>
    <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file e:\bea\jdk150_12\jre\lib\security\cacerts.>
    <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.9.20.172:7000 for protocols iiop, t3, ldap, http.>
    <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 10.9.20.172:7002 for protocols iiops, t3s, ldaps, https.>
    However, when I open the console in https://server:7002/console, I get the following error in log file...
    <Sep 11, 2012 9:43:45 AM PDT> <Warning> <Security> <BEA-090481> <NO_CERTIFICATE alert was received from x.y.z.com - 10.37.10.54. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
    <Sep 11, 2012 9:43:45 AM PDT> <Warning> <Security> <BEA-090508> <Certificate chain received from x.y.z.com - 10.37.10.54 was incomplete.>
    I do not understand why I am getting this error when I assume there is no need to install certificates on users' computers. Can someone please explain what is going on? Thanks in advance.

    <?xml version='1.0' encoding='UTF-8'?>
    <domain xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xsi:schemaLocation="http://www.bea.com/ns/weblogic/90/security/extension http://www.bea.com/ns/weblogic/90/security.xsd http://www.bea.com/ns/weblogic/90/security/xacml http://www.bea.com/ns/weblogic/90/security/xacml.xsd http://www.bea.com/ns/weblogic/90/security http://www.bea.com/ns/weblogic/90/security.xsd http://www.bea.com/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd http://www.bea.com/ns/weblogic/90/security/wls http://www.bea.com/ns/weblogic/90/security/wls.xsd">
    <name>nctcis</name>
    <domain-version>9.2.3.0</domain-version>
    <security-configuration>
    <name>nctcis</name>
    <realm>
    <sec:authentication-provider xsi:type="wls:default-authenticatorType">
    <sec:name>DefaultAuthenticator</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    </sec:authentication-provider>
    <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:name>DefaultIdentityAsserter</sec:name>
    <sec:active-type>AuthenticatedUser</sec:active-type>
    </sec:authentication-provider>
    <sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
    <sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
    <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
    <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
    <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
    <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
    <sec:name>myrealm</sec:name>
    </realm>
    <default-realm>myrealm</default-realm>
    <anonymous-admin-lookup-enabled>true</anonymous-admin-lookup-enabled>
    <credential-encrypted>{3DES}PyUkjWRp8JGpk75BYSbvQ6OWYgA9SZq2nj2IuENa2vxrMy835GMRZ+GGKhJiWapjt0mMC2ohcxxlIMNUZJUH2gCjbB5kQUmA</credential-encrypted>
    <node-manager-username>system</node-manager-username>
    <node-manager-password-encrypted>{3DES}KmaZDZGQC6spYVY12CbJGA==</node-manager-password-encrypted>
    </security-configuration>
    <jta>
    <timeout-seconds>1800</timeout-seconds>
    <abandon-timeout-seconds>3600</abandon-timeout-seconds>
    <max-transactions>100000</max-transactions>
    <max-resource-unavailable-millis>100000</max-resource-unavailable-millis>
    </jta>
    <log>
    <name>nctcis</name>
    <file-name>e:/netcracker/logs/wl-domain.log</file-name>
    <file-min-size>5120</file-min-size>
    </log>
    <server>
    <name>nctcisAdmin</name>
    <ssl>
    <enabled>true</enabled>
    <hostname-verifier xsi:nil="true"></hostname-verifier>
    <hostname-verification-ignored>false</hostname-verification-ignored>
    <client-certificate-enforced>true</client-certificate-enforced>
    <two-way-ssl-enabled>false</two-way-ssl-enabled>
    <server-private-key-alias>tcisdevbpagov_cert</server-private-key-alias>
    <server-private-key-pass-phrase-encrypted>{3DES}T21dXO5l79SRI+xSmGOE+A==</server-private-key-pass-phrase-encrypted>
    <use-server-certs>false</use-server-certs>
    </ssl>
    <log>
    <name>nctcisAdmin</name>
    <file-name>e:/netcracker/logs/weblogic.log</file-name>
    <file-min-size>5120</file-min-size>
    </log>
    <listen-port>7000</listen-port>
    <web-server>
    <name>nctcisAdmin</name>
    <web-server-log>
    <name>nctcisAdmin</name>
    <file-name>e:/netcracker/logs/access.log</file-name>
    <file-min-size>5120</file-min-size>
    </web-server-log>
    </web-server>
    <listen-address>tcis.dev.bpa.gov</listen-address>
    <key-stores>DemoIdentityAndDemoTrust</key-stores>
    <custom-identity-key-store-file-name>E:\bea\jdk150_12\bin\tcisdevbpagov_identity.jks</custom-identity-key-store-file-name>
    <custom-identity-key-store-type>JKS</custom-identity-key-store-type>
    <custom-identity-key-store-pass-phrase-encrypted>{3DES}T21dXO5l79SRI+xSmGOE+A==</custom-identity-key-store-pass-phrase-encrypted>
    <custom-trust-key-store-file-name>E:\bea\jdk150_12\bin\tcisdevbpagov_trust.jks</custom-trust-key-store-file-name>
    <custom-trust-key-store-type>JKS</custom-trust-key-store-type>
    <custom-trust-key-store-pass-phrase-encrypted>{3DES}I++r0/FEMRGFrqF47pYZJA==</custom-trust-key-store-pass-phrase-encrypted>
    </server>
    <embedded-ldap>
    <name>nctcis</name>
    <credential-encrypted>{3DES}i51JYfmoGyFTxPjiCjjtXWwza1t13k56Ls7fmdqtKB0=</credential-encrypted>
    </embedded-ldap>
    <configuration-version>9.2.3.0</configuration-version>
    <app-deployment>
    <name>NetCracker</name>
    <target>nctcisAdmin</target>
    <module-type>ear</module-type>
    <source-path>applications\NetCracker</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    <staging-mode>nostage</staging-mode>
    </app-deployment>
    <app-deployment>
    <name>pictures</name>
    <target>nctcisAdmin</target>
    <module-type>war</module-type>
    <source-path>e:\pictures</source-path>
    <security-dd-model>DDOnly</security-dd-model>
    <staging-mode>nostage</staging-mode>
    </app-deployment>
    <jms-server>
    <name>NCJMSServer</name>
    <target>nctcisAdmin</target>
    <temporary-template-resource>NCJMSModule</temporary-template-resource>
    <temporary-template-name>NetCrackerTemplate</temporary-template-name>
    <message-buffer-size>100000</message-buffer-size>
    </jms-server>
    <self-tuning>
    <max-threads-constraint>
    <name>MaxThreadsConstraint</name>
    <target>nctcisAdmin</target>
    <count>40</count>
    </max-threads-constraint>
    <work-manager>
    <name>default</name>
    <target>nctcisAdmin</target>
    <max-threads-constraint>MaxThreadsConstraint</max-threads-constraint>
    <work-manager-shutdown-trigger>
    <stuck-thread-count>1000</stuck-thread-count>
    </work-manager-shutdown-trigger>
    </work-manager>
    </self-tuning>
    <jms-system-resource>
    <name>NCJMSModule</name>
    <target>nctcisAdmin</target>
    <sub-deployment>
    <name>BEA_JMS_MODULE_SUBDEPLOYMENT_NCJMSServer</name>
    <target>NCJMSServer</target>
    </sub-deployment>
    <descriptor-file-name>jms/ncjmsmodule-jms.xml</descriptor-file-name>
    </jms-system-resource>
    <admin-server-name>nctcisAdmin</admin-server-name>
    <jdbc-system-resource>
    <name>NetCrackerDataSource</name>
    <target>nctcisAdmin</target>
    <descriptor-file-name>jdbc/NetCrackerDataSource-5713-jdbc.xml</descriptor-file-name>
    </jdbc-system-resource>
    <jdbc-system-resource>
    <name>NetCrackerDataSourceNonTX</name>
    <target>nctcisAdmin</target>
    <descriptor-file-name>jdbc/NetCrackerDataSourceNonTX-6926-jdbc.xml</descriptor-file-name>
    </jdbc-system-resource>
    </domain>
    Edited by: user6904153 on Sep 12, 2012 6:57 AM

  • Implementing 2-way ssl

    Hi, I have configured the keystore as "Custom Identity and Custom Trust", given the keystore names for both, given the identity alias name under the 'SSL' tab, and in 'Advanced' I am enforcing the client certificate. But when I start to access the application, I see the following error:
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Alert received from peer, notifying peer we received it: com.certicom.tls.record.alert.Alert@16a86fc>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Warning> <Security> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-090481> <NO_CERTIFICATE alert was received from ASST218297.uk.pri.o2.com - 172.17.247.10. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NO_CERTIFICATE received by peer, checking with TrustManager>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <validationCallback: validateErr = 0>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Required peer certificates not supplied by peer>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: certPathValStype = 0>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: validateErr = 4>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecurityCertPath> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <CertPathTrustManagerUtils.certificateCallback: returning false because of built-in SSL validation errors>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <weblogic user specified trustmanager validation status 4>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Warning> <Security> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-090508> <Certificate chain received from ASST218297.uk.pri.o2.com - 172.17.247.10 was incomplete.>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Validation error = 4>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Certificate chain is incomplete>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <User defined JSSE trustmanagers not allowed to override>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <SSLTrustValidator returns: 68>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <Trust failure (68): CERT_CHAIN_INCOMPLETE>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NO_CERTIFICATE received by peer, not trusted, sending HANDSHAKE_FAILURE to peer>
    ####<04-Mar-2010 12:18:00 o'clock GMT> <Debug> <SecuritySSL> <ASST218297> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1267705080783> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
    java.lang.Exception: New alert stack
         at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
         at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
         at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
         at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
         at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
         at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Any replies please....

    Hi,
    Thanks. Actually, while searching on the net, I found a blog where there were a few steps for implementing 2-way SSL in WebLogic.
    http://huyplus.blogspot.com/2010/02/2-way-ssl-with-weblogic-server-103.html?showComment=1267793234806_AIe9_BGsO6q6ENB4YZWtQyX53CzpN8TWcSn08RqNv6z8W3V7NRI3Qlcf4NuEM35O1niTSsYXd4rxjfUT63J2XFXOHjY8W56_sC-E3MGydylLHxDivVEjR0pQnSPv_Tx7CXOqT64AGNhhs06MEM9CBhpOtHcUHwvQMPtPeDAAJcwP1I9TzEIGNzNEQlWn9INrvLzP9_RAYESO3Wcxbl6b9eRgZt_jktfllVbxcvztIV3zoeQ8XlqgpN4S7Z82yCbUS1E7lFl46FZK#c8740869862805814451
    Fortunately, this is working, I mean the server is working as expected, but in the console it says that the certificate chain is incomplete....
    Anyway, thanks for the links and suggestions...
    If possible, could you please provide me some reference for resolving this issue?
    Thanks again
    Sharma

  • Apache 2.2 21 forward Proxy 2 way SSL for weblogic server as a client

    Hi All,
    Currently, I am trying to implement a forward SSL proxy. The client will hit my Apache server, which in turn will hit an IIS server.
    Scenario 1
    client(weblogic)--*2 way SSL*Apache(forward proxy)*2 way SSL*-- IIS
    If I implement 1-way SSL, I am able to see the content of the website.
    client(weblogic) --- Apache(forward proxy) --- IIS
    If I launch the web browser from the client machine (with the client certificate imported in the browser), I am able to view the content in the IIS. But if I simulate the connection from the WebLogic server, it just gives me an end of file exception (response contains no data) in the logs.
    Below is my configuration
    Listen 8080
    <VirtualHost _default_:8080>
    ServerName serverA
    ErrorLog "logs/ssl_error_log"
    CustomLog "logs/ssl_access_log" common
    SSLProxyEngine On
    SSLProxyMachineCertificateFile /certificate/servercert.cer
    SSLProxyCACertificateFile /certificate/rootCA.cer
    SSLProxyVerify require
    SSLProxyVerifyDepth 10
    ProxyRequests On
    ProxyVia On
    AllowConnect 12345
    <Proxy *>
    Order allow,deny
    Allow from all
    </Proxy>
    </VirtualHost>
    For 2-way SSL, will the client forward its client certificate to my Apache proxy server, and will Apache, on the client's behalf, forward the client certificate to the IIS server for authentication?
    Or does the SSL authentication still happen between the client (WebLogic) and the end server (IIS), bypassing the proxy server?
    Please help.


  • Implement 2-way matching for SRM PO

    Hi Gurus,
       We are in SRM 5.0 Extended Classic and currently running 3-way match scenarios. The client wants to implement 2-way match for certain vendors. My question is how to accomplish this. Below are my thoughts. Please let me know if I missed anything.
    for 2 way match:
    1. In ECC Maintain Vendor MAster - remove GR/IR indicator
    2. In ECC Maintain Info records - remove GR/IR indicator
    In SRM
    1. use create Limit shop which defaults to 2 way (also gives option to select 3 way)
    Please let me know if there are any config changes or new objects to be developed for 2-way match.
    Thank you all
    Rao

    Hi Friends,
      Any suggestions are appreciated.
    Thanks
    Rao

  • 2-Way SSL for a single web app

    Hi all,
    I have got 2-way SSL working on my WLS 8.1.4.
    However we have an existing app that uses 1-way SSL already running on the same WLS.
    Is it possible to allow 1-way SSL for the existing app and only use 2-way on my new app?
    Looking at the console enforcing client certificates seems to be a server wide setting. I was hoping that maybe I would be able to restrict it in the web.xml file.
    Any advice would be appreciated.
    Thanks
    Alan

    It is a domain-wide setting. Can you not create a new domain? I do not think that you can handle it from web.xml. I have never seen such a thing in web.xml.

  • How to implement 2-way SSL in OSB web services

    Hi,
    I need to implement secured SSL communication in my OSB web services. For this I have used the self-signed certificates in the WebLogic console and configured them.
    I also enabled the HTTPS parameter in my proxy service, but now when I am trying to open the proxy WSDL in the browser it says unauthorised access.
    Even in SOAP UI, when I am trying to access it, it says "Error loading wsdl".
    Please help.

    Hi,
    Have you created a Service Key Provider and attached it to the proxy service?
    Oracle Service Bus verifies that you have associated a service key provider with the proxy service and that the service key provider contains a key-pair binding that can be used as a digital signature.
    Service Key Providers
    Regards,
    Abhinav

  • Problem with 2 way SSL for JMS

    Finally, there is some progress on my JMS over SSL (2 way with JNDI). I am able to send/receive JMS messages but there is an exception in Weblogic server log (see attached). Let me summarise all the steps involved:
    (I have referred this doc http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security6.html as I found this more convenient)
    1. Generate the server private key/public certificate pair:
    C:\softwares\bea\satishb\ssl\3>keytool -genkey -alias serveralias -keyalg RSA -keypass password -storepass password -keystore .\server\svrkeystore.jks
    2. Export the generated server certificate in svrkeystore.jks into the file server.cer:
    C:\softwares\bea\satishb\ssl\3>keytool -export -alias serveralias -storepass password -file .\server\server.cer -keystore .\server\svrkeystore.jks
    3. To create the trust-store file cacerts.jks and add the server certificate to the trust-store:
    C:\softwares\bea\satishb\ssl\3>keytool -import -v -trustcacerts -alias serveralias -file .\server\server.cer -keystore .\server\cacerts.jks -keypass password -storepass password
    Now Client part:
    1. Generate the client key/cert pair:
    C:\softwares\bea\satishb\ssl\3>keytool -genkey -alias clientalias -keyalg RSA -keypass password -storepass password -keystore .\client\cltkeystore.jks
    2. Export the generated client certificate into file client.cer:
    C:\softwares\bea\satishb\ssl\3>keytool -export -alias clientalias -storepass password -file .\client\client.cer -keystore .\client\cltkeystore.jks
    3. Add the certificate to the trust-store file cltcacerts.jks (this trust-store will be used by weblogic server for client authentication):
    C:\softwares\bea\satishb\ssl\3>keytool -import -v -trustcacerts -alias clientalias -file .\client\client.cer -keystore .\client\cltcacerts.jks -keypass password -storepass password
    - I deployed svrkeystore.jks to the WebLogic server as the custom identity and cltcacerts.jks as the trust store (so that client authentication takes place).
    - I use the server\cacerts.jks file at the client side as the custom trust store to authenticate the server.
    - Both the JMS client and the WebLogic server are using the same Java, i.e. C:\softwares\bea\jdk150_04.
    I am now able to send/receive the JMS messages, but in the WebLogic server logs I see the following, which seems to me to indicate that the proper SSL handshake has not taken place:
    ####<Mar 5, 2007 3:54:12 PM IST> <Info> <Server> <sburnwal-wxp> <AdminServer> <DynamicSSLListenThread[DefaultSecure]> <<WLS Kernel>> <> <> <1173090252459> <BEA-002605> <Adding address: 192.168.4.223 to licensed client list>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252459> <000000> <isMuxerActivated: false>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252506> <000000> <5978326 SSL Version 2 with no padding>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252506> <000000> <24761471 SSL3/TLS MAC>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252506> <000000> <24761471 received SSL_20_RECORD>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252506> <000000> <HANDSHAKEMESSAGE: ClientHelloV2>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252506> <000000> <........... Eating Exception ..........
    java.security.NoSuchAlgorithmException
         at com.certicom.tls.ciphersuite.CipherSuiteSupport.getCipherSuite(Unknown Source)
         at com.certicom.tls.ciphersuite.CipherSuiteSupport.getCipherSuite(Unknown Source)
         at com.certicom.tls.record.handshake.MessageClientHelloVersion2.<init>(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeMessage.createVersion2(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.handleVersion2HandshakeMessages(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
         at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
         at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
         at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:179)
    >
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252506> <000000> <........... Eating Exception ..........
    java.security.NoSuchAlgorithmException
         at com.certicom.tls.ciphersuite.CipherSuiteSupport.getCipherSuite(Unknown Source)
         at com.certicom.tls.ciphersuite.CipherSuiteSupport.getCipherSuite(Unknown Source)
         at com.certicom.tls.record.handshake.MessageClientHelloVersion2.<init>(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeMessage.createVersion2(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.handleVersion2HandshakeMessages(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
         at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
         at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
         at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:179)
    >
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252506> <000000> <write HANDSHAKE, offset = 0, length = 58>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252506> <000000> <write HANDSHAKE, offset = 0, length = 602>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252506> <000000> <write HANDSHAKE, offset = 0, length = 4>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252506> <000000> <isMuxerActivated: false>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252521> <000000> <24761471 SSL3/TLS MAC>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252521> <000000> <24761471 received HANDSHAKE>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252521> <000000> <HANDSHAKEMESSAGE: ClientKeyExchange RSA>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252521> <000000> <Using JCE Cipher: SunJCE version 1.5 for algorithm RSA>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252537> <000000> <Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacMD5>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252537> <000000> <Will use default Mac for algorithm HmacMD5>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252537> <000000> <Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacSHA1>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252537> <000000> <Will use default Mac for algorithm HmacSHA1>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252537> <000000> <........... Eating Exception ..........
    java.security.NoSuchAlgorithmException: Algorithm MD5 not available
         at javax.crypto.Mac.getInstance(DashoA12275)
         at com.certicom.tls.provider.Mac.getInstance(Unknown Source)
         at com.certicom.tls.ciphersuite.SecurityParameters.makeKeys(Unknown Source)
         at com.certicom.tls.ciphersuite.SecurityParameters.deriveKeys(Unknown Source)
         at com.certicom.tls.ciphersuite.SecurityParameters.<init>(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.generateSecurityParameters(Unknown Source)
         at com.certicom.tls.record.handshake.ServerStateSentHelloDone.handle(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
         at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
         at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
         at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
         at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
         at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:179)
    >
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252537> <000000> <Will use default Mac for algorithm MD5>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252537> <000000> <Using JCE Cipher: SunJCE version 1.5 for algorithm RC4>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252537> <000000> <Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacMD5>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252537> <000000> <Will use default Mac for algorithm HmacMD5>
    ####<Mar 5, 2007 3:54:12 PM IST> <Debug> <SecuritySSL> <sburnwal-wxp> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1173090252537> <000000> <Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacSHA1>
    Please let me know if there is anything I am missing here. Help is appreciated a lot.
    Thanks
    Satish

  • 2 way SSL in web services [using Axis]

    Hi,
    Can anyone tell me how to implement 2 way SSL handshake before making a web service call , using Axis.
    This is what i have to start off with:
    1. wsdl, which i use to create the client side files [using eclipse] do meet the business needs.
    2. I also have my [client] key and cert and the servers root cert, required for SSL handshake
    Thanks for the help,
    Sandy

    Hi,
    Have you created a Service Key Provider and attached it to the proxy service?
    Oracle Service Bus verifies that you have associated a service key provider with the proxy service and that the service key provider contains a key-pair binding that can be used as a digital signature.
    Service Key Providers
    Regards,
    Abhinav

  • Why does Mail 6 keep switching on SSL for SMTP?

    After setting up a POP3 account in Mail 6, with SSL for SMTP disabled, it works fine for a short while, but then suddenly Mail decides to enable the SSL option, which of course causes problems sending mail from the account. There is no SSL for this particular email account. When I try to disable the setting it turns off and then immediately turns itself on again. How can I turn it off, does anyone know?

    Thanks William.  I've done that, now will see if the problem pops back up.  It did report that no errors were found.
    I've also seen in the Keychain first aid that it's possible to sort of shuffle the keychain sideways and start again; would that be a sensible step if this doesn't work? I understand that means re-entering all my passwords for various services, which is a pain, but far less painful than having to randomly re-generate Gmail passwords.

  • Server to Server 2 way SSL

    Has anyone any links or experience with 2 way SSL for Server to Server? Web Server A to Web Server B for web services.
    The norm is Server to Client.
    Any help is appreciated. Thanks!

    The only possibility is server to client. One of your servers has to listen passively, which makes it a TCP or SSL server, and the other one has to initiate the connection, which makes it a TCP or SSL client. But that doesn't stop it being a server from other points of view.

  • How to Use a Certificate for Two Way SSL and another certificate for WS Security Header at Client Console Application(C# Dotnet)

    Hi,
    I want to consume a Java web service from a Dotnet-based client application. The service requires one certificate ("abc.PFX") for Two Way SSL and another certificate ("xyz.pfx") for WS-Security, both to be passed from the client application (Dotnet console based). I tried configuring the App.config of the client application to pass both certs but get an error that says:
    Could not establish secure channel for SSL/TLS with authority "******aaaa.com"
    Please suggest how to pass both certs from the client application.

    Hi,
    This problem can be due to an untrusted certificate. So you just need full permissions on the certificates.
    And for more information, you could refer to:
    http://contractnamespace.blogspot.jp/2014/12/could-not-create-secure-channel-fix.html
    Regards

  • How to implement tooltip for the list items for the particular column in sharepoint 2013

    Hi,
    I have created a list. How do I implement a tooltip for the list items of a particular column in SharePoint 2013?
    Any help will be appreciated

    We can use JavaScript or jQuery to show the tooltips. Refer to the following similar threads.
    http://social.technet.microsoft.com/forums/en/sharepointdevelopmentprevious/thread/1dac3ae0-c9ce-419d-b6dd-08dd48284324
    http://stackoverflow.com/questions/3366515/small-description-window-on-mouse-hover-on-hyperlink
    http://spjsblog.com/2012/02/12/list-view-preview-item-on-hover-sharepoint-2010/

  • What should be done in certmap.conf for 2-way SSL support from a standalone Java application to an SSL enabled LDAP Server

    To support certificate-based client authentication using 2-way SSL from a standalone Java application which uses JNDI and JSSE 1.0.2 to connect to an SSL-enabled LDAP server, how do we configure the certmap.conf? Is there any additional setup required on the LDAP server side apart from enabling SSL with the option "Required Client Authentication" enabled? The 2-way SSL handshake goes through, but the access log file (after configuring the certmap.conf for the issuer DN of the client certificate etc.) shows SSL failed to LDAP DN. But in spite of this access log error the Java client does get an SSL connection object with which it is able to connect to the LDAP. Is the certmap.conf file being looked up by the LDAP server at all?

    Have you called out.flush() and out.close() before you call connection.getInputStream()?

  • 2 way SSL: How does Sun implement handling malformed certificate requests?

    Hi
    I'd like to know how sun implements the following 2 way ssl-scenario:
    When an SSL server requests client authentication, it sends a message
    to the client that says "here is a list of the names of CAs that I trust
    to issue client certs. If you have a client cert from one of these
    CAs, then send it to me". That list is NEVER supposed to be empty.
    But the hint above suggests that it is. If your server has not been
    configured with the names of CAs that it trusts to issue client certs,
    it's sending an empty list.
    When an SSL client receives such a malformed request, with an empty
    list of trusted client CA names, it may either (a) choose to send
    back a response that means "I have no cert issued by any of the
    issuers you have named", ***or (b) send back any certificate you have***
    ***and hope the misconfigured server will accept it.***
    Please advise. What is the switch to tell the client to send any certificate?
    Thanks a lot
    Christian

    > That list is NEVER supposed to be empty.
    It doesn't actually say that anywhere in the RFC.
    > When an SSL client receives such a malformed request, with an empty
    > list of trusted client CA names, it may either (a) choose to send
    > back a response that means "I have no cert issued by any of the
    > issuers you have named", ***or (b) send back any certificate you have***
    > ***and hope the misconfigured server will accept it.***
    That's not how I read the RFC. I would say the client should decide there is no suitable certificate available, and send back an empty ClientCertificate message. That in turn may provoke the server into sending a fatal handshake failure alert.
    > What is the switch to tell the client to send any certificate?
    There is no such switch.
    More to the point, why is the server's CA list empty? That must mean that it has an empty truststore. That's the problem you should fix.
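    As an added example (not code from this thread, and not Sun's implementation), the exchange the reply describes in Python: a parser for a TLS 1.2 CertificateRequest, the client-side step that matches certificate issuers against the server's certificate_authorities list, and the Certificate message the client sends back, which is the empty one when the list is empty. The sample messages and the issuer/chain bytes are constructed placeholders, not real DER.

```python
import struct

HS_CERTIFICATE_REQUEST = 13  # HandshakeType certificate_request
HS_CERTIFICATE = 11          # HandshakeType certificate

# Constructed sample messages in TLS 1.2 layout (not captured from the thread):
# certificate_types rsa_sign(1) and ecdsa_sign(64), sig algs sha256/rsa and
# sha256/ecdsa, then either one CA name or the empty certificate_authorities vector.
CA_DN = b"CA=ExampleRoot"  # placeholder standing in for a DER-encoded X.500 Name
REQ_WITH_CA = bytes.fromhex("0d00001b 020140 000404010403 0010 000e") + CA_DN
REQ_EMPTY_CA = bytes.fromhex("0d00000b 020140 000404010403 0000")
CLIENT_CERTS = [{"issuer": CA_DN, "chain": [b"LEAF-DER-PLACEHOLDER"]}]  # placeholder

def parse_certificate_request(msg: bytes) -> dict:
    """Decode a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4)."""
    if msg[0] != HS_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    n, pos = body[0], 1
    cert_types = list(body[pos:pos + n]); pos += n
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + n, 2)]; pos += n
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    end, cas = pos + n, []
    while pos < end:  # each DistinguishedName is an opaque<1..2^16-1>
        (dn_len,) = struct.unpack_from("!H", body, pos); pos += 2
        cas.append(body[pos:pos + dn_len]); pos += dn_len
    if pos != end or end != len(body):
        raise ValueError("malformed certificate_authorities vector")
    return {"cert_types": cert_types, "sig_algs": sig_algs, "cas": cas}

def choose_client_cert(cas, certs):
    """First cert whose issuer the server named, else None. An empty list matches
    nothing: the client reports no suitable cert instead of sending an arbitrary one."""
    return next((c for c in certs if c["issuer"] in cas), None)

def build_certificate_message(chain) -> bytes:
    """Encode a Certificate message; [] yields the empty one, 0b 00 00 03 00 00 00."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body

def client_response(request: bytes, certs=CLIENT_CERTS) -> bytes:
    """Answer a CertificateRequest the way the reply above describes."""
    chosen = choose_client_cert(parse_certificate_request(request)["cas"], certs)
    return build_certificate_message(chosen["chain"] if chosen else [])
```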
