OSR 2way SSL client configuration in Weblogic
We've implemented 2way SSL in our Weblogic domains that host endpoints for use by OSB and OSR, using signed ( not self-signed! ) certificates. OSB works great and invokes the endpoints successfully over 2way SSL.
The problem is that OSR doesn't use the same security keystore / truststore as WebLogic. The Weblogic server hosting OSR is configured with the same keystore / truststore that the OSB server uses, and the OSR mgd server also has "Use Server Certs" enabled.
The OSR 10g server and the endpoint domain both use the same versions: Weblogic 10.3, using jrockit_160_05, both running on Linux 2.6.18-92.1.17.0.2.el5xen #1 SMP Tue Nov 18 04:11:19 EST 2008 i686 i686 i386 GNU/Linux on different hosts.
For one-way SSL, I imported ( with PStoreTool.sh ) the server certificate from the endpoints' domain into the registry's conf/pstore.xml & redeployed, and then OSR was able to trust the incoming server cert. That's been working great.
I'd like to have OSR submit the same certificate that OSB does so that OSR can act as a client in 2-way SSL. So I've used this:
# Get the server cert from the OSR WL server
sslTool.sh serverInfo url https://"OSR_HOST" certFile "OSR_HOST_FILE"
# Add it into extracted pstore
PStoreTool.sh new -alias "CN value" -keypassword ****t -config conf/pstore.xml -certFile "OSR_HOST_FILE"
# encrypt keypass
sslTool.sh encrypt --password *****
and added an entry in the registry.war's app/uddi/conf/security.xml of:
<sslConnectionAlias>OSR_HOST</sslConnectionAlias>
<sslConnectionPassword_coded>"output from sslTool encrypt"</sslConnectionPassword_coded>
But when trying to publish an https:// endpoint into OSR, I get an error in the OSR console of:
Invalid WSDL location! WSDLException: faultCode=INVALID_WSDL: Cannot get WSDL at 'https://...."'. Exception occured: javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error.
The OSR server log shows this:
ERROR: com.idoox.wsdl.xml.WSDLReaderImpl - javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
ERROR: com.systinet.uddi.webui.WebUIRawService - Web Framework exception
EXCEPTION: com.systinet.uddi.webui.WebUIException: (18003) UDDI error occurred.
javax.servlet.ServletException: com.systinet.uddi.webui.WebUIException: (18003) UDDI error occurred.
In the weblogic endpoint domain, I get this error at the same time - after the OSR certificate has been presented:
<Sep 17, 2009 4:12:40 PM EDT> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: CertificateVerify>
<Sep 17, 2009 4:12:40 PM EDT> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
<Sep 17, 2009 4:12:40 PM EDT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 51
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ServerStateReceivedClientKeyExchange.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
For two-way SSL, what steps are needed? The documentation on PStoreTool only lists available commands, but not how they would be used to perform 2way ssl config.
After many, many, many iterations, I finally have an OSR that can import over 2way SSL.
So here are the steps I used ( variables in caps ):
* Extract the conf/pstore.xml and app/uddi/conf/security.xml from registry.war
jar -xf registry.war conf/pstore.xml
jar -xf registry.war app/uddi/conf/security.xml
* Encrypt the password for later use:
PStoreTool.sh encrypt --password=OSR_PASS
( gives you an encrypted string )
* Edit the security.xml, add these lines:
<sslConnectionAlias>OSR_ALIAS</sslConnectionAlias>
<sslConnectionPassword_coded>encrypted_password</sslConnectionPassword_coded>
</security>
<destinationConfig>
<alias>OSR_ALIAS</alias> <!-- same alias -->
<password_coded>encrypted_password</password_coded>
<destination url="https://SERVICE_ENDPOINT/*"/> <!-- server hosting the endpoints that you're importing -->
</destinationConfig>
* put security.xml back
jar -uf registry.war app/uddi/conf/security.xml
* import the OSR server's identity cert ( to use as a client cert in outbound 2way SSL )
sslTool.sh serverInfo url https://OSR_HOST certFile ./OSR_HOST.cer
PStoreTool.sh add -config conf/pstore.xml -certFile ./OSR_HOST.cer
* If your OSR cert is signed, also import the signer certs with PStoreTool as above
* create a new user
PStoreTool.sh new -alias OSR_ALIAS -keypassword unencrypted_password -config conf/pstore.xml
* overwrite the user with the cert
sslTool.sh pstoreEI -i keystore /etc/java/OSR_IDENTITY_KEYSTORE.jks storepass *** alias *** keypass *** --pstore [REGISTRY_HOME]/conf/clientconf.xml pstoreAlias OSR_ALIAS pstoreKeypass OSR_PASS
sslTool.sh pstoreEI -i keystore /etc/java/OSR_IDENTITY_KEYSTORE.jks storepass *** alias *** keypass *** pstore conf/pstore.xml pstoreAlias OSR_ALIAS --pstoreKeypass OSR_PASS
* Put the pstore.xml back
jar -uf registry.war conf/pstore.xml
Stop your OSR server, undeploy the registry.war, remove the OSR managed server's tmp directory, redeploy and restart.
If you get "BAD_CERT" - you have a self-signed cert in pstore.xml that needs to be overwritten with your real cert from your OSR's identity jks
If you get "login failed" - you need to run the "PStoreTool new"
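As an added illustration (not code from the thread, OSR or WebLogic), the following plain JSSE client does what OSR has to do when it imports an https:// endpoint: present the identity from a JKS keystore as the client certificate and fetch the WSDL. Before connecting it checks that the private key and the certificate stored under each key alias actually belong together, because a client whose key and certificate disagree signs CertificateVerify with the wrong key and the server replies with fatal alert 51 (decrypt_error), which is exactly what the endpoint domain's log above shows right after HANDSHAKEMESSAGE: CertificateVerify. The keystore paths, passwords, alias handling and the WSDL URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not OSR/WebLogic code): a plain JSSE two-way SSL client that
 * first verifies the identity keystore is internally consistent, then fetches
 * a WSDL the way OSR does when importing an https:// endpoint.
 * Paths, passwords and the URL below are placeholders.
 */
public class TwoWaySslWsdlCheck {

    /** Load a JKS keystore from disk. */
    static KeyStore loadJks(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }
        return ks;
    }

    /**
     * True when the private key stored under alias really belongs to the
     * certificate stored under the same alias. A client whose key and
     * certificate disagree signs CertificateVerify with the wrong key, and
     * the server answers with fatal alert 51 (decrypt_error).
     */
    static boolean identityIsConsistent(KeyStore ks, String alias, char[] keyPass) throws Exception {
        PrivateKey priv = (PrivateKey) ks.getKey(alias, keyPass);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (priv == null || cert == null) {
            return false;   // alias is missing, or is a trusted-cert entry rather than a key entry
        }
        String sigAlg = "EC".equals(priv.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] probe = "keystore consistency probe".getBytes("UTF-8");
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(priv);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        return verifier.verify(sig);
    }

    /** Build an SSLContext that presents the identity keystore and trusts the truststore. */
    static SSLContext buildContext(KeyStore identity, char[] keyPass, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: the OSR identity JKS from the steps above, a truststore holding
        // the endpoint domain's signer certificates, and a WSDL OSR would import.
        String identityPath = "/etc/java/OSR_IDENTITY_KEYSTORE.jks";
        char[] storePass = "STORE_PASS".toCharArray();
        char[] keyPass = "KEY_PASS".toCharArray();
        String trustPath = "/etc/java/ENDPOINT_TRUST.jks";
        String wsdlUrl = "https://SERVICE_ENDPOINT/MyService?WSDL";

        KeyStore identity = loadJks(identityPath, storePass);
        for (Enumeration<String> e = identity.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!identity.isKeyEntry(alias)) {
                continue;   // signer / trusted certificates carry no private key to check
            }
            boolean ok = identityIsConsistent(identity, alias, keyPass);
            System.out.println("alias " + alias + ": key/cert " + (ok ? "match" : "MISMATCH"));
            if (!ok) {
                throw new IllegalStateException("fix the identity keystore before testing the handshake");
            }
        }

        SSLContext ctx = buildContext(identity, keyPass, loadJks(trustPath, storePass));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(wsdlUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // A decrypt_error or handshake_failure alert surfaces here as SSLHandshakeException
        System.out.println("HTTP " + conn.getResponseCode() + " from " + wsdlUrl);
    }
}
```

Running it with `-Djavax.net.debug=ssl:handshake` prints the client side of the same exchange the WebLogic SecuritySSL debug output shows on the server, so the CertificateVerify message and the alert that follows it can be matched up from both ends. The consistency check is the cheap step to do first: once the JKS passes it, a handshake that still fails points at trust (the wrong signer certificates on one side) rather than at the identity being presented.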
Similar Messages
-
SSL Connection Configuration between Apache and Weblogic 8,1
I'm currently using Apache web server as a front end server for Weblogic server 8.1 and now I'm facing some configuration problem setting up the SSL connection between these 2 servers. When I open my web application page, it shows
Failure of Server Apache bridge
No backend server available for connection: timed out after 10 seconds or idempotent set to OFF.
and my proxy.log shows:
Thu Nov 03 09:36:41 2011 <182413202842013> INFO: SSL is configured
Thu Nov 03 09:36:41 2011 <182413202842013> INFO: SSL configured successfully
Thu Nov 03 09:36:41 2011 <182413202842013> Using Uri /favicon.ico
Thu Nov 03 09:36:41 2011 <182413202842013> After trimming path: '/favicon.ico'
Thu Nov 03 09:36:41 2011 <182413202842013> The final request string is '/favicon.ico'
Thu Nov 03 09:36:41 2011 <182413202842013> SEARCHING id=[ebwdsk298.ebworx.com:7002] from current ID=[ebwdsk298.ebworx.com:7002]
Thu Nov 03 09:36:41 2011 <182413202842013> The two ids matched
Thu Nov 03 09:36:41 2011 <182413202842013> @@@FOUND...id=[ebwdsk298.ebworx.com:7002], server_name=[10.122.50.218], server_port=[80]
Thu Nov 03 09:36:41 2011 <182413202842013> attempt #0 out of a max of 5
Thu Nov 03 09:36:41 2011 <182413202842013> general list: trying connect to '10.122.50.48'/7002/7002 at line 2696 for '/favicon.ico'
Thu Nov 03 09:36:41 2011 <182413202842013> New SSL URL: match = 0 oid = 22
Thu Nov 03 09:36:41 2011 <182413202842013> Connect returns -1, and error no set to 10035, msg 'Unknown error'
Thu Nov 03 09:36:41 2011 <182413202842013> EINPROGRESS in connect() - selecting
Thu Nov 03 09:36:41 2011 <182413202842013> Setting peerID for new SSL connection
Thu Nov 03 09:36:41 2011 <182413202842013> 0a7a 3230 5a1b 0000 .z20Z...
Thu Nov 03 09:36:41 2011 <182413202842013> Local Port of the socket is 2121
Thu Nov 03 09:36:41 2011 <182413202842013> Remote Host 10.122.50.48 Remote Port 7002
Thu Nov 03 09:36:41 2011 <182413202842013> general list: created a new connection to '10.122.50.48'/7002 for '/favicon.ico', Local port:2121
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Host]=[10.122.50.218]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Connection]=[keep-alive]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept]=[*/*]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[User-Agent]=[Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept-Encoding]=[gzip,deflate,sdch]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept-Language]=[en-US,en;q=0.8]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs from clnt:[Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.3]
Thu Nov 03 09:36:41 2011 <182413202842013> URL::sendHeaders(): meth='GET' file='/favicon.ico' protocol='HTTP/1.1'
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Host]=[10.122.50.218]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept]=[*/*]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[User-Agent]=[Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept-Encoding]=[gzip,deflate,sdch]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept-Language]=[en-US,en;q=0.8]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.3]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Connection]=[Keep-Alive]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[WL-Proxy-SSL]=[false]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[WL-Proxy-Client-IP]=[10.122.50.48]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[Proxy-Client-IP]=[10.122.50.48]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[X-Forwarded-For]=[10.122.50.48]
Thu Nov 03 09:36:41 2011 <182413202842013> Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
Thu Nov 03 09:36:41 2011 <182413202841921> INFO: No session match found
Thu Nov 03 09:36:41 2011 <182413202842013> INFO: No CA was trusted, validation failed
Thu Nov 03 09:36:41 2011 <182413202841921> INFO: DeleteSessionCallback
Thu Nov 03 09:36:41 2011 <182413202842013> ERROR: SSLWrite failed
Thu Nov 03 09:36:41 2011 <182413202842013> SEND failed (ret=-1) at 789 of file ../nsapi/URL.cpp
Thu Nov 03 09:36:41 2011 <182413202842013> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 790 of ../nsapi/URL.cpp
Thu Nov 03 09:36:41 2011 <182413202842013> Marking 10.122.50.48:7002 as bad
Thu Nov 03 09:36:41 2011 <182413202842013> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 790 of ../nsapi/URL.cpp]: at line 3078
Thu Nov 03 09:36:41 2011 <182413202842013> INFO: Closing SSL context
Thu Nov 03 09:36:41 2011 <182413202842013> INFO: Error after SSLClose, socket may already have been closed by peer
Thu Nov 03 09:36:41 2011 <182413202842013> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()
Can anyone tell me what should I do in order to correct this error? Your help is kindly appreciated!!! Please~
1) Is the managed server up?
2) from apache server are you able to bind the managed server port?
3) can you pls send the weblogic ssl configuration? -
Hello,
I have installed a 512-bit SSL cert on weblogic 7 and found that the secure site doesn't work on the Vista web client.
Weblogic gives error in handshaking and says algorithm is not supported.
Vista web client uses some algorithms which were not supported by weblogic 7.
So would like to know if would Vista web client work with Weblogic Server 8.1.6 over SSL?
Any information in this regard would be helpful.
Thanks in Advance.
can you use the following debug flags in the weblogic server as java_options and paste the complete ssl handshake exception here.
-Dweblogic.StdoutDebugEnabled=true
-Dssl.debug=true
thanks,
sandeep -
How can you configure an Exchange Account in Mac OS X to use a SSL client certificate?
I'm trying to connect the Mail App of Mac OS X to my company's Exchange server. For security reasons you have provide a SSL client certificate to the server. You can convince Safari to use a client certificate by putting it into your keychain and configuring a suitable "identity preference" for the URL of the related site. But the Mail App seems not to use the keychain for this part of the SSL negotiations.
Since you can configure the client certificate usage for an Exchange Account for the iPhone with the Configuration Utility there should be a way for the desktop App, too. Has someone sorted this issue out already or does the Mail App actually lack client certificate support?
I had a nice chat with the Apple end user support which revealed that this feature falls in the responsibility of the business support group. Since I have no appropriate support contract I could ask for help for about 480€ per issue -- nice try
After more research I found the Configuration Profile Reference, where you get information about Exchange accounts too. Starting with a working iOS-Profile I changed the Exchange account part according to this documentation for OS X. All you have to do is to replace PayloadType com.apple.eas.account by com.apple.ews.account.
After importing this profile I found the expected Exchange account within the Contacts.app. But the SSL client certificate was still not used and therefore my account not usable.
You could enable Mail, Calendar & Reminders and Notes within the System Preferences, but neither of these would work due to the missing client certificate support.
I came to the conclusion that the relevant applications in OS X have no proper SSL client support built in. Since the underlying libraries and frameworks have everything in place that is really a shame.
It would be nice if someone made the developers do their homework there. -
We must use JSSE because of SHA256RSA sign algorithm.
Business Service calls a remote webservice over two way ssl. Client-cert configured, Key Provider is correctly set, PKI Provider Mapping is fine. Everything is tested with SoapUI 2way SSL and worked like a charm.
But not with IIS 6.0. Renegotiation is enabled (with parameter sun.security.ssl.allowUnsafeRenegotiation) and Chunked Streaming Mode is also set.
The invocation resulted in an error: [WliSbTransports:381304]Exception in HttpOutboundMessageContext.RetrieveHttpResponseWork.run: java.lang.NullPointerException
java.lang.NullPointerException
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:101)
at weblogic.socket.JSSEFilterImpl.handleResultsCommonly(JSSEFilterImpl.java:659)
at weblogic.socket.JSSEFilterImpl.handleUnwrapResults(JSSEFilterImpl.java:550)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:456)
at weblogic.socket.JSSEFilterImpl.read(JSSEFilterImpl.java:370)
at weblogic.socket.JSSESocket$JSSEInputStream.read(JSSESocket.java:58)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read(BufferedInputStream.java:237)
at java.io.SequenceInputStream.read(SequenceInputStream.java:149)
at java.io.SequenceInputStream.read(SequenceInputStream.java:152)
at weblogic.net.http.MessageHeader.parseHeader(MessageHeader.java:151)
at weblogic.net.http.HttpClient.parseHTTP(HttpClient.java:468)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:401)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:1005)
at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.getResponse(HttpOutboundMessageContext.java:679)
at com.bea.wli.sb.transports.http.wls.HttpOutboundMessageContextWls.access$100(HttpOutboundMessageContextWls.java:26)
at com.bea.wli.sb.transports.http.wls.HttpOutboundMessageContextWls$RetrieveHttpResponseWork.handleResponse(HttpOutboundMessageContextWls.java:96)
at weblogic.net.http.AsyncResponseHandler$MuxableSocketHTTPAsyncResponse$RunnableCallback.run(AsyncResponseHandler.java:535)
at weblogic.work.ContextWrap.run(ContextWrap.java:41)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Hi, I have the same problem but with Weblogic 12.1.1 (12c):
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:114)
at weblogic.socket.JSSEFilterImpl.handleResultsCommonly(JSSEFilterImpl.java:739)
at weblogic.socket.JSSEFilterImpl.handleUnwrapResults(JSSEFilterImpl.java:630)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:498)
at weblogic.socket.JSSEFilterImpl.read(JSSEFilterImpl.java:414)
at weblogic.socket.JSSESocket$JSSEInputStream.read(JSSESocket.java:58)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
at weblogic.net.http.MessageHeader.isHTTP(MessageHeader.java:224)
at weblogic.net.http.MessageHeader.parseHeader(MessageHeader.java:148)
at weblogic.net.http.HttpClient.parseHTTP(HttpClient.java:469)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:401)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37
Is there a patch for this version?
Thanks in advance -
SSL Client example from dev2dev
Bruce,
I still have some questions unanswered.
1. Is there any "default" list of trusted CA that is used during handshake?
The SSLClient example does not have any references to trusted CA files. The
weblogic.webservice.client.ssl.trustedcerts property returns null. What
trusted CA is used in the SSLClient example? Considering the plural name of
the property, should it contain only one file name, or it can contain
several file names? Order? Delimiter?
2. I copied the SSL setup code from SSLClient to my own web service client,
but it does not work. My web service is made of stateless session bean, and
wsdl is generated dynamically. Is it possible, that certain wsdl settings
could affect handshake process? Maybe I need to copy certain wsdl tags from
the example?
3. What username/password should I use in IE when "Enter network password"
dialog is presented? The combination used to start weblogic server does not
work. The same combination works for non-SSL client. Why?
Thanks,
Michael J.
"Bruce Stephens" <[email protected]> wrote in message
news:[email protected]...
Hi Michael,
Thanks for the good feedback and this will be incorporated into a revised
example.
Concerning your questions toward the end, to set the list of trusted CA
certificates, you need the CA certificate in a file and you need to set this
System property to the filename:
weblogic.webservice.client.ssl.trustedcerts
To turn off strict hostname checking during certificate validation, you need to
set this property to "false":
weblogic.webservice.client.ssl.strictcertchecking
Thanks again,
Bruce
Michael Jouravlev wrote:
Bruce,
here are some issues that I wish you could help me with.
1) package.html from the simpleSSL example is outdated. The links posted
here do not work. Considering the "Please pay careful attention" phrase I am a
little bit worried if I missed something in my SSL configuration.
=== cut here ===
You must first setup and verify your WLS SSL configuration.
1. Set up your development shell as described in Quick Start.
2. Startup the WebLogic Server.
3. Monitor the log file for any errors.
4. Use the console and configure the WebLogic Service security as described
by:
http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1052258
Please pay careful attention to this step, especially concerning the SSL
protocol configuration:
http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1067988
=== cut here ===
I use the following information:
1. http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1127954 to configure
server-wide SSL setup
2. http://edocs.bea.com/wls/docs70/webserv/security.html#1052043 to configure
web service-related SSL setup.
2) In "Setup and verify the toUpper WebService" chapter the links entitled
http://localhost:7001/toUpper/toUpper and
http://localhost:7001/toUpper/toUpper?WSDL are wrong. Not a big deal, but
maybe you would like to correct this.
3) Now the real issue: in the step (8), the "IMPORTANT STEP", when I try to
connect to https://localhost:7002/toUpper/toUpper , I receive the "Security
Alert" dialog (I am using IE5) that there is a problem with security
certificate: name of the certificate does not match the name of the site. It
is OK, because it is demo certificate. (Should I do "View
Certificate/Install Certificate" to proceed successfully or just to say
"Yes" in the "Security Alert" window?). Anyway, I say "Yes", I do want to
proceed. In the next window is "Do you want to display nonsecure items?" I
say "yes" and I am brought to the test page. Now, when I try to test the
service, I click on "toUpper" link and am presented with sample text and
"Invoke" button.
And when I press "Invoke" I am presented with a dialog window "Enter network
password" containing: Site: localhost, Realm: default, User name:
<blank>, Password: <blank>. So, the first serious issue is: what username
and password should I use? I tried username and password that I used to
start the server in set WLS_USER=<username> and set WLS_PW=<password> in
startWebLogic.cmd file. Does not work. "weblogic"/"weblogic" does not work
either. What should I submit??? I did not change any security setting in my
WebLogic server aside of SSL settings (all this realm stuff is greek to me.)
After "Enter network password" dialog fails to verify a user, I get a page
with the following text: "Failed to retrieve WSDL from
https://localhost:7002/toUpper/toUpper?WSDL. Please check the URL and the
protocol: Write Channel Closed, possible SSL handshaking or trust failure"
Interesting enough, if I try to go directly to the link
https://localhost:7002/toUpper/toUpper?WSDL , I get WSDL without any problem
and without any password windows. What is happening here?
4) OK, I still want to run the Client. I modified ToUpperPort_Stub.java in
order for it to be compiled. I changed super( _port,ToUpperPort.class );
to super( _port ); I am using WL7.0 GA and I am not sure, is the call that I
changed comes from the earlier Beta versions or from 7.0.0.1. Anyway, the
original code does not work on 7.0GA. I successfully did run both Main and
Main2 without username/password and with it. I also used username/password
from startWebLogic.cmd file and they worked. Why they do not work when I try
to call test page from web browser?
5) Finally I compiled and did run the SSLClient. It worked. But the
questions here are:
BEA_HOME environment variable is not defined, and WebLogic SSL
implementation is used. How licence.bea was found while running the client?
When I tried to build my own client, I got a message that I license file is
needed. Or is it needed only if the client library webservices+ssl.jar is
used?
The most important question: What trusted CA is used by client and how
client finds it? No certificates are in the SSLClient directory and no
property settings telling where to find it. It is a puzzle for me why it
works here and why my own client does not work when the CA is supplied.
Thank you,
Michael J.
Hi Michael,
I've asked our security folks to help answer your questions. The
weblogic.webservice.client.ssl.trustedcertfile file (located on the client
application computer) contains the certificates of CA (certificate authority).
The CAs are trusted to issue WebLogic Server certificates. The file can also
contain certificates that you trust directly. The file contains a collection of
PEM-encoded certificates. See:
http://e-docs.bea.com/wls/docs70/webserv/security.html#1056434
There shouldn't be any WSDL changes/tags required.
HTHs,
Bruce
-
Need help. I have my pilot lync 2013 pool up (in coexistence with 2010 production environment) and can log into Lync 2013 environment with a lync 2010 client but am not able to with a lync 2013 client. It just prompts for password but will not take it. I'm seeing this on my front end server multiple times:
A fatal error occurred while creating an SSL client credential. The internal error state is 10011.
Came across this http://www.logicspot.net/index.php?id=50 and tried disabling TLS 1.2, which I did and verified but yet the issue still exists.
All my certs are good coming from internal CA. My signin logs show below but keep in mind, this works just fine if using a 2010 lync client to my lync 2013 servers. Issue only occurs when trying to connect using a lync 2013 client.
1 Login: FAIL (hr = 0x1)
this request needs authentication, trying webticket from: https://domain.com/WebTicket/WebTicketService.svc
1.1 Get-NewWebTicket: FAIL (hr = 0x1)
CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x069B64A0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:[email protected]:specific:LAD:1
1.1.1 ExecuteWithMetadataInternal: FAIL (hr = 0x3d0000)
Executing wws method with windows auth auth, asyncContext=0A4FC348,
context: WebRequest context@ :173931816
MethodType:4
ExecutionComplete? :1
Callback@ :0A5A1864
AsyncHResult:80f10041
TargetUri:https://domain.com/WebTicket/WebTicketService.svc
OperationName:http://tempuri.org/:IWebTicketService
Error:
There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
The requested resource requires user authentication.
1.1.2 ExecuteWithWindowsOrNoAuthInternal: PASS
1.1.3 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
Executing wws method with windows auth auth, asyncContext=0A4FC348,
context: WebRequest context@ :173931816
MethodType:4
ExecutionComplete? :1
Callback@ :0A5A1864
AsyncHResult:80f10041
TargetUri:https://domain.com/WebTicket/WebTicketService.svc
OperationName:http://tempuri.org/:IWebTicketService
Error:
There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
The requested resource requires user authentication.
1.1.4 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
Discovery task(0A4FF830) sent to URL http://domain.com completed with hr=0x80f10045
1.1.5 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
Executing wws method with windows auth auth, asyncContext=0A4FC348,
context: WebRequest context@ :173931816
MethodType:4
ExecutionComplete? :1
Callback@ :0A5A1864
AsyncHResult:80f10041
TargetUri:https://domain.com/WebTicket/WebTicketService.svc
OperationName:http://tempuri.org/:IWebTicketService
Error:
There was an error communicating with the endpoint at 'https://domain.com/WebTicket/WebTicketService.svc'.
The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
The requested resource requires user authentication.
1.1.6 ExecuteWithWindowsOrNoAuthInternal: FAIL (hr = 0x3d0000)
CLogonCredentialManager::QueryForSpecificCreds() Credential user 0x069B64A0 id=15 querying for specific credentials, credSuccess=2, targetName=Microsoft_OC1:[email protected]:specific:LAD:1
Rich
Hi,
Please check the server role and Web Services for Internet Information Services (IIS) are set correctly.
For the detailed IIS configuration, please check:
http://technet.microsoft.com/en-us/library/gg412871.aspx
The Lync 2013 client performs autodiscover of the Lync registration server by querying first the
lyncdiscoverinternal.<sipdomain> Host (A) record and then the
lyncdiscover.<sipdomain> Host (A) record. If neither of these records is resolvable then the legacy DNS SRV and A record fall-back process is used. So make sure you have added the two A records in the DNS server.
More details:
http://blog.schertz.name/2012/12/lync-2013-client-autodiscover/
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Best Regards,
Eason Huang
TechNet Community Support
Error 403.7 - Forbidden: SSL client certificate is required
Hi people!
I'm developing a Java client to a web service (developed in .NET). The communication protocol is HTTPS to the URL where the web service is located (something like https://10.200.140.117/dirNotes/serviceName.asmx). I've been reading many posts but I couldn't find the solution to the problem, which has the following message: "Error 403.7 - Forbidden: SSL client certificate is required".
I'm using JDK 1.5 and developing and testing on the Windows platform. I'm able to access the URL specified above directly from the browser; I installed the client certificate (the same one that I've put into the .jks keystore). I've also imported the whole certificate chain of the server into cacerts.
I'll paste the code and the console trace below. I'd be very grateful if you can help me. Thanks a lot.
_THE CODE_
package principal;

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.net.URL;
import java.net.UnknownHostException;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;
import entidade.Certificado;

public class SSLClient {
    private static final int PORT_NUMBER = 443;
    private static final String HTTPS_ADDRESS = "10.200.140.117";
    private static String strCabecalhoMsg = "";
    private static String strDadosMsg = "";

    public static void main(String[] args) throws Exception {
        // JSSE system properties. These drive the *default* SSLSocketFactory
        // (the second "setting up default SSLSocketFactory" handshake in the
        // trace), not the explicit SSLContext built further down.
        System.setProperty("javax.net.ssl.keyStore", Certificado.getStrNomeArquivoJKSServidor());
        System.setProperty("javax.net.ssl.keyStorePassword", "senha");
        System.setProperty("javax.net.ssl.trustStore", "Certificados/cacerts");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.setProperty("javax.net.ssl.keyStoreType", "JKS");
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        System.setProperty("javax.net.debug", "ssl,handshake,record");

        // Client key material: the private key + certificate presented for client auth
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(new FileInputStream(Certificado.getStrNomeArquivoJKSServidor()),
                Certificado.getArranjoCharSenhaCertificadoServidor());
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, Certificado.getArranjoCharSenhaCertificadoServidor());

        // Trust material: the server's CA chain
        KeyStore ksT = KeyStore.getInstance(KeyStore.getDefaultType());
        ksT.load(new FileInputStream("C:/Arquivos de programas/Java/jre1.5.0_05/lib/security/cacerts"),
                "changeit".toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ksT);

        // On Sun JSSE 1.5 an "SSLv3" context also enables TLSv1 (the trace shows a TLSv1 ClientHello)
        SSLContext sc = SSLContext.getInstance("SSLv3");
        sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new java.security.SecureRandom());
        SSLSocketFactory factory = sc.getSocketFactory();

        try {
            // method to load the values of the strings strCabecalhoMsg and strDadosMsg
            carregarXMLCabecalhoDados();

            // Probe handshake only; this socket never carries HTTP (first handshake in the trace)
            SSLSocket socket = (SSLSocket) factory.createSocket(HTTPS_ADDRESS, PORT_NUMBER);
            socket.startHandshake();
            String[] arr = socket.getEnabledProtocols();
            socket.close();

            // Note: this is the directory, not the .asmx endpoint quoted in the question
            URL url = new URL("https://10.200.140.117/dirNotes");
            HttpsURLConnection.setDefaultSSLSocketFactory(factory);
            HttpsURLConnection urlc = (HttpsURLConnection) url.openConnection();
            urlc.setDoInput(true);
            urlc.setUseCaches(false);

            // Axis opens its own socket through the default JSSE socket factory
            // (configured by the system properties above), not through urlc
            Object[] params = { strCabecalhoMsg, strDadosMsg };
            Service service = new Service();
            Call call = (Call) service.createCall();
            call.setTargetEndpointAddress(url);
            call.setOperationName("serviceName");
            String ret = (String) call.invoke(params);
            System.out.println("Result: " + ret);
        } catch (UnknownHostException uhe) {
            uhe.printStackTrace();
            System.err.println(uhe);
        } catch (Exception uhe) {
            uhe.printStackTrace();
            System.err.println(uhe);
        }
    }

    private static void carregarXMLCabecalhoDados() {
        try {
            BufferedReader input = new BufferedReader(new FileReader("notas/cabecalho.xml"));
            String str;
            while ((str = input.readLine()) != null) {
                strCabecalhoMsg += str;
            }
            System.out.println("Cabeça: " + strCabecalhoMsg);
            input = new BufferedReader(new FileReader("notas/nota.xml"));
            while ((str = input.readLine()) != null) {
                strDadosMsg += str;
            }
            System.out.println("Nota: " + strDadosMsg);
            input.close();
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
_THE TRACE_
adding as trusted cert:
Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Algorithm: RSA; Serial number: 0x1
Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
*others trusted certs*
trigger seeding of SecureRandom
done seeding SecureRandom
export control - checking the cipher suites
export control - no cached value available...
export control - storing legal entry into cache...
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1198158630 bytes = { 48, 135, 53, 24, 112, 72, 104, 220, 27, 114, 37, 42, 25, 77, 224, 32, 12, 58, 90, 217, 232, 3, 104, 251, 93, 82, 40, 91 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 3953
*** ServerHello, TLSv1
RandomCookie: GMT: 1198158523 bytes = { 56, 166, 181, 215, 86, 245, 8, 55, 214, 108, 128, 50, 8, 11, 0, 209, 38, 62, 187, 185, 240, 231, 56, 161, 212, 111, 194, 79 }
Session ID: {222, 2, 0, 0, 147, 179, 182, 212, 18, 34, 199, 100, 168, 167, 48, 116, 140, 186, 151, 153, 226, 168, 163, 174, 24, 83, 208, 73, 179, 57, 86, 137}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
Version: V3
*many chains and related data*
Found trusted certificate:
Version: V3
Subject:
*many trusted certificates and related data*
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 117, 112, 233, 166, 240, 9, 226, 67, 53, 111, 194, 84, 124, 103, 197, 28, 17, 36, 32, 48, 145, 166, 161, 61, 30, 63, 153, 214, 137, 113, 222, 204, 138, 77, 212, 75, 65, 192, 159, 215, 69, 156, 47, 188, 179, 219 }
main, WRITE: TLSv1 Handshake, length = 134
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 75 70 E9 A6 F0 09 E2 43 35 6F C2 54 7C 67 ..up.....C5o.T.g
0010: C5 1C 11 24 20 30 91 A6 A1 3D 1E 3F 99 D6 89 71 ...$ 0...=.?...q
0020: DE CC 8A 4D D4 4B 41 C0 9F D7 45 9C 2F BC B3 DB ...M.KA...E./...
CONNECTION KEYGEN:
Client Nonce:
0000: 47 6A 73 26 30 87 35 18 70 48 68 DC 1B 72 25 2A Gjs&0.5.pHh..r%*
0010: 19 4D E0 20 0C 3A 5A D9 E8 03 68 FB 5D 52 28 5B .M. .:Z...h.]R([
Server Nonce:
0000: 47 6A 73 BB 38 A6 B5 D7 56 F5 08 37 D6 6C 80 32 Gjs.8...V..7.l.2
0010: 08 0B 00 D1 26 3E BB B9 F0 E7 38 A1 D4 6F C2 4F ....&>....8..o.O
Master Secret:
0000: 0B 3A 71 F8 BB 79 5E 07 78 C2 5F 13 4F 92 9D 87 .:q..y^.x._.O...
0010: CF 69 0D 07 78 D2 59 46 1E C3 C1 5B A2 DB 04 B9 .i..x.YF...[....
0020: 42 60 92 48 59 8E FD FD C3 5B BD 00 9C 54 7A 7E B`.HY....[...Tz.
Client MAC write Secret:
0000: 33 7C 19 C4 75 D2 CE 82 39 98 37 E5 7D 20 CB B1 3...u...9.7.. ..
Server MAC write Secret:
0000: 1E 1E 48 C7 D4 77 23 E4 22 26 8B 98 2E 92 5C 95 ..H..w#."&....\.
Client write key:
0000: EE 05 39 76 B2 85 63 6C F7 70 30 CB 6D 08 07 54 ..9v..cl.p0.m..T
Server write key:
0000: 5C 2E 3B 5E DC D9 EC C5 04 C4 D5 B5 12 11 B9 08 \.;^............
... no IV for cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 143, 115, 243, 131, 242, 244, 12, 44, 191, 172, 205, 122 }
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data: { 231, 215, 37, 250, 177, 121, 111, 192, 11, 41, 1, 165 }
%% Cached client session: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
setting up default SSLSocketFactory
use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is : Certificados/certificadoSondaMonitor.jks
keyStore type is : JKS
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: Certificados\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Issuer: [email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
Algorithm: RSA; Serial number: 0x1
Valid from Fri Jun 25 21:19:54 BRT 1999 until Tue Jun 25 21:19:54 BRT 2019
adding as trusted cert:
* many certificates*
init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
export control - checking the cipher suites
export control - found legal entry in cache...
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1198158632 bytes = { 93, 1, 41, 236, 165, 146, 251, 117, 129, 195, 129, 72, 245, 181, 43, 48, 80, 251, 244, 198, 223, 85, 82, 101, 20, 159, 17, 26 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 3953
*** ServerHello, TLSv1
RandomCookie: GMT: 1198158525 bytes = { 109, 114, 234, 1, 130, 97, 251, 9, 61, 105, 56, 246, 239, 222, 97, 143, 22, 254, 65, 213, 10, 204, 153, 67, 237, 133, 223, 48 }
Session ID: {23, 30, 0, 0, 26, 129, 168, 21, 252, 107, 124, 183, 171, 228, 138, 227, 94, 17, 195, 213, 216, 233, 205, 2, 117, 16, 21, 65, 123, 119, 171, 109}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
%% Created: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
many chains again
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 116, 247, 155, 227, 25, 25, 231, 129, 199, 76, 134, 222, 98, 69, 149, 224, 75, 6, 60, 121, 115, 216, 244, 246, 102, 92, 188, 64, 113, 56, 190, 43, 32, 51, 90, 254, 141, 184, 71, 48, 41, 29, 173, 180, 46, 116 }
main, WRITE: TLSv1 Handshake, length = 134
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 74 F7 9B E3 19 19 E7 81 C7 4C 86 DE 62 45 ..t........L..bE
0010: 95 E0 4B 06 3C 79 73 D8 F4 F6 66 5C BC 40 71 38 ..K.<ys...f\.@q8
0020: BE 2B 20 33 5A FE 8D B8 47 30 29 1D AD B4 2E 74 .+ 3Z...G0)....t
CONNECTION KEYGEN:
Client Nonce:
0000: 47 6A 73 28 5D 01 29 EC A5 92 FB 75 81 C3 81 48 Gjs(].)....u...H
0010: F5 B5 2B 30 50 FB F4 C6 DF 55 52 65 14 9F 11 1A ..+0P....URe....
Server Nonce:
0000: 47 6A 73 BD 6D 72 EA 01 82 61 FB 09 3D 69 38 F6 Gjs.mr...a..=i8.
0010: EF DE 61 8F 16 FE 41 D5 0A CC 99 43 ED 85 DF 30 ..a...A....C...0
Master Secret:
0000: FC C9 75 A4 2B F1 8A D8 AD 16 27 70 B7 E4 64 6C ..u.+.....'p..dl
0010: 05 D7 33 4A 53 91 2F 51 1E 32 D3 3B 2E 18 2E BC ..3JS./Q.2.;....
0020: E4 16 EE 2F 01 A1 08 48 19 09 32 68 CE 69 8F B1 .../...H..2h.i..
Client MAC write Secret:
0000: F1 95 3B CE 06 5B 8A 9B EC DE 1C 8F B4 AB D9 36 ..;..[.........6
Server MAC write Secret:
0000: BF 52 36 48 63 24 FE 74 22 BE 00 99 BE F0 6E E5 .R6Hc$.t".....n.
Client write key:
0000: 9F 08 0A 6E 8F 54 A3 66 1C BC C7 6B AE 88 67 E0 ...n.T.f...k..g.
Server write key:
0000: 06 A1 0B 4F 69 DE 5F AF 0E 6B B5 04 ED E8 EA F5 ...Oi._..k......
... no IV for cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 148, 93, 105, 42, 110, 212, 55, 2, 150, 191, 13, 111 }
main, WRITE: TLSv1 Handshake, length = 32
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 32
*** Finished
verify_data: { 171, 150, 45, 10, 99, 35, 67, 174, 35, 52, 23, 192 }
%% Cached client session: [Session-2, SSL_RSA_WITH_RC4_128_MD5]
main, setSoTimeout(600000) called
main, WRITE: TLSv1 Application Data, length = 282
main, WRITE: TLSv1 Application Data, length = 8208
main, WRITE: TLSv1 Application Data, length = 1102
main, READ: TLSv1 Application Data, length = 1830
main, received EOFException: ignored
main, called closeInternal(false)
main, SEND TLSv1 ALERT: warning, description = close_notify
main, WRITE: TLSv1 Alert, length = 18
main, called close()
main, called closeInternal(true)
AxisFault
faultCode: {http://xml.apache.org/axis/}HTTP
faultSubcode:
faultString: (404)Not Found
faultActor:
faultNode:
faultDetail:
{}:return code: 404
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>
</TD></TR></TABLE></BODY></HTML>
{http://xml.apache.org/axis/}HttpErrorCode:404
(404)Not Found
at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:2443)
at org.apache.axis.client.Call.invoke(Call.java:2366)
at org.apache.axis.client.Call.invoke(Call.java:1812)
at principal.SSLClient.main(SSLClient.java:86)
(404)Not Found
I'm having the same problem with the same URL. I tried many configurations and nothing works. My code is:
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class NFeClient {
    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    public static void main(final String[] args) throws Exception {
        final String path = "https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx";
        final String keyStoreProvider = "BC";
        final String keyStoreType = "PKCS12";
        final String keyStore = "/home/mendes/certificados/cert.p12";
        final String keyStorePassword = "xxxx";

        // These properties only affect the default SSLSocketFactory; the
        // connection below uses the explicit SSLContext instead
        System.setProperty("javax.net.ssl.keyStoreProvider", keyStoreProvider);
        System.setProperty("javax.net.ssl.keyStoreType", keyStoreType);
        System.setProperty("javax.net.ssl.keyStore", keyStore);
        System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
        System.setProperty("javax.net.ssl.trustStore", "/home/mendes/workspace/NFE/jssecacerts");

        final SSLContext context = SSLContext.getInstance("TLS");
        final KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        // Load the PKCS#12 through the BC provider named above
        final KeyStore ks = KeyStore.getInstance(keyStoreType, keyStoreProvider);
        ks.load(new FileInputStream(keyStore), keyStorePassword.toCharArray());
        kmf.init(ks, keyStorePassword.toCharArray());
        // null trust managers: the default trust store (javax.net.ssl.trustStore above) is used
        context.init(kmf.getKeyManagers(), null, null);

        final URL url = new URL(path);
        final HttpsURLConnection httpsConnection = (HttpsURLConnection) url.openConnection();
        httpsConnection.setDoInput(true);
        httpsConnection.setRequestMethod("GET");
        // Do not override Host: IIS selects the site binding from it, and a value that
        // differs from the URL host sends the request to the wrong site
        // httpsConnection.setRequestProperty("Host", "iis-server");
        // The header is spelled User-Agent; "UserAgent" is ignored by the server
        httpsConnection.setRequestProperty("User-Agent", "Mozilla/4.0");
        httpsConnection.setSSLSocketFactory(context.getSocketFactory());
        try {
            final InputStream is = httpsConnection.getInputStream();
            final byte[] buff = new byte[1024];
            int read;
            while ((read = is.read(buff)) > 0) {
                System.out.write(buff, 0, read);
            }
            System.out.flush();
            is.close();
        } catch (final IOException ioe) {
            ioe.printStackTrace();
        }
    }
}
and the response of the server is always the same:
java.io.IOException: Server returned HTTP response code: 403 for URL: https://homologacao.nfe.sefaz.rs.gov.br/ws/nfeconsulta/nfeconsulta.asmx
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1241)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at br.com.esales.nfe.signer.client.NFeClient.main(NFeClient.java:60)
Edited by: mendes on Apr 25, 2008 9:56 AM
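A diagnostic for the two posts above, added here as an example (it is not code from either poster). IIS answers 403.7 when it requires a client certificate and the client presented none, and the SunX509 KeyManager silently presents nothing when the keystore holds only a certificate entry and no private key. The code builds the SSLContext from explicit stores, asks the KeyManager which alias it would offer, performs the request, and then reads HttpsURLConnection.getLocalCertificates(), which is null when no client certificate went over the wire. The file names, password and endpoint URL are placeholders (assumptions).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Added example: two-way SSL client that reports whether a client certificate was presented. */
public class MutualTlsCheck {

    /** Loads a JKS or PKCS12 keystore from disk. */
    static KeyStore load(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Builds an SSLContext from explicit key and trust stores, independent of javax.net.ssl.* properties. */
    static SSLContext build(KeyStore keys, char[] keyPassword, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Pre-flight check: a KeyManager can only present an alias that holds a private key.
     * A keystore containing just the certificate (trustedCertEntry) returns null here,
     * and the server then sees no client certificate at all.
     */
    static String aliasTheKeyManagerWouldUse(KeyStore keys, char[] keyPassword) throws Exception {
        Enumeration<String> aliases = keys.aliases();
        while (aliases.hasMoreElements()) {
            String a = aliases.nextElement();
            System.out.println("alias " + a + " keyEntry=" + keys.isKeyEntry(a));
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                // null issuers / null socket: which RSA alias would be chosen for any CA
                return ((X509KeyManager) km).chooseClientAlias(new String[] { "RSA" }, (Principal[]) null, null);
            }
        }
        return null;
    }

    /** Performs the request and reports what the TLS session actually negotiated. */
    static int probe(SSLContext ctx, String endpoint) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        int status = conn.getResponseCode(); // a 4xx status is returned here, not thrown
        System.out.println("HTTP " + status + " over " + conn.getCipherSuite());
        Certificate[] local = conn.getLocalCertificates(); // null: no client certificate was sent
        if (local == null) {
            System.out.println("no client certificate was presented in this handshake");
        } else {
            System.out.println("presented: " + ((X509Certificate) local[0]).getSubjectX500Principal());
        }
        conn.disconnect();
        return status;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                 // assumed password
        KeyStore keys = load("PKCS12", "client.p12", pw);     // assumed path: private key + client cert
        KeyStore trust = load("JKS", "truststore.jks", pw);   // assumed path: server CA chain
        System.out.println("key manager would present alias: " + aliasTheKeyManagerWouldUse(keys, pw));
        probe(build(keys, pw, trust), "https://example.invalid/dirNotes/serviceName.asmx"); // assumed URL
    }
}
```

One caveat when reading the result: if IIS requires the client certificate only on the .asmx directory rather than on the whole site, the CertificateRequest arrives in a renegotiation triggered after the HTTP request has been sent, not in the initial handshake shown in the trace. A JVM patched for CVE-2009-3555 refuses that renegotiation against a server without RFC 5746 support while sun.security.ssl.allowUnsafeRenegotiation is left at its default of false, which surfaces as a failed request rather than a 403.7.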
How to specify alias name in system property while making 2way SSL con ?
Hi All,
I am trying to run a Java client with 2-way SSL which uses a CAC card as the keystore for the client. I have added the following system properties in my client program to make it work and changed the java.security file to add the PKCS#11 provider.
System.setProperty("javax.net.ssl.keyStoreType", "pkcs11");
System.setProperty("javax.net.debug", "ssl");
The program works fine and the handshake is successfully done. But the problem is that when I have more than one trusted certificate in the CAC card, it takes a default certificate. I want to specify the certificate that should be used to do the client auth, maybe by specifying the alias name. I didn't find any system property to do so.
Please let me know how to specify the alias name as a system property so that the 2-way SSL uses the specified alias for the client auth, or is there any other way to specify the alias name. When I access the server URL from any browser I get a certificate selection prompt and the connection is established with the selected certificate.
Thanks in advance,
Ruhul
> I didn't find any system property to do so.
There isn't one.
> Please let me know how to specify alias name as system property
You can't.
You would have to write a custom KeyManager. See the JSSE Reference Guide.
Policy Based Routing with VPN Client configuration
Hi to all,
We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (pls don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).
The router has two WAN connections. One is the primary WAN ("slow wan" link with slower upload, 10D/1U mbps) and it is used for the corporate workstations used by the employees. The other is our backup link. It has higher upload speed, 11D/11U mbps ("fast wan"), and thus we also use the high upload link for our webserver (I have done this using PBR just for the http traffic from the webserver). For numerous other reasons we can not use the `fast wan` connection as our primary connection and it is used only as a failover in case the primary link fails.
The `fast wan` also has a static IP address and we use this static IP for the VPN Client configuration.
Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes in on the `fast wan` interface, but exits from the `slow wan` interface. And because the `slow wan` has only 1mbps upload the VPN connection is slow.
Is there any way for us to redirect the vpn traffic to always use the `fast wan` interface and to take advantage of the 11mbps upload speed of that connection?
This is our sanitized config
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group dc
key ***
dns 192.168.5.7
domain corp.local
pool SDM_POOL_1
acl 101
max-users 3
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group dc
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
interface Loopback0
ip address 10.10.10.1 255.255.255.0
interface FastEthernet0/0
description *WAN*
no ip address
ip mtu 1396
duplex auto
speed auto
interface FastEthernet0/0.3
description FAST-WAN-11D-11U
encapsulation dot1Q 3
ip address 88.XX.XX.75 255.255.255.248
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
interface FastEthernet0/0.4
description SLOW-WAN-10D-1U
encapsulation dot1Q 4
ip address dhcp
ip nat outside
ip virtual-reassembly
no cdp enable
interface FastEthernet0/1
description *LOCAL*
no ip address
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/1.10
description VLAN 10 192-168-5-0
encapsulation dot1Q 10
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly max-reassemblies 32
no cdp enable
interface FastEthernet0/1.20
description VLAN 20 10-10-0-0
encapsulation dot1Q 20
ip address 10.10.0.254 255.255.255.0
ip access-group PERMIT-MNG out
ip nat inside
ip virtual-reassembly
!!! NOTE: This route map is used to PBR the http traffic for our server
ip policy route-map REDIRECT-VIA-FAST-WAN
no cdp enable
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Virtual-Template3
no ip address
interface Virtual-Template4
no ip address
ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
ip forward-protocol nd
!!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
!!! FAST-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
ip access-list extended FAST-WAN-NAT
permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit icmp 192.168.5.0 0.0.0.255 any
permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit icmp 10.10.0.0 0.0.0.255 any
ip access-list extended REDIRECT-VIA-FAST-WAN
deny tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
ip access-list extended SLOW-WAN-NAT
permit ip 192.168.5.0 0.0.0.255 any
permit ip 10.10.0.0 0.0.0.255 any
route-map FAST-WAN-NAT-RMAP permit 10
match ip address FAST-WAN-NAT
match interface FastEthernet0/0.3
route-map REDIRECT-VIA-FAST-WAN permit 10
match ip address REDIRECT-VIA-FAST-WAN
set ip next-hop 88.XX.XX.73
route-map SLOW-WAN-NAT-RMAP permit 10
match ip address SLOW-WAN-NAT
match interface FastEthernet0/0.4
Can you try to use PBR Match track object,
Device(config)# route-map abc
Device(config-route-map)# match track 2
Device(config-route-map)# end
Device# show route-map abc
route-map abc, permit, sequence 10
Match clauses:
track-object 2
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Additional References for PBR Match Track Object
This feature is a part of IOS-XE release 3.13 and later.
PBR Match Track Object
Cisco IOS XE Release 3.13S
The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
The following commands were introduced or modified: match track tracked-obj-number
Cheers,
Sumit -
SSL client default does not exist
Hi,
I had newly installed XI system on one of our server.
When I am creating the RFC destination INTEGRATION_DIRECTORY_HMI, I am getting the following error on the logon/security tab:
"SSL client default does not exist"
and it is not even permitting me to go further!
any suggestions will be appreciated highly.
Thanks,
Ravi
Hi Ravi,
Check if your SSL provider is running.
Go to Visual Admin -> <instance> -> Server node -> Services -> SSL Provider. Start the SSL service and check the configuration.
Follow the same steps for the dispatcher node:
Go to Visual Admin -> <instance> -> Dispatcher node -> Services -> SSL Provider.
ACE functionally question - SSL tunnelling / proxy on behalf of non SSL client
Hi
Can the ACE perform SSL tunnelling of web services(HTTP) traffic. Can ACE perform SSL tunnelling/proxy on behalf of a non SSL client.
Example:
Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server
The "client" Server does not support SSL.
Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)
Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non SSL Client.
Regards
Hello Byron,
Yes, the ACE can do it
Here you have some of the flavors of SSL with the ACE.
Here you have a sample about it:
parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
set header-maxparse-length 65535
set content-maxparse-length 65535
class-map match-all CLEAR_TEXT_VIP
2 match virtual-address 172.20.120.19 tcp eq www
policy-map multi-match JORGE-MULTIMATCH
class CLEAR_TEXT_VIP
loadbalance vip inservice
loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAM
policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
class class-default
serverfarm ENCRYPTED-SERVERFARM
ssl-proxy client SSL-PROXY-JORGE
ssl-proxy service SSL-PROXY-JORGE
key TAC-key
cert TAC-cert
serverfarm host ENCRYPTED-SERVERFARM
rserver JORGE-SERVER 443
inservice
Here you have some additional details under the configuration guide:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
Here you have some additional samples:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
Hope this helps and fixes your issue.
Jorge -
Hello all,
has anyone been able to successfully configure the ACE board to initiate and terminate ssl connections as ssl client. We tried a lot, but no luck... Is there a working configuration example out there, because the documentation does not tell anything useful? Would be great to get some hints on this issue.
And what IP is the ACE using, when initiating the ssl connection to the outside? As we can not configure NAT through a VIP address, how can the ACE board recognize the right IP association?
Thanks in advance and regards,
Rene
Hi,
Thank you, I read this doc already. I tried several different ways of configuring all this. But no luck in any way. Is the vserver address the one of the external server? And do I need to configure the external server as a serverfarm? All this is not very clear from my point of view. Do you have a working example?
regards,
rene -
Error to run Configuration Wizard weblogic 12.1.2
hi
my system is windows xp by 2 gig ram
and jvm version
C:\Program Files\Java\jdk1.7.0_25\bin>java -version
java version "1.7.0_25"
Java(TM) SE Runtime Environment (build 1.7.0_25-b17)
Java HotSpot(TM) Client VM (build 23.25-b01, mixed mode, sharing)
How do I resolve this problem, and how do I find the WebLogic log file for this error?
In user environments where the path to java is not already established as a system-level environment variable, the service is unable to determine where to find java and this error will occur.
This could occur, for example, in environments where there is more than one JDK installed, or where the default JDK is different from the JDK which needs to be used by WLS.
Try to set the environment variable in windows i.e JAVA_HOME=C:\Sun\Java\jdk1.7.xx.x. to point to jdk 1.7 and run the configuration wizard.
Hope it helps!!
Thanks,
Vijaya -
Can't get WebVpn full SSL client to work
Hello,
I just got a new 1812 router and I want to try the full SSL client. I upgraded IOS to 12.4.9T1 and got the latest SDM and the latest VPN SSL package.
I followed the wizard in SDM to configure a simple WebVPN on my outside network.
I can connect to the portal with my credentials, and the SSL client installs itself. It writes warnings about certificates. But at the end I always get a message window "http return code error, contact your network admin". And in the event viewer I have some errors with STCAgent (one is "HTTP response code from the gateway is 401, unauthorized...").
I tried on 2 different PCs with XP Pro SP2.
What else to try ??
ThanksHi,
I am getting the exact same error. Below is my webvpn configuration:
webvpn gateway guest
 ip address 10.100.1.254 port 443
 http-redirect port 80
 ssl trustpoint TP-self-signed-927014488
 inservice
webvpn install svc flash:/webvpn/svc.pkg
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context guest
 title-color #669999
 secondary-color white
 text-color black
 ssl authenticate verify all
 policy group fullclient
   functions svc-required
   hide-url-bar
   svc address-pool "vpn-pool"
   svc rekey method new-tunnel
   svc dns-server primary 10.100.2.8
 default-group-policy fullclient
 aaa authentication list default
 gateway guest
 inservice
Have you solved your problem?
//F
