RMI with SSL server authentification
Hello,
It is possible to implement a RMI over SSL client /server with only server authentification ?
I'have got currently a RMI SSL client/server with mutual authentification. It includes that client must have a keystore but i don't want that.
If anybody has an idea, its welcome.
tjm
Indeed i 'm working to implement a keustorespi for the keystore and i would like
In fact I'm working to implement myself a keystorespi for the keystore and I would like that only server use it and client have no keystore.
It is possible
Similar Messages
-
RMI with SSL problem (cross post under RMI too)
Hi,
I'm having problems using RMI with SSL. I posted in the RMI forum originally but now realise the problems are with the SSL really.
Perhaps someone who follows this forum could help.
See post:
http://forum.java.sun.com/thread.jsp?forum=58&thread=409347
Thanks.There's more dukes in the other thread too.
-
SSL Server startup using RSAPrivateKey
Hi,
The CSR for SSL generated the PrivateKey ( xyz-key.der ), no locking password
was provided. I used Entrust Toolkit and converted it to an RSAPrivateKey. When
I use this file as Server Keyfile and tried starting the server, it gives an EOF
Exception. Can anybody please tell, whether WLS support RSA style PrivateKey,
or does it support only SSLeay PrivateKeys. You may also mail me at the address
provided. Thanks in advanceHi,
I tried this on WLS 5.1 instead and this is what I got. When I converted the (.der)
SSLeay into (.pem) SSLeay, it is functioning good. Problem starts with RSAPvtKey
**** SEE BELOW *****
Tue Jan 22 16:59:02 GMT+05:30 2002:<I> <WebLogicServer> Server loading from weblogic.class.path.
EJB
redeployment enabled.
java.io.EOFException
at weblogic.security.Utils.inputByte(Utils.java:126)
at weblogic.security.ASN1.ASN1Header.inputTag(ASN1Header.java:110)
at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:104)
at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:116)
at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:85)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java, Compiled
Code)
at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:869)
at java.lang.reflect.Method.invoke(Native Method)
at weblogic.Server.startServerDynamically(Server.java:140)
at weblogic.Server.main(Server.java, Compiled Code)
at weblogic.Server.main(Server.java:58)
at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
at java.lang.Thread.run(Thread.java:479)
Tue Jan 22 16:59:05 GMT+05:30 2002:<E> <SSLListenThread> Security Configuration
Problem with SSL ser
ver encryption Key (d:\nilanjan files\Weblogic51\myserver\9at271-rsa.pem), java.io.EOFException
Tue Jan 22 16:59:05 GMT+05:30 2002:<I> <Security> Not listening for SSL: java.io.IOException:
Securi
ty Configuration Problem with SSL server encryption Key (d:\nilanjan files\Weblogic51\myserver\9at27
1-rsa.pem), java.io.EOFException
Regards
Nilanjan
"Nilanjan" <[email protected]> wrote:
>
Hi Raola,
Thanks for replying. Let me tell you what I did.
1. Generated CSR.
2. Applied for certificate to my own Netscape CMS.
3. Got the signed certificate in Base64 Encoded form, and Certificate
Chain as
Base64 encoded PKCS#7 form.
4. Saved the above as 2 separate file with extension (.pem )
5. Set the filenames against the SSL initialization page using WLS console.
The
PrivateKey was the one generated by WLS (SSLeay).
6. WLC Started giving error for the ServerCertChainFile. Exception was
like "BadPadding
or something similar".
7. Changed the ServerCertChainFile to empty string, and started the Server.
This seems like a bug in WLS, though )
8. Server started properly.
Used entrust Toolkit and converted the SSLeayPrivateKey to RSAPrivateKey
in PEM
format extension (.pem).
9. Changed ServerCert to this new file, ServerCertChain still is blank.
10. Starting the server gave EOFException.
Please let me know whether a ServerCertChainFile is necessitated while
starting
WLS. If so, what are the supported formats and algorithms for both PrivateKey
as well as Certificate Chain files.
I would really appreciate your help.
Regards
Nil.
Roula Korkmaz <[email protected]> wrote:
Nilanjan Karfa wrote:
Hi,
The CSR for SSL generated the PrivateKey ( xyz-key.der ), no lockingpassword
was provided. I used Entrust Toolkit and converted it to an RSAPrivateKey.When
I use this file as Server Keyfile and tried starting the server, itgives an EOF
Exception. Can anybody please tell, whether WLS support RSA style
PrivateKey,
or does it support only SSLeay PrivateKeys. You may also mail me atthe address
provided. Thanks in advanceHi,
Verify if you have the correct ServerCertificateChainFileName.
Could you post the complete stack trace you are getting? and how you
start WLS?
Roula Korkmaz
Developer Relations Engineer
BEA Support -
How write rmi-iiop over ssl with weblogic server 6.1 - No server found
//New
Hello,
I have written an appication like this:
- An EJB server running on Weblogic server 6.1
(named: BankServerHome)
-A java client calling the BankServer.
Platform: windows 2000 - jdk1.3
Now I want to secure the communication with SSL protocol.
I have done this:
-generate a key peer with weblogic service named certificate.
-send the CSR to a CA and place the answer into the weblogic
server certificate directory.
-update path for ServerCertificateChainFileName,
ServerCertificateFileName, ServerKeyFileName into config.xml.
-launch weblogicServer
-> server certificate is recognized
-> listening port 7001 and 7002.
(-stop weblogicServer!)
At now, all is all right, errors come hereafter:
Then I follow the guideline "Programming weblogic Security" (version of 30/07/2001).
"To use RMI over IIOP over SSL with a Java client, do the following:
2. Extend the java.rmi.server.RMISocketFactory class to handle SSL socket
connections. Be sure to specify the port on which WebLogic Server listens for
SSL connections. For an example of a class that extends the
java.rmi.server.RMISocketFactory class, see Listing 4-22.
3. Run the ejbc compiler with the -d option.
4. Add your extension of the java.rmi.server.RMISocketFactory class to the
CLASSPATH of the Java client.
5. Use the following command options when starting the Java client:
-xbootclasspath/a:%CLASSPATH%
-Dorg.omg.CORBA.ORBSocketFactoryClass=implementation of java.rmi.server.RMISocketFactory
-Dssl.certs=directory location of digital certificate for Java client
-Dssl.key=directory location of private key for Java client"
At step 3. I found into documentation that -d is linked to a directory name.
When I run ejbc with this option -d I have the message:
"ERROR: You must specify an output directory or jar with the -d option to weblogic.ejbc."
% So what option can I use to run ejbc for secure usage?
At step 5. Whatever I write for -Dorg.omg.CORBA.ORBSocketFactoryClass,
this pointed class is not instanciated.
Then I can not create a socket with my client.
The folowing exception is raised:
javax.naming.CommunicationException [Root exception is java.net.ConnectException:
No server found at T3S://localhost:7002]
So, my questions are:
% Why -Dorg.omg.CORBA.ORBSocketFactoryClass must be known by the client and not
the server?
My java client part, managing connection is:
-------------------BEGIN OF CONNECTION MANAGER-------------------
Properties env = new Properties ();
// Shouldn't have to do this, but for now you must
if ( factory.equals ("weblogic.jndi.WLInitialContextFactory") ) {
env.put ("java.naming.provider.url", "t3s://localhost:7002");
InitialContext context = new InitialContext (env);
BankSessionServerHome bssh = (BankServerHome) context.lookup("BankServerHome");
BankServer = bssh.create();
-------------------END OF CONNECTION MANAGER-------------------
I have also try
env.put ("java.naming.provider.url", "corbaloc:iiop://localhost:7002");
but it throws the following error
javax.naming.InvalidNameException: url does not conatin !!!
% What is the code for the java client allowing connection with the ejb?
% And better, can I have a sample example for rmi-iiop over ssl?
(...wlserver6.1\samples\examples\iiop\ejb\stateless\rmiclient\client.java do not
speak ssl!)
Any help will be appreciate from you...
Best Regards.
Oliver"oliver" <[email protected]> writes:
The SSL support is poorly doc'd right now. We have fixed this and
updated the way you do things in SP2. Please either wait for SP2 or
contact support.
andy
I have written an appication like this:
- An EJB server running on Weblogic server 6.1
(named: BankServerHome)
-A java client calling the BankServer.
Platform: windows 2000 - jdk1.3
Now I want to secure the communication with SSL protocol.
I have done this:
-generate a key peer with weblogic service named certificate.
-send the CSR to a CA and place the answer into the weblogic
server certificate directory.
-update path for ServerCertificateChainFileName,
ServerCertificateFileName, ServerKeyFileName into config.xml.
-launch weblogicServer
-> server certificate is recognized
-> listening port 7001 and 7002.
(-stop weblogicServer!)
At now, all is all right, errors come hereafter:
Then I follow the guideline "Programming weblogic Security" (version of 30/07/2001).
"To use RMI over IIOP over SSL with a Java client, do the following:
2. Extend the java.rmi.server.RMISocketFactory class to handle SSL socket
connections. Be sure to specify the port on which WebLogic Server listens for
SSL connections. For an example of a class that extends the
java.rmi.server.RMISocketFactory class, see Listing 4-22.
3. Run the ejbc compiler with the -d option.
4. Add your extension of the java.rmi.server.RMISocketFactory class to the
CLASSPATH of the Java client.
5. Use the following command options when starting the Java client:
-xbootclasspath/a:%CLASSPATH%
-Dorg.omg.CORBA.ORBSocketFactoryClass=implementation of java.rmi.server.RMISocketFactory
-Dssl.certs=directory location of digital certificate for Java client
-Dssl.key=directory location of private key for Java client"
At step 3. I found into documentation that -d is linked to a directory name.
When I run ejbc with this option -d I have the message:
"ERROR: You must specify an output directory or jar with the -d option to weblogic.ejbc."
% So what option can I use to run ejbc for secure usage?
At step 5. Whatever I write for -Dorg.omg.CORBA.ORBSocketFactoryClass,
this pointed class is not instanciated.
Then I can not create a socket with my client.
The folowing exception is raised:
javax.naming.CommunicationException [Root exception is java.net.ConnectException:
No server found at T3S://localhost:7002]
So, my questions are:
% Why -Dorg.omg.CORBA.ORBSocketFactoryClass must be known by the client and not
the server?
My java client part, managing connection is:
-------------------BEGIN OF CONNECTION MANAGER-------------------
Properties env = new Properties ();
// Shouldn't have to do this, but for now you must
if ( factory.equals ("weblogic.jndi.WLInitialContextFactory") ) {
env.put ("java.naming.provider.url", "t3s://localhost:7002");
InitialContext context = new InitialContext (env);
BankSessionServerHome bssh = (BankServerHome) context.lookup("BankServerHome");
BankServer = bssh.create();
-------------------END OF CONNECTION MANAGER-------------------
I have also try
env.put ("java.naming.provider.url", "corbaloc:iiop://localhost:7002");
but it throws the following error
javax.naming.InvalidNameException: url does not conatin !!!
% What is the code for the java client allowing connection with the ejb?
% And better, can I have a sample example for rmi-iiop over ssl?
(...wlserver6.1\samples\examples\iiop\ejb\stateless\rmiclient\client.java do not
speak ssl!)
Any help will be appreciate from you...
Best Regards.
Oliver -
How write rmi-iiop over ssl with weblogic server 6.1?
Hello,
I have written an appication like this:
- An EJB server running on Weblogic server 6.1
(named: BankServerHome)
-A java client calling the BankServer.
Platform: windows 2000 - jdk1.4
Now I want to secure the communication with SSL protocol.
I have done this:
-generate a key peer with weblogic service named certificate.
-send the CSR to a CA and place the answer into the weblogic
server certificate directory.
-update path for ServerCertificateChainFileName,
ServerCertificateFileName, ServerKeyFileName into config.xml.
-launch weblogicServer
-> server certificate is recognized
-> listening port 7001 and 7002.
(-stop weblogicServer!)
At now, all is all right, errors come hereafter:
Then I follow the guideline "Programming weblogic Security" (version of 30/07/2001).
"To use RMI over IIOP over SSL with a Java client, do the following:
2. Extend the java.rmi.server.RMISocketFactory class to handle SSL socket
connections. Be sure to specify the port on which WebLogic Server listens for
SSL connections. For an example of a class that extends the
java.rmi.server.RMISocketFactory class, see Listing 4-22.
3. Run the ejbc compiler with the -d option.
4. Add your extension of the java.rmi.server.RMISocketFactory class to the
CLASSPATH of the Java client.
5. Use the following command options when starting the Java client:
-xbootclasspath/a:%CLASSPATH%
-Dorg.omg.CORBA.ORBSocketFactoryClass=implementation of java.rmi.server.RMISocketFactory
-Dssl.certs=directory location of digital certificate for Java client
-Dssl.key=directory location of private key for Java client"
At step 3. I found into documentation that -d is linked to a directory name.
When I run ejbc with this option -d I have the message:
"ERROR: You must specify an output directory or jar with the -d option to weblogic.ejbc."
% So what option can I use to run ejbc for secure usage?
At step 5. Whatever I write for -Dorg.omg.CORBA.ORBSocketFactoryClass,
this pointed class is not instanciated.
Then I can not create a socket with my client.
The folowing exception is raised:
javax.naming.CommunicationException [Root exception is java.net.ConnectException:
No server found at T3S://localhost:7002]
So, my questions are:
% Why -Dorg.omg.CORBA.ORBSocketFactoryClass must be known by the client and not
the server?
My java client part, managing connection is:
-------------------BEGIN OF CONNECTION MANAGER-------------------
Properties env = new Properties ();
// Shouldn't have to do this, but for now you must
if ( factory.equals ("weblogic.jndi.WLInitialContextFactory") ) {
env.put ("java.naming.provider.url", "t3s://localhost:7002");
} else {
env.put ("java.naming.provider.url", "rmi://localhost:7002");
InitialContext context = new InitialContext (env);
BankSessionServerHome bssh = (BankServerHome) context.lookup("BankServerHome");
BankServer = bssh.create();
-------------------END OF CONNECTION MANAGER-------------------
% What is the code for the java client allowing connection with the ejb?
% And better, can I have a sample example for rmi-iiop over ssl?
(...wlserver6.1\samples\examples\iiop\ejb\stateless\rmiclient\client.java do not
speak ssl!)
Any help will be appreciate from you...
Best Regards.
Oliver"oliver" <[email protected]> writes:
First off 1.4 isn't supported as yet. That is probably part of the problem.
You also must use a corba URL from the client in order for this to work for instance:
If you are using WLInitialContextFactory:
corbaloc:iiop:localhost:7001/NameService
If you are using CNCtxFactory:
iiop://localhost:7001
Using rmi: is the wrong thing to do - that will use jrmp or t3.
However, I suggest that you raise a call with support since there is
some other trickiness with getting SSL working. We hope to have this
much improved in SP2.
andy
Hello,
I have written an appication like this:
- An EJB server running on Weblogic server 6.1
(named: BankServerHome)
-A java client calling the BankServer.
Platform: windows 2000 - jdk1.4
Now I want to secure the communication with SSL protocol.
I have done this:
-generate a key peer with weblogic service named certificate.
-send the CSR to a CA and place the answer into the weblogic
server certificate directory.
-update path for ServerCertificateChainFileName,
ServerCertificateFileName, ServerKeyFileName into config.xml.
-launch weblogicServer
-> server certificate is recognized
-> listening port 7001 and 7002.
(-stop weblogicServer!)
At now, all is all right, errors come hereafter:
Then I follow the guideline "Programming weblogic Security" (version of 30/07/2001).
"To use RMI over IIOP over SSL with a Java client, do the following:
2. Extend the java.rmi.server.RMISocketFactory class to handle SSL socket
connections. Be sure to specify the port on which WebLogic Server listens for
SSL connections. For an example of a class that extends the
java.rmi.server.RMISocketFactory class, see Listing 4-22.
3. Run the ejbc compiler with the -d option.
4. Add your extension of the java.rmi.server.RMISocketFactory class to the
CLASSPATH of the Java client.
5. Use the following command options when starting the Java client:
-xbootclasspath/a:%CLASSPATH%
-Dorg.omg.CORBA.ORBSocketFactoryClass=implementation of java.rmi.server.RMISocketFactory
-Dssl.certs=directory location of digital certificate for Java client
-Dssl.key=directory location of private key for Java client"
At step 3. I found into documentation that -d is linked to a directory name.
When I run ejbc with this option -d I have the message:
"ERROR: You must specify an output directory or jar with the -d option to weblogic.ejbc."
% So what option can I use to run ejbc for secure usage?
At step 5. Whatever I write for -Dorg.omg.CORBA.ORBSocketFactoryClass,
this pointed class is not instanciated.
Then I can not create a socket with my client.
The folowing exception is raised:
javax.naming.CommunicationException [Root exception is java.net.ConnectException:
No server found at T3S://localhost:7002]
So, my questions are:
% Why -Dorg.omg.CORBA.ORBSocketFactoryClass must be known by the client and not
the server?
My java client part, managing connection is:
-------------------BEGIN OF CONNECTION MANAGER-------------------
Properties env = new Properties ();
// Shouldn't have to do this, but for now you must
if ( factory.equals ("weblogic.jndi.WLInitialContextFactory") ) {
env.put ("java.naming.provider.url", "t3s://localhost:7002");
} else {
env.put ("java.naming.provider.url", "rmi://localhost:7002");
InitialContext context = new InitialContext (env);
BankSessionServerHome bssh = (BankServerHome) context.lookup("BankServerHome");
BankServer = bssh.create();
-------------------END OF CONNECTION MANAGER-------------------
% What is the code for the java client allowing connection with the ejb?
% And better, can I have a sample example for rmi-iiop over ssl?
(...wlserver6.1\samples\examples\iiop\ejb\stateless\rmiclient\client.java do not
speak ssl!)
Any help will be appreciate from you...
Best Regards.
Oliver -
How to configure OC4J using RMI/IIOP with SSL
Any help?
I just mange configure the OC4J using RMI/IIOP but base on
But when I follow further to use RMI/IIOP with SSL I face the problem with: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
p/s: I use self generate keystore which should be ok as I can use it for https connection.
Any one can help?
Below is the OC4J log:
D:\oc4j\j2ee\home>java -Djavax.net.debug=all -DGenerateIIOP=true -Diiop.runtime.debug=true -jar oc4j.jar
05/02/23 16:43:16 ================ IIOPServerExtensionProvider.preInitApplicationServer
05/02/23 16:43:38 ================= IIOPServerExtensionProvider.postInitApplicationServer
05/02/23 16:43:38 ================== config = {SEPS={IIOP={ssl-port=5556, port=5555, ssl=true, trusted-clients=*, ssl-client-server-auth-port=5557, keystore=D:\\oc4j\\j2ee\\home\\server.keystore, keystore-password=123456, truststore=D:\\oc4j\\j2ee\\home\\server.keystore, truststore-password=123456, ClassName=com.oracle.iiop.server.IIOPServerExtensionProvider, host=localhost}}}
05/02/23 16:43:38 ================== server.getAttributes() = {threadPool=com.evermind.server.ApplicationServerThreadPool@968fda}
05/02/23 16:43:38 ================== pool: null
05/02/23 16:43:38 ====================== In startServer ...
05/02/23 16:43:38 ==================== Creating an IIOPServer ...
05/02/23 16:43:38 ========= IIOP server being initialized
05/02/23 16:43:38 SSL port: 5556
05/02/23 16:43:38 SSL port 2: 5557
05/02/23 16:43:43 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): getEndpoint(IIOP_CLEAR_TEXT, 5555, null)
05/02/23 16:43:43 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): createListener( socketType = IIOP_CLEAR_TEXT port = 5555 )
05/02/23 16:43:44 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): getEndpoint(SSL, 5556, null)
05/02/23 16:43:44 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): createListener( socketType = SSL port = 5556 )
05/02/23 16:43:45 ***
05/02/23 16:43:45 found key for : mykey
05/02/23 16:43:45 chain [0] = [
Version: V1
Subject: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: SunJSSE RSA public key:
public exponent:
010001
modulus:
b1239fff 2ae5d31d b01a0cfb 1186bae0 bbc7ac41 94f24464 e92a7e33 6a5b0844
109e30fb d24ad770 99b3ff86 bd96c705 56bf2e7a b3bb9d03 40fdcc0a c9bea9a1
c21395a4 37d8b2ce ff00eb64 e22a6dd6 97578f92 29627229 462ebfee 061c99a4
1c69b3a0 aea6a95b 7ed3fd89 f829f17e a9362efe ccf8034a 0910989a a8573305
Validity: [From: Wed Feb 23 15:57:28 SGT 2005,
To: Tue May 24 15:57:28 SGT 2005]
Issuer: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
SerialNumber: [ 421c3768]
Algorithm: [MD5withRSA]
Signature:
0000: 34 F4 FA D4 6F 23 7B 84 30 42 F3 5C 4B 5E 18 17 4...o#..0B.\K^..
0010: 73 69 73 A6 BF 9A 5D C0 67 8D C3 56 DF A9 4A AC sis...].g..V..J.
0020: 88 AF 24 28 C9 39 16 22 29 81 01 93 86 AA 1A 5D ..$(.9.")......]
0030: 07 89 26 22 91 F0 8F DE E1 4A CF 17 9A 02 51 7D ..&".....J....Q.
0040: 92 D3 6D 9B EF 5E C1 C6 66 F9 11 D4 EB 13 8F 17 ..m..^..f.......
0050: E7 66 58 9F 6C B0 60 7C 39 B4 E0 B7 04 A7 7F A6 .fX.l.`.9.......
0060: 4D A5 89 E7 F4 8A DC 59 B4 E7 A5 D4 0A 35 9A F1 M......Y.....5..
0070: A2 CD 3A 04 D6 8F 16 B1 9E 6F 34 40 E8 C0 47 03 ..:[email protected].
05/02/23 16:43:45 ***
05/02/23 16:43:45 adding as trusted cert:
05/02/23 16:43:45 Subject: CN=Client, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
05/02/23 16:43:45 Issuer: CN=Client, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
05/02/23 16:43:45 Algorithm: RSA; Serial number: 0x421c3779
05/02/23 16:43:45 Valid from Wed Feb 23 15:57:45 SGT 2005 until Tue May 24 15:57:45 SGT 2005
05/02/23 16:43:45 adding as trusted cert:
05/02/23 16:43:45 Subject: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
05/02/23 16:43:45 Issuer: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
05/02/23 16:43:45 Algorithm: RSA; Serial number: 0x421c3768
05/02/23 16:43:45 Valid from Wed Feb 23 15:57:28 SGT 2005 until Tue May 24 15:57:28 SGT 2005
05/02/23 16:43:45 trigger seeding of SecureRandom
05/02/23 16:43:45 done seeding SecureRandom
05/02/23 16:43:45 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): getEndpoint(SSL_MUTUALAUTH, 5557, null)
05/02/23 16:43:45 com.sun.corba.ee.internal.iiop.GIOPImpl(Thread[Orion Launcher,5,main]): createListener( socketType = SSL_MUTUALAUTH port = 5557 )
05/02/23 16:43:45 matching alias: mykey
matching alias: mykey
05/02/23 16:43:46 ORB created ..com.oracle.iiop.server.OC4JORB@65b738
05/02/23 16:43:47 com.sun.corba.ee.internal.corba.ClientDelegate(Thread[Orion Launcher,5,main]): invoke(ClientRequest) called
05/02/23 16:43:47 com.oracle.iiop.server.OC4JORB(Thread[Orion Launcher,5,main]): process: dispatching to scid 2
05/02/23 16:43:47 com.oracle.iiop.server.OC4JORB(Thread[Orion Launcher,5,main]): dispatching to sc [email protected]7
05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ClientDelegate(Thread[Orion Launcher,5,main]): invoke(ClientRequest) called
05/02/23 16:43:48 com.oracle.iiop.server.OC4JORB(Thread[Orion Launcher,5,main]): process: dispatching to scid 2
05/02/23 16:43:48 com.oracle.iiop.server.OC4JORB(Thread[Orion Launcher,5,main]): dispatching to sc com.sun.corba.ee.internal.corba.ServerDelegate@9300cc
05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Entering dispatch method
05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Consuming service contexts, GIOP version: 1.2
05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Has code set context? false
05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Dispatching to servant
05/02/23 16:43:48 com.sun.corba.ee.internal.corba.ServerDelegate(Thread[Orion Launcher,5,main]): Handling invoke handler type servant
05/02/23 16:43:48 NS service created and started ..org.omg.CosNaming._NamingContextExtStub:IOR:000000000000002b49444c3a6f6d672e6f72672f436f734e616d696e672f4e616d696e67436f6e746578744578743a312e30000000000001000000000000007c000102000000000c31302e312e3231342e31310015b3000000000031afabcb0000000020d309e06a0000000100000000000000010000000c4e616d65536572766963650000000004000000000a0000000000000100000001000000200000000000010001000000020501000100010020000101090000000100010100
05/02/23 16:43:48 NS ior = ..IOR:000000000000002b49444c3a6f6d672e6f72672f436f734e616d696e672f4e616d696e67436f6e746578744578743a312e30000000000001000000000000007c000102000000000c31302e312e3231342e31310015b3000000000031afabcb0000000020d309e06a0000000100000000000000010000000c4e616d65536572766963650000000004000000000a0000000000000100000001000000200000000000010001000000020501000100010020000101090000000100010100
05/02/23 16:43:48 Oracle Application Server Containers for J2EE 10g (9.0.4.0.0) initialized
05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ConnectionTable(Thread[JavaIDL Listener,5,main]): Server getConnection(119e583[Unknown 0x0:0x0: Socket[addr=/127.0.0.1,port=1281,localport=5556]], SSL)
05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ConnectionTable(Thread[JavaIDL Listener,5,main]): host = 127.0.0.1 port = 1281
05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ConnectionTable(Thread[JavaIDL Listener,5,main]): Created connection Connection[type=SSL remote_host=127.0.0.1 remote_port=1281 state=ESTABLISHED]
com.sun.corba.ee.internal.iiop.MessageMediator(Thread[JavaIDL Reader for 127.0.0.1:1281,5,main]): Creating message from stream
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, SEND TLSv1 ALERT: fatal, description = unexpected_message
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, WRITE: TLSv1 Alert, length = 2
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called closeSocket()
05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ReaderThread(Thread[JavaIDL Reader for 127.0.0.1:1281,5,main]): IOException in createInputStream: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
05/02/23 16:45:14 javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.d(DashoA12275)
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA12275)
05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.messages.MessageBase.readFully(MessageBase.java:520)
05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.messages.MessageBase.createFromStream(MessageBase.java:58)
05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.MessageMediator.processRequest(MessageMediator.java:110)
05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.IIOPConnection.processInput(IIOPConnection.java:339)
05/02/23 16:45:14 at com.sun.corba.ee.internal.iiop.ReaderThread.run(ReaderThread.java:63)
05/02/23 16:45:14 Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.InputRecord.b(DashoA12275)
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA12275)
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA12275)
05/02/23 16:45:14 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA12275)
05/02/23 16:45:14 ... 6 more
05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.IIOPConnection(Thread[JavaIDL Reader for 127.0.0.1:1281,5,main]): purge_calls: starting: code = 1398079696 die = true
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called close()
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called closeInternal(true)
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called close()
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called closeInternal(true)
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called close()
05/02/23 16:45:14 JavaIDL Reader for 127.0.0.1:1281, called closeInternal(true)
05/02/23 16:45:14 com.sun.corba.ee.internal.iiop.ConnectionTable(Thread[JavaIDL Reader for 127.0.0.1:1281,5,main]): DeleteConn called: host = 127.0.0.1 port = 1281Good point, I do belive what you are referring to is this:
Any client, whether running inside a server or not, has EJB security properties. Table 15-2 lists the EJB client security properties controlled by the ejb_sec.properties file. By default, OC4J searches for this file in the current directory when running as a client, or in ORACLE_HOME/j2ee/home/config when running in the server. You can specify the location of this file explicitly with the system property setting -Dejb_sec_properties_location=pathname.
Table 15-2 EJB Client Security Properties
Property Meaning
# oc4j.iiop.keyStoreLoc
The path and name of the keystore. An absolute path is recommended.
# oc4j.iiop.keyStorePass
The password for the keystore.
# oc4j.iiop.trustStoreLoc
The path name and name of the truststore. An absolute path is recommended.
# oc4j.iiop.trustStorePass
The password for the truststore.
# oc4j.iiop.enable.clientauth
Whether the client supports client-side authentication. If this property is set to true, you must specify a keystore location and password.
# oc4j.iiop.ciphersuites
Which cipher suites are to be enabled. The valid cipher suites are:
TLS_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_MD5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_RC4_40_MD5
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
nameservice.useSSL
Whether to use SSL when making the initial connection to the server.
client.sendpassword
Whether to send user name and password in clear form (unencrypted) in the service context when not using SSL. If this property is set to true, the user name and password are sent only to servers listed in the trustedServer list.
oc4j.iiop.trustedServers
A list of servers that can be trusted to receive passwords sent in clear form. This has no effect if client.sendpassword is set to false. The list is comma-delimited. Each entry in the list can be an IP address, a host name, a host name pattern (for example, *.example.com), or * (where "*" alone means that all servers are trusted. -
How do I bind to directory server with SSL and authentication?
I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a seperate matter.)
Here are the problems:
1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
2) I was never prompted to authenticate for the directory binding.
So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
Thank you.You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
Cheers,
Vikas -
Weblogic app server wsdl web service call with SSL Validation error = 16
Weblogic app server wsdl web service call with SSL Validation error = 16
I need to make wsdl web service call in my weblogic app server. The web service is provided by a 3rd party vendor. I keep getting error
Cannot complete the certificate chain: No trusted cert found
Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure
Validation error = 16
From the SSL debug log, I can see 3 verisign hierarchy certs are correctly loaded (see 3 lines in the log message starting with “adding as trusted cert”). But somehow after first handshake, I got error “Cannot complete the certificate chain: No trusted cert found”.
Here is how I load trustStore and keyStore in my java program:
System.setProperty("javax.net.ssl.trustStore",”cacerts”);
System.setProperty("javax.net.ssl.trustStorePassword", trustKeyPasswd);
System.setProperty("javax.net.ssl.trustStoreType","JKS");
System.setProperty("javax.net.ssl.keyStoreType","JKS");
System.setProperty("javax.net.ssl.keyStore", keyStoreName);
System.setProperty("javax.net.ssl.keyStorePassword",clientCertPwd); System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump","true");
Here is how I create cacerts using verisign hierarchy certs (in this order)
1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignClass3G5PCA3Root.txt -alias "Verisign Class3 G5P CA3 Root"
1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediatePrimary.txt -alias "Verisign C3 G5 Intermediate Primary"
1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediateSecondary.txt -alias "Verisign C3 G5 Intermediate Secondary"
Because my program is a weblogic app server, when I start the program, I have java command line options set as:
-Dweblogic.security.SSL.trustedCAKeyStore=SSLTrust.jks
-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.SSL.enforceConstraints=strong
That SSLTrust.jks is the trust certificate from our web server which sits on a different box. In our config.xml file, we also refer to the SSLTrust.jks file when we bring up the weblogic app server.
In addition, we have working logic to use some other wsdl web services from the same vendor on the same SOAP server. In the working web service call flows, we use clientgen to create client stub, and use SSLContext and WLSSLAdapter to load trustStore and keyStore, and then bind the SSLContext and WLSSLAdapter objects to the webSerive client object and make the webservie call. For the new wsdl file, I am told to use wsimport to create client stub. In the client code created, I don’t see any way that I can bind SSLContext and WLSSLAdapter objects to the client object, so I have to load certs by settting system pramaters. Here I attached the the wsdl file.
I have read many articles. It seems as long as I can install the verisign certs correctly to web logic server, I should have fixed the problem. Now the questions are:
1. Do I create “cacerts” the correct order with right keeltool options?
2. Since command line option “-Dweblogic.security.SSL.trustedCAKeyStore” is used for web server jks certificate, will that cause any problem for me?
3. Is it possible to use wsimport to generate client stub that I can bind SSLContext and WLSSLAdapter objects to it?
4. Do I need to put the “cacerts” to some specific weblogic directory?
---------------------------------wsdl file
<wsdl:definitions name="TokenServices" targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:tns="http://tempuri.org/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
<wsp:Policy wsu:Id="TokenServices_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="true"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:TransportBinding>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsdl:types>
<xsd:schema targetNamespace="http://tempuri.org/Imports">
<xsd:import schemaLocation="xsd0.xsd" namespace="http://tempuri.org/"/>
<xsd:import schemaLocation="xsd1.xsd" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
</xsd:schema>
</wsdl:types>
<wsdl:message name="ITokenServices_GetUserToken_InputMessage">
<wsdl:part name="parameters" element="tns:GetUserToken"/>
</wsdl:message>
<wsdl:message name="ITokenServices_GetUserToken_OutputMessage">
<wsdl:part name="parameters" element="tns:GetUserTokenResponse"/>
</wsdl:message>
<wsdl:message name="ITokenServices_GetSSOUserToken_InputMessage">
<wsdl:part name="parameters" element="tns:GetSSOUserToken"/>
</wsdl:message>
<wsdl:message name="ITokenServices_GetSSOUserToken_OutputMessage">
<wsdl:part name="parameters" element="tns:GetSSOUserTokenResponse"/>
</wsdl:message>
<wsdl:portType name="ITokenServices">
<wsdl:operation name="GetUserToken">
<wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetUserToken" message="tns:ITokenServices_GetUserToken_InputMessage"/>
<wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetUserTokenResponse" message="tns:ITokenServices_GetUserToken_OutputMessage"/>
</wsdl:operation>
<wsdl:operation name="GetSSOUserToken">
<wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserToken" message="tns:ITokenServices_GetSSOUserToken_InputMessage"/>
<wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserTokenResponse" message="tns:ITokenServices_GetSSOUserToken_OutputMessage"/>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="TokenServices" type="tns:ITokenServices">
<wsp:PolicyReference URI="#TokenServices_policy"/>
<soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="GetUserToken">
<soap12:operation soapAction="http://tempuri.org/ITokenServices/GetUserToken" style="document"/>
<wsdl:input>
<soap12:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap12:body use="literal"/>
</wsdl:output>
</wsdl:operation>
<wsdl:operation name="GetSSOUserToken">
<soap12:operation soapAction="http://tempuri.org/ITokenServices/GetSSOUserToken" style="document"/>
<wsdl:input>
<soap12:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap12:body use="literal"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="TokenServices">
<wsdl:port name="TokenServices" binding="tns:TokenServices">
<soap12:address location="https://ws-eq.demo.i-deal.com/PhxEquity/TokenServices.svc"/>
<wsa10:EndpointReference>
<wsa10:Address>https://ws-eq.demo.xxx.com/PhxEquity/TokenServices.svc</wsa10:Address>
</wsa10:EndpointReference>
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
----------------------------------application log
adding as trusted cert:
Subject: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x641be820ce020813f32d4d2d95d67e67
Valid from Sun Feb 07 19:00:00 EST 2010 until Fri Feb 07 18:59:59 EST 2020
adding as trusted cert:
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x3c9131cb1ff6d01b0e9ab8d044bf12be
Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028
adding as trusted cert:
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x250ce8e030612e9f2b89f7054d7cf8fd
Valid from Tue Nov 07 19:00:00 EST 2006 until Sun Nov 07 18:59:59 EST 2021
<Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm DESede/CBC/NoPadding>
<Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm DESede>
<Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 28395435>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 SSL3/TLS MAC>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 received HANDSHAKE>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
Not Valid Before:Tue Dec 18 19:00:00 EST 2012
Not Valid After:Wed Jan 07 18:59:59 EST 2015
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Not Valid Before:Sun Feb 07 19:00:00 EST 2010
Not Valid After:Fri Feb 07 18:59:59 EST 2020
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
Not Valid Before:Tue Dec 18 19:00:00 EST 2012
Not Valid After:Wed Jan 07 18:59:59 EST 2015
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Not Valid Before:Sun Feb 07 19:00:00 EST 2010
Not Valid After:Fri Feb 07 18:59:59 EST 2020
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
<Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure.>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
at javax.xml.ws.Service.<init>(Service.java:56)
at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 22803607>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 14640403>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <23376797 SSL3/TLS MAC>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <23376797 received HANDSHAKE>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
Not Valid Before:Tue Dec 18 19:00:00 EST 2012
Not Valid After:Wed Jan 07 18:59:59 EST 2015
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Not Valid Before:Sun Feb 07 19:00:00 EST 2010
Not Valid After:Fri Feb 07 18:59:59 EST 2020
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
Not Valid Before:Tue Dec 18 19:00:00 EST 2012
Not Valid After:Wed Jan 07 18:59:59 EST 2015
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
Not Valid Before:Sun Feb 07 19:00:00 EST 2010
Not Valid After:Fri Feb 07 18:59:59 EST 2020
Signature Algorithm:SHA1withRSA
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
<Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - 12.29.210.156 was not trusted causing SSL handshake failure.>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
at javax.xml.ws.Service.<init>(Service.java:56)
at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
<Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 16189141>I received a workaround by an internal message.
The how to guide is :
-Download the wsdl file (with bindings, not the one from ESR)
-Correct it in order that the schema corresponds to the answer (remove minOccurs or other things like this)
-Deploy the wsdl file on you a server (java web project for exemple). you can deploy on your local
-Create a new logicial destination that point to the wsdl file modified
-Change the metadata destination in your web dynpro project for the corresponding model and keep the execution desitnation as before.
Then the received data is check by the metadata logical destination but the data is retrieved from the correct server. -
Configure Sun Directory Server 6.3 with SSL in OIM 9.1.0.2
Hi,
I am using OIM 9.1.0.2. i want to Provision User to Directory Server 6.3 with SSL confiuration
Can anyone tell me the steps for configuring the Certificate import, etc..
followed SJSDS_904120 doc but there is no info for DSEE 6.3 in it.
Regards,
Praveen
Edited by: Praveen on Feb 16, 2012 9:08 PMWell not sure about the exact clicks you need to do but the basic steps are that you export certificates from DS and then import it into the jdk which has OIM running. Look at the doc for SJDS6.3 about setting and exporting certs.
-Bikash -
URL problems with SQL Server Reporting Services 2012 with wildcard SSL certificate
Hi,
I have single server, domain member, with SQL Server 2012 SP1 Reporting Services.
I am trying to get work with url: https://reports.mydomain.com
I have valid wildcard certificate (*.mydomain.com) implemented and configured URLs in Configuration Manager.
https://reports.mydomain.com/ReportServer - works fine
https://reports.3pro.hr/Reports/ - I got error:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
In rsreportserver.config I have:
<Add Key="SecureConnectionLevel" Value="2"/>
When looking my ReportServerService_date.log file I have something like:
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server internal url https://localhost:443/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server external url https://serverhostname:443/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using url root https://reports.mydomain.com/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server internal url https://localhost:443/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using report server external url https://serverhostname:443/ReportServer.
configmanager!DefaultDomain!3f4c!03/10/2013-20:24:34:: i INFO: Using url root https://reports.mydomain.com/ReportServer.
Also, error shown in log file:
appdomainmanager!ReportManager_0-2!4c50!03/10/2013-20:24:53:: e ERROR: Remote certificate error RemoteCertificateNameMismatch encountered for url https://localhost/ReportServer/ReportService2010.asmx.
ui!ReportManager_0-2!4c50!03/10/2013-20:24:54:: e ERROR: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException:
The remote certificate is invalid according to the validation procedure.
Btw, is there a way to delete/disable access using https://localhost and/or servername (not FQDN) since SSL will not work in this way for me, and I want access only by full url - https://reports.mydomain.com , not localhost ..
-- Hrvoje KusuljaI spent one of my 4 free support incidents with Microsoft (part of MSDN subscription) this year to get this investigated. The tech support person helped me through several issues but had to leave to attend some training, and I got past the last hurdle
before she called me back. Here are the steps that resolved this issue for me. I know for sure that step 5 was necessary. Step 1 may not apply to you, and steps 2-4 may or may not have been necessary (they didn't immediately fix the issue,
but I didn't roll them back either so they may have been necessary.)
Step 1:
Ensure you are editing the correct rsreportserver.config file. I had been making changes to a file that was installed in C:\Program Files\Common Files\microsoft shared\Web Server Extensions\14\WebServices\Reporting, but that was a rsreportserver.config
file for some sharepoint integration that I'm not using. The correct path on my system was E:\MSRS11.MSSQLSERVER\Reporting Services\ReportServer\rsreportserver.config, but yours may vary. If you can't figure it out, look in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft
SQL Server\MSRS11.MSSQLSERVER\Setup in the key named SQLPath, and then go to the ReportServer subdirectory of that path.
Step 2:
In rsreportserver.config, ensure that SecureConnectionLevel is set to the value 3. Was set to 0 in my configuration. Corrected line in your rsreportserver.confiog file should look like:
<Add Key="SecureConnectionLevel" Value="3"/>
Step 3:
In rsreportserver.config, add the correct value to the <URLRoot> element (which already exists in the file.) In my configuration, this value was blank. The value should be the fully qualified path to your report server, with a hostname that
is valid for your certificate. For example, if my cert matches *.mydomain.local:
<UrlRoot>
https://myserver.mydomain.local/ReportServer
</UrlRoot>
Step 4:
Ensure that your certificate exists in Trusted Root Certification Authorities in certmgr for the local machine. I had the certificate installed as a Personal certificate for the local machine, which I still think was correct (the certificate wasn't actually
the problem and worked correctly for Report Server, and the failure was caused by SSRS incorrectly making a https request to a localhost URL), but she had me remove the certificate from Personal and add it to Trusted Root Certificate Authorities. That
broke things and the cert was no longer listed as a cert I could bind to, so we then copied it so it existed in both Personal and Trusted Root Certificate Authorities. This is how I left it, not sure if that was necessary.
Step 5:
This was the fix that finally got things to work. In rsreportserver.config, add the same value to the <ReportServerUrl> element (which also already exists in the file) that you added in step 3. In my configuration, this value was also blank.
The corrected value should be the same as in step 3, for example:
<ReportServerUrl>
https://myserver.mydomain.local/ReportServer
</ReportServerUrl>
Then restart your report server (stop & then start in Report Server Configuration Manager), and the problem should go away. At least it did for me.
Good luck! -
JAX-WS client - WebLogic - SSL with proxy server
Good night!
I'm having trouble communicating with webservices using certificate authentication (weblogic.wsee.jaxws.sslclient.PersistentSSLInfo) through and going through a proxy server (weblogic.wsee.jaxws.proxy.ClientProxyFeature) .
If communication with the webservice is done directly (no proxy server) everything happens perfectly, but to set the proxy server I get the exception "BAD_CERTIFICATE." it is as if the certificate was not attached in the request.
The webservice client was generated by JDeveloper.
Has anyone experienced this problem?
Sorry for my bad english
Exception
javax.xml.ws.WebServiceException: javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
at com.sun.xml.ws.transport.http.client.HttpClientTransport.readResponseCodeAndMessage(HttpClientTransport.java:218)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:204)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:124)
at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:121)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
at com.sun.xml.ws.client.Stub.process(Stub.java:272)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
at $Proxy30.cleCadastroLote(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
at $Proxy31.cleCadastroLote(Unknown Source)
at br.com.tbl.ws.CleCadastroPortClient.main(CleCadastroPortClient.java:51)
Webservice client with proxy server (error)
import weblogic.wsee.jaxws.sslclient.PersistentSSLInfo;
import javax.xml.ws.BindingProvider;
import weblogic.wsee.jaxws.JAXWSProperties;
import weblogic.wsee.jaxws.proxy.ClientProxyFeature;
import weblogic.wsee.jaxws.sslclient.SSLClientUtil;
public class CleCadastroPortClient
public static void main(String [] args)
try{
CleCadastro_Service cleCadastro_Service = new CleCadastro_Service();
CleCadastro cleCadastro = cleCadastro_Service.getCleCadastroPort();
String clientKeyStore = "C:\\certificados.jks";
String clientKeyStorePasswd = "xxxxx";
String clientKeyAlias = "xxxxx";
String clientKeyPass = "xxxxx";
String trustKeystore = "C:\\keystore_completo.jks";
String trustKeystorePasswd = "xxxxx";
PersistentSSLInfo sslInfo = new PersistentSSLInfo();
sslInfo.setKeystore(clientKeyStore);
sslInfo.setKeystorePassword(clientKeyStorePasswd);
sslInfo.setKeyAlias(clientKeyAlias);
sslInfo.setKeyPassword(clientKeyPass);
sslInfo.setTrustKeystore(trustKeystore);
sslInfo.setTrustKeystorePassword(trustKeystorePasswd);
ClientProxyFeature clientProxy = new ClientProxyFeature();
clientProxy.setProxyHost("proxy.com");
clientProxy.setProxyPort(Integer.parseInt("3128") );
clientProxy.setProxyUserName("user");
clientProxy.setProxyPassword("pass");
clientProxy.attachsPort(cleCadastro);
((BindingProvider) cleCadastro).getRequestContext().put(JAXWSProperties.CLIENT_PERSISTENT_SSL_INFO, sslInfo);
((BindingProvider) cleCadastro).getRequestContext().put(JAXWSProperties.SSL_SOCKET_FACTORY, SSLClientUtil.getSSLSocketFactory(sslInfo));
((BindingProvider) cleCadastro).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "https:/xxxx/ws");
String retorno = cleCadastro.cleCadastroLote("xml", "xml");
}catch(Exception ex){
ex.printStackTrace();
Webservice client without proxy server (OK)
import weblogic.wsee.jaxws.sslclient.PersistentSSLInfo;
import javax.xml.ws.BindingProvider;
import weblogic.wsee.jaxws.JAXWSProperties;
import weblogic.wsee.jaxws.proxy.ClientProxyFeature;
import weblogic.wsee.jaxws.sslclient.SSLClientUtil;
public class CleCadastroPortClient
public static void main(String [] args)
try{
CleCadastro_Service cleCadastro_Service = new CleCadastro_Service();
CleCadastro cleCadastro = cleCadastro_Service.getCleCadastroPort();
String clientKeyStore = "C:\\certificados.jks";
String clientKeyStorePasswd = "xxxxx";
String clientKeyAlias = "xxxxx";
String clientKeyPass = "xxxxx";
String trustKeystore = "C:\\keystore_completo.jks";
String trustKeystorePasswd = "xxxxx";
PersistentSSLInfo sslInfo = new PersistentSSLInfo();
sslInfo.setKeystore(clientKeyStore);
sslInfo.setKeystorePassword(clientKeyStorePasswd);
sslInfo.setKeyAlias(clientKeyAlias);
sslInfo.setKeyPassword(clientKeyPass);
sslInfo.setTrustKeystore(trustKeystore);
sslInfo.setTrustKeystorePassword(trustKeystorePasswd);
((BindingProvider) cleCadastro).getRequestContext().put(JAXWSProperties.CLIENT_PERSISTENT_SSL_INFO, sslInfo);
((BindingProvider) cleCadastro).getRequestContext().put(JAXWSProperties.SSL_SOCKET_FACTORY, SSLClientUtil.getSSLSocketFactory(sslInfo));
((BindingProvider) cleCadastro).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "https:/xxxx/ws");
String retorno = cleCadastro.cleCadastroLote("xml", "xml");
}catch(Exception ex){
ex.printStackTrace();
}Hi,
I tried to use the option "-DUseSunHttpHandler=true" and enabled "JSSE SSL", but it did not work, now showing the exception "General SSLEngine problem".
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <javax.xml.ws.WebServiceException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.transport.http.client.HttpClientTransport.readResponseCodeAndMessage(HttpClientTransport.java:218)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:204)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:124)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:121)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at $Proxy308.cleCadastroLote(Unknown Source)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)>
<05/09/2012 15h36min55s GMT-03:00> <Notice> <StdErr> <BEA-000000> <at com.sun.xml.ws.client.Stub.process(Stub.java:272)> -
HOWTO: Setting up Server-Side Authentication with SSL
This howto covers the configuration of server-side SSL authentication for both Net8 and IIOP (JServer) connections. It documents the steps required to set up an SSL encrypted connection; it does not cover certificate authentication.
It is worthwhile noting that although the setup of SSL requires the installation of certificates, these certificates do not have to be current, only valid. For some reason, in order to enable SSL connections, it is necessary to set up valid certificate file on the server whether you intend to use certificate authentication or not.
NOTE: I have been unable to determine whether or not the above statement is entirely correct. If anyone can confirm or disprove it, please let me know.
The steps described below must all be carried out from the same logon account. They have been tested on both 816 and 817 databases, but will probably work for all versions, including 9i (unless there have been some drastic changes in 9i that I'm not aware of).
1. Log on to the database server with an administrative login.
Configure the database and listener to run under the current login account (Control Panel -> Services). It is not necessary to restart these services at this time.
2. Create an Oracle wallet and set up the required certificates
(i) Open the Oracle Wallet Manager:
Start -> Programs -> [Oracle Home] -> Network Administration -> Wallet Manager
(ii) Create a new wallet (Wallet -> New).
(iii) When prompted, elect to generate a certificate request.
(iv) On the request form, the only field that matters is the Common Name. Enter the fully qualified domain name (FQDN) of the database server (i.e. the name with which the database server will be referenced by clients).
(v) Export the certificate request to file (Operations -> Export Certificate Request).
(vi) Obtain a valid server certificate from an authorised signing authority. It will also be necessary to download the signing authoritys publicly available trusted root certificate. Certificates can be obtained from Verisign (http://www.verisign.com/)
(vii) Install the trusted root certificate obtained in (vi) into the wallet (Operations -> Import Trusted Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
(viii) Install the server certificate obtained in (vi) into the wallet (Operations -> Import User Certificate). Either paste the contents of the certificate file, or browse to the file on the file system.
(ix) Save the wallet (Wallet -> Save). The wallet will be saved to the [user home]\Oracle\Wallets directory.
3. Configure the listener for SSL.
(i) Open the Oracle Net8 Assistant:
Start -> Programs -> [Oracle Home] -> Network Administration -> Net8 Assistant
(ii) Select Net8 Configuration -> Local -> Profile.
(iii) From the drop-down list at right, select Oracle Advanced Security. Select the SSL tab.
(iv) Select the Server radio button.
(v) In the wallet directory field, enter the location of the wallet created in step 2, e.g. C:\WINNT\Profiles\oracleuser\ORACLE\WALLET
(vi) Uncheck the Require Client Authentication checkbox.
(vii) Select Net8 Configuration -> Listeners -> [listener name].
(viii) Add a new address:
Protocol: TCP/IP with SSL
Host: [database server FQDN] (e.g. oraserver)
Port: 2484
(ix) Add a second new address:
Protocol: TCP/IP with SSL
Host: [database server FQDN] (e.g. oraserver)
Port: 2482
Check the Dedicate this endpoint to IIOP connections checkbox.
(x) Save the Net8 configuration (File p Save Network Configuration).
(xi) Restart the listener service.
4. Configure the database to accept SSL connections.
(i) Open the database inti.ora file (\admin\[SID]\pfile\init.ora or equivalent).
(ii) At the bottom of the file, uncomment the line that reads
mts_dispatchers = "(PROTOCOL=TCPS)(PRE=oracle.aurora.server.SGiopServer)"
(iii) Save the file and restart the database service.
5. Test the SSL confi guration using the Net8 Assistant.
(i) Open the Oracle Net8 Assistant.
(ii) Select Net8 Configuration -> Local -> Service Naming.
(iii) Add a new net service (Edit p Create).
Net service name: [SID].auth (e.g. iasdb.auth)
Protocol: TCP/IP with SSL
Host: [database server] (e.g. oraserver)
Port: 2484
Service Name/SID: [SID] (e.g. iasdb.orion.internal)
Note: at the end of the net service configuration, click Finish, not Test. The test can hang if run from the wizard.
(iv) Test the connection (Command -> Test Service). If the only error to appear is username/password denied, the test has succeeded.
nullDear Alex,
Thank you for reaching the Small Business Support Community.
I would first suggest you to uncheck the "Perfect Forward Secrecy" setting on the RVS4000 and if see if there is some similar setting enabled, then disable it, on the other side. If still the same thing happens, then go to RVS4000, VPN Advanced settings, and disable the "Aggressive Mode" so it becomes "Main mode" and use the same on the other end of the tunnel.
Just in case and as a VPN configuration guide, below is a document called "IPSec VPN setup" if it helps somehow;
http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=587
Besides my suggestions I would advise you to contact your ISP to make sure there is no IPSec traffic restrictions and/or if there is something in particular they require to make this happen and please do not hesitate to reach me back if there is any further assistance I may help you with.
Kind regards,
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so other will know when an answer has been found. -
Starting Server with SSL Enabled
I want to start iplanet directory server 5.1 with SSL Enabled, but It always ask me PIN Token.
I write slapd-test-pin.txt file as following :
slapd-test-pin.txt
-------begin-----------
Token:test123456
-------end ------------
I put the slapd-test-pin.txt into /usr/iplanet/server/alias
then, I restart directory server from command line.
/usr/iplanet/servers/slapd-test/stop-slapd
/usr/iplanet/servers/slapd-test/start-slapd
What's wrong ?
Thank you !!!!I have a similar problem. I actually do set the correct format of certidcate db password file but the server stll does not start but reports the following:
[26/Sep/2003:17:21:11 -0400] - Sun-ONE-Directory/5.2 B2003.143.0014 (32-bit) starting up
[26/Sep/2003:17:21:11 -0400] - ERROR<12362> - Connection - conn=-1 op=-1 msgId=-1 - PR_Bind() on address <all interfaces> port <636> failed : error -5966 (Access Denied.).
I installed the certificate correctly. It was obtained from VeriSign with a ds 5.2 generated request.
Any ideas?
Thanks in advance! -
Probelm client auth from jsse client with open ssl server
I tried to connect jsse client with a openssl server.. with clientAuth
This is what i did ..
Using openssl req comand i created a X509 certificate for server and imported the same to java keystore..
The communication works fine without client authentication.
To enable client auth i create client private/public key pair using keytool and exported the public key to a file client.public. and used it in open ssl server .
This is how i invoke the client ..
java
-Djavax.net.debug=all
-Djavax.net.ssl.trustStore=cacerts
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.private -Djavax.net.ssl.keyStorePassword=password EchoClient
After which i get following error in server
SSL3 alert write:fatal:handshake failure
SSL_accept:error in SSLv3 read client certificate B
SSL_accept:error in SSLv3 read client certificate B
ERROR
17246:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:1666:
shutting down SSL
CONNECTION CLOSED
The client debug says it is recieving a certificate request.. what could be the problem.. can anybody help...i also have that problem. I was trying to configure SSL in apache in Win XP machine, but this error occurs. Is there anyone, who can help on it?
-
WLS :: Will Vista web client work with Weblogic Server 8.1.6 over SSL?
Hello,
I have installed 51-2 bit SSL cert on weblogic 7 and found that the secure site doesn't work on Vista web client.
Weblogic gives error in handshaking and says algorithm is not supported.
Vista web client uses some algorithms which were not supported by weblogic 7.
So would like to know if would Vista web client work with Weblogic Server 8.1.6 over SSL?
Any information in this regard would be helpful.
Thanks in Advance.can you use the following debug flags in the weblogic server as java_options and paste the complete ssl handshake exception here.
-Dweblogic.StdoutDebugEnabled=true
-Dssl.debug=true
thanks,
sandeep
Maybe you are looking for
-
Help needed in writing a function.
I am using Oracle 11g and SQL plus. I am a complete newbie, so I need some help here in writing a function. I guess my question is more about writing the trigonometric functions within the function. latA, longA latB, longB // these are the four input
-
Adding Cell in a row in Smart Form
Hi All, Can anybody please tell how to add a cell in the row of a table in smart forms. Thanks
-
High concurrency optimistic locking
Hi there, We have an EJB method that roughly does the following; we have a number of buckets that may or may not be full. If one or more are not full we want it to find the one with the most space available and add the item there. Our main problem he
-
Firefox takes a far longer time than IE to access the internet.
When I attempt to access the internet using Firefox, it sometimes takes several minutes to load. Sometimes I have to make two or three attempts before I actually gain access. After that all three accesses will appear. Internet Explorer loads right aw
-
I need Help????Please????? error in rendering a progect
Hi I have designed something in after effects and what happened when i wanted to render the project I got the following note please help me in finding a olution for it and it continues to appear everytime \i render a project