Sun.security.validator.ValidatorException: No trusted certificate found
Hello,
I am using Java 1.6.0_04 (JBoss-4.2.2.GA application). My application implements a WS client which needs to integrate with an external Web Service. This communication needs to be handled through https.
I have created a jks keystore with the server certificate, and passed its details to JBoss through the System Properties:
-Djavax.net.ssl.trustStore=/Path-to-file -Djavax.net.ssl.trustStorePassword=password On my development environment I can call the Web Service correctly.
Although, on the production environment, I am getting the following exception:
javax.xml.ws.WebServiceException: java.io.IOException: Could not transmit message
at org.jboss.ws.core.jaxws.client.ClientImpl.handleRemoteException(ClientImpl.java:317)
at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:255)
at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:164)
at org.jboss.ws.core.jaxws.client.ClientProxy.invoke(ClientProxy.java:150)
at $Proxy171.send(Unknown Source)
at com.xpto.integration.SmsHelper.send(SmsHelper.java:57)
at com.xpto.services.sms.SMSSenderServiceMBean.run(SMSSenderServiceMBean.java:106)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.io.IOException: Could not transmit message
at org.jboss.ws.core.client.RemotingConnectionImpl.invoke(RemotingConnectionImpl.java:204)
at org.jboss.ws.core.client.SOAPRemotingConnection.invoke(SOAPRemotingConnection.java:77)
at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:337)
at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:243)
... 6 more
Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker.
at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:
333)
at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:135)
at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:122)
at org.jboss.remoting.Client.invoke(Client.java:1634)
at org.jboss.remoting.Client.invoke(Client.java:548)
at org.jboss.ws.core.client.RemotingConnectionImpl.invoke(RemotingConnectionImpl.java:183)
... 9 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No truste
d certificate found
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLCo
nnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:832)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:23
0)
at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:
275)
... 14 more
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:2
09)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:2
49)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
... 26 more Both systems are configured with the same JBoss, JVM, ...
The certificate details are:
Owner=
CN=*...., OU=..., O=..., L=..., ST=..., C=PT
Issuer=
CN=..., O=..., C=PT
Version=3
Serial Number=BC81A81843E26C2597CD10354588F61E
Valid From=Monday, 3 March 2008 18:50
Valid Until=Tuesday, 3 March 2009 18:50
Signature Algorithm=SHA1withRSA
Fingerprints=
MD5: 0A:A6:89:92:A4:CF:17:74:7C:4E:20:63:6B:81:AE:85
SHA1: 35:01:74:8C:35:AB:9F:02:7B:23:3F:15:5E:73:C6:4D:DD:BB:C0:7A
Key Usage= critical
List:
. digitalSignature
. keyEncipherment
. dataEncipherment
. keyAgreement
Extended Key Usage= none
On production I have also tried adding the following properties:
-Djavax.net.ssl.keyStore=/Path-to-file -Djavax.net.ssl.keyStorePassword=password But I still get the error.
Any one has any hint for this problem? Is there any property which I can define to ignore untrusted certificates?
Any help would really be welcome.
Thanks in advance.
Best regards,
Victor Batista
Hi,
Thanks for your prompt reply.
I have also tried to add all the chain of certificates on my truststore, although I get the exception:
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Mar 07 12:54:22 WET 2008
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:256)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:570)
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:123)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
... 26 moreAnd all the certificates are valid.
I really don't understand what is going on.
Can I Ignore expired certificates? Any property?
When I use -Djavax.net.ssl.trustStore pointing to my keystore, will cacerts be also used?
Do I need to import all the certificates in the chain of the server, or the top most is sufficient?
The server where I am having the problem has limited connectivity. It should have connectivity to the issuers of the certificates, in order to validate them, or not?
Thanks in advance,
Victor
Similar Messages
-
Hi,
I am getting the following exception when clientAuthentication is enabled for ssl connection.
I am using tomcat and a java client in my application.
Please let me know how do i get through this.
Thanks in advance
-Sanjeev
Below trace is from catalina.out
===========================
http-8443-Processor24, SEND TLSv1 ALERT: fatal, description = certificate_unknown
http-8443-Processor24, WRITE: TLSv1 Alert, length = 2
http-8443-Processor24, called closeSocket()
http-8443-Processor24, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL client
http-8443-Processor24, called close()
http-8443-Processor24, called closeInternal(true)
===================================
I get the below exception in my java client application.
==========================================
: 68 42 6F FD E9 35 AB E5 C7 48 31 2C 78 31 BA F0 hBo..5...H1,x1..
0020: EB 97 10 1F F9 B2 03 B7 7D CE 8A 04 73 37 07 A1 ............s7..
0030: 9D 46 5A A2 B7 99 EE 86 1D EE A1 E4 D6 64 73 9B .FZ..........ds.
0040: 6B FA D1 19 44 54 C0 47 DC F8 E1 4B 33 F6 0D 2D k...DT.G...K3..-
0050: C9 04 B7 E8 8F 67 00 99 78 67 CC BE 26 C4 73 B5 .....g..xg..&.s.
0060: 88 26 F6 08 B7 A3 89 A0 28 29 79 DD 16 B0 86 8F .&......()y.....
0070: DE AA EA D3 1F 9F 8B 5B E7 B4 51 3B C8 90 67 0D .......[..Q;..g.
0080: 68 46 F1 CC 10 D9 hF....
main, WRITE: TLSv1 Handshake, length = 134
main, WRITE: TLSv1 Change Cipher Spec, length = 1
main, handling exception: java.net.SocketException: Software caused connection abort: socket write error
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
Exception
=================================================Netscape cert type does not permit use for SSL clientTry using another certificate. Your certificate can't be used as a web browser client certificate.
-
No trusted certificate found error while running a webservice
Hi,
I created a stub to a webservice and then tried to invoke the webservice using a simple java class
in JDeveloper. While running the java client to invoke the webservice i get this below mentioned error
SOAPException: faultCode=SOAP-ENV:IOException; msg=sun.security.validator.ValidatorException: No trusted certificate found; targetException=javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
at org.apache.soap.SOAPException.<init>(SOAPException.java:78)
Kindly have a solution for what to be done on this.
Thanks,
Ramesh.R
Edited by: Ramesh_R on Jan 20, 2010 10:28 AMhave to import the certificate in the cacerts of the Jdev jre/lib/security/cacerts file
Edited by: Ramesh_R on 16-Jan-2011 02:40 -
Seeburger AS2 error: No Trusted Certificate found
Dear SAP experts,
Good day!
Need your expert advice regarding the error that I am getting in Seeburger AS2.
Here's the scenario:
SAP XI is sending messages to Trading Partner via AS2 adapter which resides in Seeburger.
I've trigerred already messages but they are getting this kind of error:
Delivery of the message to the application using connection AS2_http://seeburger.com/xi failed, due to: com.sap.aii.af.ra.ms.api.RecoverableException: Fatal exception: com.sap.aii.af.ra.cci.XIRecoverableException: SEEBURGER AS2: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found # , SEEBURGER AS2: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found # : javax.resource.ResourceException: Fatal exception: com.sap.aii.af.ra.cci.XIRecoverableException: SEEBURGER AS2: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found # , SEEBURGER.
Kindly advice if there are missing or invalid certificates on both sides?
What would be the cause of the issue?
Many Thanks!
GodoGodo,
I think you are using secure communication for your seeburger CC. Can you pls. check if you have installed(keystore) certifcate on J2EE engine and configured certificate provided by ftp client in your CC.
Also one more important thing,
Make sure that you have entry with ftp server name and correspoding ip address in hosts.inc on a system where your adapter engine resides.
Check detail error messsage at:
http://XI server : port / nwa --> Message Monitoring --> Logs and Trances and select DefaultTrace in second drop down list. You will find all events details with description. ( If you run your interface and check you will find recent activities on XI server. Hope this will give you much better picture)
Hope this will help.
Nilesh -
No trusted certificate found (91);Cannot connect to the LDAP server
HI All,
I am trying to connect to LDAP server with the following code.
JSSESocketFactory fact = null;
private LDAPConnection conn = null;
String keystore = "C:\\j2sdk1.4.2_15\\jre\\lib\\security\\cacerts";
System.setProperty("javax.net.ssl.trustStore",keystore);
fact = new JSSESocketFactory(null);
conn = new LDAPConnection(fact);
int ldapVersion = 3;//LDAPConnection.LDAP_V3; //defualt values of LDAP settings
private int ldapPort = 636;
LDAPAttributeSet ldapAtrbSet;
String ldapHost;
String loginDN;
String loginDN_Password;
And it is gicving me error :
Error: netscape.ldap.LDAPException: SSL connection to 192.168.10.8:636, sun.security.validator.ValidatorException: No trusted certificate found (91); Cannot connect to the LDAP server
netscape.ldap.LDAPException: SSL connection to 192.168.10.8:636, sun.security.validator.ValidatorException: No trusted certificate found (91); Cannot connect to the LDAP server
at netscape.ldap.factory.JSSESocketFactory.makeSocket(JSSESocketFactory.java:105)
at netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:418)
at netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:350)
at netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:244)
at netscape.ldap.LDAPConnSetupMgr.openConnection(LDAPConnSetupMgr.java:170)
at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1042)
at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:924)
at netscape.ldap.LDAPConnection.connect(LDAPConnection.java:768)
at com.reflexis.LDAP.LdapTestSSL.createConnection(LdapTestSSL.java:522)
at com.reflexis.LDAP.LdapTestSSL.checkLdap(LdapTestSSL.java:118)
at com.reflexis.LDAP.LdapTestSSL.main(LdapTestSSL.java:52)
Unable to connect to LDAP server
I have imported atr certificate also by using command:
"keytool -import -alias jag -file c:\x225.cer -keystore c:\j
2sdk1.4.2_15\jre\lib\security\cacerts"
I am running my java code from eclipse. And do i have to set any thing in eclipse for certificate. I Have imported certificate from command prompt.
Can any one please help me.It is very important for me.
Please its very urgent.
THanks,
Ankush PatniAs previously said network is a possible cause.Other things could be time on filer is too far off time on DC.AD object for filer has been deleted or change by a Windows admin.If all users are experiencing a problem, you may need to rebind it to AD - run CIFS setup at command prompt
-
How to import Root CA "No trusted certificate found" exception.
I have an application that connects https to a server and POSTs some data. That application works fine with one server but not with another. I get javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found.
Both servers have certificates signed by 2 different CAs. 1 is I think Thawte or Verisign (need confirmation with my admin) and the other I know for sure is Equifax. Of course Equifax is the least popular of the 2 and is not found in the cacerts keystore...
Now I downloaded the Equifax root certificate and installed in the default keystore by typing keytool -import -alias blabla -file c:\bla.cer and it imported correctly. I reran my app and I still got the same exception...
So I figure that the root cert for Equifax must be imported within the cacerts file in jre/lib/cacerts am I correct? Whats the default password for that keystore?
ThanksHave you tried to import the certificate in the cacerts keystore file?
This file can be found in the <jdkDirectory>/jre/lib/security/ directory. It is the default trustStore used by Java.
I remember that trusted certificate keystore location can be set using the javax.net.ssl.trustStore property. Have you set it to point to your keystore file?
You can found explanations there:
http://www.onjava.com/pub/a/onjava/2001/05/03/java_security.html#certificates
Hope this helps. -
Avca secure_agent fails with 'No trusted certificate found'
1) AV server keystore content
===================
[oracle@veelaoav001 ~]$ $ORACLE_HOME/jdk/bin/keytool -list -v -keystore /home/oracle/SSL/avkey/avkeystore
Enter keystore password: welcome1
Keystore type: jks
Keystore provider: SUN
Your keystore contains 3 entries
Alias name: avkey
Creation date: May 7, 2012
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=avserver, O=oracle, C=UK
Issuer: CN=avserver, O=oracle, C=UK
Serial number: 4fa828c2
Valid from: Mon May 07 15:55:46 EDT 2012 until: Tue May 07 15:55:46 EDT 2013
Certificate fingerprints:
MD5: D7:49:34:93:35:7F:55:FC:70:08:F3:9F:03:AA:41:A9
SHA1: 23:88:9C:F6:12:48:C1:55:79:2D:2D:71:B5:E4:66:07:A7:1E:AA:A1
Alias name: cacert
Creation date: May 7, 2012
Entry type: trustedCertEntry
Owner: CN=rootAV, O=oracle, C=UK
Issuer: CN=rootAV, O=oracle, C=UK
Serial number: 0
Valid from: Mon May 07 15:54:58 EDT 2012 until: Thu May 05 15:54:58 EDT 2022
Certificate fingerprints:
MD5: 8A:30:0B:09:27:1E:F9:0C:54:29:01:5E:5C:0F:56:F2
SHA1: 83:1C:09:24:BF:F6:FC:B4:62:AC:04:B5:9C:CC:28:E3:4C:B4:25:BF
Alias name: mykey
Creation date: May 7, 2012
Entry type: trustedCertEntry
Owner: CN=avserver, O=oracle, C=UK
Issuer: CN=rootAV, O=oracle, C=UK
Serial number: 0
Valid from: Mon May 07 15:56:18 EDT 2012 until: Tue May 07 15:56:18 EDT 2013
Certificate fingerprints:
MD5: 43:B4:B3:97:E0:88:34:7C:E9:D1:68:CC:48:32:8B:CC
SHA1: 50:7A:1C:1E:19:AB:E4:34:3A:64:82:A6:B2:B2:32:9C:F2:F9:94:45
2) AV agent keystore content
=================
[oracle@veelaora001 ~]$ $ORACLE_HOME/jdk/bin/keytool -list -v -keystore /home/oracle/SSL/agkey/agkeystore
Enter keystore password: welcome1
Keystore type: jks
Keystore provider: SUN
Your keystore contains 3 entries
Alias name: agkey
Creation date: May 7, 2012
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=avagent, O=oracle, C=UK
Issuer: CN=avagent, O=oracle, C=UK
Serial number: 4fa82925
Valid from: Mon May 07 15:57:25 EDT 2012 until: Tue May 07 15:57:25 EDT 2013
Certificate fingerprints:
MD5: C4:9C:FE:D1:D0:04:19:65:F9:C0:CE:A9:6A:5E:7F:B6
SHA1: 9A:D4:9B:15:D0:B1:10:45:FD:D1:F1:F2:75:46:A9:78:E3:2A:5C:DE
Alias name: cacert
Creation date: May 7, 2012
Entry type: trustedCertEntry
Owner: CN=rootAV, O=oracle, C=UK
Issuer: CN=rootAV, O=oracle, C=UK
Serial number: 0
Valid from: Mon May 07 15:54:58 EDT 2012 until: Thu May 05 15:54:58 EDT 2022
Certificate fingerprints:
MD5: 8A:30:0B:09:27:1E:F9:0C:54:29:01:5E:5C:0F:56:F2
SHA1: 83:1C:09:24:BF:F6:FC:B4:62:AC:04:B5:9C:CC:28:E3:4C:B4:25:BF
Alias name: mykey
Creation date: May 7, 2012
Entry type: trustedCertEntry
Owner: CN=avagent, O=oracle, C=UK
Issuer: CN=rootAV, O=oracle, C=UK
Serial number: 0
Valid from: Mon May 07 15:59:46 EDT 2012 until: Tue May 07 15:59:46 EDT 2013
Certificate fingerprints:
MD5: 10:D2:D2:44:A9:AB:89:22:C6:FC:E8:61:A1:5D:B3:A0
SHA1: 62:BF:B9:52:29:F7:89:AF:F1:70:D8:75:AB:15:D4:55:BC:AB:9F:48
3) Credentials added for XDB:
$ avca generate_csr -certdn "cn=seclin2,O=Oracle,C=UK" -out /home/oracle/SSL/XDB/certXDB.csr
Generating Certificate request...
Certificate request generated successfully.
$ orapki cert create -wallet /home/oracle/SSL/rootCA -request /home/oracle/SSL/XDB/certXDB.csr -cert /home/oracle/SSL/XDB/certXDB.pem -validity 365 -pwd "welcome1"
$ avca import_cert -cert /home/oracle/SSL/rootCA/trustedROOTcertificate.txt -trusted
Importing Certificate...
Certificate imported successfully.
$ avca import_cert -cert /home/oracle/SSL/XDB/certXDB.pem
Importing Certificate...
Certificate imported successfully.
4) avca secure_av -avkeystore $ORACLE_HOME/network/admin/avkey/avkeystore -avtruststore $ORACLE_HOME/network/admin/avkey/avkeystore
Checking for SSL Certificate...
done.
Enter Audit Vault Server keystore password:
Stopping OC4J...
OC4J stopped successfully.
Securing XDB services...
Identified XDB http(s) Port...
Stopping Listeners...
done.
Starting Listeners...
done.
done.
Starting OC4J...
OC4J started successfully.
5) avca secure_agent -agentkeystore $ORACLE_HOME/network/admin/agkey/agkeystore -avdn "CN=avserver, O=oracle, C=UK" -agentdn "CN=avagent, O=oracle, C=UK"
Enter Audit Vault Agent keystore password:
Stopping agent...
Agent stopped successfully.
Starting agent...
Agent started successfully.
avca.log on agent shows:
Executing command secure_agent, -agentkeystore, /u01/app/oracle/oracle/product/10.2.3/av_agent/network/admin/agkey/agkeystore, -avdn, CN=avserver, O=oracle, C=UK, -agentdn, CN=avagent, O=oracle, C=UK
SECURE_AGENT - get agent info
xml - /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/rmi.xml
xml URL - file:/u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/rmi.xml
Stopping agent...
Agent stopped successfully.
SERCURE_AGENT - update /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/av-agent-web-site.xml
xml - /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/av-agent-web-site.xml
xml URL - file:/u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/av-agent-web-site.xml
SECURE_AGENT - modify /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/server.xml
xml - /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/server.xml
xml URL - file:/u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/server.xml
SECURE_AGENT - use /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/applications/AVAgent/AVAgent/WEB-INF/web.xml.secure
Starting agent...
xml - /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/server.xml
xml URL - file:/u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/server.xml
xml - /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/av-agent-web-site.xml
xml URL - file:/u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/av-agent-web-site.xml
xml - /u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/http-web-site.xml
xml URL - file:/u01/app/oracle/oracle/product/10.2.3/av_agent/oc4j/j2ee/home/config/http-web-site.xml
Error while checking agent status - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate foundThis the code I used for setting up the engine:
File trustStore = new File(control.home, "d4trustore");
String trustStorePath = trustStore.getAbsolutePath();
File keyStoreFile = new File(control.home, "d4keystore.ks");
String keyStorePath = keyStoreFile.getAbsolutePath();
char[] passphrase = "password".toCharArray();
try{
KeyStore ksKeys = KeyStore.getInstance("JKS");
ksKeys.load(new FileInputStream(keyStorePath), passphrase);
KeyStore ksTrust = KeyStore.getInstance("JKS");
ksTrust.load(new FileInputStream(trustStorePath), passphrase);
javax.net.ssl.KeyManagerFactory kmf =
javax.net.ssl.KeyManagerFactory.getInstance("SunX509");
kmf.init(ksKeys, passphrase);
javax.net.ssl.TrustManagerFactory tmf =
javax.net.ssl.TrustManagerFactory.getInstance("SunX509");
tmf.init(ksTrust);
javax.net.ssl.SSLContext sslContext = javax.net.ssl.SSLContext.getInstance("TLS");
sslContext.init(
kmf.getKeyManagers(), tmf.getTrustManagers(), null);
engine = sslContext.createSSLEngine(serverAddress, port);
engine.setUseClientMode(true);
p butler -
Can write, can't read from SSLSocket. No trusted certificate found
Hello!
We have to use an ssl connection to talk to another application. The exception is generated when trying to read from the socket. Creation and writing don't generate any errors and I can't verify if the other server actually gets what I'm writing.
I used these commands to create the private key and the certificate
openssl genrsa -des3 -out priv.pem -passout pass:myPassword 1024
openssl req -x509 -new -key priv.pem -passin pass:myPassword -days 3650 -out cert.cerI have imported the cert.cer into the java/jre/lib/security/cacerts keystore. The CN value in the cert.cer is the one I got from the hostname command.
I still get the error:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate foundJust before reading from the socket I print in the log file the sockets properties:
is input shut down? false
is output shut down? false
is bound? true
is closed? false
is connected? trueAm I suppose to do somethin with the priv.pem? Where does that one go? Isn't the cert.cer enough?
I don't know what else to do and how to check anything else. Any ideas would be greatly appreciated.
Thank you very much,
Iulia S.Hi again,
I am at wits' end in here and I hate it when I move in the unstable grounds of not knowing stuff. I am still getting the error.
I managed to get the certificate from the other application, it's not self-signed it's issued by Thawte. Apparently you can also get it with FF3 from the cute little lock next to the address bar. Am I talking about the same certificate? Then I did this to import it:
./keytool -import -alias bristow -file /location/to/THEcertificate -keystore /location/to/java/jre/lib/security/cacertsAnd I did restart the server. Several times. Several several times.
Some details about the application: it's a servlet running on a websphere 6.1 server. I noticed that this error is from sun.security.validator.ValidatorException while mine is from:
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate foundI can understand they are different packages but shouldn't they implement the same standard protocol? btw there are no com.sun.* classes imported.
Am I not creating the SSLSocket right?
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket s = (SSLSocket) sslsocketfactory.createSocket("secureSite.com", portNo);The string that defines the hostname, it's just the name, no protocol or anything else, right? I just need someone to confirm it. I've already tried all the other posibilities and they don't work.
It all crashes at the readLine:
BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
String input = "";
while((input = in.readLine()) != null)I ran the php script they gave us as an example, on a different server, and it worked just fine. No certificates needed.
I've tried reading characters instead of line, just in case this error would be absurdly linked with the no-end-of-line. Same error.
I'm trying to poke the server with a stick see if I can get a response. I run this from my local machine:
import java.io.InputStreamReader;
import java.io.BufferedReader;
import java.io.PrintWriter;
import java.net.URLEncoder;
import java.util.Date;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
public class EchoClient
public static void main(String[] arstring)
try
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("hostname", 99999);
sslsocket.setEnabledCipherSuites(sslsocket.getSupportedCipherSuites());
StringBuffer data = new StringBuffer();
dataDeTrimis.append("DATA1=").append(URLEncoder.encode("DATA1","UTF-8"))
.append("&DATA2=").append(URLEncoder.encode("DATA2", "UTF-8"));
String includeHeader = "POST /script/location/script.php HTTP/1.1\r\n" + "Content-Length: " + data.length() + "\r\n" + "Content-Type: application/x-www-form-urlencoded\r\n" + "\r\n" + data;
BufferedReader in = new BufferedReader(new InputStreamReader(sslsocket.getInputStream()));
PrintWriter outs = new PrintWriter(sslsocket.getOutputStream(), true);
outs.print(includeHeader);
String input = "";
System.out.println("is input shut down: "+sslsocket.isInputShutdown()+" is output shut down? "+sslsocket.isOutputShutdown()+" is bound? "+sslsocket.isBound()+" is closed? "+sslsocket.isClosed()+" is connected? "+sslsocket.isConnected());
System.out.println("server: "+in.read());
while((input=in.readLine())!=null)
System.out.println("SERVER REPLIED : " + input + "\n");
sslsocket.close();
catch(Exception exception)
exception.printStackTrace();
}The answer is:
is input shut down: false is output shut down? false is bound? true is closed? false is connected? true
server: -1Shouldn't I get something even a little bit more significant then just NO answer? sigh
If I were to explicitly load the keystore will that get me anywhere? I am out of ideas. Anything to point somewhere would be great.
Thank you very much,
Iulia S. -
Getting "No trusted certificate found" when attempting to connect to 10g DB
Greetings,
I have an Oracle 10g DB configured to listen via TCPS. I am able to tnsping and sql+ into the DB just fine. However, when attempting to connect via SQL Developer, I get the following error:
*"Status: Failure -lo exception: sun.security.validator. ValidatorException: No trusted certificate found"*
Here is my tnsnames.ora entry:
EMCECCH01.CORPORATE.MY.COM =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCPS)(HOST = emcecch01.corporate.my.com)(PORT = 1575))
(CONNECT_DATA =
(SERVICE_NAME = rambdb)
(SECURITY = (MY_WALLET_DIRECTORY = C:\DBSafes\Cincinnati\dbSafe))
Obviously when I create my connection, I am using 'TNS'. I've also attempted to connect via the JDBC thin driver, but when testing the connection, it just sits and spins without ever returning a result. Here is the URL I'm using:
jdbc:oracle:thin:@emcecch01.corporate.my.com:1575:rambdb
I've verified that the appropriate JAR files are in place in the jlib directory.
Any advice in this matter would be greatly appreciated.
RegardsHi,
If your connection entry is unusual you could try these simple things that may cause variation/different code paths:
1/ORACLE_HOME being set /unset by for example a bat script before launching sqldeveloper [see in sqldeveloper help/about/properties/ oracle.home and jdbc.library to see what oracle is using]
(you could be using sqldeveloper or other oracle install jdbc)
2/Tools/preferences/database/Advanced Parameters/Use oci thick driver set/unset
(you could be using 'pure' jdbc thin or 'mixture of c & java' ie. thick oci driver using another Oracle Home or instant client)
3/use Connection type=advanced then you can enter a fancy description (these descriptions are simple but you could have load balancing for example):
thin is pure java
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MACHINE_NAME_OR_IP)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=dev11gr1)))
oci8 is thick/c/oci-java
jdbc:oracle:oci8:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=MACHINE_NAME_OR_IP)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=dev11gr1)))
(or get SQLDev to look up tnsnames.ora, connection type = tns might work)
Please post your findings and put in an enhancement request for particular connection feature support, documented with a test case.
-Turloch -
[help] I get error:No trusted certificates have been loaded. Server will no
client: tuxedo salt
server: weblogic
Now when I start weblogic, I got error info:
<Nov 11, 2010 3:33:13 AM EST> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias dev from the JKS keystore file /nfs/tux/huchchen/lclnx24/user_projects/SSL/server_keystore.jks.>
<Nov 11, 2010 3:34:16 AM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file /nfs/tux/huchchen/lclnx24/user_projects/SSL/server_trustore.jks.>
<Nov 11, 2010 3:34:16 AM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLContextManager: loaded 0 trusted CAs from /nfs/tux/huchchen/lclnx24/user_projects/SSL/server_trustore.jks>
<Nov 11, 2010 3:34:16 AM EST> <Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>
Why It can't load any trusted CAS? Anyone help!
Here is my configuration:
$ keytool -list -keystore server_trustore.jks -v
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: dev
Creation date: Nov 11, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=user, OU=R&D, O=BEA, L=Beijing, ST=Beijing, C=CN
Issuer: CN=root, OU=R&D, O=BEA, L=Beijing, ST=Beijing, C=CN
Serial number: cd6e80b22322f919
Valid from: Wed Nov 10 22:18:51 EST 2010 until: Sat Nov 09 22:18:51 EST 2013
Certificate fingerprints:
MD5: 40:6B:5F:93:B4:54:53:5E:FE:AB:37:9F:06:6D:66:38
SHA1: 1B:05:33:1F:83:7B:E8:E7:38:C9:AA:E7:AF:C1:D5:51:4B:EF:B8:D5
Signature algorithm name: SHA1withRSA
Version: 1
Certificate[2]:
Owner: CN=root, OU=R&D, O=BEA, L=Beijing, ST=Beijing, C=CN
Issuer: CN=root, OU=R&D, O=BEA, L=Beijing, ST=Beijing, C=CN
Serial number: d69db8f0be4975af
Valid from: Wed Nov 10 21:59:47 EST 2010 until: Sat Nov 09 21:59:47 EST 2013
Certificate fingerprints:
MD5: D4:F2:D3:1A:5D:3A:A8:F8:B8:85:A3:EA:BA:DB:58:91
SHA1: 2B:BB:B9:30:BA:53:4F:4C:BF:1A:C4:44:6D:E9:22:E3:A4:5B:0C:D9
Signature algorithm name: SHA1withRSA
Version: 1
$ keytool -list -keystore server_keystore.jks -v
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: dev
Creation date: Nov 10, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=admin, OU=R&D, O=BEA, L=Beijing, ST=Beijing, C=CN
Issuer: CN=root, OU=R&D, O=BEA, L=Beijing, ST=Beijing, C=CN
Serial number: cd6e80b22322f918
Valid from: Wed Nov 10 22:16:54 EST 2010 until: Sat Nov 09 22:16:54 EST 2013
Certificate fingerprints:
MD5: A3:A1:C2:C6:C9:44:B7:0E:27:DD:29:B1:CE:70:A5:C9
SHA1: 53:17:76:6A:B9:7E:32:F0:D4:23:62:54:3B:09:F6:79:75:21:94:36
Signature algorithm name: SHA1withRSA
Version: 1
*******************************************That because there is not trusted certificate entry, looks like ur trust store and identity keystore is the same.
Use these steps to generate identity and trust stores.
keytool -genkey -alias mykey -keyalg RSA -keysize 1024 -dname "CN=Tariq.beasys.com, OU=Customer Support, O=BEA Systems Inc, L=Denver, ST=Colorado, C=US" -keypass mykeypass -keystore identity.jks -storepass mystorepass
keytool -selfcert -v -alias mykey -keypass mykeypass -keystore identity.jks -storepass mystorepass -storetype jks
keytool -export -v -alias mykey -file rootCA.der -keystore identity.jks -storepass mystorepass
keytool -import -v -trustcacerts -alias mykey -file rootCA.der -keystore trust.jks -storepass mystorepass
Or you can follow this post
http://secure-zone.blogspot.com/2010/11/configuring-ssl-on-weblogic-server.html
-Faisal -
Weblogic Start script fails while Loading trusted certificates from jks
Hi,
I have a Weblogic Portal 10.3.2 installation on a Solaris Unix box. There is one Admin server and two Managed servers. I am trying to deploy an EJB based application on one of the Managed servers. Note that this application has been working fine in the Weblogic 9.2 environment.
When the Managed Server is started, I get the below messages in the Weblogic console log. We have an internal SSO authentication system, which is integrated with this application. When this integration is removed, we are able to login to the application without any issues. When it is turned on, the redirection from SSO to the application fails - most likely because of the below SSL related errors.
I have accessed the below link and accordingly set the property -Dweblogic.ssl.JSSEEnabled=true. But it didn't help.
http://justasg.blogspot.com/2012/04/tlsssl-certificate-errors-and-warnings.html
Please let me know if you have any suggestions.
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /data/applications/norkom/BEA103/wlserver_10.3/server/lib/DemoTrust.jks.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /opt/jdk1.6.0_32/jre/lib/security/cacerts.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Jun 4, 2012 4:51:59 PM MEST> <Error> <Server> <BEA-002606> <Unable to create a server socket for listening on channel "DefaultSecure[1]". The address 127.0.0.1 might be incorrect or another process is using port 7022: java.net.BindException: Address already in use.>
<Jun 4, 2012 4:51:59 PM MEST> <Error> <Server> <BEA-002606> <Unable to create a server socket for listening on channel "DefaultSecure". The address 10.228.12.24 might be incorrect or another process is using port 7022: java.net.BindException: Address already in use.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.228.12.24:7020 for protocols iiop, t3, ldap, snmp, http.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Server> <BEA-002613> <Channel "Default[1]" is now listening on 127.0.0.1:7020 for protocols iiop, t3, ldap, snmp, http.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <WebLogicServer> <BEA-000332> <Started WebLogic Managed Server "NCA_Server" for domain "norkom" running in Development Mode>
<Jun 4, 2012 4:52:01 PM MEST> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Jun 4, 2012 4:52:01 PM MEST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
<WSEE:27>Warning: JMS queue 'weblogic.wsee.DefaultQueue' is not found, as a result, Web Service async responses via jms transport is not supported. If the target service uses JMS transport, the responses will not be able to come back.<JmsQueueListener.connect:287>
<WSEE:27>Warning: JMS queue 'weblogic.wsee.DefaultQueue' is not found, as a result, Web Service async responses via jms transport is not supported. If the target service uses JMS transport, the responses will not be able to come back.<JmsQueueListener.connect:287>
<WSEE:27>Warning: JMS queue 'weblogic.wsee.DefaultQueue' is not found, as a result, Web Service async responses via jms transport is not supported. If the target service uses JMS transport, the responses will not be able to come back.<JmsQueueListener.connect:287>
<WSEE:27>Warning: JMS queue 'weblogic.wsee.DefaultQueue' is not found, as a result, Web Service async responses via jms transport is not supported. If the target service uses JMS transport, the responses will not be able to come back.<JmsQueueListener.connect:287>
<WSEE:27>Warning: JMS queue 'weblogic.wsee.DefaultQueue' is not found, as a result, Web Service async responses via jms transport is not supported. If the target service uses JMS transport, the responses will not be able to come back.<JmsQueueListener.connect:287>
<WSEE:27>Warning: JMS queue 'weblogic.wsee.DefaultQueue' is not found, as a result, Web Service async responses via jms transport is not supported. If the target service uses JMS transport, the responses will not be able to come back.<JmsQueueListener.connect:287>
Note: We have another Solaris Unix box, with the same installation of Weblogic with the same SSO redirection, but another EJB application is deployed. Also, there is no Managed and the application is deployed on the Admin server itself. But when the server is started, I don't see any attempts to load any certificates and also there are no issues.
So either please suggest how this certificate loading can be rectified or suggest a way to disable the certificate loading (if at all its an option).
Please let me know if you need any further details.Firstly,
938767 wrote:
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /opt/jdk1.6.0_32/jre/lib/security/cacerts.>
<Jun 4, 2012 4:51:59 PM MEST> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>I don't think that this will be your problem... Unless you are actually using some of those certificates you can ignore those messages.
But the following looks suspicious, I guess 7022 is your SSL port...
<Jun 4, 2012 4:51:59 PM MEST> <Error> <Server> <BEA-002606> <Unable to create a server socket for listening on channel "DefaultSecure[1]". The address 127.0.0.1 might be incorrect or another process is using port 7022: java.net.BindException: Address already in use.>
<Jun 4, 2012 4:51:59 PM MEST> <Error> <Server> <BEA-002606> <Unable to create a server socket for listening on channel "DefaultSecure". The address 10.228.12.24 might be incorrect or another process is using port 7022: java.net.BindException: Address already in use.>Hope that helps.
Cheers,
Vlad
Give points - it is good etiquette to reward an answerer points (5 - helpful; 10 - correct) for their post if they answer your question. If you think this answer is helpful, please consider giving points. -
No Trusted Certificate???/
Hi
I tried to implement SSL by generating keystores. When the server is started i see the info. below...
<No trusted certificates have been loaded. Server will not trust to any certificate it receives.>
Is this any concern??? Ifso what should i do to overcome this.
<Aug 4, 2004 12:04:29 AM EDT> <Notice> <Security> <BEA-090170> <Loading the private key stored under the alias serverkey from the JKS keystore file /bea_home/OBSOON/OBSOON_WLS_DM/ObsoonDomain/serverkeystore.>
<Aug 4, 2004 12:04:29 AM EDT> <Notice> <Security> <BEA-090171> <Loading the identity certificate stored under the alias serverkey from the JKS keystore file /bea_home/OBSOON/OBSOON_WLS_DM/ObsoonDomain/serverkeystore.>
<Aug 4, 2004 12:04:35 AM EDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the JKS keystore file /bea_home/OBSOON/OBSOON_WLS_DM/ObsoonDomain/serverkeystore.>
<Aug 4, 2004 12:04:35 AM EDT> <Warning> <Security> <BEA-090172> <No trusted certificates have been loaded. Server will not trust to any certificate it receives.>
<Aug 4, 2004 12:04:36 AM EDT> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "ObsoonServer" for domain "ObsoonDomain" running in Development Mode>
<Aug 4, 2004 12:04:36 AM EDT> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
<Aug 4, 2004 12:04:36 AM EDT> <Notice> <WebLogicServer> <BEA-000355> <Thread "ListenThread.Default" listening on port 7001, ip address *.*>
<Aug 4, 2004 12:04:36 AM EDT> <Notice> <WebLogicServer> <BEA-000355> <Thread "SSLListenThread.Default" listening on port 7002, ip address *.*>
thanks
JayThis should be a concern only in the following scenarios
1)If you are making a outgoing ssl call from within weblogic server (say from jsp/servlet/webapp)
OR
2)if you are using 2 way ssl
If youw ant to get rid of this mesaage just configure a keystore with trusted certificates (example: something like jdks cacerts ) It seems to me that the keytsore file
serverkeystore may not have any trusted root certificates in it -
Trusted Certificates do not load in WL 10.3.2
In Weblogic 10.3.1, when I started WL, it will load the trusted certificates automatically as below
<Loading trusted certificates from the jks keystore file C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks.>
<Loading trusted certificates from the jks keystore file C:\Oracle\MIDDLE~1\JDK160~1\jre\lib\security\cacerts.>
But in WL 10.3.2, it does not. I looked at the setDomainEnv.cmd and they are totally different for 10.3.1 and 10.3.2. I try to find where I can make it so it will load these trusted certificates automatically in 10.3.2 but no success so far.
I checked the Admin server also and all the settings are identity for both versions. All the files are there too.
Do you have any ideas?
ThanksIn my example server for 10.3.2 it prints out as the server loads:
<Feb 17, 2010 1:00:29 PM CST> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file D:\Oracle\wls11g\WLSERV~1.3\server\lib\DemoIdentity.jks.>
<Feb 17, 2010 1:00:29 PM CST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file D:\Oracle\wls11g\WLSERV~1.3\server\lib\DemoTrust.jks.>
<Feb 17, 2010 1:00:29 PM CST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file D:\Oracle\wls11g\JROCKI~1.5-3\jre\lib\security\cacerts.>
In your console look at the Server -> Configuration -> Keystores tab. In my case, the drop-down for keystore is "Demo Identity and Demo Trust" -
Cannot complete the certificate chain: No trusted cert found
Hi:
I am currently working on a application that makes a web service call to a third party service provider. I am using weblogic 10 application server and session bean makes a call to the gateway class which in turn initiates a web service call using SSL layer. I get the following error when gateway class is trying to make a SSL connection with the third party server. I have set the keystore to be custom and java standard and both Identity key store and turst key store points to C:\bea10\jdk160_05\jre\lib\security\cacerts key store. The interesting thing is when I tried with different other URLs www.bankofamerica.com and www.freshdirect.com
I get the same error. I am not sure why certificate validation fails even if it is a trusted CA and I would believe java keystore should contain all valid Certificate authorities such as verisign, Secure Trust etc. The third party certificate is issued by secure trust CA which in turn issued by Entrust.net
Can someone shed me somelight whats going on here? I also took a look at thread Re: SSL issues tried to import the server certificates into java keystore. but nothing worked out. Appreciate your help.
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Cannot complete the certificate chain: No trusted cert found
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Validating certificate 0 in the chain: Serial number: 805312903
Issuer:C=US, O=SecureTrust Corporation, CN=SecureTrust CA
Subject:C=CA, ST=Ontario, L=Toronto, O=Givex Corp., CN=*.givex.com
Not Valid Before:Wed Nov 21 09:56:03 EST 2007
Not Valid After:Sat Nov 20 09:56:03 EST 2010
Signature Algorithm:SHA1withRSA
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: Validating certificate 1 in the chain: Serial number: 1116160170
Issuer:C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
Subject:C=US, O=SecureTrust Corporation, CN=SecureTrust CA
Not Valid Before:Sun Oct 01 01:00:00 EDT 2006
Not Valid After:Tue Nov 26 13:25:48 EST 2013
Signature Algorithm:SHA1withRSA
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at weblogic.webservice.binding.soap.HttpClientBinding.writeToStream(HttpClientBinding.java:436)
at weblogic.webservice.binding.soap.HttpClientBinding.send(HttpClientBinding.java:224)
at weblogic.webservice.core.handler.ClientHandler.handleRequest(ClientHandler.java:38)
at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:144)
at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:235)
at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:146)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:473)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:459)
at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:306)
at com.freshdirect.client.TransPortType_Stub.getBalance(TransPortType_Stub.java:254)
at com.freshdirect.payment.ejb.GivexPaymentServiceImpl.getBalance(GivexPaymentServiceImpl.java:59)
at com.freshdirect.payment.ejb.GivexServerGateway.getBalance(GivexServerGateway.java:211)
at com.freshdirect.payment.ejb.GivexServerGateway.main(GivexServerGateway.java:388)
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: write ALERT, offset = 0, length = 2
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: close(): 16720915
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: close(): 16720915
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: SSLIOContextTable.removeContext(ctx): 29310343
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: close(): 16720915
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: close(): 16720915
Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
FINE: SSLIOContextTable.removeContext(ctx): 29310343
<Sep 16, 2009 6:18:17 PM EDT> <Info> <WebService> <BEA-220048> <A exception was thrown from the client handler sending a JAXM message.>
<Sep 16, 2009 6:18:17 PM EDT> <Info> <WebService> <BEA-220034> <A stack trace associated with message 220048 follows:
javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at weblogic.webservice.binding.soap.HttpClientBinding.writeToStream(HttpClientBinding.java:436)
at weblogic.webservice.binding.soap.HttpClientBinding.send(HttpClientBinding.java:224)
at weblogic.webservice.core.handler.ClientHandler.handleRequest(ClientHandler.java:38)
at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:144)
at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:235)
at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:146)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:473)
at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:459)
at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:306)
at com.freshdirect.client.TransPortType_Stub.getBalance(TransPortType_Stub.java:254)
at com.freshdirect.payment.ejb.GivexPaymentServiceImpl.getBalance(GivexPaymentServiceImpl.java:59)
at com.freshdirect.payment.ejb.GivexServerGateway.getBalance(GivexServerGateway.java:211)
at com.freshdirect.payment.ejb.GivexServerGateway.main(GivexServerGateway.java:388)
>I would believe java keystore should contain all valid Certificate authorities such as verisign, Secure Trust etc. The third party certificate is issued by secure trust CA which in turn issued by Entrust.net<You can list the contents of your cacerts file to see if exact matching version of the SecureTrust signer cert is present.
You can also use a simple java program to test whether you can connect to the 2 servers that your're having issues with:
import java.net.*;
import java.io.*;
public class SSL_Test {
public static void main(String[] args) throws Exception {
URL sslURL = new URL("https://someserver.com/someservice.wsdl");
BufferedReader in = new BufferedReader( new InputStreamReader( sslURL.openStream()));
String inputLine;
while ((inputLine = in.readLine()) != null)
System.out.println(inputLine);
in.close();
compile and run with something like:
javac SSL_Test.java
# all on one line
java -D -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=***** -Djavax.net.debug=ssl,handshake SSL_Test
This just tests whether your truststore can trust the server cert. -
Trusted certificates from your previous version of Adobe Reader were found.
After upgrading Adobe Reader from 10 to 11, some users are getting "Adobe Reader Security - Trusted certificates from your previous version of Adobe Reader were found. Would you like to import them." I need to know what registry settings we can modify to either set this automatically to "Import" or "Use Default" I need to add one of these options into our Adobe Reader Settings GPO that is using group policy preferences. This only appears for users who have data in C:\Users\%username%\AppData\Roaming\Adobe\Acrobat\10.0\Security and only the very first time the user opens Adobe Reader after the upgrade per user profile on a given server.
I'm not sure this is true: "If they don't exist then there is no dialog. " Could be, but I've never heard of it.
However, acrodata files perform a number of functions for several features, so removing them is unwise. Also, they will just come back when a user exercizes certain features.
Better to just turn off the feature with the supported preference.
Ben
Maybe you are looking for
-
When saving documents in PDF format a .txt document is also created and saved
When saving documents in PDF format to the my documents folder on a PC a .txt document is also created and saved, does anybody know the where the setting is that allows this functionality (duplicate document in txt format) to be switched off thanks.
-
Waves Platinum Native Bundle and 8.0.2?
Anybody using waves platinum native in 8.0.2? I'm curious on how its running. Any problems?
-
How to define a trigger to start a switch scanning task
I am writing a program in LabWindows/CVI using DAQmx library which handles PXI-2567 card. I have created a new switch scanning task, by the function DAQmxSwitchCreateScanList, that uses the specified scan list. I would like to start this task synchro
-
Flash image expands out of container only on Safari browser
I have this test page where flash image expands out of the container only on Safari browser, everything else works fine (I.E,Chrome,Mozilla,Opera) http://itmjobs.ro/lidl/eu.html . I have tried to insert flash image into a table, the same thing happen
-
Waste Disposal Service in SAP SD
All, We have a waste disposal scenario where the waste is collected from the customer and an invoice is raised for performing the disposal. This would have been a standard service scenario if not for the waste. The waste should be received into the w