WebLogic 10.3.3 - 2-Way SSL setup between WLS JMS Foreign Server & IBM MQ 6

Hi,
I am trying to configure 2-Way SSL between WebLogic 10.3.3 using a JMS Foreign Server and IBM MQ 6. I could not find any documentation on this.
Can someone provide the steps for setting up 2-Way SSL between WebLogic and IBM MQ?
Also I want to use the SSLPEERNAME attribute in the MQ Connection Factory and generate bindings so that I can connect to the correct queue manager on the MQ side. Please let me know the configuration steps and checks that have to be done on the WLS and IBM MQ side for this.
Thanks in advance
- BoyelT

Check this:
http://www.ibm.com/developerworks/websphere/library/techarticles/0510_fehners/0510_fehners.html

Similar Messages

  • Debug Weblogic 10.0 with 2-Way SSL: Error 401--Unauthorized

    Hi,
    I am working on Weblogic 10.0 with 2-Way SSL configuration. User uses X.509 certificate to login into the system. I have a default UserNameMapper which maps the CN to a user name in the LDAP user store. User can login without problem. But after user login, when he tries to hit a new page before the original page fully loaded, he will get a "Error 401--Unauthorized".
    I turned on the Weblogic security debug and got the following warning with stack trace. Can anybody help me to figure out what's wrong? How do I troubleshoot this issue? Any help is really appreciated.
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned PERMIT>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: true>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 167>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 6, length = 1518>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 0
    java.lang.Exception: New alert stack
         at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
         at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
         at weblogic.socket.SocketMuxer.closeSocket(SocketMuxer.java:449)
         at weblogic.socket.SocketMuxer.cleanupSocket(SocketMuxer.java:795)
         at weblogic.socket.SocketMuxer.deliverExceptionAndCleanup(SocketMuxer.java:759)
         at weblogic.socket.SocketMuxer.deliverEndOfStream(SocketMuxer.java:700)
         at weblogic.servlet.internal.VirtualConnection.close(VirtualConnection.java:327)
         at weblogic.servlet.internal.ServletResponseImpl.send(ServletResponseImpl.java:1431)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1375)
         at weblogic.work.ExecuteRequestAdapter.execute(ExecuteRequestAdapter.java:21)
         at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
         at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
    >
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 14324285>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 7034906>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 19096081>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <18691735 SSL3/TLS MAC>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <18691735 received HANDSHAKE>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ClientHello>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.5 for algorithm RC4>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacMD5>
    Thanks,
    Wayne

    I decided to use pki with jaas/custom authentication provider to solve this problem. It works. If you want more details, please let me know.

  • Weblogic 6.1's 2-way SSL

    I'm using wsl proxy plug-in between iPlanet Webserver 4.1SP9 and
    wsl 6.1.
    The obj.conf of iPlanet web server was configured to use path proxy:
    -------- httpd.conf --------
    Init fn="load-modules" funcs="wl_proxy,wl_init" shlib="/usr/netscape/web/plugins/lib/libproxy.so"
    Init fn="wl_init"
    <Object name="weblogic" ppath="*/weblogic/*">
    Service fn="wl_proxy" WebLogicHost="wsl61.test.com" WebLogicPort="7001" PathTrim="/weblogic"
    </Object>
    The "Security" parameter in "magnus.conf" is set to on and a certificate
    was installed on this iPlanet web server.
    I was able to open:
    https://iplanet.test.com:443/weblogic/console
    to set 'Client Certificate Enforced' option in
    Petstore's SSL section with port 7002.
    I can also access:
    https://iplanet.test.com:443/weblogic/estore
    to bring up the top page and some pages of the petstore sample
    program. But the browser got no data from the web server
    when I clicked on "Enter the Store". I then tried to "Enter the Store"
    directly through port 7002 (without proxying through iPlanet web server)
    and it also returned no data.
    I suppose that I have to modify petstore sample codes SSL protocol -
    even in 1-way SSL verification. Is this true?
    I also tried to change WebLogicPort="7001" to "7002" in obj.conf.
    which is tied to the SSL port of wsl61 with some sample certificates.
    When I open:
    https://iplanet.test.com:443/weblogic/console
    The server couldn't locate that object. I checked the adminGuide
    of wsl6.1 on page 13-10. It mentioned the 'SecureProxy' parameter in
    the 'Service' directive in the obj.conf has to be set to ON.
    So I appended SecureProxy="on" as the following:
    <Object name="weblogic" ppath="*/weblogic/*">
    Service fn="wl_proxy" WebLogicHost="wsl61.test.com" WebLogicPort="7002" PathTrim="/weblogic" SecureProxy="on"
    </Object>
    But it still failed to connect to port 7002 of wsl61.
    The FAQs of wsl61 have the section:
    Does the 6.1 plug-in support two-way SSL?
    No. But the plug-in can be set-up to require the client certificate and
    pass it on to WebLogic Server. For example:
    apache ssl
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
    I am confused by adminGuide's page 14-49. It talked about how to
    configure 'Mutual Authentication' briefly - it only mentioned
    the option of 'Client Certificate Enforced' besides copying root
    certificates into the 'config' directory.
    Can someone explain to me whether 2-way authentication can be done
    via the plug-in proxy? If not, what is the right way/best way for 2-way
    authentication? Does anyone have some sample programs like petstore
    that work with iPlanet Web server and wsl61 with 2-way authentication?
    Thanks in advance.
    -kl

    I got some progress after digging into appendix
    of adminGuide.
    I added two more parameters into the obj.conf
    service directive:
    <Object name="weblogics" ppath="*/weblogics/*">
    Service fn="wl_proxy" WebLogicHost="wsl61.test.com" WebLogicPort="7002" PathTrim="/weblogics" SecureProxy="ON" TrustedCAFile="/usr/netscape/server4/alias/ca.pem"
    </Object>
    When I tried:
    https://iplanet.test.com:443/weblogics/
    It didn't hang. The browser showed:
    No backend server available for connection: timed out after 10 seconds.
    But I tested backend server. It was alive.
    Anyone got this working?
    Thanks.
    -kl

  • Two-Way SSL does not work until "Use Server Certs" is selected on client

    We have a web service application and a client application. Both applications are deployed in WebLogic 10.3. The web service application is secured by Two-Way SSL. When the client attempts to access the service, we got the following error logs on the server side:
    <Dec 8, 2009 3:25:42 PM EST> <Warning> <Security> <BEA-090508> <Certificate chain received from ... was incomplete.>
    CertPathTrustManagerUtils.certificateCallback: certPathValStype = 0
    CertPathTrustManagerUtils.certificateCallback: validateErr = 4
    CertPathTrustManagerUtils.certificateCallback: returning false because of built-in SSL validation errors
    We got the same error even if the WebLogic 10.3 domain on the client side uses the same identity and trust keystores as the server side.
    The problem was solved when we selected Environment -> Servers -> <server> -> SSL, expanded "Advanced" and selected "Use Server Certs". Could anyone tell me what "Use Server Certs" does to make the difference?
    Another question is how we can invoke this web service from a Java application, since the "Use Server Certs" solution only works for a web application deployed in WebLogic.

    "Use Server Certs" means that a client application running within Weblogic will use the WL managed server's identity certificate as its client certificate. Otherwise, the client application is responsible for selecting the keystore, and presenting the certificate as part of the handshake.
    This is a great feature in 9 & 10; client SSL was much more difficult in WL 8.
    If you are using a standalone client application to invoke anything over 2-way SSL, you are responsible for presenting the certificate. For instance, if you invoke the page from your browser, your browser can maintain client certificates and you'll get a popup to select which cert to use.

  • 2 way ssl config in WLS 8.1

    Problem: The server (any web app running on WLS 8.1 SP2 on win2000) needs to authenticate
    clients (browser) without prompting for userid & password, just through a digital
    certificate, without writing any programming in the deployed Java app. It should be done only through
    server-side config.
    Solution: We are trying to use 2-way SSL in WLS 8.1 SP2 running on win2000.
    To begin with development, we are just using the Demo cert. This is being tested
    on the same machine for both client and server. This works perfectly fine for 1-way SSL,
    with no need to do any config. To extend this config for 2-way,
    I need one more digital cert for the client.
    I create the client digital cert/private key using the CertGen utility.
    Now the confusing part is how to add this to the server trust keystore.
    There is no proper doc on how to continue further.
    Different places say different things to do.
    If anyone can provide some example steps on how to do it, that will be great.
    Thanks in advance.
    --Prav

    Did you use the Demo CA to issue the new certificate (CertGen uses it by default)?
    Then you do not need to do anything. The CA certificate already exists in the
    DemoTrust.jks.
    Otherwise you can use keytool to import trusted certificate into a keystore. See
    this page for more info: http://e-docs.bea.com/wls/docs81/secmanage/ssl.html#1178523
    Pavel.

  • JMS Foreign server configuration with two Weblogic 8.1 AS

    Hi,
    I have two Weblogic8.1 AS. Box 1 is configured with JMS connection factory and Topic. MDB is deployed on Box 2, which is configured to listen to Box1 JMS Topic. I am running session bean which is publishing JMS message to the Topic on Box1. Also, I have configured JMS foreign Server on Box2 pointing to Box1 connection factory and Topic.
    MDB throws error "Destination not found", while deploying. I read somewhere in the net, that We need Weblogic with Clustering licence for configuring Foreign JMS Server.
    Please help me.
    Regards
    Anand Bobade

    Hi... can you please send me the Java code for the messaging part...... I want to know how you are sending a
    message from one server and it is listened to at a different server?
    I am also in the same situation....I have configured a JMS foreign server on box 1 .....on box 2 my MDB is listening....
    My problem is how do I send a message to a foreign queue which is inside the JMS Foreign Server..... I am not able to give any JNDI name to this server... so please send me the code with which you are sending the message.
    Thanks in advance

  • Correct way to set up Exchange ActiveSync for Exchange Server 2003

    Does anyone have a step-by-step guide to setting up Exchange Server 2003 to allow Versamail to work?
    I got it working for Blackberries and iPhones, but Palms are starting to kick my butt. I need to see if there is something else that needs to be enabled for Palms to work that the other 2 didn't need.
    Post relates to: Centro (Sprint)

    Check this link; it's for 2007 but much is the same:
    http://forums.palm.com/palm/board/message?board.id=activesync&thread.id=4650
    Post relates to: Treo 800w (Sprint)

  • One way trust relationship between different domain windows server 2012 in different forest

    I'd like to build trust correctly between the domains A.local and B.int. A.local is on Windows 2012. B.int is on Windows 2012. Both machines are
    connected to the same LAN. The forest level in the A.local
    machine is Windows Server 2008 and the forest level in B.int
    is Windows Server 2012.
    I want a one-way trust relationship, i.e. users from A.local gain access to B.local.
    My problem is that I create the trust, but when I go to validate the trust between A.Local and B.int it gives me this error:
     The secure channel (SC) reset on Active Directory Domain Controller \\dc2.B.int of domain B.int to domain A.Local failed with error: There are currently no logon servers available to service the logon request.
    NOTE: Recently I upgraded Active Directory from 2008 R2 to 2012. From A.local I can ping B.int by name and by IP, but from B.int I can ping only by IP.
    ihab

    Hi,
    Yes, I already set up conditional forwarding between the 2 domains, and
    the firewall is off.
    ihab

  • SSL connection between Dist Auth UI Server and Access Manager

    Hi,
    I have a Dist Auth UI Server installed in Web Server 7 and working properly, but now i want to configure it to talk with Access Manager with a secure port.
    I have configured Access Manager (also deployed in Web Server 7) in a secure port (443). I have requested and installed the server certificate in the Access Manager Web Server instance and also the root entity certificate.
    My question is: how must I configure the UI Server to communicate with the Access Manager Server in a secure way and trust the certificate that the WS of the AM presents?
    Regards,

    There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
    The solution for these customers was the following:
    => AM server/client side:
    Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
    => AM client (UWC) side:
    - Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
    <sun-web-app>
       <property name="encodeCookies" value="false"/>
       <session-config>
          <session-manager/>
       </session-config>
       <jsp-config/>
       <property name="allowLinking" value="true" />
    </sun-web-app>
    Regards,
    Shane.

  • 2-Way SSL and Webservices

    Greetings,
    After spending some time searching the docs and several dev2dev newsgroups I haven't been able to find a clear-cut answer to an urgent question:
    I have two webservices, the client (.jpd) and the server (.jws), which are installed on separate weblogic 8.1 instances on different machines. The requirement is that the webservices must communicate with one another only over a 2-Way SSL connection.
    My question is how to set up this 2-way SSL configuration between the client and server webservices. Do I need to write code or can I configure it using the web.xml files of the two webservices? I don't think it would make sense to configure the two weblogic instances to always use 2-Way SSL (via the startup script or config.xml), in which case the webservices might not inherit the truststore and other SSL configuration of the respective instances.
    If someone has already solved this problem, I would appreciate hearing from you. This is an urgent problem and I am stumped. Any help would be appreciated!
    Regards

    Hi,
    I am trying to use 2-way SSL using a webservices client; here is my code:
    import java.io.FileInputStream;
    import java.net.URL;
    import org.apache.axis.AxisProperties;
    import weblogic.webservice.client.SSLAdapterFactory;
    import weblogic.webservice.client.WLSSLAdapter;
    // UNSLocator and UNSPort are the Axis-generated stubs for the service
    AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
    SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
    WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
    // clientCredentialFile stores in PEM format the public key and
    // all the CAs associated with it, then the private key, all concatenated
    FileInputStream clientCredentialFile = new FileInputStream("C:\\sslcert\\client-pub3.pem");
    // private key password
    String pwd = "password";
    adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
    adapter.setVerbose(true);
    adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
    adapter.setStrictCheckingDefault(false);
    factory.setDefaultAdapter(adapter);
    factory.setUseDefaultAdapter(true);
    boolean idAvailability = false;
    UNSLocator locator = new UNSLocator();
    URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
    UNSPort unsprt = locator.getUNSPort(portAddress);
    idAvailability = unsprt.isIDAvailable("Yulin125", "C");
    System.out.println("Got from method :" + idAvailability);
    After running this code I am getting the following exception:
    AxisFault
    faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
    faultSubcode:
    faultString: java.net.SocketException: Software caused connection abort: socket write error
    faultActor:
    faultNode:
    faultDetail:
    I am using .pem (clientsigned, clientinter, clientroot, root-key) files for client authentication and I am using server.jks as a keystore for my server authentication. Once I run this code, I am able to present the server certificate chain to the client but I am not able to present the client certificate chain to the server.
    I have been stuck with this for quite some time.
    Some insight needed from the gurus.

  • 2-way SSL using t3s protocol

    Goodmorning,
    I'm trying to get a 2-way SSL connection between two WLS 10.3 in production mode.
    WLS #1 contains the client application and WLS #2 contains the server application.
    I've got a standalone Microsoft CA.
    I've configured WLSs with custom identity and trust JKS Stores.
    In trust store I stored the CA certificate.
    In identity store I created a selfsigned cert with RSA alg and this cert was signed from my CA.
    In identity store I also stored the CA's Certificate.
    I've enabled SSL with custom identity and trust store,
    None host verification,
    Export Key Lifespan 500,
    Two Way Client Cert Behavior: Client cert requested and enforced,
    SSL Rejection Logging Enabled checked,
    Inbound and Outbound Certificate Validation: Builtin SSL Validation Only
    I configured both WLS as explained (except identity certs that are custom for each server).
    I can invoke WLS #2 Webservices from WLS #1 via https.
    So I tried to invoke an EJB deployed on WLS #2 via t3s, but it didn't work.
    During handshake process, the first step is ok; in fact WLS #1 trusts WLS #2 certs.
    The second step goes wrong; here follows some logs.
    WLS #1
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: CertificateRequest>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 SSL3/TLS MAC>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 received HANDSHAKE>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> *<No suitable identity certificate chain has been found.>*
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 7>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 134>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACSHA1>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACSHA1>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 SSL3/TLS MAC>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <8374786 received ALERT>
    <2-mar-2011 11.14.13 CET> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
    WLS #2
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> *<Required peer certificates not supplied by peer>*
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 4>
    <2-mar-2011 11.14.12 CET> <Warning> <Security> <BEA-090508> <Certificate chain received from xpr-selex-fel01 - 192.168.60.48 was incomplete.>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 4>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is incomplete>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <User defined JSSE trustmanagers not allowed to override>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 68>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <Trust failure (68): CERT_CHAIN_INCOMPLETE>
    <2-mar-2011 11.14.12 CET> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
    One useful piece of info: if I deploy both the EJB application and the client application on the same WLS and the client application invokes the EJB via t3s, all works fine.
    Is there anything missing/wrong in the configuration?
    Thanks.

    Is this a typo?
    > In identity store I created a selfsigned cert with RSA alg and this cert was signed from my CA.
    It can't be both self-signed and signed by a CA.
    > In identity store I also stored the CA's Certificate.
    The identity store should not have a CA certificate in it. Either put the CA in your trust store, or chain your CA and your identity into a single cert within your identity store.
    During the handshake, the server (#2) will send a list of its trusted CA certs to the client. The client has to look in its identity store for certs which are signed by one of the CAs sent by the server.
    If your client has multiple identity certs (with the clientAuth key usage) in its identity store, then there has to be some way to choose which cert to select. Does t3s use the SSL configuration's alias in the client as http does? You can test this by only using a client identity store with a single identity cert which is signed by one of the CA certificates presented by your server.
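    A check for the situation this reply describes, added here as an example (it is not code from the thread or from WebLogic): it loads the client's identity JKS and the server's trust JKS (paths and passwords are taken as command-line arguments; the class name and output wording are assumptions) and reports which key entries could answer the server's CertificateRequest, and why a CA certificate sitting in the identity store never counts.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// Constructed diagnostic: which private-key entries in the client's identity store can
// answer a CertificateRequest whose CA list is built from the server's trust store.
public class ClientIdentityCheck {
    private static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth, RFC 5280

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: ClientIdentityCheck <identity.jks> <identityPw> <serverTrust.jks> <trustPw>");
            System.exit(2);
        }
        KeyStore identity = load(args[0], args[1]);
        List<X509Certificate> cas = trustedCas(load(args[2], args[3]));
        System.out.println("server CertificateRequest would list " + cas.size() + " CA name(s)");
        int usable = 0;
        for (Enumeration<String> e = identity.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = identity.isKeyEntry(alias) ? identity.getCertificateChain(alias) : null;
            if (chain == null || chain.length == 0) {
                // A trustedCertEntry (e.g. the CA's own cert) has no private key, so it can
                // never serve as the client identity; it belongs in the trust store instead.
                System.out.println(alias + ": no private key, not an identity");
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            String reason = reasonUnusable(leaf, cas);
            if (reason == null) {
                usable++;
                System.out.println(alias + ": usable, subject=" + leaf.getSubjectX500Principal());
            } else {
                System.out.println(alias + ": NOT usable, " + reason);
            }
        }
        if (usable == 0) {
            System.out.println("no suitable identity chain: the client will send an empty Certificate message");
        }
    }

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    // Every certificate entry in the server's trust store is a CA name the server advertises.
    static List<X509Certificate> trustedCas(KeyStore trust) throws Exception {
        List<X509Certificate> cas = new ArrayList<>();
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            Certificate c = trust.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) {
                cas.add((X509Certificate) c);
            }
        }
        return cas;
    }

    // Returns null when the leaf can answer the CertificateRequest, else the reason it cannot.
    static String reasonUnusable(X509Certificate leaf, List<X509Certificate> cas) throws CertificateException {
        boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        X509Certificate issuer = null;
        for (X509Certificate ca : cas) {
            if (!ca.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                continue;
            }
            try {
                leaf.verify(ca.getPublicKey()); // a matching name is not enough; the signature must check out
                issuer = ca;
                break;
            } catch (Exception sameNameDifferentKey) {
                // keep looking: another trusted CA may share the name
            }
        }
        if (issuer == null) {
            return selfSigned ? "self-signed and not trusted directly by the server"
                              : "issuer " + leaf.getIssuerX500Principal() + " is not a CA the server trusts";
        }
        List<String> eku = leaf.getExtendedKeyUsage();
        if (eku != null && !eku.contains(CLIENT_AUTH_OID)) {
            return "extendedKeyUsage is present but lacks clientAuth";
        }
        try {
            leaf.checkValidity();
        } catch (CertificateException expiredOrNotYetValid) {
            return "certificate is expired or not yet valid";
        }
        return null;
    }
}
```

    Run it once against each WLS's identity store and the peer's trust store; an identity store that lists only "no private key" entries is the "CA in the identity store" mistake the reply points out.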

  • Cannot get web service using 2-way SSL to work

    WebLogic 8.1 sp4, using jdk 1.4.2_05 within BEA install dir (not JRockit). Also using WLWorkshop.
    I'm trying to call a web service provided by a third-party requiring 2-way SSL; The third-party provided a server cert to trust and a key/cert to use from our client. After updating my key and trust stores, I'm able to run this with no problem from another web service test product (CapeClear).
    How does one do this from WLS? I did the following (nothing has worked):
    - Started my WLS server; using the console, updated the Configuration|Keystores & SSL section and restarted - the console output indicates that all loaded correctly. I also changed the option on Two Way Client Cert Behavior to 'Client Certs Requested and Enforced'.
    - Updated my setDomainEnv.cmd to include the following options -Dweblogic.security.SSL.ignoreHostnameVerify=true -Dweblogic.security.SSL.enforceConstraints=off; I also added the -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true options.
    - Within Workshop, created my web service control from the provided WSDL and generated a test JPF; when I run the test, I get an exception related to an invalid content type (text\html). This occurs because the client-side SSL piece did not take place and the client was presented with a login-page rather than a web-service XML result.
    - I updated the JDK security jars with domestic strength algorithms; no change in behavior.
    - No SSL errors in the debug trace (I can provide log upon request).
    What other parameter and/or setting do I need to update to get this to work?
    Any help would be tremendously appreciated.
    Thanks,
    Rick

    I too am struggling with SSL but I was given some help by BEA. This does not help me since it seems like the proxy jar I download from the WS Home Page wants to go directly to the JPD, not the jws. This example of two-way SSL should work for you. I am including the Main class but not the generated files it refers to. I don't know how to attach files to the newsgroups. The key thing is to make use of the adapters. The Impl and Port are part of the downloaded proxy.
    import java.io.FileInputStream;
    import weblogic.webservice.client.SSLAdapterFactory;
    import weblogic.webservice.client.WLSSLAdapter;

    public class Main {
        public static void main(String[] args) throws Exception {
            // set weblogic ServiceFactory
            System.setProperty("javax.xml.rpc.ServiceFactory", "weblogic.webservice.core.rpc.ServiceFactoryImpl");
            // set weblogic client protocol handler
            System.setProperty("java.protocol.handler.pkgs", "weblogic.webservice.client");
            // set the SSL adapter
            SSLAdapterFactory adapterFactory = SSLAdapterFactory.getDefaultFactory();
            WLSSLAdapter adapter = (WLSSLAdapter) adapterFactory.getSSLAdapter();
            // two-way SSL: you must loadLocalIdentity to provide certs back to the server
            FileInputStream clientCredentialFile = new FileInputStream("./client/clientcred.pem");
            String pwd = "canpass";
            adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
            adapter.setVerbose(true);
            adapter.setTrustedCertificatesFile("./config/ca1024.pem");
            adapter.setStrictChecking(false);
            adapterFactory.setDefaultAdapter(adapter);
            adapterFactory.setUseDefaultAdapter(true);
            String a = null;
            if (args.length < 1) {
                a = "Sample String";
            } else {
                a = args[0];
            }
            // ToUpper_Impl and ToUpperPort come from the downloaded proxy (generated files)
            ToUpper_Impl lookup = new ToUpper_Impl();
            ToUpperPort value = lookup.gettoUpperPort();
            String result = value.toUpper(a);
            System.out.println(result);
        }
    }

  • Difference Between One-way SSL and Two Way SSL

    Hi ,
    Can anyone tell me the difference between one-way and two-way SSL? For Apache to WebLogic Server, which type of SSL can we configure? Please provide information on this.
    thanks

    In short below is the difference:
    One Way SSL - Only the client authenticates the server
    - This means that the public cert of the server needs to be configured in the trust store of the client for this to happen.
    Two Way SSL - The client authenticates the server & the server also authenticates the client.
    - This means that the public cert of the server needs to be configured in the trust store of the client for this to happen.
    - Also the public cert of the client needs to be configured in the server's trust store.
    Please refer to http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=%2Fcom.ibm.mq.csqzas.doc%2Fsy10660_.htm. In case of Two way SSL the step numbers 5 & 6 also occur.
    You can implement either of them between apache and weblogic.
    Hope this helps.
    Thanks,
    Patrick

  • 2-way SSL when WL7 is client; get "Required peer certificates not supplied by peer"

    Background: WL7 is properly configured to use 2-way SSL, and works fine whenever
    it's acting as the Server; i.e., I have 2-way SSL working between a Web Browser
    and WL7, or between Tomcat and WL7. However, when trying to get 2-way SSL (mutual
    authentication) working between a WL7 server acting as a client and another server
    such as Tomcat, acting as the server, I get a "Required peer certificates not
    supplied by peer" error. The initial ServerHello handshake is fine; the problem
    arises when the Tomcat server, for example, then requests WL7 to serve up its
    client certificate. It's as if WL7 does not know where to locate its "client"
    certificate.
    I had the same problem with Tomcat initially, where it would also not know how
    to locate its "client" certificte. I resolved the problem by setting the following
    system properties:
    javax.net.ssl.keyStore=...
    javax.net.ssl.keyStorePassword=...
    javax.net.ssl.trustStore=...
    javax.net.ssl.trustStorePassword=...
    Are their analogous system properties I need to set on the WL7 side of things,
    as I noticed that WL7 seems to use its own proprietary version of JSSE API's?
    How do I configure WL7 to locate its "client" certificate?
    Thanks! Your help is greatly appreciated.
    -Dan

    WebLogic uses the Certicom SSL implementation, which has classes that conflict with JSSE classes. As a result, opening an SSL connection from WLS over JSSE, or via an API like SOAPConnection that uses JSSE, does not work as expected. The javax.net.ssl properties are not supported and there is no replacement for the default identity keystore property.
    The best workaround I can think of in this case is to pass as the second parameter to the SOAPConnection.call() method a URL instance created with a custom URLStreamHandler extending weblogic.net.http.Handler. This handler can override the Handler.openConnection(URL) method and use the HttpsURLConnection.loadLocalIdentity method to initialize the identity of the returned connection. For example:
    import java.io.IOException;
    import java.net.URL;
    import java.net.URLConnection;
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    public class MyHandler extends weblogic.net.http.Handler {
        private final X509Certificate[] certChain; // client certificate chain
        private final PrivateKey privateKey;       // private key matching certChain[0]
        public MyHandler(X509Certificate[] chain, PrivateKey key) { certChain = chain; privateKey = key; }
        protected URLConnection openConnection(URL u) throws IOException {
            URLConnection c = super.openConnection(u);
            if (c instanceof weblogic.net.http.HttpsURLConnection) {
                // initialize ssl identity before the handshake starts
                ((weblogic.net.http.HttpsURLConnection) c).loadLocalIdentity(certChain, privateKey);
            }
            return c;
        }
    }
    URL someHTTPSUrlEndpoint = new URL("https", "localhost", 7002, "myfile", new MyHandler(certChain, privateKey));
    replyMessage = con.call(someSOAPMessageInstance, someHTTPSUrlEndpoint);
    Pavel.
    "ddumitru" <[email protected]> wrote:
    Thanks, Pavel, for replying.
    I've been reading and re-reading that page for quite a while now. Unfortunately, the examples given are for when WL7 is acting as the "server" and not the "client"; i.e., when some other server, such as Tomcat, WebSphere, or Oracle 9iAS, reaches out to the WL7 instance first, or when one WL7 instance talks to another WL7 instance via JNDI.
    In my case, my WL7 instance needs to initiate a Web Service call; i.e., it needs to reach out to another server via a SAAJ (SOAP with Attachments) API call. My sending servlet uses the SAAJ (SOAP with Attachments) API to make a Web Service call to another server, as follows:
    SOAPConnectionFactory scf = SOAPConnectionFactory.newInstance();
    SOAPConnection con = scf.createConnection();
    SOAPMessage replyMessage = con.call(someSOAPMessageInstance, someHTTPSUrlEndpoint);
    With the SAAJ API, as illustrated above, I don't see a direct way of configuring (using URLConnection, SSLContext, SSLSocketFactory, etc.) the SSL connection prior to making a call, as suggested in the link you mentioned. Also, the receiving server may implement its Web Services using a non-BEA application server that may not even use the J2EE platform. As such, I don't believe I can use the JNDI solution provided in that same link.
    Again, I was able to make 2-way SSL (mutual authentication) connections between Tomcat and WL7 instances using the SAAJ APIs when Tomcat was the client initiating the SAAJ call. In this scenario, Tomcat requested WL7 for its certificate, WL7 served it up, and Tomcat then verified it. Then, in turn, WL7 asked Tomcat for its certificate, Tomcat presented it, and WL7 was able to verify Tomcat's certificate.
    I suppose I was able to make it all work under this scenario because I was able to configure Tomcat, which is using native JSSE APIs, to locate its "client" certificate by setting the following system properties, as mentioned previously:
    javax.net.ssl.keyStore=...
    javax.net.ssl.keyStorePassword=...
    javax.net.ssl.trustStore=...
    javax.net.ssl.trustStorePassword=...
    Based upon your feedback, I now understand that WL7 cannot be configured in a similar manner because WL7 uses its own version of the JSSE APIs. Any ideas on what I might try next?
    Thanks!
    -Dan
    "Pavel" <[email protected]> wrote:
    The WLS SSL API does not support any system properties for SSL identity. The client's identity has to be configured via methods of the SSL API. The trust configuration of an SSL client running on a WL server and using the WLS SSL API will be the same as that of the WL server.
    See http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1019570 for more information on this. "Writing Applications that Use SSL" contains code examples that use different SSL APIs to connect over two-way SSL.
    Pavel.
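    Patrick's trust-store description above and Dan's javax.net.ssl.* properties for Tomcat describe the same client-side configuration from two angles. The following is an added example, not code from this thread or from BEA: a plain-JSSE client that builds its SSLContext explicitly rather than through system properties, with the server's certificate in a truststore and, for two-way SSL, the client's own certificate and key in a keystore. The file paths, passwords, PKCS12 format and class name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.*;

public class TwoWaySslClient {
    // Load a PKCS12 store (assumed format) from disk.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }
    // trustStore: the server's (or its CA's) public cert; needed for one-way and two-way.
    // clientKeyStore: the client's own cert + private key; pass null for one-way SSL.
    static SSLContext buildContext(KeyStore trustStore, KeyStore clientKeyStore,
                                   char[] keyPassword) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        KeyManager[] kms = null;                       // no identity: one-way SSL
        if (clientKeyStore != null) {
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(clientKeyStore, keyPassword);     // identity: two-way SSL
            kms = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }
    // usage: host port truststore.p12 trustpass [clientkeystore.p12 keypass]
    public static void main(String[] args) throws Exception {
        KeyStore trust = load(args[2], args[3].toCharArray());
        boolean twoWay = args.length > 5;
        char[] keyPass = twoWay ? args[5].toCharArray() : null;
        KeyStore identity = twoWay ? load(args[4], keyPass) : null;
        SSLContext ctx = buildContext(trust, identity, keyPass);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();   // runs the handshake, including any CertificateRequest
            System.out.println("handshake ok, server = "
                + s.getSession().getPeerPrincipal().getName());
        } catch (SSLHandshakeException e) {
            // A server that requires client authentication rejects a client that sent
            // no certificate (with TLS 1.3 the alert may only surface on the first read).
            System.out.println("handshake failed: " + e.getMessage());
        }
    }
}
```

    Running it against a server that requires client certificates without the keystore arguments reproduces, in plain JSSE, the symptom Dan sees from WL7; adding -Djavax.net.debug=ssl,handshake shows the server's CertificateRequest and the client's empty Certificate message.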

  • 2-Way SSL Web Service AssertionError

    I am using weblogic 9.1 and 2-way ssl-based web services. The issue is that when a stand-alone client accesses the web services, via the BEA recommended way, a host of errors occurs. Initially I had the webserviceclient+ssl.jar on the client classpath in addition to the weblogic.jar which were both in my development lib directory, and worked from there. Here is the progression of errors:
    1. ClassDefNotFound exception: weblogic.xml.schema.binding.util.ClassUtil$ClassUtilException
    Resolution = added webservice.jar to classpath
    2. ClassDefNotFound exception: com.bea.xml.XmlException
    Resolution = added xbean.jar to classpath
    3. java.lang.AssertionError: java.io.IOException
    This was a difficult one to figure out. I tried running the test client from both my IDE and command-line, and I narrowed it down to a really weird issue. The only way I was able to get it to work was to include the absolute reference to the weblogic.jar in the classpath of the client. i.e. BEA_HOME/weblogic91/server/lib/weblogic.jar. If I had a relative reference to weblogic.jar, i.e. ../lib/weblogic.jar, the above assertion error was thrown.
    Can anyone shed some light on this? I need to have a stand-alone client run a 2-way SSL web service, and this client should not be expected to have a full-blown WebLogic 9.1 install.
    Cheers.

    WLS 9 does not have a separate client jar. So sorry, in the near future we might have to stick to the requirement of using the weblogic.jar.
    Just FYI, I have submitted a two-way ssl sample in dev2dev.
    https://codesamples.projects.dev2dev.bea.com/servlets/Scarab?id=S3
    thanks
    Jong
