Weblogic 4.5 SSL
Hi Listers,
I have Weblogic 4.5 in production and I want to use SSL.
I have generated certificates with OpenSSL and installed them in Weblogic. The Weblogic logs show all things fine, but the browser pops up each time the message that the content contains no secure content!
Could anyone help me to figure out what's wrong?
Thank you in advance and have a nice day,
Ben
I suggest taking a look at the documentation on enabling Weblogic SSL in our
online documentation.
This describes completely a background of encryption and key lengths.
Thanks,
Michael Girdley
WLS Product Manager
Manuel Ley <[email protected]> wrote in message
news:8dfq30$r3h$[email protected]..
Do you enable SSL in the following mode:
1. 128-bit key encryption?
2. 512-bit key encryption?
3. 1024-bit key encryption?
Similar Messages
-
Facing problem in installing certificate on Weblogic for the SSL
I am doing the setup for secure socket layer (SSL) in weblogic server. I have created the certificate which is needed for SSL by using OpenSSL; after that I entered the path for all the files related to the setup by using the weblogic console. Once I had completed all these entries, I restarted the server; at the time of restart it's giving the following error. I am also sending the screenshot of the console and the log files as an attachment.
<Feb 4, 2002 4:45:46 PM GMT-05:00> <Alert> <WebLogicServer> <Security configuration problem with certificate file config/cauvery-key.pem, java.io.EOFException>
java.io.EOFException
at weblogic.security.Utils.inputByte(Utils.java:133)
at weblogic.security.ASN1.ASN1Header.inputTag(ASN1Header.java:125)
at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:397)
at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1039)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:475)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
at weblogic.Server.main(Server.java:35)
<Feb 4, 2002 4:45:58 PM GMT-05:00> <Notice> <Management> <Starting discovery of Managed Server... This feat
Please help us to solve this problem
Hi.
Try posting this question in the security newsgroup.
Thanks,
Michael
--
Michael Young
Developer Relations Engineer
BEA Support -
Issue porting WebLogic 8.1 SSL Socket code to WebLogic 9.2
I did not write this code, but am trying to port the code from Weblogic 8.1 to Weblogic 9.2. The code comes from a custom OpenLDAPAuthenticator that uses an SSL Socket to connect to an LDAP server.
The following lines are used:
Socket socket = SSLSocketFactory.getDefaultJSSE().createSocket(host, port);
if (socket instanceof SSLSocket) {
    SSLContextWrapper sslcontextwrapper = SSLContextManager.getInstance().getDefaultSSLContext();
    sslcontextwrapper.forceHandshakeOnAcceptedSocket((SSLSocket) socket);
}
Does anyone know what this forceHandshakeOnAcceptedSocket method does, and if there is a way to write this in WebLogic 9.2?
Thanks -
Netscape SSL Proxy to Weblogic 6.0 SSL port doesn't work.
Has anyone tried Netscape iPlanet proxying to Weblogic 6.0 port 7002 using SSL? I'm getting an error response when I look at the Netscape error log file. The message:
"[12/Apr/2001:15:37:15] failure (29375): for host 191.162.18.16 trying to GET /Login.jsp, wl-proxy reports: Error reading WebLogic Response from 191.162.18.16:7002 at line 764 of proxy.cpp, errMsg='File not found'"
but if I use port 7001, it works fine.
This is my obj.conf:
Service fn="wl-proxy" WebLogicHost="191.162.18.16" WebLogicPort="7002" SecureProxy="ON" TrustedCAFile="/opt/bea_weblogic/wlserver6.0/config/myserver/democert.pem" RequireSSLHostMatch="FALSE"
The server was stopped at 5:52 pm cst....
Dec 30, 2008 5:52:40 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-12080
This is the log at start-up at 8:30 pm cst...
Dec 30, 2008 8:26:06 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin;.;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\j2sdk1.4.2_13
Dec 30, 2008 8:26:06 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-12080
Dec 30, 2008 8:26:06 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1098 ms
Dec 30, 2008 8:26:06 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Dec 30, 2008 8:26:06 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.18
Dec 30, 2008 8:26:11 PM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
Dec 30, 2008 8:26:11 PM org.apache.catalina.core.StandardContext start
SEVERE: Context [GADXML] startup failed due to previous errors
Dec 30, 2008 8:26:13 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-12080
Dec 30, 2008 8:26:13 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Dec 30, 2008 8:26:13 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/187 config=null
Dec 30, 2008 8:26:13 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7488 ms -
Hi All,
we have enabled 2 way SSL in weblogic, we have one Admin Server and one managed (soa) server version 11.1.1.5
steps we have followed:
we have imported identity certificate and key file to a custom identity store
imported trust certificates to a custom trust keystore
in weblogic console: soa_server1 -> keystores: we have updated custom identity and trust details
in weblogic console: soa_server1 -> ssl - we have updated required custom identity details and selected "Client Certs Requested And Enforced" for Two Way Client Cert Behavior.
but while testing our process we are getting below error:
we have tried openssl to test the connectivity but not sure about the output, is there any way to trace the SSL connection?
any input will be really helpful.
<AIASessionPoolManagerFault xmlns="http://xmlns.oracle.com/AIASessionPoolManager">
-<part name="summary">
<summary xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
com.oracle.bpel.client.BPELFault: faultName: {{http://xmlns.oracle.com/AIASessionPoolManager}AIASessionPoolManagerFault}
messageType: {{http://schemas.oracle.com/bpel/extension}RuntimeFaultMessage}
parts: {{
summary=<summary xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Error on AIASessionPoolManager.bpel when attempting Get operation</summary>
,detail=<detail xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Error on AIASessionPoolManager.bpel: Operation=Get.
SessionPoolHost.getSession(Siebel,170006): getSession(Siebel,170006) failed: Thread [weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@107d5bb4] faild to initialize the session pool. SessionPoolHost.create() thread[weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@107d5bb4]: Failed to obtain a session after 3 attempts. SPM cannot successfully connect to web server Login credentials [endpoint: https://+<host>+:443/ngbeai_enu/start.swe?SWEExtSource=SecureWebService&SWEExtCmd=Execute&WSSOAP=1 ]
java.lang.Throwable: SOAPException occured when requesting : javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Received fatal alert: handshake_failure
javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Received fatal alert: handshake_failure.
</detail>
,code=<code xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Error</code>}
</summary>
</part>
-<part name="detail">
<detail xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
Error on AIASessionPoolManager.bpel: Operation=Get.
SessionPoolHost.getSession(Siebel,170006): getSession(Siebel,170006) failed: Thread [weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@107d5bb4] faild to initialize the session pool. SessionPoolHost.create() thread[weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@107d5bb4]: Failed to obtain a session after 3 attempts. SPM cannot successfully connect to web server Login credentials [endpoint: https://+<host>+/ngbeai_enu/start.swe?SWEExtSource=SecureWebService&SWEExtCmd=Execute&WSSOAP=1 ]
java.lang.Throwable: SOAPException occured when requesting : javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Received fatal alert: handshake_failure
javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Received fatal alert: handshake_failure.
</detail>
</part>
TIA,
Vivek
Edited by: 909283 on Apr 15, 2013 12:07 AM
Hi Kishor/Rene,
Thanks for the reply, we have already referred to the mentioned Oracle Note and enabled SSL debugging.
While starting Admin server we are getting the below output:
Can you please confirm from the below logs that the SSL connection is correct? I have also provided below the error message we are getting in our process.
<Apr 2, 2013 6:49:56 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 316588026>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write SSL_20_RECORD>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received HANDSHAKE>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received HANDSHAKE>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 105197569742293346305268
Issuer:DC=com, DC=<xyz>, DC=dir, DC=test, DC=testcore, CN= Test AD Objects CA1
Subject:C=AU, ST=NSW, L=Sydney, O=<xyz>, OU=Operations and Shared Services, CN= xyz>.com.au, EMAIL=<abcd>@<.com>
Not Valid Before:Thu Oct 11 11:00:23 EST 2012
Not Valid After:Sat Oct 11 11:00:23 EST 2014
Signature Algorithm:SHA1withRSA
>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 458601664052503175495693
Issuer:CN=<xyz> Test Policy CA
Subject:DC=com, DC=<xyz>, DC=dir, DC=test, DC=testcore, CN=<xyz> Test AD Objects CA1
Not Valid Before:Thu Nov 10 15:24:24 EST 2011
Not Valid After:Thu Nov 10 15:34:24 EST 2016
Signature Algorithm:SHA1withRSA
>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 105197569742293346305268
Issuer:DC=com, DC=<xyz>, DC=dir, DC=test, DC=testcore, CN=<xyz> Test AD Objects CA1
Subject:C=AU, ST=NSW, L=Sydney, O=<xyz>, OU=Operations and Shared Services, CN=<abcd>.<.com>, EMAIL=<abcd>@<.com>
Not Valid Before:Thu Oct 11 11:00:23 EST 2012
Not Valid After:Sat Oct 11 11:00:23 EST 2014
Signature Algorithm:SHA1withRSA
>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 458601664052503175495693
Issuer:CN=<xyz> Test Policy CA
Subject:DC=com, DC=<xyz>, DC=dir, DC=test, DC=testcore, CN=<xyz> Test AD Objects CA1
Not Valid Before:Thu Nov 10 15:24:24 EST 2011
Not Valid After:Thu Nov 10 15:34:24 EST 2016
Signature Algorithm:SHA1withRSA
>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 0>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 0>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (0): NONE>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Performing hostname validation checks: <abcd>.<.com>>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received HANDSHAKE>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerKeyExchange RSA>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received HANDSHAKE>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 70>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received CHANGE_CIPHER_SPEC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received HANDSHAKE>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Finished>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 8>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read(offset=0, length=8192)>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received APPLICATION_DATA: databufferLen 0, contentLength 26>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read databufferLen 26>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read A returns 26>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <avalable(): 316565651 : 0 + 0 = 0>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 24>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read(offset=0, length=8192)>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received APPLICATION_DATA: databufferLen 0, contentLength 45>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read databufferLen 45>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read A returns 45>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <avalable(): 316565651 : 0 + 0 = 0>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 15>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read(offset=0, length=8192)>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received APPLICATION_DATA: databufferLen 0, contentLength 30>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read databufferLen 30>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read A returns 30>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <avalable(): 316565651 : 0 + 0 = 0>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 18>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read(offset=0, length=8192)>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received APPLICATION_DATA: databufferLen 0, contentLength 23>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read databufferLen 23>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read A returns 23>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <avalable(): 316565651 : 0 + 0 = 0>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 20>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read(offset=0, length=8192)>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received APPLICATION_DATA: databufferLen 0, contentLength 41>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read databufferLen 41>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read A returns 41>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <avalable(): 316565651 : 0 + 0 = 0>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 7>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read(offset=0, length=8192)>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 SSL3/TLS MAC>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316569006 received APPLICATION_DATA: databufferLen 0, contentLength 13>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read databufferLen 13>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <316565651 read A returns 13>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <avalable(): 316565651 : 0 + 0 = 0>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 0
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
at javax.net.ssl.impl.SSLLayeredSocket.close(Unknown Source)
at weblogic.nodemanager.client.NMServerClient.disconnect(NMServerClient.java:276)
at weblogic.nodemanager.client.NMServerClient.done(NMServerClient.java:138)
at weblogic.nodemanager.mbean.NodeManagerRuntime.getState(NodeManagerRuntime.java:423)
at weblogic.nodemanager.mbean.NodeManagerRuntime.getState(NodeManagerRuntime.java:440)
at weblogic.server.ServerLifeCycleRuntime.getStateNodeManager(ServerLifeCycleRuntime.java:752)
at weblogic.server.ServerLifeCycleRuntime.getState(ServerLifeCycleRuntime.java:584)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.management.jmx.modelmbean.WLSModelMBean.getAttribute(WLSModelMBean.java:525)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttribute(DefaultMBeanServerInterceptor.java:666)
at com.sun.jmx.mbeanserver.JmxMBeanServer.getAttribute(JmxMBeanServer.java:638)
at weblogic.management.mbeanservers.domainruntime.internal.FederatedMBeanServerInterceptor.getAttribute(FederatedMBeanServerInterceptor.java:308)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$12.run(WLSMBeanServerInterceptorBase.java:326)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.getAttribute(WLSMBeanServerInterceptorBase.java:324)
at weblogic.management.mbeanservers.internal.JMXContextInterceptor.getAttribute(JMXContextInterceptor.java:157)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$12.run(WLSMBeanServerInterceptorBase.java:326)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.getAttribute(WLSMBeanServerInterceptorBase.java:324)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$12.run(WLSMBeanServerInterceptorBase.java:326)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.getAttribute(WLSMBeanServerInterceptorBase.java:324)
at weblogic.management.mbeanservers.internal.SecurityInterceptor.getAttribute(SecurityInterceptor.java:299)
at weblogic.management.jmx.mbeanserver.WLSMBeanServer.getAttribute(WLSMBeanServer.java:279)
at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$5$1.run(JMXConnectorSubjectForwarder.java:326)
at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$5.run(JMXConnectorSubjectForwarder.java:324)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder.getAttribute(JMXConnectorSubjectForwarder.java:319)
at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1404)
at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1265)
at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1367)
at javax.management.remote.rmi.RMIConnectionImpl.getAttribute(RMIConnectionImpl.java:600)
at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222)
at javax.management.remote.rmi.RMIConnectionImpl_1035_WLStub.getAttribute(Unknown Source)
at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.getAttribute(RMIConnector.java:878)
at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:263)
at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:504)
at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380)
at $Proxy138.getState(Unknown Source)
at com.bea.console.actions.core.server.ServerTableAction.populateServerRuntimeTableBean(ServerTableAction.java:365)
at com.bea.console.actions.core.server.ServerTableAction$ServerTableWork.run(ServerTableAction.java:498)
at weblogic.work.commonj.CommonjWorkManagerImpl$WorkWithListener.run(CommonjWorkManagerImpl.java:203)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 316565651>
<Apr 2, 2013 6:49:57 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 316588026>
error in bpel process:
summary=<summary xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Error on AIASessionPoolManager.bpel when attempting Get operation</summary>
,detail=<detail xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Error on AIASessionPoolManager.bpel: Operation=Get.
SessionPoolHost.getSession(Siebel,190001): SessionPoolHost.create() thread[weblogic.work.j2ee.J2EEWorkManager$WorkWithListener@16670d1d]: Failed to obtain a session after 3 attempts. SPM cannot successfully connect to web server Login credentials [endpoint: https://<host>:443/eai_enu/start.swe?SWEExtSource=SecureWebService&SWEExtCmd=Execute&WSSOAP=1 ].
java.lang.Throwable: SOAPException occured when requesting : javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Received fatal alert: handshake_failure
javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: Received fatal alert: handshake_failure</detail>
,code=<code xmlns:def="http://www.w3.org/2001/XMLSchema" xsi:type="def:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Error</code>}
</summary>
TIA,
Vivek
-
Apache Proxy Plugin with SSL in Weblogic Cluster
Hi,
I have configured a weblogic cluster and configured SSL. Then I configured the apache plugin to work with the cluster machines with non ssl and it worked successfully, but when I configured the ssl communication between apache and weblogic I'm having problems.
The actual configuration is:
<Location /spmlws>
SetHandler weblogic-handler
WLLogFile /var/log/httpd/tmpweblogic1.log
DebugConfigInfo ON
Debug ALL
KeepAliveEnabled ON
KeepAliveSecs 15
WebLogicPort 7002
SecureProxy ON
TrustedCAFile /opt/freeware/etc/httpd/conf/trustedCA35cert.pem
TrustedCAFile /opt/freeware/etc/httpd/conf/trustedCA36cert.pem
WLProxySSL ON
RequireSSLHostMatch false
WebLogicCluster machine35:7002,machine36:7002
EnforceBasicConstraints false
</Location>
The problem is that the plugin always takes the last TrustedCAFile. In this way if machine36 is down the plugin tries to send all the request to machine35 but it takes the TrustedCAFile for the machine36 (/opt/freeware/etc/httpd/conf/trustedCA36cert.pem) hence the apache complains
[Wed Jun 30 11:13:56 2010] [error] [client 10.19.232.249] ap_proxy: trying GET /spmlws/OIMProvisioning at backend host '10.19.232.97/7002; got exception 'WRITE_ERROR_TO_SERVER [os error=0, line 796 of ../nsapi/URL.cpp]: '
What can I do to have multiple TrustedCAFile or to have working the communication between apache and weblogic cluster using SSL?
thanks in advance
According to the documentation this is not possible.
One way to achieve the load balancing of n-weblogic servers in cluster using ssl is to configure the HttpClusterServlet.
-
Weblogic server 9.2 and SSL server certificate for the wrong site
I turned on SSL service for a weblogic 9.2 server and later on changed the hostname of the machine that weblogic was running on. So the hostname that my SSL server certificate was issued to has now become an invalid hostname. But my weblogic server continues to run SSL service without any exception. I can still access my web applications thru the SSL port (except of course I get a warning for the server certificate every time that it is for the "wrong site"). My question is this: should weblogic 9.2 verify the hostname in the server certificate and stop SSL service if the certificate is for the wrong site? Or is verifying the certificate strictly the job of the browser? Just want to make sure there is nothing wrong with my SSL configuration. Thanks.
So you are saying that something is wrong with my weblogic 9.2 ssl configuration? And that given a server certificate issued to a different hostname, my weblogic server should NOT be servicing ssl request and/or it should throw some sort of exception during startup? Thanks for clarifying.
-
Apache 2.2 21 forward Proxy 2 way SSL for weblogic server as a client
Hi All,
Currently, I am trying to implement a forward SSL proxy. The client will hit my apache server which in return will hit an IIS Server.
scenarios 1
client (weblogic) --2 way SSL-- Apache (forward proxy) --2 way SSL-- IIS
If I were to implement 1 way ssl, I am able to see the content of the website.
client (weblogic) --- Apache (forward proxy) --- IIS
If I were to launch the web browser from the client machine (with the client certificate imported in the browser), I am able to view the content in the IIS. But if I were to simulate the connection from weblogic server, it just gives me end of file exception (response contain no data) on the logs.
Below is my configuration
Listen 8080
<VirtualHost _default_:8080>
ServerName serverA
ErrorLog "logs/ssl_error_log"
CustomLog "logs/ssl_access_log" common
SSLProxyEngine On
SSLProxyMachineCertificateFile /certificate/servercert.cer
SSLProxyCACertificateFile /certificate/rootCA.cer
SSLProxyVerify require
SSLProxyVerifyDepth 10
ProxyRequests On
ProxyVia On
AllowConnect 12345
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
</VirtualHost>
For 2 way SSL, will the client forward their client certificate to my apache proxy server and apache will on the client's behalf forward the client certificate to the IIS server for authentication?
Or the SSL authentication still happen between the client (weblogic) and the end server (IIS) bypassing the proxy server.
Please help.
It is a domain wide setting. Can you not create a new domain? I do not think that you can handle it from web.xml. I have never seen such thing in web.xml.
-
SSL Hardware Accelerator supported by Weblogic 6.X
Does any one know if WebLogic supports Sun SSL Crypto hardware, ie: SSL Accelerator
hardware, Sun Part # X113A ?
Thank You
Tuan
Hello Jerry,
Thank you very much for your help, here is an answer from
Michael Young of BEA. Here is the response:
Michael Young <[email protected]> wrote:
Hi.
WLS does not currently work with hardware SSL accelerators.
Regards,
Michael Jerry <[email protected]> wrote:
Hi Tuan,
BEA does not support WebLogic 6.1 and lower with SSL hardware accelerators
from any
vendor.
Cheers,
Joe Jerry
-
SSL Accelerator hardware for WebLogic
Hi All,
Does any one know if WebLogic supports Sun SSL Crypto hardware, ie: SSL Accelerator
hardware, Sun Part # X113A ?
Thank You
Hi Michael,
Thank you very much for your help. I will keep checking the
released version for SSL/Hardware support.
Regards,
Tuan
Michael Young <[email protected]> wrote:
Hi Tuan.
The next major release of WLS due out this spring will have support for
hardware SSL accelerators. I don't have any detail beyond what I just
stated. Keep an eye out for the beta program for the WLS beta release.
This is not the WLS 7.0 preview currently on
http://commerce.bea.com/downloads/weblogic_server.jsp. The beta program
should be out sometime in the next few weeks.
Regards,
Michael
Tuan Phan wrote:
Hello Michael,
Thank you very much for your help. Does BEA have plan
to support any hardware based SSL in the future, how soon ?
Thank You
Tuan Phan
Michael Young <[email protected]> wrote:
Hi.
WLS does not currently work with hardware SSL accelerators.
Regards,
Michael
--
Michael Young
Developer Relations Engineer
BEA Support
-
SSL Client example from dev2dev
Bruce,
I still have some questions unanswered.
1. Is there any "default" list of trusted CA that is used during handshake?
The SSLClient example does not have any references to trusted CA files. The
weblogic.webservice.client.ssl.trustedcerts property returns null. What
trusted CA is used in the SSLClient example? Considering the plural name of
the property, should it contain only one file name, or it can contain
several file names? Order? Delimiter?
2. I copied the SSL setup code from SSLClient to my own web service client,
but it does not work. My web service is made of stateless session bean, and
wsdl is generated dynamically. Is it possible, that certain wsdl settings
could affect handshake process? Maybe I need to copy certain wsdl tags from
the example?
3. What username/password should I use in IE when "Enter network password"
dialog is presented? The combination used to start weblogic server does not
work. The same combination works for non-SSL client. Why?
Thanks,
Michael J.
"Bruce Stephens" <[email protected]> wrote in message
news:[email protected]...
Hi Michael,
Thanks for the good feedback and this will be incorporated into a revised
example.
Concerning your questions toward the end, to set the list of trusted CA
certificates, you need the CA certificate in a file and you need to set this
System property to the filename:
weblogic.webservice.client.ssl.trustedcerts
To turn off strict hostname checking during certificate validation, you need to
set this property to "false":
weblogic.webservice.client.ssl.strictcertchecking
Thanks again,
Bruce
Michael Jouravlev wrote:
Bruce,
here are some issues that I wish you could help me with.
1) package.html from the simpleSSL example is outdated. The links posted
here do not work. Considering "Please pay careful attention" phrase I am a
little bit worried if I missed something in my SSL configuration.
=== cut here ===
You must first setup and verify your WLS SSL configuration.
1. Set up your development shell as described in Quick Start.
2. Startup the WebLogic Server.
3. Monitor the log file for any errors.
4. Use the console and configure the WebLogic Service security as described
by:
http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1052258
Please pay careful attention to this step, especially concerning the SSL
protocol configuration:
http://e-docs.bea.com/wls/docs70/adminguide/cnfgsec.html#1067988
=== cut here ===
I use the following information:
1. http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1127954 to configure
server-wide SSL setup
2. http://edocs.bea.com/wls/docs70/webserv/security.html#1052043 to
configure web service-related SSL setup.
2) In "Setup and verify the toUpper WebService" chapter the links entitled
http://localhost:7001/toUpper/toUpper and
http://localhost:7001/toUpper/toUpper?WSDL are wrong. Not a big deal, but
maybe you would like to correct this.
3) Now the real issue: in the step (8), the "IMPORTANT STEP", when I try to
connect to https://localhost:7002/toUpper/toUpper , I receive the "Security
Alert" dialog (I am using IE5) that there is a problem with security
certificate: name of the certificate does not match the name of the site. It
is OK, because it is demo certificate. (Should I do "View
Certificate/Install Certificate" to proceed successfully or just to say
"Yes" in the "Security Alert" window?). Anyway, I say "Yes", I do want to
proceed. In the next window is "Do you want to display nonsecure items?" I
say "yes" and I am brought to the test page. Now, when I try to test the
service, I click on "toUpper" link and am presented with sample text and
"Invoke" button.
And when I press "Invoke" I am presented with a dialog window "Enter network
password" containing: Site: localhost, Realm: default, User name:
<blank>, Password: <blank>. So, the first serious issue is: what username
and password should I use? I tried username and password that I used to
start the server in set WLS_USER=<username> and set WLS_PW=<password> in
startWebLogic.cmd file. Does not work. "weblogic"/"weblogic" does not work
either. What should I submit??? I did not change any security setting in my
WebLogic server aside of SSL settings (all this realm stuff is greek to me.)
After "Enter network password" dialog fails to verify a user, I get a page
with the following text: "Failed to retrieve WSDL from
https://localhost:7002/toUpper/toUpper?WSDL. Please check the URL and the
protocol: Write Channel Closed, possible SSL handshaking or trust failure"
Interesting enough, if I try to go directly to the link
https://localhost:7002/toUpper/toUpper?WSDL , I get WSDL without any problem
and without any password windows. What is happening here?
4) OK, I still want to run the Client. I modified ToUpperPort_Stub.java in
order for it to be compiled. I changed super( _port,ToUpperPort.class );
to super( _port ); I am using WL7.0 GA and I am not sure, is the call that I
changed comes from the earlier Beta versions or from 7.0.0.1. Anyway, the
original code does not work on 7.0GA. I successfully did run both Main and
Main2 without username/password and with it. I also used username/password
from startWebLogic.cmd file and they worked. Why they do not work when I try
to call test page from web browser?
5) Finally I compiled and did run the SSLClient. It worked. But the
questions here are:
BEA_HOME environment variable is not defined, and WebLogic SSL
implementation is used. How licence.bea was found while running the client?
When I tried to build my own client, I got a message that a license file is
needed. Or is it needed only if the client library webservices+ssl.jar is
used?
The most important question: What trusted CA is used by client and how
client finds it? No certificates are in the SSLClient directory and no
property settings telling where to find it. It is a puzzle for me why it
works here and why my own client does not work when the CA is supplied.
Thank you,
Michael J.
Hi Michael,
I've asked our security folks to help answer your questions. The
weblogic.webservice.client.ssl.trustedcertfile file (located on the client
application computer) contains the certificates of CA (certificate authority).
The CAs are trusted to issue WebLogic Server certificates. The file can also
contain certificates that you trust directly. The file contains a collection of
PEM-encoded certificates. See:
http://e-docs.bea.com/wls/docs70/webserv/security.html#1056434
There shouldn't be any WSDL changes/tags required.
HTHs,
Bruce
-
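Bruce's reply in this thread describes the client trusted-certificate file as a single file holding a collection of PEM-encoded certificates. As an added example (not code from the thread or from BEA), this Python check splits such a file into PEM blocks and flags any block that is truncated, is not valid Base64, or is not a certificate at all. The sample bundle is constructed from placeholder DER bytes rather than real certificates, and every function name here is hypothetical.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, Base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def der_total_length(der):
    """Total length (header + content) declared by the outer DER SEQUENCE."""
    if len(der) < 2:
        raise ValueError("too short to hold a DER header")
    if der[0] != 0x30:
        raise ValueError("outer tag 0x%02x is not a SEQUENCE" % der[0])
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    count = first & 0x7F                  # long form: length is in the next bytes
    if count == 0 or count > 4 or len(der) < 2 + count:
        raise ValueError("bad or truncated DER length field")
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def check_block(begin, body, end):
    """Return None if the block looks like a usable certificate, else a reason."""
    if begin != end:
        return "BEGIN/END labels differ"
    if begin != "CERTIFICATE":
        # A trust file should hold certificates only, never key material.
        return "not a certificate (%s)" % begin
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        declared = der_total_length(der)
    except (binascii.Error, ValueError) as exc:
        return "undecodable: %s" % exc
    if declared > len(der):
        return "truncated: %d of %d bytes present" % (len(der), declared)
    if declared < len(der):
        return "%d trailing bytes after the certificate" % (len(der) - declared)
    return None


def inspect_bundle(text):
    """Return [(label, problem_or_None), ...] for every PEM block in text."""
    return [(m.group(1), check_block(m.group(1), m.group(2), m.group(3)))
            for m in PEM_BLOCK.finditer(text)]


def fake_der(content_len):
    # Constructed placeholder, not a real certificate:
    # a SEQUENCE header with a two-byte length, followed by zero bytes.
    return b"\x30\x82" + content_len.to_bytes(2, "big") + bytes(content_len)


def make_pem(label, der):
    b64 = base64.encodebytes(der).decode("ascii").strip()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)


# Constructed sample: two intact blocks, one cut short, one private key.
SAMPLE_BUNDLE = (
    make_pem("CERTIFICATE", fake_der(300))
    + make_pem("CERTIFICATE", fake_der(500))
    + make_pem("CERTIFICATE", fake_der(400)[:-40])
    + make_pem("RSA PRIVATE KEY", fake_der(200))
)

if __name__ == "__main__":
    for index, (label, problem) in enumerate(inspect_bundle(SAMPLE_BUNDLE), 1):
        print("block %d (%s): %s" % (index, label, problem or "ok"))
```

The check only validates the PEM framing and the outer DER length; it does not verify signatures, validity dates or chain of trust.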
BAD_CERTIFICATE error calling a web service over SSL in ALSB 2.6
We have a business service on an ALSB 2.6 server (running on WL 9.2.1) that connects to a web service over SSL. When we try to run it, we get the following exception:
<Sep 17, 2009 7:49:17 AM PDT> <Error> <ALSB Kernel> <BEA-380001> <Exception on TransportManagerImpl.sendMessageToService, com.bea.
wli.sb.transports.TransportException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
com.bea.wli.sb.transports.TransportException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
at com.bea.wli.sb.transports.TransportException.newInstance(TransportException.java:146)
at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.send(HttpOu
tboundMessageContext.java:310)
at com.bea.wli.sb.transports.http.HttpsTransportProvider.sendMessageAsync(HttpsTransportProvider.java:435)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
Truncated. see log file for complete stacktrace
javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
Truncated. see log file for complete stacktrace
This exception only occurs when hitting the web service through the bus. I have written a standalone Java application that posts to the web service and it works fine. I ran the application on the server where the ALSB is running using the same jdk (1.5.0_06 - the version that ships with 9.2.1) and the same cacerts file so I know it's not a problem with the certificate not being trusted. I have tried updating the cacerts file to the latest one distributed with JRE 1.6 and it still doesn't work.
After 8 hours of troubleshooting, I'm out of ideas. Does anyone have any suggestions?
Thanks.
Matt
Are you sure that your standalone application is using the same keystore (eg. cacert)? Default WebLogic configuration uses different keystore (demo).
I saw BAD_CERTIFICATE error only once and the cause was in keytool that somehow corrupted certificate during import. Deleting and importing certificate again helped me, but I doubt you have the same problem as your standalone application works.
Another idea ... Is hostname verification used? I know that the error message would look different if this was the cause, but try to add this parameter to your weblogic startup script: -Dweblogic.security.SSL.ignoreHostnameVerification=true
Last but not least, there is difference between your standalone application and ALSB runtime as WebLogic uses Certicom SSL provider. If you don't find the reason, contact Oracle support. Maybe they can help you to tweak Certicom provider in some way. -
Hi,
1) Used clientgen utility to create stub classes based on wsdl file
application is build using following ant task
2) Created a java application which acts as a client for invoking generated stubs (in step 1) for communicating with webservice over HTTPS protocol.
3) Able to communicate with required webservice through normal java client.
4) Integrate the above created java application in weblogic workflows. All the required jar (stubs and application) files are available in APP-INF/lib directory of workflow application.
5) While invoking java application from work flow (to communicate with webservice) we get the following error
SOAP Fault:javax.xml.rpc.soap.SOAPFaultException: The server at https://www.3pv.
net/3PVWebServices/3PVWebServices.asmx returned a 403 error code (Forbidden). P
lease ensure that your URL is correct and that the correct protocol is in use.
Detail:
<detail>
<bea_fault:stacktrace xmlns:bea_fault="http://www.bea.com/servers/wls70/webse
rvice/fault/1.0.0">weblogic.webservice.util.AccessException: The server at https
://www.3pv.net/3PVWebServices/3PVWebServices.asmx returned a 403 error code (For
bidden). Please ensure that your URL is correct and that the correct protocol i
s in use.
at weblogic.webservice.binding.soap.HttpClientBinding.handleErrorRespons
e(HttpClientBinding.java:371)
at weblogic.webservice.binding.soap.HttpClientBinding.receive(HttpClient
Binding.java:233)
at weblogic.webservice.core.handler.ClientHandler.handleResponse(ClientH
Thanks
Sandip Mehta
Hey exact problem I am facing
1. Can access webservice through my thin java client using the stubs generated by clientgen.
2. But get 403 error when running inside weblogic.
8.1 SP2
Also saw in SP4 release notes....
CR185228:
The WebService SSL client failed to connect the service when "weblogic.webservice.client.ssl.strictcertchecking" was not set to false. WebLogic Server now connects to the service with this property set to either true or false."
Does this mean if i set
weblogic.webservice.client.ssl.strictcertchecking =false in SP2 my call from within weblogic will work
I appreciate immediate feedback.
Sachin -
SSL problem: SSL Forbidden or 12204 SSL port specified is not allowed
Hello there,
we have a BIG PROBLEM on a production system.
Some user on internet using IEXplore 5.0x couldn't access our https page.
Error reported are:
SSL Forbidden
SSL port specified is not allowed
We are using SSL on port 7002
This is the weblogic properties regard SSL:
weblogic.security.ssl.enable=true
# SSL listen port
weblogic.system.SSLListenPort=7002
Any suggestion?
Is there a possibility to use port 80 both for https and http?
Any help will be appreciated.
THANK'S!
I think you need to setup your proxy server to allow 7002 port,
or use port 443 for SSL ( it is the default proxy secured port)
Hope this will help
Mohds
"Paul Patrick" <[email protected]> wrote:
If this is a production problem, you should file a problem report with BEA
Support.
But I didn't see any certificates for the server registered. Without
certificates and a private
key the SSL protocol will not work.
Paul Patrick
-
Hi,
Has anyone tried (and maybe succeeded) in accessing an
RPC-style Web Service deployed on WebLogic Server 6.1 using
SSL? I have a Web Service deployed and am able to access it using JNDI and the
weblogic.soap.http.SoapInitialContextFactory
INITIAL_CONTEXT_FACTORY. However, when I try to set the
Context.SECURITY_PROTOCOL to "ssl" and access the secure port,
I get a "java.net.SocketException: Unexpected end of file from
the server" error message.
Does the weblogic.soap.http.SoapInitialContextFactory not
support SSL? Do I need to do the SOAP/XML messaging myself,
without being able to make use of the WebLogic convenience
classes? Thanks! Rob
Alright!
Glad you got it working ;-)
Actually, the problem with the protocol being hardcoded to http in the wsdl.jsp,
is a bit strange. It's unusual that the BEA engineers that coded the wsgen component
and support classes, didn't use something like the following:
<soap:address location="<%= request.getScheme() + "://" + request.getServerName()
+ ":" + request.getServerPort() %>/security/examples/webservices/security/PhoneBookService"/>
I don't use wsgen too much, because I need to have more control over the J2EE
packaging. It (wsgen) is great for spitting out stuff, but not really setup for
doing Web service packaging that use classes (i.e. helper files, frameworks, etc.)
that it doesn't generate. I think they (BEA) might be looking into integrating
the Web Services assembly process with other tools like WebGain, Forte, etc. to
alleviate these types of issues.
Anyway, glad you got it working, so now you can help somebody else (time permitting,
of course) with this topic in the future!
Regards,
Mike Wooten
"Rob Nelson" <[email protected]> wrote:
Mike,
Thank you very much for your response! The next to
last sentence did it for me (when you mentioned checking
that the location attribute of the soap:address element
was set properly)! I noticed that when I viewed the WSDL
file via the browser (by clicking on the link in the
index.html page), I saw http://host:<unsecure_port> when
I requested it over the unsecure port, but I saw
http://host:<secure_port> when I requested the WSDL over
the secure port. Notice it did not say https!
So, I unjarred the EAR file that was generated by my
wsgen task, and then unjarred the generated WAR file
contained therein. When I looked at wsdl.jsp, I noticed
that "http" was hard-coded in the location attribute, but
that the host name and port number were dynamically
generated. So I added a scriptlet to dynamically place an
"s" after "http" (if request.isSecure()) and rejarred up
the WAR and EAR files.
Now when I deployed the EAR file, I see "https" when
I request the WSDL over the secure port, and my client
(actually your client;) works! Awesome! I really appreciate
your help! Now my only issue is why did the wsdl.jsp have
"http" hard-coded, not accounting for secure requests.
These files were generated by the WSGEN task in ANT.
I figure it's either: I have a configuration problem,
I have a problem with my ANT build script, my version of
WebLogic Server (6.1 w/SP1 built 9/18/2001) has a bug, or
maybe you just have to manually go in and modify the wsdl.jsp
file if you want to use https :(. Please let me know if
you have any insight on this, and I will also follow up
with WebLogic support. Thanks again! Rob
"Michael Wooten" <[email protected]> wrote:
Hi Rob,
I am absolutely sure the code I posted works, so we need to approach this from
a different angle ;-)
First, I know why the Context.SECURITY_PROTOCOL approach doesn't work. It's because
the namespace in the Web Services code examples is not the same one as the one
used for RMI objects, EJBs, JDBC Data Sources, etc. For those objects, the Context.PROVIDER_URL
is something like "t3://localhost:7001", and the INITIAL_CONTEXT_FACTORY
is "weblogic.jndi.WLInitialContextFactory".
The one being used with WebLogic Web Services, is mainly just functioning as a
mechanism for manufacturing WebServiceProxy objects, because it is a
non-instantiable!
It does this by using a subclass of javax.naming.Context called SOAPContext, which
is completely hidden from you, but also doesn't do much except implement the lookup()
method. The implementation of this method ignores the Context.SECURITY_URL property,
but it does pay attention to the "java.naming.security.principal" and
"java.naming.security.credentials"
properties. You don't need these properties for SSL, just Basic Authentication.
Enough about that, though. The service end-point is a servlet right? So this means
it has a URL that begins with http or https, which in turn means the WebLogic
servlet engine gets the SOAP request and sends it to the StatelessSessionAdapter
servlet. To WLS, this is just like any other HTTP/HTTPS request sent to it ;-)
There is no special "SOAP-related" HTTP/HTTPS handler in WLS, but the SSL challenge
dance still happens. So my first question is, are you sure you have the HTTPS
attributes set properly in the WebLogic console. SSL/HTTPS should be enabled and
the "Hostname Verification Ignored" checkbox should be checked. Next, are you
sure the URL assigned to the location attribute of the <service> element in the
WSDL is correct (i.e. https://localhost:7002)? Are you using the "dynamic client"
approach?
Regards,
Mike Wooten
"Rob Nelson" <[email protected]> wrote:
Mike,
Thanks for your response. I downloaded the code example that you posted
last week, as well as the code example that you posted in October for a similar
request (BEA Support pointed me towards that). Unfortunately, I still can't get
the Web Service to respond to the client request when the client uses the HTTPS
port for the WebLogic Server.
I tried two different client approaches. The first uses the client code
that you posted in October, the WebServiceProxy approach. The second approach
is based on the example in the WebLogic documentation, which uses the
weblogic.soap.SoapInitialContextFactory
class with the javax.naming.Context object to perform a lookup on the service
(which closely resembles rmi without the narrowing).
Both client classes fail to invoke the service itself via HTTPS (although
they both work when making HTTP requests to the unsecure port). However, when
I run the client based on the client class that you posted in October and make
an HTTPS request, I can see in the output where it is able to download the WSDL
file and use it (via the WebServiceProxy) to describe the available methods for
the associated Web Service. It is only when the actual invoke() method is called
on the SoapMethod object (which in turn sends the XML request to the Web Service
Servlet), that the server doesn't respond, and the client fails with
an UnexpectedEndOfFileException
(i.e. no response).
So, do you know why the servlet that the RPC-style Web Service uses to handle
requests would not respond to HTTPS requests, when it processes HTTP requests
without a problem (using the same client code that fails with the HTTPS request)?
I am using WebLogic Server 6.1 w/SP1 on a Solaris 8 platform. Thanks for any
advice you can give me! Rob
"Michael Wooten" <[email protected]> wrote:
Hi Rob,
Check out the attached zip for "insights" into how to do this. It contains the code for two Web service "consumers" (that's the new-fangled word for a "client") and the web.xml and weblogic.xml for the RPC-style Web Service that they consume.
Hope this helps,
Mike Wooten
"Rob Nelson" <[email protected]> wrote:
Hi,
Has anyone tried (and maybe succeeded) in accessing an RPC-style Web Service deployed on WebLogic Server 6.1 using SSL? I have a Web Service deployed and am able to access it using JNDI and the weblogic.soap.http.SoapInitialContextFactory INITIAL_CONTEXT_FACTORY. However, when I try to set the Context.SECURITY_PROTOCOL to "ssl" and access the secure port, I get a "java.net.SocketException: Unexpected end of file from the server" error message.
Does the weblogic.soap.http.SoapInitialContextFactory not support SSL? Do I need to do the SOAP/XML messaging myself, without being able to make use of the WebLogic convenience classes? Thanks! Rob
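The WSDL check Mike Wooten asks about earlier in the thread (is the service location an https URL on the SSL port?), as an added example that is not part of the original posts. It assumes a standard WSDL 1.1 layout with soap:address under service/port; the sample WSDL, the function name check_endpoints and the 7001 port are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed sample WSDL fragment (not from the thread): one port still
# points at the plain-HTTP listener, the other at the SSL listener.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" name="Demo">
  <service name="DemoService">
    <port name="PlainPort">
      <soap:address location="http://localhost:7001/demo/service"/>
    </port>
    <port name="SecurePort">
      <soap:address location="https://localhost:7002/demo/service"/>
    </port>
  </service>
</definitions>"""


def check_endpoints(wsdl_text, expected_host, expected_port):
    """Return (service, port, location, problems) for every soap:address.

    Intended for a WSDL saved from your own server, not for untrusted XML.
    """
    root = ET.fromstring(wsdl_text)
    results = []
    for service in root.iter(f"{{{WSDL_NS}}}service"):
        for port in service.iter(f"{{{WSDL_NS}}}port"):
            addr = port.find(f"{{{SOAP_NS}}}address")
            if addr is None:
                continue  # not a SOAP port
            location = addr.get("location", "")
            url = urlsplit(location)
            problems = []
            if url.scheme != "https":
                problems.append(f"scheme is {url.scheme or 'missing'}, not https")
            if url.hostname != expected_host:
                problems.append(f"host {url.hostname} != {expected_host}")
            # urlsplit reports None when the URL omits the port: use the scheme default.
            port_no = url.port or (443 if url.scheme == "https" else 80)
            if port_no != expected_port:
                problems.append(f"port {port_no} != {expected_port}")
            results.append((service.get("name"), port.get("name"), location, problems))
    return results


if __name__ == "__main__":
    for svc, port, loc, problems in check_endpoints(SAMPLE_WSDL, "localhost", 7002):
        print(f"{svc}/{port} {loc}: {'OK' if not problems else '; '.join(problems)}")
```

A client that builds its proxy from the WSDL will send the invoke() request to whatever location the WSDL advertises, so a port flagged here is worth fixing before looking at the SSL settings themselves.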