
Weblogic SSL certificate

 
Ranch Hand
Hi

I am trying to deploy an EJB in WebLogic 10.3, which is installed (with an SSL certificate) on a UNIX box. I am trying to invoke the EJB from a POJO class using the URL

t3s://506.APED.2652:7001. I am using the t3s protocol only, but I am still unable to access the EJB. Please help me out.

Do I need to do something with the keystore file?
 
Bartender
What is the error that you encountered?

t3s://506.APED.2652:7001

Is this the URL you used to connect?
 
Meet Gaurav
Ranch Hand
Yes, that is the URL.

Exception
----------
SSL Handshake when connecting to the weblogic server
 
Meet Gaurav
Ranch Hand
If SSL is installed in WebLogic, then what are the things we need to handle?

For now I have only changed the protocol from t3 to t3s.
 
Ranch Hand
Hi

Try to use https instead of t3s.
 
Deepak Bala
Bartender

SSL Handshake when connecting to the weblogic server



The SSL handshake process is failing with your client. This is probably because your certificate is self-signed.

1. Extract the certificate to a .cer file.
2. Import the certificate to a keystore.
3. Tell your Java client to use this keystore (can be done using some system properties).
4. The SSL handshake should go through.
 
Ranch Hand

kamal kannan wrote:Hi

try to use https instead of t3s.

t3 is WebLogic's proprietary protocol for communication between WebLogic servers and their clients. You need to use t3 to connect to JNDI, LDAP...
 
Meet Gaurav
Ranch Hand
Deepak,

I am new to this process. Could you please give me some links or a clear picture of how to do that?

Tell your java client to use this keystore (can be done using some system properties).

Do I need to make Java code changes?
 
Deepak Bala
Bartender

Do I need to make Java code changes?

Yep.

I did have sample code for this a while back. I do not have it anymore. I'll try to get you started on this. You can do some research on Google and finish the task. It's simple.

1. Extract the SSL certificate. Visit the SSL URL of your WebLogic server. This should be https://server:7002, if SSL is enabled for the server. Looks like it is, from whatever you described.

1.a Click on the lock icon you see in the browser at the bottom right corner. Most browsers will allow you to extract the certificate. Store this certificate on the hard disk.

1.b Use the keytool.exe Java tool to import this certificate to a new keystore. This keystore will be used to save certificates / keys and can be used by your Java client.

2. Configure your client to use this keystore. Some examples are given here -> http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#SecureConnSample

Research public-private key SSL handshakes. Symmetric and asymmetric methods of encryption will also give you a good idea of what you are trying to do.
 
Meet Gaurav
Ranch Hand
Deepak,

Thanks a lot for the information. My WebLogic is installed on the UNIX box. Also, please suggest how to set the keystore file in a system property.
 
Deepak Bala
Bartender
You should be able to do this whether or not the app server runs on Unix. As for the system property, mmm... wait a minute. You need to set the system property only when you need 2-way SSL authentication or a custom keystore. So do this instead of setting the property:

1. Extract the certificate and put it into the cacerts default keystore that comes with your client JDK/JRE.
2. Run the client. It will work.
 
Meet Gaurav
Ranch Hand
Deepak,

Since the implementation is for production, we are looking for a solid solution.

Can I map the key and cert in the context object by editing the existing Java code? If possible, please assist us with some code samples.
 
Deepak Bala
Bartender

Since the implementation is for production, we are looking for a solid solution.

This is the way everyone does it. It is indeed 'solid'.

Can I map the key and cert in the context object by editing the existing Java code? If possible, please assist us with some code samples.

Initial context? The context should not be bothered about the underlying protocol security.
 
Meet Gaurav
Ranch Hand
Deepak,

Did you mean the only way to resolve the handshake issue is

1. Extract the certificate and put it into the cacerts default keystore that comes with your client JDK/JRE.
2. Run the client. It will work

Am I right? Right now we are using the JDK which comes with WebLogic.
 
Meet Gaurav
Ranch Hand
Deepak,

I am able to view the cacerts file in the path \bea\jdk150_11\jre\lib\security .

I am new to these things. Please help us.

1. How to edit the cacerts file.
2. Where to add the key and cert.
 
Deepak Bala
Bartender

Meet Gaurav wrote:Deepak,

I am able to view the cacerts file in the path \bea\jdk150_11\jre\lib\security .

I am new to these things. Please help us.

1. How to edit the cacerts file.
2. Where to add the key and cert.

cacerts is a keystore. Add the certificate to this keystore.
 
Meet Gaurav
Ranch Hand
Deepak,

Please don't mistake us. We are new to this process. We don't know how to add this certificate.

I guess this is possible using keytool.exe.

Is there anything else we have to do on the client side to invoke SSL WebLogic?

1. Instead of t3 we are going to use t3s.
2. Adding the keystore to the cacerts file.

Am I missing anything? Please help us, Deepak.
 
Deepak Bala
Bartender

Please don't mistake us

I am not mistaking anyone. Peace.

1. Instead of t3 we are going to use t3s.
2. Adding the keystore to the cacerts file.

The cacerts file is by itself a keystore. You are adding a certificate to this keystore file. And yes, keytool can help you.
 
Meet Gaurav
Ranch Hand
Yes Deepak, I am sorry. I am adding a certificate to this keystore file.

Is there anything else I have to do, other than these two, to access the SSL server from a Java client?

1. Instead of t3 we are going to use t3s.
2. Adding the keystore to the cacerts file.


 
Deepak Bala
Bartender
No, that should be it. An additional piece of information, in case you hit a roadblock:

Your handshake may still fail if the host verification fails. That is, if the certificate is issued for the common name 1.2.3.4 and you request http://dns-name instead of http://1.2.3.4, verification at the Java client will fail. You can either issue a new and valid certificate, or override host name verification in the client to ignore this problem (not recommended), or request the correct name in the t3s URL.

 
Meet Gaurav
Ranch Hand
Deepak, can I go for this? Please confirm.


 
Deepak Bala
Bartender
Looks good. I usually type the entire thing in a single line instead of writing a script, since I might not need to use the command again.

 
Meet Gaurav
Ranch Hand
Deepak, please correct me if I am wrong.

This is the command I am using to import.

The cert.txt

Is this enough, or is there anything else I need to add in cert.txt?
 
Deepak Bala
Bartender
That looks like it should work. Your client should have no trouble after you do this.

You are doing this in DEV first, right?
 
Meet Gaurav
Ranch Hand
Deepak,

Yes, first we are going to try this in DEV. But I guess I have to search for an alternative solution for production, because I guess they will not allow these things in prod.

Please suggest an alternative solution, if any.

Is there anything else I need to add in cert.txt, other than

-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAA/Dummy value
-----END CERTIFICATE-----
 
Deepak Bala
Bartender

Meet Gaurav wrote:Deepak,

Yes, first we are going to try this in DEV. But I guess I have to search for an alternative solution for production, because I guess they will not allow these things in prod.

Please suggest an alternative solution, if any.

Is there anything else I need to add in cert.txt, other than

-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAA/Dummy value
-----END CERTIFICATE-----

Why would they not allow this in production, and who are "they"? If you do not want to do this in production, you can get yourself a valid SSL certificate. A certificate valid for one year costs as little as $20.

You do not need to add anything in cert.txt other than what the extracted cert contains. It is best not to touch anything without the use of a tool.
 
Meet Gaurav
Ranch Hand
Deepak,

I am not sure. They are the WebLogic admin people, and I have to check with them.

If I add the certificate to the keystore, then all Java clients which are running in the JVM instance will be trusted by default, right?
 
Deepak Bala
Bartender

If I add the certificate to the keystore, then all Java clients which are running in the JVM instance will be trusted by default, right?

You can also put this into your own keystore and ask the client to use that particular keystore. There is a system property that helps you do that. Check for javax.net.ssl.trustStore under this link: http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
 
Meet Gaurav
Ranch Hand
Deepak,

Finally, this resolved our issue:

export ARGS="-Dweblogic.security.SSL.trustedCAKeyStore=/opt/tmp/cert/SSLTrust.jks -Dweblogic.security.SSL.ignoreHostnameVerify=true"

And changing the protocol from t3 to t3s.
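
The checks behind the steps in this thread, as an added example that is not part of any post here: it prints the certificate's fingerprint for out-of-band comparison, confirms that the host in the t3s URL is a name the certificate was issued for (so hostname verification can stay on), and imports the certificate into a dedicated truststore instead of cacerts. The host name, alias and store password are assumptions, and the certificate is a constructed sample generated with openssl.

```shell
#!/usr/bin/env bash
# Added example. Assumed names: wls-dev.example.internal, alias wls-dev,
# store password changeit-demo. SSLTrust.jks is the store name from the thread.

# Constructed sample input: a throwaway self-signed certificate standing in
# for the cert.txt extracted from the server.
make_sample_cert() {  # $1 = output PEM file, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1" 2>/dev/null && rm -f "$1.key"
}

# SHA-256 fingerprint, to compare with the value the server admin reads off
# the server's own copy before the certificate is trusted.
cert_fingerprint() {  # $1 = PEM file
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# True only if the host placed in the t3s:// URL is a name the certificate was
# issued for (openssl's check, an approximation of the client's own verifier).
cert_matches_host() {  # $1 = PEM file, $2 = host from the URL
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
    grep -q "does match certificate"
}

# Import into a dedicated truststore rather than the JDK-wide cacerts, so only
# clients started with this store trust the certificate.
import_cert() {  # $1 = PEM file, $2 = truststore path, $3 = alias
  keytool -importcert -noprompt -alias "$3" -file "$1" \
    -keystore "$2" -storepass changeit-demo   # JDK 5 keytool: -import
}

demo() {
  tmp=$(mktemp -d) || return 1
  make_sample_cert "$tmp/cert.txt" wls-dev.example.internal
  cert_fingerprint "$tmp/cert.txt"
  cert_matches_host "$tmp/cert.txt" wls-dev.example.internal &&
    echo "t3s://wls-dev.example.internal matches the certificate"
  cert_matches_host "$tmp/cert.txt" wls-dev ||
    echo "t3s://wls-dev would fail hostname verification"
  if command -v keytool >/dev/null 2>&1; then
    import_cert "$tmp/cert.txt" "$tmp/SSLTrust.jks" wls-dev
  fi
  rm -rf "$tmp"
}
demo
# Client side, using the property from the thread and leaving verification on:
#   java -Dweblogic.security.SSL.trustedCAKeyStore=/path/to/SSLTrust.jks ...
```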

 
Greenhorn
Hi Gaurav

I am facing almost the same issue. I followed the steps as per the conversation between you and Deepak, but it is still not working. Please reply to me, I want to talk with you.
 
Greenhorn
Hi all,
I am also facing the same issue with the WebLogic SSL certificate. I have imported the certificate in the appropriate way on the Linux server. I have attached the error for this issue.

Below is the error:
weblogic.wsee.jaxrpc.soapfault.WLSOAPFaultException: Failed to receive message javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from slo-qnt-ca2.ifw.hedani.net - 159.156.154.22 --> cssnowbuild.service-now.com was not trusted causing SSL handshake failure.
-> [Security:090477]Certificate chain received from slo-qnt-ca2.ifw.hedani.net - 159.156.154.22 --> cssnowbuild.service-now.com was not trusted causing SSL handshake failure.

Can anyone help in solving this error?
 
Ranch Hand
Hi,

I am new to WebLogic certification. Can anyone guide me on how to certify a web application for the HTTPS protocol? We are unable to do that. I have tried following some guides but they are not helpful.

Thanks and regards
Dilip
 