Reputation: 1011
I am getting an SSL handshake failure when I try to invoke an HTTPS service call within WebLogic. I have added the server certificate into the WebLogic trust store, "cacerts".
Command used to add the trust store in the WebLogic startup script:
JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore="/weblogic92/server/lib/cacerts" ${JAVA_OPTIONS}"
export JAVA_OPTIONS
Am I missing anything else? Any pointers to fix this issue?
Tested the SSL connection within the app server box using SSLPoke.java and it was successful.
java -Djavax.net.ssl.trustStore=/weblogic92/server/lib/cacerts -Djavax.net.ssl.trustStorePassword=changeit SSLPoke 192.16.2.6 8443
Weblogic server log trace:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1628)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:230)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:224)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1027)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:120)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:574)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:510)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:888)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1117)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:629)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
Upvotes: 3
Views: 37690
Reputation: 1683
I am aware that this is a very old thread, but since I faced the same challenge when getting my web application deployed on WebLogic (12.1) to communicate with an external web service over HTTPS, and worked through various solutions to finally get it to work, a few pointers from my work are provided in the hope that they will be helpful to someone in the future.
Oracle's official document on this topic is available here
How WebLogic Server Locates Trust
---------------------------------
WebLogic Server uses the following algorithm when it loads its trusted CA certificates:
1. If the keystore is specified by the -Dweblogic.security.SSL.trustedCAkeystore
command-line argument, load the trusted CA certificates from that keystore.
2. Else if the keystore is specified in the configuration file (config.xml), load
trusted CA certificates from the specified keystore. If the server is configured
with DemoTrust, trusted CA certificates will be loaded from the
WL_HOME\server\lib\DemoTrust.jks and the JDK cacerts keystores.
3. Else if the trusted CA file is specified in the configuration file (config.xml),
load trusted CA certificates from that file (this is only for compatibility
with 6.x SSL configurations).
4. Else load trusted CA certificates from WL_HOME\server\lib\cacerts keystore.
I tried option number 1, i.e. I provided the path to cacerts via -Dweblogic.security.SSL.trustedCAkeystore, having imported the certificate into the recommended truststore inside the running JDK, but it did not work. I know that the import was successful, because a Java class that I wrote to access the same HTTPS location works when run on the same JDK but outside of WebLogic.
Subsequently, I tried option number 2, i.e. I imported the certificate into DemoTrust.jks located at WL_HOME\server\lib\DemoTrust.jks. This SUCCESSFULLY allowed my deployed web application to communicate with the external web service over HTTPS.
Upvotes: 2
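The asker's SSLPoke test and the lookup order above both come down to one question: does the keystore WebLogic actually loads contain a trust anchor for the server's chain? The following is an added example (my own code, not from the question, the answers, WebLogic or the SSLPoke tool) that answers it offline for one candidate keystore; it assumes the server's chain has been exported to a PEM file (for instance with openssl s_client -showcerts), and that the store is JKS with a known password.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Hypothetical helper (not WebLogic or SSLPoke code): validates an exported server chain
// against one candidate truststore with the same PKIX trust manager JSSE uses at handshake.
// Usage: java TrustCheck <truststore.jks> <storepass> <server-chain.pem>
public class TrustCheck {
    // Load a JKS truststore (the type of WL_HOME/server/lib/cacerts and DemoTrust.jks).
    static KeyStore loadStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }
    // Parse one or more PEM certificates, leaf first, into a chain.
    static X509Certificate[] loadChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }
    // True when PKIX path building reaches a trust anchor in the store; on failure the
    // message is the same "PKIX path building failed" text seen in the WebLogic trace.
    static boolean chainIsTrusted(KeyStore store, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(store);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(chain, "RSA"); // authType only has to be non-empty for PKIX
            return true;
        } catch (CertificateException e) {
            System.out.println("NOT trusted: " + e.getMessage());
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        KeyStore store = loadStore(args[0], args[1]);
        X509Certificate[] chain = loadChain(args[2]);
        // A cert imported into a keystore other than the one WebLogic actually loads shows as absent here.
        for (X509Certificate c : chain) {
            String alias = store.getCertificateAlias(c);
            System.out.println((alias == null ? "absent: " : "alias '" + alias + "': ") + c.getSubjectX500Principal());
        }
        System.out.println(chainIsTrusted(store, chain) ? "TRUSTED by " + args[0] : "FAILS in " + args[0]);
    }
}
```

Run it once per candidate from the list above (the path given to trustedCAKeyStore, DemoTrust.jks, and the JDK's own cacerts); only a store that reports TRUSTED will satisfy the handshake inside WebLogic.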
Reputation: 311023
It is a quotes problem. Remove the pointless inner quotation marks:
JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore=/weblogic92/server/lib/cacerts ${JAVA_OPTIONS}"
Upvotes: 0
Reputation: 643
There are several other things you could try:
Have you also tried JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.trustedCAKeyStore=/weblogic92/server/lib/cacerts"
Try adding the certificates using the console (servers->server_name->keystores)
You might also have to add the following Java options:
-Dweblogic.security.SSL.verbose=true
-Dweblogic.security.SSL.enable.renegotiation=true
-Dsun.security.ssl.allowUnsafeRenegotiation=true
In servers->server_name->SSL (advanced) check Use JSSE SSL.
Check Use server certs.
Change Hostname Verification to None
Upvotes: 1