Reputation: 11
I have an Oracle Service Bus domain running on WebLogic 10.3.6 with 2 managed servers in a cluster. We have a proxy service deployed on this domain which goes to an external Business Service for validating addresses. This Business Service is listening on an SSL port and the SSL cert chain is EntrustCACert>IntermediateCert1>IntermediateCert2>ServerCert
General runtime error: [Security:090548]The certificate chain received from ws2.site1.com - 197.109.80.xxx contained a V3 CA certificate which was missing the basic constraints.
1) Added JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.enforceConstraints=off " in the startup script and it resolved the issue. But I was told this is not the preferred way and to use a trust keystore to implement it.
2) To implement trust, I copied all 4 certs in the following reverse order EntrustCACert>IntermediateCert1>IntermediateCert2>ServerCert into one file named DSperian.pem and imported it into the JRockit cacerts file ( /apps/Oracle/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/lib/security/cacerts ) using the command below, but I am getting the same error as above.
keytool -import -alias DSperian -trustcacerts -file DSperian.pem -keystore cacerts
Question: Please let me know if I am doing it the right way to import the cert to create trust, so my OSB domain will blindly trust the Business Service (web service) and ignore the "basic constraints" error. Do I need to use a WebLogic-specific trust keystore file, even though this OSB WebLogic is running on a non-SSL port? Are there any other options available? Asking the Business Service to update their cert to include "basic constraints" is not an option.
Upvotes: 0
Views: 4847
Reputation: 5845
There is actually a problem with your certificate.
Security certificates have a set of constraints that allow them to perform certain functions (or restrict them to certain functions).
Have a look at each of the certificates and ensure that they have constraints assigned to them that are suitable for the task.
To get more details on the error, enable SSL debugging in your WebLogic server: add the following to your server startup script
-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true
More information in Configure SSL in WebLogic server.
Use the following command to validate your keystore
java utils.ValidateCertChain -jks mykey mykeystore
Then, whoever provided the root certificate needs to fix up your issues.
Upvotes: 1
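The answer above says to look at each certificate and check its constraints, and the question shows that importing the whole chain into cacerts did not make the error go away. The script below is an added example, not code from the question, the answer, or Oracle; it uses the third-party cryptography package. It splits a concatenated PEM bundle (such as the DSperian.pem from the question) into individual certificates and then applies the same test the enforceConstraints setting applies: every certificate that issued another one must be a V3 certificate carrying basicConstraints with cA=TRUE. The four-certificate demo chain it builds is constructed here for illustration; every name in it is a placeholder, and the second intermediate deliberately lacks the extension so the check has something to report.

```python
"""Find the certificate that triggers WebLogic's
"V3 CA certificate which was missing the basic constraints" error.

Added example, not code from the original question or answer.
Requires the third-party 'cryptography' package. The demo chain built by
build_demo_chain() is constructed here and every name in it is a placeholder.
"""
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# One PEM certificate block; re.S lets '.' span the base64 lines.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def load_pem_bundle(data: bytes) -> list:
    """Return every certificate in a concatenated PEM file, in file order.

    A multi-cert file like the DSperian.pem in the question holds several
    blocks; keytool -import only reads the first one, so each certificate
    has to be split out (this function) and imported under its own alias.
    """
    return [x509.load_pem_x509_certificate(m.group(0))
            for m in PEM_BLOCK.finditer(data)]


def to_pem_bundle(chain: list) -> bytes:
    """Concatenate certificates into one PEM file (inverse of load_pem_bundle)."""
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in chain)


def check_chain(chain: list) -> list:
    """Report issuer certificates that fail the basic-constraints check.

    chain[0] is the end-entity (server) certificate, chain[-1] the root.
    Every certificate that issued another one must be a CA, which for a
    V3 certificate means a basicConstraints extension with cA=TRUE. The
    error quoted in the question names V3 certificates only, so V1
    issuers (which cannot carry extensions) are skipped here.
    Returns [(subject, problem), ...]; an empty list means the chain passes.
    """
    problems = []
    for cert in chain[1:]:  # issuers only; the leaf is not required to be a CA
        subject = cert.subject.rfc4514_string()
        if cert.version != x509.Version.v3:
            continue
        try:
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints)
        except x509.ExtensionNotFound:
            problems.append((subject, "V3 CA certificate missing basicConstraints"))
            continue
        if not bc.value.ca:
            problems.append((subject, "basicConstraints present but cA=FALSE"))
    return problems


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject, issuer, issuer_key, key, basic_constraints):
    """Sign a one-year V3 certificate; basic_constraints=None omits the extension."""
    start = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject))
               .issuer_name(_name(issuer))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=365)))
    if basic_constraints is not None:
        builder = builder.add_extension(basic_constraints, critical=True)
    return builder.sign(issuer_key, hashes.SHA256())


def build_demo_chain() -> list:
    """Constructed four-certificate chain, leaf first, mirroring the
    Root > Intermediate1 > Intermediate2 > Server layout in the question.
    Intermediate 2 is a V3 certificate with no basicConstraints at all."""
    root_key, i1_key, i2_key, leaf_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = _issue("Demo Root CA", "Demo Root CA", root_key, root_key,
                  x509.BasicConstraints(ca=True, path_length=None))
    i1 = _issue("Demo Intermediate 1", "Demo Root CA", root_key, i1_key,
                x509.BasicConstraints(ca=True, path_length=1))
    i2 = _issue("Demo Intermediate 2", "Demo Intermediate 1", i1_key, i2_key, None)
    leaf = _issue("ws2.example.invalid", "Demo Intermediate 2", i2_key, leaf_key,
                  x509.BasicConstraints(ca=False, path_length=None))
    return [leaf, i2, i1, root]


if __name__ == "__main__":
    chain = load_pem_bundle(to_pem_bundle(build_demo_chain()))
    for subject, problem in check_chain(chain) or [("-", "chain passes")]:
        print(f"{subject}: {problem}")
```

To use it on the real chain, feed the bytes of the PEM bundle to load_pem_bundle and pass the resulting list (server certificate first) to check_chain; the certificate it names is the one the answer is pointing at. Two things the question's own experience already shows are worth keeping in mind: enforceConstraints checks the chain the server sends, so adding its certificates to a trust store does not silence the error, and keytool -import stores only the first certificate found in a file, so a concatenated bundle must be split and each certificate imported under its own alias if the trust store is meant to hold the whole chain.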