
SSL client issue


Tony

Aug 13, 2003, 7:37:38 AM
The issuerDN and subjectDN don't appear to match in your "self signed" certificates. This is why Certicom is thinking they are not self signed.

From your log:

Issuer:C=US, ST=Texas, L=McKinney, O=Experian-Scorex, OU=Support, CN=TransactWebCertificate
Subject:C=US, ST=Texas, L=McKinney, O=Experian-Scorex, OU=Support, CN=205.174.35.197

Note the log indicates the CN is different, so Certicom is looking for a CA certificate with a SubjectDN that matches the IssuerDN of that certificate. If it doesn't find a trusted CA that matches that IssuerDN, it will not be able to complete the chain and trust it.

Verify whether the IssuerDN and SubjectDN in the certificate really match exactly. If not, confirm whether those certs really are self signed, or if they really do have CAs that you need to add to your trusted CA list on your client. If the certificates are supposed to be self signed, then change the subjectDN and IssuerDN to match.

Tony

"George Aung" <ga...@juniper.com> wrote in message news:3f0c2062$1...@newsgroups.bea.com...
>
> We are in the process of migrating from WLS 5.1 to WLS 7.2 and we are having issues
> with using SSL client (i.e. call other secured URLs from WebLogic 7.2 - Self Signed
> and from commercial CAs). This is working code in WLS 5.1.
>
> This is what we used to do in WLS 5.1, JDK1.2.2 on Solaris 7 with 1.0.2 versions
> of jnet.jar, jsse.jar and jcert.jar.
>
> 1) Import client certs from self signed using keytool into <installed jdk>/jre/lib/security/jssecacerts.
> 2) Ensure that jsse.jar, jnet.jar and jcert.jar are in the class path.
> 3) Following code snippet works like a charm:-
>
>
> // Register the Sun JSSE HTTPS protocol handler and provider
> System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
> Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
>
> String fullUrlStr = (m_useHTTPS ? HTTPS : HTTP) + m_url;
> m_logger.log("full url str=" + fullUrlStr, LogLevel.DEBUG, methodName);
>
> URL url = new URL( fullUrlStr );
>
> HttpURLConnection conn = (HttpURLConnection)url.openConnection();
> conn.setDoInput( true );
> conn.setDoOutput( true );
> conn.setUseCaches( false );
> if( dataType == DATA_XML ){
>     conn.setRequestProperty("Content-Type", "text/xml");
> }else {
>     //
>     // netscape & .Net workaround
>     //
>     conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
> }
> //
> // post data
> //
> DataOutputStream output = null;
> output = new DataOutputStream( conn.getOutputStream() );
> output.writeBytes( data );
> output.flush();
> output.close();
>
> // Return codes
> // 2** SUCCESS
> // 3** REDIRECTION
> // 4** CLIENT ERROR
> // 5** SERVER ERROR
> if( conn.getResponseCode() >= 400 ) {
>     throw new IOException( conn.getResponseMessage() );
> }
> BufferedReader input = new BufferedReader( new InputStreamReader(
>     conn.getInputStream() ) );
>
> String str = null;
> while( ((str = input.readLine())) != null ) {
>     respData.append( str );
> }
> input.close();
>
> return respData.toString();
>
>
>
> When we do the same with WLS7.2, JDK 1.3.1_06 on Solaris 8 with jsse.jar version
> 1.0.3 then we get the following exception. (WebLogic seems to be intercepting SSL - BEA uses
> Certicom to do this.) BEA has suggested removing jsse.jar, removing the registration of
> "com.sun.net.ssl.internal.www.protocol" as security provider, adding "weblogic.net" into
> security provider and using weblogic.net.http.HttpURLConnection instead of HttpURLConnection.
> This only seems to work with VeriSign or Thawte but not with Self Signed sites, and we have
> a lot of vendors that we connect to that are self signed. Any clues?:
>
>
>
> Home class name = com.juniper.bus.decision.ejb.DecisionHome
> JDK Protocol Handlers and Security Providers:
> java.protocol.handler.pkgs - com.sun.net.ssl.internal.www.protocol
> provider[0] - SUN - SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore)
> provider[1] - SunRsaSign - SUN's provider for RSA signatures
> provider[2] - SunJSSE - Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
>
>
> <Jul 8, 2003 10:10:03 AM EDT> <Debug> <TLS> <000000> <Weblogic license is export limited>
> <Jul 8, 2003 10:10:08 AM EDT> <Debug> <TLS> <000000> <clientInfo settings applied>
> <Jul 8, 2003 10:10:08 AM EDT> <Debug> <TLS> <000000> <Filtering JSSE SSLSocket>
> <Jul 8, 2003 10:10:08 AM EDT> <Debug> <TLS> <000000> <SSLIOContextTable.addContext(ctx): 8109733>
> <Jul 8, 2003 10:10:08 AM EDT> <Debug> <TLS> <000000> <SSLSocket will be Muxing>
> <Jul 8, 2003 10:10:08 AM EDT> <Debug> <TLS> <000000> <SSLIOContextTable.findContext(is): 2189658>
> <Jul 8, 2003 10:10:08 AM EDT> <Debug> <TLS> <000000> <write HANDSHAKE offset = 0 length = 77>
> <Jul 8, 2003 10:10:08 AM EDT> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
> <Jul 8, 2003 10:10:08 AM EDT> <Debug> <TLS> <000000> <isMuxerActivated: false>
> <Jul 8, 2003 10:10:08 AM EDT> <Debug> <TLS> <000000> <SSLFilter.isActivated: false>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <7837106 readRecord()>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <7837106 received HANDSHAKE>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: ServerHello>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <HANDSHAKEMESSAGE: Certificate>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <Performing hostname validation checks: 205.174.35.197>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <validationCallback: validateErr = 4>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> < cert[0] = Serial number: 246526388047040191922181
> Issuer:C=US, ST=Texas, L=McKinney, O=Experian-Scorex, OU=Support, CN=TransactWebCertificate
> Subject:C=US, ST=Texas, L=McKinney, O=Experian-Scorex, OU=Support, CN=205.174.35.197
> Not Valid Before:Thu Jul 03 11:32:43 EDT 2003
> Not Valid After:Sat Jul 03 11:42:43 EDT 2004
> Signature Algorithm:SHAwithRSA
> >
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <Validation error = 4>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <Certificate chain is incomplete>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <SSLTrustValidator returns: 4>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <Trust status (4): CERT_CHAIN_INCOMPLETE>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <NEW ALERT: com.certicom.tls.record.alert.Alert@4d99c
> Severity: 2 Type: 42
> java.lang.Throwable: Stack trace
>     at weblogic.security.utils.SSLSetup.debug(SSLSetup.java:245)
>     at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
>     at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
>     at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
>     at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
>     at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
>     at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
>     at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
>     at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
>     at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
>     at com.certicom.tls.record.WriteHandler.write(Unknown Source)
>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:67)
>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:125)
>     at java.io.FilterOutputStream.flush(FilterOutputStream.java:121)
>     at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:97)
>     at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:284)
>     at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:235)
>     at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:662)
>     at com.juniper.core.util.HTTPHelper.sendPostData(HTTPHelper.java:499)
>     at com.juniper.core.util.HTTPHelper.sendPostData(HTTPHelper.java:413)
>     at com.juniper.utility.scorex.ScorexDAO.post(ScorexDAO.java:1516)
>     at com.juniper.utility.scorex.ScorexDAO.getApplicationResponse(ScorexDAO.java:1769)
>     at com.juniper.utility.scorex.ScorexDAO.apply(ScorexDAO.java:320)
>     at com.juniper.bus.decision.vdao.DecisionScorexDAO.apply(DecisionScorexDAO.java:108)
>     at com.juniper.bus.decision.JuniperScorexDAO.apply(JuniperScorexDAO.java:40)
>     at com.juniper.bus.decision.DecisionBO.decisionApplication(DecisionBO.java:161)
>     at com.juniper.bus.decision.ejb.DecisionBean.decisionApplication(DecisionBean.java:71)
>     at com.juniper.bus.decision.ejb.DecisionBean_afavb0_EOImpl.decisionApplication(DecisionBean_afavb0_EOImpl.java:100)
>     at com.juniper.bus.apply.ApplyBO.decision(ApplyBO.java:588)
>     at com.juniper.bus.apply.ApplyBO.process(ApplyBO.java:169)
>     at com.juniper.bus.apply.ejb.ApplyBean.process(ApplyBean.java:89)
>     at com.juniper.bus.apply.ejb.ApplyBean_11sitq_EOImpl.process(ApplyBean_11sitq_EOImpl.java:314)
>     at com.juniper.app.apply.web.action.ApplicationAction.confirmAction(ApplicationAction.java:279)
>     at com.juniper.app.apply.web.action.ApplicationAction.perform(ApplicationAction.java:100)
>     at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1786)
>     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1585)
>     at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:509)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>     at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1058)
>     at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:401)
>     at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:306)
>     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:5445)
>     at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:780)
>     at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3105)
>     at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2588)
>     at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:213)
>     at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:189)
> >
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <write ALERT offset = 0 length = 2>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <close(): 7837106>
> <Jul 8, 2003 10:10:09 AM EDT> <Debug> <TLS> <000000> <Exception during handshake, stack trace follows
> javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
>     at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
>     at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
>     at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
>     at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
>     at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
>     at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
>     at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
>     at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
>     at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
>     at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
>     at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
>     at com.certicom.tls.record.WriteHandler.write(Unknown Source)
>     at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:67)
>     at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:125)
>     at java.io.FilterOutputStream.flush(FilterOutputStream.java:121)
>     at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:97)
>     at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:284)
>     at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:235)
>     at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:662)
>     at com.juniper.core.util.HTTPHelper.sendPostData(HTTPHelper.java:499)
>     at com.juniper.core.util.HTTPHelper.sendPostData(HTTPHelper.java:413)
>     at com.juniper.utility.scorex.ScorexDAO.post(ScorexDAO.java:1516)
>     at com.juniper.utility.scorex.ScorexDAO.getApplicationResponse(ScorexDAO.java:1769)
>     at com.juniper.utility.scorex.ScorexDAO.apply(ScorexDAO.java:320)
>     at com.juniper.bus.decision.vdao.DecisionScorexDAO.apply(DecisionScorexDAO.java:108)
>     at com.juniper.bus.decision.JuniperScorexDAO.apply(JuniperScorexDAO.java:40)
>     at com.juniper.bus.decision.DecisionBO.decisionApplication(DecisionBO.java:161)
>     at com.juniper.bus.decision.ejb.DecisionBean.decisionApplication(DecisionBean.java:71)
>     at com.juniper.bus.decision.ejb.DecisionBean_afavb0_EOImpl.decisionApplication(DecisionBean_afavb0_EOImpl.java:100)
>     at com.juniper.bus.apply.ApplyBO.decision(ApplyBO.java:588)
>     at com.juniper.bus.apply.ApplyBO.process(ApplyBO.java:169)
>     at com.juniper.bus.apply.ejb.ApplyBean.process(ApplyBean.java:89)
>     at com.juniper.bus.apply.ejb.ApplyBean_11sitq_EOImpl.process(ApplyBean_11sitq_EOImpl.java:314)
>     at com.juniper.app.apply.web.action.ApplicationAction.confirmAction(ApplicationAction.java:279)
>     at com.juniper.app.apply.web.action.ApplicationAction.perform(ApplicationAction.java:100)
>     at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1786)
>     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1585)
>     at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:509)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>     at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1058)
>     at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:401)
>     at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:306)
>     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:5445)
>     at weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManager.java:780)
>     at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3105)
>     at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2588)
>     at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:213)
>
>
>
>
>
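
The name-chaining check described in the reply above, as an added Java example that is not part of the original posts and is not Certicom or WebLogic code. It models only the DN comparison; the class name, the `Cert` record and the result labels other than CERT_CHAIN_INCOMPLETE are assumptions, the first pair of DNs comes from the debug log, and the CA and re-issued entries are constructed.

```java
import java.util.List;
import javax.security.auth.x500.X500Principal;

public class DnChainCheck {
    // Stand-in for a certificate: only the two names used for chaining (Java 16+ record).
    record Cert(X500Principal subject, X500Principal issuer) {
        Cert(String subject, String issuer) {
            this(new X500Principal(subject), new X500Principal(issuer));
        }
        // X500Principal.equals compares canonical forms, so case and spacing do not matter.
        boolean selfIssued() { return subject.equals(issuer); }
    }

    // Name-chaining step only. A real validator also verifies the signature,
    // validity dates and extensions of every certificate in the chain.
    static String check(Cert cert, List<Cert> trusted) {
        if (cert.selfIssued()) {
            return trusted.contains(cert) ? "TRUSTED (self-signed, imported)"
                                          : "UNTRUSTED (self-signed, not imported)";
        }
        for (Cert ca : trusted) {
            if (ca.subject().equals(cert.issuer())) {
                return "TRUSTED (issuer found: " + ca.subject().getName() + ")";
            }
        }
        return "CERT_CHAIN_INCOMPLETE (no trusted subject " + cert.issuer().getName() + ")";
    }

    public static void main(String[] args) {
        String base = "C=US, ST=Texas, L=McKinney, O=Experian-Scorex, OU=Support, ";
        // Subject and issuer names taken from the debug log in the thread.
        Cert server = new Cert(base + "CN=205.174.35.197", base + "CN=TransactWebCertificate");
        // Constructed: CA entry whose subject is the issuer name, written in a different case.
        Cert ca = new Cert(base + "CN=transactwebcertificate", base + "CN=transactwebcertificate");
        // Constructed: server certificate re-issued so that subject and issuer match.
        Cert reissued = new Cert(base + "CN=205.174.35.197", base + "CN=205.174.35.197");

        System.out.println(check(server, List.of(server)));     // only the server cert imported
        System.out.println(check(server, List.of(ca)));         // issuing CA imported
        System.out.println(check(reissued, List.of(reissued))); // re-issued cert imported
    }
}
```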

