<Invalid/unknown SSL header was received from peer nakina-132.nakinasys.loc


Denis Baudin

Nov 16, 2004, 3:06:27 PM
Hello,

Using 8.1 I am running in a clustered environment. I have 1 question and 1 issue.

I have an Admin server, a managed server, and a load balancer (as a managed server also). I am trying to enable SSL on the load balancer. My first question is regarding the startup. When I start my managed servers, I noticed them loading the keystores numerous times:

<Nov 16, 2004 2:18:37 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\Nakina\ossFramework\dist\bea\weblogic81\server\lib\DemoTrust.jks.>
<Nov 16, 2004 2:18:37 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\Nakina\ossFramework\dist\j2sdk1.4.2_05\jre\lib\security\cacerts.>
<Nov 16, 2004 2:18:48 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\Nakina\ossFramework\dist\bea\weblogic81\server\lib\DemoTrust.jks.>
<Nov 16, 2004 2:18:48 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\Nakina\ossFramework\dist\j2sdk1.4.2_05\jre\lib\security\cacerts.>
<Nov 16, 2004 2:19:34 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\Nakina\ossFramework\dist\bea\weblogic81\server\lib\DemoTrust.jks.>
<Nov 16, 2004 2:19:34 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\Nakina\ossFramework\dist\j2sdk1.4.2_05\jre\lib\security\cacerts.>
<Nov 16, 2004 2:19:36 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\Nakina\ossFramework\dist\bea\weblogic81\server\lib\DemoTrust.jks.>
<Nov 16, 2004 2:19:36 PM EST> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file C:\Nakina\ossFramework\dist\j2sdk1.4.2_05\jre\lib\security\cacerts.>

If I enable SSL debug logs I see this exception:

<Nov 16, 2004 2:51:40 PM EST> <Debug> <TLS> <000000> <SSLSetup: loading trusted CA certificates>
<Nov 16, 2004 2:51:40 PM EST> <Debug> <TLS> <000000> <SSLSetup: SSLManager not yet initialized
weblogic.security.service.NotYetInitializedException: [Security:090392]SecurityServiceManager not yet initialized.
at weblogic.security.service.SecurityServiceManagerDelegateImpl.getSecurityService(SecurityServiceManagerDelegateImpl.java:156)
at weblogic.security.service.SecurityServiceManager.getSecurityService(SecurityServiceManager.java:175)
at weblogic.security.utils.SSLSetup.getTrustedCAs(SSLSetup.java:705)
at weblogic.security.utils.SSLSetup.getSSLContext(SSLSetup.java:548)
at weblogic.security.SSL.SSLSocketFactory.<init>(SSLSocketFactory.java:71)
at weblogic.security.SSL.SSLSocketFactory.getJSSE(SSLSocketFactory.java:101)
at weblogic.net.http.HttpClient.New(HttpClient.java:209)
at weblogic.net.http.HttpsURLConnection.getHttpClient(HttpsURLConnection.java:246)
at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:217)
at weblogic.management.Admin.checkAdminServerIsRunning(Admin.java:1545)
at weblogic.management.Admin.isAdminServerRunning(Admin.java:1617)
at weblogic.management.Admin.createInstance(Admin.java:1399)
at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:770)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:670)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:344)
at weblogic.Server.main(Server.java:32)


It does not seem to stop the server from running and eventually things quiet down. Any reason/need/way to fix this?

*******************************

Second issue. I am using a servlet through the load balancer to forward to my managed app server. Below is a snippet from my web.xml file:

<servlet>
  <servlet-name>HttpClusterServlet</servlet-name>
  <servlet-class>weblogic.servlet.proxy.HttpClusterServlet</servlet-class>

  <init-param>
    <param-name>WebLogicCluster</param-name>
    <param-value>nakina-132:9002
      <!-- List of cluster members e.g nakina-130:13666|nakina-109:13666 -->
    </param-value>
  </init-param>
  <init-param>
    <param-name>SecureProxy</param-name>
    <param-value>ON</param-value>
  </init-param>
</servlet>

As I understand, this should enable the SSL with the SecureProxy parameter. However I get the error on the managed server running port 9002 as its SSL port:

<Nov 16, 2004 2:59:22 PM EST> <Warning> <Security> <BEA-090476> <Invalid/unknown SSL header was received from peer nakina-132.nakinasys.local - 192.168.0.87 during SSL handshake.>

If I remove the SecureProxy parameter, I get much more complaining about Plaintext:

<Nov 16, 2004 2:59:22 PM EST> <Warning> <Security> <BEA-090476> <Invalid/unknown SSL header was received from peer nakina-132.nakinasys.local - 192.168.0.87 during SSL handshake.>
<Nov 16, 2004 2:59:22 PM EST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer nakina-132.nakinasys.local - 192.168.0.87 instead of an SSL handshake.>
<Nov 16, 2004 2:59:24 PM EST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer nakina-132.nakinasys.local - 192.168.0.87 instead of an SSL handshake.>
<Nov 16, 2004 2:59:26 PM EST> <Warning> <Security> <BEA-090475> <Plaintext data for protocol HTTP was received from peer nakina-132.nakinasys.local - 192.168.0.87 instead of an SSL handshake.>

So I believe it is trying to use SSL with the SecureProxy parameter set (at least something changes). But why am I still getting the Invalid/unknown SSL header error? Enabling the SSL debug logs does not really provide much more information that I can see.

All servers are being run through the same domain. SSL is enabled on all servers, and listen ports disabled. My webtier has the transport-guarantee set to CONFIDENTIAL.

Thanks in advance,
Denis.

psmelkov

Nov 19, 2004, 3:50:27 PM
The multiple loading keystore messages are just a performance issue. Not initialized exceptions in the debug log are normal because the managed server has not received its configuration from the admin server yet.

The second issue might be caused by an unsupported version number in the ssl header. I'd file a support case for this.

Pavel.
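
Added example, not part of the thread and not WebLogic's own code: the two warnings quoted above separate plaintext HTTP from an unrecognised SSL header, and this sketch makes the same distinction from the first bytes a peer sends to an SSL port (for instance, bytes taken from a packet capture), going slightly beyond the thread by also reporting the version in the header. The function name, the `SUPPORTED` set and the sample bytes are assumptions constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ")

# Assumption: versions a 2004-era SSL stack would accept; adjust for your server.
SUPPORTED = {(3, 0): "SSLv3", (3, 1): "TLS 1.0"}

MAX_RECORD_LEN = 2**14 + 2048  # upper bound on a TLS record body


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a peer sent to an SSL listen port."""
    if len(data) < 5:
        return "too short to classify"
    # Plaintext HTTP sent to an SSL port (the BEA-090475 situation on this page).
    if data.startswith(HTTP_METHODS):
        return "plaintext HTTP"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    # SSLv3/TLS record header: content type 22 (handshake), version, length.
    if ctype == 0x16:
        name = SUPPORTED.get((major, minor))
        if name is None:
            return f"handshake record with unsupported version {major}.{minor}"
        if length == 0 or length > MAX_RECORD_LEN:
            return "handshake record with invalid length"
        return f"{name} handshake record"
    # SSLv2-format ClientHello: 2-byte length with high bit set,
    # message type 1, then the offered version.
    if data[0] & 0x80 and data[2] == 0x01:
        return f"SSLv2-format ClientHello offering version {data[3]}.{data[4]}"
    return "unknown header"


# Constructed sample inputs (not captured from the poster's servers).
SAMPLES = {
    "http": b"GET /app HTTP/1.1\r\nHost: nakina-132\r\n\r\n",
    "tls10": bytes.fromhex("1603010040"),
    "newer": bytes.fromhex("1603030040"),
    "v2hello": bytes.fromhex("802e010301"),
    "junk": b"\x00\x01\x02\x03\x04",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:8} -> {classify_first_bytes(raw)}")
```
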
