Weblogic SSL certificate

Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Hi

I am trying to deploy an EJB in WebLogic 10.3, which is installed (with an SSL certificate) on a UNIX box. I am trying to invoke the EJB from a POJO class using the URL

t3s://506.APED.2652:7001. I am using the t3s protocol only, but I am still unable to access the EJB. Please help me out.

Do I need to do something with the keystore file?
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

What is the error that you encountered?



Is this the URL you used to connect?


SCJP 6 articles - SCJP 5/6 mock exams - More SCJP Mocks
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Yes that is the url.

Exception
----------
SSL Handshake when connecting to the weblogic server
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
If SSL is installed in WebLogic, then what are the things we need to handle?

For now I have only changed the protocol from t3 to t3s.
kamal kannan
Ranch Hand

Joined: Oct 06, 2006
Posts: 33
Hi

Try to use https instead of t3s.


SCJP 1.5 95% /SCWCD 1.5 93% /RHCE EL4 100% /WEBLOGIC 9.2 SYSTEM ADMINISTRATION 100% / Oracle Weblogic 10g Server Certified System Export 88%
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

SSL Handshake when connecting to the weblogic server


The SSL handshake process is failing with your client. This is probably because your certificate is self-signed.

1. Extract the certificate to a .cer file.
2. Import the certificate to a keystore.
3. Tell your Java client to use this keystore (can be done using some system properties).
4. The SSL handshake should go through.
Balu Sadhasivam
Ranch Hand

Joined: Jan 01, 2009
Posts: 874

kamal kannan wrote: Hi

try to use https instead of t3s.



t3 is WebLogic's proprietary protocol for communication between WebLogic servers and their clients. You need to use t3 to connect to JNDI, LDAP..
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Deepak,

I am new to this process. Could you please give me some links or a clear picture of how to do that:

Tell your java client to use this keystore (can be done using some system properties).

Do I need to make Java code changes?
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

whether I need to do java code changes.


Yep.

I did have sample code for this a while back. I do not have it anymore. I'll try to get you started on this. You can do some research on Google and finish the task. It's simple.

1. Extract the SSL certificate. Visit the SSL URL of your WebLogic server. This should be https://server:7002, if SSL is enabled for the server. Looks like it is from whatever you described.

1.a Click on the lock icon you see on the browser at the bottom right corner. Most browsers will allow you to extract the certificate. Store this certificate on the hard disk.

1.b Use the keytool.exe Java tool to import this certificate to a new keystore. This keystore will be used to save certificates / keys and can be used by your Java client.

2. Configure your client to use this keystore. Some examples are given here -> http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#SecureConnSample

Research on public-private key SSL handshakes. Symmetric and Asymmetric methods of encryption will also give you a good idea of what you are trying to do.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Deepak,

Thanks a lot for the information. My WebLogic is installed on the Unix box. Also, please suggest how to set the keystore file in a system property.
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

You should be able to do this whether or not the app server runs on Unix. As for the system property, mmm... wait a minute. You need to set the system property only when you need 2-way SSL authentication or a custom keystore. So do this instead of setting the property:

1. Extract the certificate and put it into the cacerts default keystore that comes with your client JDK/JRE.
2. Run the client. It will work.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Deepak,

Since the implementation is for production, we were looking for a solid solution.

Can I map the key and cert in the context object by editing the existing Java code? If possible, please assist us with some code samples.
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

Since the implementation is for production and we were looking for some solid solution.


This is the way everyone does it. It is indeed 'solid'.

Can I map the key and cert in the context object by editing the existing java code. if possible please assist us with some code samples.


Initial context? The context should not be bothered about the underlying protocol security.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Deepak,

Did you mean the only way to resolve the handshake issue is

1. Extract the certificate and put it into the cacerts default keystore that comes with your client JDK/JRE.
2. Run the client. It will work


Am I right? Right now we are using the JDK which comes with WebLogic.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Deepak,

I am able to view the cacerts file in the path \bea\jdk150_11\jre\lib\security .

I am new to these things. Please help us.

1. How to edit the cacerts file.
2. Where to add the key and cert.
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

Meet Gaurav wrote: Deepak,

I am able to view the cacerts file in the path \bea\jdk150_11\jre\lib\security .

I am new to these things. Please help us.

1. How to edit the cacerts file.
2. Where to add the key and cert.


cacerts is a keystore. Add the certificate to this keystore.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Deepak,

Please don't mistake us. We are new to this process. We don't know how to add this certificate.

I guess this is possible using the keytool.exe.

Is there anything else we have to do from the client side to invoke SSL WebLogic?

1. Instead of t3 we are going to use t3s.
2. Adding the keystore to the cacerts file.

Is there anything I am missing? Please help us, Deepak.
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

Please don't mistake us


I am not mistaking anyone. Peace.


1. instead of t3 we are going to use t3s.
2. adding the keystore to cacerts file.


The cacerts file is by itself a keystore. You are adding a certificate to this keystore file. And yes, keytool can help you.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Yes Deepak, I am sorry. I am adding a certificate to this keystore file.

Is there anything else I have to do, other than these two, for accessing the SSL server from a Java client?

1. Instead of t3 we are going to use t3s.
2. Adding the keystore to the cacerts file.


Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

No, that should be it. An additional piece of information if you hit a roadblock:

Your handshake may still fail if the host verification fails. That is, if the certificate is issued for the common name 1.2.3.4 and you request http://dns-name instead of http://1.2.3.4, verification at the Java client will fail. You can either issue a new and valid certificate or you can override host name verification in the client to ignore this problem (not recommended) or yet still, you can request for the correct name in the t3s URL.

Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Deepak, can I go for this? Please confirm.


Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

Looks good. I usually type the entire thing in a single line instead of writing a script, since I might not need to use the command again.

Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Deepak, please correct me if I am wrong.

This is the command I am using to import.



The cert.txt




Is this enough, or is there anything else I need to add in the cert.txt?
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

That looks like it should work. Your client should have no trouble after you do this.

You are doing this in DEV first right ?
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Deepak,

Yes first we are going to try this in DEV. But I guess I have to search for an alternative solution for Production. Because I guess they will not allow these things in Prod.

Please suggest an alternative solution, if any.

Is there anything else I need to add in the cert.txt, other than

-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAA/Dummy value
-----END CERTIFICATE-----
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

Meet Gaurav wrote: Deepak,

Yes first we are going to try this in DEV. But I guess I have to search for an alternative solution for Production. Because I guess they will not allow these things in Prod.

Please suggest an alternative solution, if any.

Is there anything else I need to add in the cert.txt, other than

-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAA/Dummy value
-----END CERTIFICATE-----


Why would they not allow this in production, and who are "they"? If you do not want to do this in production you can get yourself a valid SSL certificate. A certificate valid for one year costs as little as 20$.

You do not need to add anything in cert.txt other than what the extracted cert contains. It is best not to touch anything without the use of a tool.
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Deepak,

I am not sure; they were the WebLogic admin persons and I have to check with them.

If I add the certificate to the keystore, then all Java clients which are running in the JVM instance will be trusted by default, right?
Deepak Bala
Bartender

Joined: Feb 24, 2006
Posts: 6661
    
    5

If I add the certificate to the keystore, then all Java clients which are running in the JVM instance will be trusted by default, right?


You can also put this into your own keystore and ask the client to use that particular keystore. There is a system property that helps you do that. Check for javax.net.ssl.truststore under this link http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
Meet Gaurav
Ranch Hand

Joined: Oct 08, 2008
Posts: 492
Deepak,

Finally, this resolved our issue:

export ARGS="-Dweblogic.security.SSL.trustedCAKeyStore=/opt/tmp/cert/SSLTrust.jks -Dweblogic.security.SSL.ignoreHostnameVerify=true"

And changing the protocol from t3 to t3s.
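
The two failure modes discussed in this thread (a certificate that is not in the truststore, and a host name that does not match the certificate) can be told apart with a small JSSE probe that uses a dedicated truststore and leaves host name verification on. This is an added example, not code from the thread: the class name TlsTrustCheck is hypothetical, it assumes Java 7 or later, and it uses plain JSSE rather than WebLogic's own t3s client stack, so point it at the server's SSL listen port.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Added example: TLS handshake check against a dedicated truststore, host name check left on. */
public class TlsTrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: TlsTrustCheck <host> <port> <truststore.jks> <storepass>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // Load only the certificates we chose to trust, instead of editing the JDK-wide cacerts.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[2])) {
            trust.load(in, args[3].toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // A raw SSLSocket does not compare the certificate with the host name by default;
            // "HTTPS" turns that check on for the name we connected to.
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();

            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("handshake OK, protocol " + s.getSession().getProtocol());
            System.out.println("subject: " + leaf.getSubjectX500Principal().getName());
            System.out.println("SANs:    " + leaf.getSubjectAlternativeNames());
        } catch (SSLHandshakeException e) {
            // Typically "unable to find valid certification path" means the certificate is not
            // in the truststore; "No name matching ..." means URL name and certificate name differ.
            System.err.println("handshake FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with the same host name that appears in the t3s URL: a trust failure means the certificate is missing from the truststore, while a name failure means the URL or the certificate needs to change, which is the condition ignoreHostnameVerify=true would otherwise hide.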

Milind Chaudhari
Greenhorn

Joined: Jul 28, 2011
Posts: 2
Hi Gaurav

I am facing almost the same issue. I followed the steps as per the conversation between you and Deepak, but it is still not working..... Please reply to me, I want to talk with you.
Nirmit Mutalik
Greenhorn

Joined: May 15, 2013
Posts: 6
Hi all,
Even I am facing the same issue with the WebLogic SSL certificate. I have imported the certificate in the appropriate way on a Linux server; I have attached the error with this issue.

Below is the error:
weblogic.wsee.jaxrpc.soapfault.WLSOAPFaultException: Failed to receive message javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from slo-qnt-ca2.ifw.hedani.net - 159.156.154.22 --> cssnowbuild.service-now.com was not trusted causing SSL handshake failure.
-> [Security:090477]Certificate chain received from slo-qnt-ca2.ifw.hedani.net - 159.156.154.22 --> cssnowbuild.service-now.com was not trusted causing SSL handshake failure.

Can anyone help in solving this error?
Dilip H Pashupathi
Ranch Hand

Joined: Jul 24, 2013
Posts: 33
Hi,

I am new to WebLogic certification. Can anyone guide me on how to certify a web application for the HTTPS protocol? We are unable to do that. I have tried following some guides but they are not helpful.

Thanks and regards
Dilip