8 Replies Latest reply: Jul 19, 2012 6:08 AM by 947416

    Problems with Oracle Web Logic 10.3.6, certificates and proxies

    947416
      Good morning.

      We are trying to establish an SSL connection using Apache CXF and WebLogic Server 10.3.6.

      For that, we are passing through a proxy. Using Apache Tomcat, the test is ok, we can connect to the endpoint correctly. But in WebLogic 10.3.6, we have problems with the certificates.

      In our code, we are loading the certificates programmatically.

      The web-services-config.xml is the following:

      <?xml version="1.0" encoding="UTF-8"?>

      <beans
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd"
           xmlns:http="http://cxf.apache.org/transports/http/configuration"
           xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:jaxws="http://cxf.apache.org/jaxws"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans">
           <jaxws:client address="@SNE.SNE_WS_URL@"
                serviceClass="com.bankia.sne.ws.clientes.buzonAPESNE.APESNEBuzonWSTipoPuerto"
                id="puertoAPESNEBuzonWS" />

           <http:conduit name="@SNE.SNE_WS_URL@">
                <http:client Connection="Keep-Alive" AutoRedirect="true"
                     ProxyServerType="HTTP" ProxyServerPort="@SNE.PROXY_PORT@"
                     ProxyServer="@SNE.PROXY_HOST@" />

                <http:proxyAuthorization>
                     <sec:UserName>@SNE.PROXY_USER@</sec:UserName>
                     <sec:Password>@SNE.PROXY_PASSWORD@</sec:Password>
                </http:proxyAuthorization>

                <http:tlsClientParameters>

                     <sec:cipherSuitesFilter>
                          <!-- these filters ensure that a ciphersuite with export-suitable or
                               null encryption is used, but exclude anonymous Diffie-Hellman key exchange
                               as this is vulnerable to man-in-the-middle attacks.
                               NOTE: this is the filter from the CXF sample configuration; the suites it
                               admits (EXPORT, single DES, NULL) give weak or no confidentiality and
                               should not be used for a production endpoint. -->
                          <sec:include>.*_EXPORT_.*</sec:include>
                          <sec:include>.*_EXPORT1024_.*</sec:include>
                          <sec:include>.*_WITH_DES_.*</sec:include>
                          <sec:include>.*_WITH_NULL_.*</sec:include>
                          <sec:exclude>.*_DH_anon_.*</sec:exclude>
                     </sec:cipherSuitesFilter>
                </http:tlsClientParameters>
           </http:conduit>
      </beans>

      That's the code used to establish the CXF connection:

      import java.io.File;
      import java.io.FileInputStream;
      import java.io.InputStream;
      import java.net.URL;
      import java.security.KeyStore;
      import javax.net.ssl.KeyManager;
      import javax.net.ssl.KeyManagerFactory;
      import javax.net.ssl.TrustManager;
      import javax.net.ssl.TrustManagerFactory;
      import org.apache.cxf.configuration.jsse.TLSClientParameters;
      import org.apache.cxf.endpoint.Client;
      import org.apache.cxf.frontend.ClientProxy;
      import org.apache.cxf.transport.http.HTTPConduit;

      private void configuraConexion(Buzon buzon) {
           try {
                LOGGER.debug("Configuring the web service connection for mailbox with id " + buzon.getId() + " ...");
                Client client = ClientProxy.getClient(puertoAPESNEBuzonWS);

                HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
                TLSClientParameters tlsParams = httpConduit.getTlsClientParameters();
                if (tlsParams == null) {
                     // the conduit has no <http:tlsClientParameters> in its configuration
                     tlsParams = new TLSClientParameters();
                }

                Certificado certificado = buzon.getCertificado();
                byte[] bytes = certificado.bytesCertificado();

                CertificadoSerializable certSerializado = (CertificadoSerializable) Serializador.desserializar(bytes);

                // Load the truststore from disk (or from the classpath if the file is not there)
                TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                KeyStore truststore = KeyStore.getInstance(Propiedades.getProperty(KEY_SERVICIO_WEB_ALMACEN_TRUSTSTORE));
                String contrasenia = Propiedades.getProperty(KEY_SERVICIO_WEB_TRUSTORE_PASSWORD);
                File ficheroTruststore = null;
                String rutaTrustore = Propiedades.getProperty(KEY_SERVICIO_WEB_TRUSTORE_RUTA)
                          + Propiedades.getProperty(KEY_SERVICIO_WEB_NOMBRE_TRUSTSTORE);

                LOGGER.debug("rutaTrustore --> " + rutaTrustore);

                if (rutaTrustore != null) {
                     ficheroTruststore = new File(rutaTrustore);
                }

                InputStream in = null;
                try {
                     if (ficheroTruststore == null || !ficheroTruststore.exists()) {
                          URL url = Localizador.getResource(Propiedades.getProperty(KEY_SERVICIO_WEB_NOMBRE_TRUSTSTORE));
                          ficheroTruststore = new File(url.getPath());
                          in = url.openStream();
                     } else {
                          in = new FileInputStream(ficheroTruststore);
                     }
                     truststore.load(in, contrasenia.toCharArray());
                } finally {
                     if (in != null) {
                          in.close();
                     }
                }

                LOGGER.info("[ServicioWSBuzonAPESNEImpl.configuraConexion] Truststore file loaded from " + ficheroTruststore.getPath());

                trustFactory.init(truststore);
                TrustManager[] tm = trustFactory.getTrustManagers();
                tlsParams.setTrustManagers(tm);

                // Build the keystore in memory from the certificate stored in the database
                KeyStore keyStore = KeyStore.getInstance(Propiedades.getProperty(KEY_SERVICIO_WEB_TIPO_ALMACEN_KEYSTORE));
                keyStore.load(null, certificado.getContrasenia().toCharArray());
                keyStore.setKeyEntry(certificado.getAlias(), certSerializado.getClavePrivada(),
                          certificado.getContrasenia().toCharArray(), certSerializado.getCadena());

                // Set our key store (used to authenticate the local SSLSocket to its peer)
                KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                keyFactory.init(keyStore, certificado.getContrasenia().toCharArray());

                KeyManager[] km = keyFactory.getKeyManagers();
                tlsParams.setKeyManagers(km);

                httpConduit.setTlsClientParameters(tlsParams);
                LOGGER.debug("Connection configured successfully");
           } catch (Exception e) {
                LOGGER.error("Error configuring the web service connection", e);
                throw new WSBuzonException("Error configuring the web service connection: " + e.getMessage());
           }
      }


      We don't know how to solve this issue. Please, could you help us?

      Thanks in advance,
      Jaime.

      Edited by: j2eedevelopment on 10-jul-2012 10:05
        • 1. Re: Problems with Oracle Web Logic 10.3.6, certificates and proxies
          903917
          What are the errors you're getting? Also, could you remove the "+" signs in your post as that would make the code more readable?
          • 2. Re: Problems with Oracle Web Logic 10.3.6, certificates and proxies
            947416
            Hi Zack, thanks for the answer.
            I've cleaned the code below.
             Our problem is the following: we want to use many keystores, depending on the user who is logged into the application. For that reason, we want to supply the keystore from the Java client, because we have seen that in WebLogic you can select one keystore, but only one. For that reason, we want to change the keystore at runtime, dynamically.
             The problems we have found are the following:
             1) If we configure WebLogic with the correct keystore and truststore, we are not able to change the keystore and truststore at runtime, so we always have to use the same keystore, and we don't want this.
             2) Also, I'm now trying to use JAX-WS instead of Apache CXF, and I've tried to set the SSL system properties with the following code:
             // standard JSSE property names behind the constants
             private static final String JAVAX_NET_SSL_TRUST_STORE = "javax.net.ssl.trustStore";
             private static final String JAVAX_NET_SSL_TRUST_STORE_PASSWORD = "javax.net.ssl.trustStorePassword";
             private static final String JAVAX_NET_SSL_KEY_STORE = "javax.net.ssl.keyStore";
             private static final String JAVAX_NET_SSL_KEY_STORE_PASSWORD = "javax.net.ssl.keyStorePassword";
             private static final String JAVAX_NET_SSL_KEY_STORE_TYPE = "javax.net.ssl.keyStoreType";

             System.setProperty(JAVAX_NET_SSL_TRUST_STORE, trustore);
             System.setProperty(JAVAX_NET_SSL_TRUST_STORE_PASSWORD, trustStorePassword);
             System.setProperty(JAVAX_NET_SSL_KEY_STORE, keyStore);
             System.setProperty(JAVAX_NET_SSL_KEY_STORE_PASSWORD, keyStorePassword);
             System.setProperty(JAVAX_NET_SSL_KEY_STORE_TYPE, keyStoreType);

            Thanks in advance,
            Jaime.
            • 3. Re: Problems with Oracle Web Logic 10.3.6, certificates and proxies
              903917
              You might consider using KeyStore.PrivateKeyEntry which would allow for several private keys that could authenticate to one public key on your server (http://docs.oracle.com/javase/6/docs/api/java/security/KeyStore.html).

               That way, you could set up a private key for any client that could match against the one public key.

              I've used this overall approach in other applications successfully in the past (having several private keys that are able to authenticate with one public key on a server).

              Not sure if I'm way off the path you're trying to go or not, but it's at least something to consider...
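The suggestion above (one KeyStore with a PrivateKeyEntry per user) only works for the per-user case if something tells JSSE which entry to present: the JDK's default X509KeyManager selects an alias from the server's accepted-issuer list, so when several entries match it has no way of knowing which user is calling. The class below is an added example, not code from this thread, WebLogic or CXF; it assumes one request per thread (so a ThreadLocal can carry the user's alias), that the alias of each entry is the user id, and that all entries share one key password, which is what the SunX509 KeyManagerFactory requires.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;

/**
 * One keystore with a PrivateKeyEntry per application user (alias == user id),
 * and a key manager that presents exactly the entry of the user behind the
 * current request. Without this, the default manager would hand the same
 * certificate to everyone whose key matches the server's issuer list.
 */
public final class UserSelectingKeyManager implements X509KeyManager {

    // Alias for the request running on this thread. Assumption: one request per
    // thread (servlet/EJB pool), so set it after login and clear it in a finally block.
    private static final ThreadLocal<String> CURRENT_ALIAS = new ThreadLocal<String>();

    private final X509KeyManager delegate;

    public UserSelectingKeyManager(X509KeyManager delegate) {
        this.delegate = delegate;
    }

    public static void useAlias(String alias) { CURRENT_ALIAS.set(alias); }
    public static void clearAlias()           { CURRENT_ALIAS.remove(); }

    // Client side: offer only the current user's key, and fail closed (send no
    // certificate at all) rather than fall back to some other user's entry.
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        String alias = CURRENT_ALIAS.get();
        if (alias == null) {
            return null;
        }
        PrivateKey key = delegate.getPrivateKey(alias);
        if (key == null) {
            return null;
        }
        for (String type : keyType) {            // e.g. "RSA", "DSA", "EC"
            if (type.equals(key.getAlgorithm())) {
                return alias;
            }
        }
        return null;
    }

    public String[] getClientAliases(String keyType, Principal[] issuers) {
        String alias = CURRENT_ALIAS.get();
        return alias == null ? null : new String[] { alias };
    }

    // Server side is not used for an outbound web service call; delegate unchanged.
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }

    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }

    public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }

    public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    /**
     * Wraps the default key manager of a multi-user keystore. SunX509 unlocks
     * every key entry with the single password given here, so all per-user
     * entries in this store must share it.
     */
    public static SSLContext contextFor(KeyStore multiUserKeys, char[] keyPassword,
                                        TrustManager[] trustManagers) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(multiUserKeys, keyPassword);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                base = (X509KeyManager) km;
                break;
            }
        }
        if (base == null) {
            throw new IllegalStateException("no X509KeyManager available");
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new UserSelectingKeyManager(base) }, trustManagers, null);
        return ctx;
    }
}
```

Call `UserSelectingKeyManager.useAlias(userId)` once the user has logged in and `clearAlias()` in a `finally` block before the pooled thread is returned, otherwise the next request on that thread inherits the previous user's key. With CXF, the wrapped manager can be passed to `tlsParams.setKeyManagers(...)` exactly where the original post sets its key managers. The class implements the plain `X509KeyManager` interface, which is enough for `SSLSocket`-based transports such as HttpsURLConnection; an `SSLEngine`-based transport needs the same logic in an `X509ExtendedKeyManager`, because the JDK returns no alias from a plain manager for engine handshakes.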
              • 4. Re: Problems with Oracle Web Logic 10.3.6, certificates and proxies
                947416
                 Thanks for the information Zack, the problem now is that we want to change the private key we are using at runtime.
                 Also, we have had problems with CXF behind a proxy.

                If you can give us some information, it could be nice for us.

                Thanks in advance,
                Jaime.
                • 5. Re: Problems with Oracle Web Logic 10.3.6, certificates and proxies
                  903917
                  Hmmm - you'll have to check out the documentation on KeyStore and Java Security for examples on how to do that...
                  • 6. Re: Problems with Oracle Web Logic 10.3.6, certificates and proxies
                    947416
                    Hi Zack,

                     Do you know how to change the selected keystore dynamically at runtime?
                     Our business case is the following:

                     We have an EAR application, the user logs into it, and each user has its own keystore associated; for that reason, we want to create the SSL session AFTER the user has logged in. For that reason, configuring a keystore in WebLogic and selecting one is not a solution for us, do you understand what I mean?

                     Is it possible to change dynamically, at runtime, the keystore used to establish SSL connections?
                     That is:
                     1) Run WebLogic.
                     2) Start the application.
                     3) One user logs in, loads its keystore, creates an SSL context, and makes a web service call.
                     4) Later, another user logs into the application, loads its keystore, creates an SSL context, and makes a web service call.

                     We have made it work nicely in Apache Tomcat; why is WebLogic so complicated in this sense?

                     Is there any chance to configure the keystores dynamically in an EAR deployed in WebLogic, or does WebLogic have this limitation?

                    Thanks in advance,
                    Jaime.
                    • 7. Re: Problems with Oracle Web Logic 10.3.6, certificates and proxies
                      903917
                      Jaime,

                      These are great questions but I'm sorry to say I don't know the answers to them :(

                      All I can recommend for you at this point is to read up and study through any documentation revolving around KeyStore, SSL and web services with WebLogic Server. It's no doubt going to take you some time but Oracle has some good PDFs that describe the ins and outs of each of the technologies I listed above.

                      One particular PDF that you might want to get started with is http://docs.oracle.com/cd/E21764_01/web.1111/e13713.pdf (Securing WebLogic Web Services for Oracle WebLogic Server).
                      • 8. Re: Problems with Oracle Web Logic 10.3.6, certificates and proxies
                        947416
                         OK, we have found the following solution:
                         1) define HttpsURLConnection.setDefaultSSLSocketFactory(ssl_ctx.getSocketFactory()); (the SSLContext has the truststore and keystore)
                         2) define proxy system properties
                        System.setProperty("weblogic.webservice.transport.https.proxy.host", host);
                        System.setProperty("weblogic.webservice.transport.http.proxy.port", port);
                        System.setProperty("weblogic.webservice.transport.https.proxy.port", port);
                        System.setProperty("http.proxy.host", host);
                        System.setProperty("https.proxy.host", host);
                        System.setProperty("http.proxy.port", port);
                        System.setProperty("https.proxy.port", port);
                        System.setProperty("http.proxy.user", user);
                        System.setProperty("https.proxy.user", user);
                        System.setProperty("http.proxy.password", pwd);
                        System.setProperty("https.proxy.password", pwd);
                        System.setProperty("weblogic.net.proxyAuthenticatorClassName", "utils.Authenticator");
                        3) Define a class called for example utils.Authenticator, which implements ProxyAuthenticator.
                         4) Add -DUseSunHttpHandler=true as a WebLogic startup script parameter.

                        Thanks in advance,
                        Jaime.
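The solution above works because -DUseSunHttpHandler=true makes WebLogic route URL connections through the JDK's own HttpsURLConnection, so the JSSE socket factory applies. The caveat a reviewer would raise is that HttpsURLConnection.setDefaultSSLSocketFactory and the proxy System properties are process-wide: once user B logs in and the default is replaced, user A's overlapping calls on other threads go out with B's client certificate, and the proxy password sits in System properties readable by every class in the JVM. The class below is an added example, not code from this thread or from WebLogic, showing the per-connection alternative for the same scenario; the proxy host and port, the user's key material from the database and the pre-loaded truststore are assumed inputs.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * One SSLContext per logged-in user, attached to each HttpsURLConnection with
 * setSSLSocketFactory instead of the process-wide setDefaultSSLSocketFactory.
 * The proxy is also given per connection with java.net.Proxy, so no
 * http(s).proxy* system property has to be set for the whole JVM.
 */
public final class PerUserTlsClient {

    private final KeyStore truststore;   // shared CA truststore, loaded once at startup (assumed input)
    private final Proxy proxy;           // corporate HTTP proxy; host and port are assumptions

    public PerUserTlsClient(KeyStore truststore, String proxyHost, int proxyPort) {
        this.truststore = truststore;
        this.proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort));
    }

    /** In-memory keystore holding only this user's key, built from the DB entry as in the thread. */
    public static KeyStore userKeyStore(String alias, PrivateKey key, Certificate[] chain,
                                        char[] keyPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                                  // fresh, empty store
        ks.setKeyEntry(alias, key, keyPassword, chain);
        return ks;
    }

    /** Context that authenticates as this user and trusts the shared truststore; cache it per session. */
    public SSLContext contextFor(KeyStore userKeys, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(userKeys, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens the endpoint through the proxy using this user's context; no global state is modified. */
    public HttpsURLConnection open(URL endpoint, SSLContext userCtx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) endpoint.openConnection(proxy);
        conn.setSSLSocketFactory(userCtx.getSocketFactory()); // per instance, not setDefault*
        // The JDK's default HostnameVerifier stays in place; do not replace it with an allow-all one.
        return conn;
    }

    /** A minimal call returning the HTTP status, e.g. 200 when the CONNECT tunnel and mutual TLS succeed. */
    public int get(URL endpoint, SSLContext userCtx) throws IOException {
        HttpsURLConnection conn = open(endpoint, userCtx);
        try {
            conn.setRequestMethod("GET");
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

Build the context once per user session and reuse it for that user's calls: the JDK's HTTPS keep-alive cache will not hand a connection authenticated with one socket factory to a request that uses a different one, so per-user contexts also keep per-user connections apart. The proxy's own 407 challenge is still answered through java.net.Authenticator, which is global; that is acceptable here because the proxy credentials belong to the application, not to the end user. It is only the client key that must never be shared across users. For the CXF path, the same key and trust managers go into the conduit's TLSClientParameters exactly as the original post does.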