2 Replies Latest reply: Sep 12, 2012 8:59 AM by 961455 RSS

    I am having trouble Trouble implementing one-way SSL on WebLogic 9.2...

    961455
      I am having trouble implementing one-way SSL on WebLogic 9.2. I am using the Demo Identity and Demo Trust certificates with the SSL Listen Port enabled on 7002, and a Two Way Client Cert Behavior of Client Certs Not Requested. I assume that with Client Certs Not Requested there is no need to install certificates on users' computers.

      When weblogic is restarted, I get the following log telling me it works...

      <Sep 11, 2012 9:35:16 AM PDT> <Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias DemoIdentity from the jks keystore file E:\bea\WEBLOG~1\server\lib\DemoIdentity.jks.>
      <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file E:\bea\WEBLOG~1\server\lib\DemoTrust.jks.>
      <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file e:\bea\jdk150_12\jre\lib\security\cacerts.>
      <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Server> <BEA-002613> <Channel "Default" is now listening on 10.9.20.172:7000 for protocols iiop, t3, ldap, http.>
      <Sep 11, 2012 9:35:17 AM PDT> <Notice> <Server> <BEA-002613> <Channel "DefaultSecure" is now listening on 10.9.20.172:7002 for protocols iiops, t3s, ldaps, https.>

      However, when I open the console at https://server:7002/console, I get the following errors in the log file...

      <Sep 11, 2012 9:43:45 AM PDT> <Warning> <Security> <BEA-090481> <NO_CERTIFICATE alert was received from x.y.z.com - 10.37.10.54. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
      <Sep 11, 2012 9:43:45 AM PDT> <Warning> <Security> <BEA-090508> <Certificate chain received from x.y.z.com - 10.37.10.54 was incomplete.>

      I do not understand why I am getting this error when I assume there is no need to install certificates on users' computers. Can someone please explain what is going on? Thanks in advance.
        • 1. Re: I am having trouble Trouble implementing one-way SSL on WebLogic 9.2...
          Faisal Khan
          can you paste your config.xml here?
          • 2. Re: I am having trouble Trouble implementing one-way SSL on WebLogic 9.2...
            961455
            <?xml version='1.0' encoding='UTF-8'?>
            <domain xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xsi:schemaLocation="http://www.bea.com/ns/weblogic/90/security/extension http://www.bea.com/ns/weblogic/90/security.xsd http://www.bea.com/ns/weblogic/90/security/xacml http://www.bea.com/ns/weblogic/90/security/xacml.xsd http://www.bea.com/ns/weblogic/90/security http://www.bea.com/ns/weblogic/90/security.xsd http://www.bea.com/ns/weblogic/920/domain http://www.bea.com/ns/weblogic/920/domain.xsd http://www.bea.com/ns/weblogic/90/security/wls http://www.bea.com/ns/weblogic/90/security/wls.xsd">
            <!-- WebLogic domain configuration (config.xml) for domain "nctcis", version 9.2.3.0, as pasted into
                 the thread. The comments are review notes only; every element and value is unchanged.
                 The file carries encrypted secrets, a server hostname and local paths, all of which are
                 worth redacting before a config.xml is shared outside the team. -->
            <name>nctcis</name>
            <domain-version>9.2.3.0</domain-version>
            <!-- Security realm "myrealm" and domain-wide credentials. -->
            <security-configuration>
            <name>nctcis</name>
            <realm>
            <sec:authentication-provider xsi:type="wls:default-authenticatorType">
            <sec:name>DefaultAuthenticator</sec:name>
            <sec:control-flag>SUFFICIENT</sec:control-flag>
            </sec:authentication-provider>
            <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
            <sec:name>DefaultIdentityAsserter</sec:name>
            <sec:active-type>AuthenticatedUser</sec:active-type>
            </sec:authentication-provider>
            <sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
            <sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
            <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
            <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
            <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
            <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
            <sec:name>myrealm</sec:name>
            </realm>
            <default-realm>myrealm</default-realm>
            <!-- NOTE(review): as documented for this setting, true allows anonymous, read-only access to
                 WebLogic Server MBeans through the MBean API. Set it to false unless a client is known to
                 depend on it; confirm against the 9.2 documentation. -->
            <anonymous-admin-lookup-enabled>true</anonymous-admin-lookup-enabled>
            <!-- The {3DES} values in this file are reversibly encrypted secrets, not hashes.
                 NOTE(review): they are understood to be recoverable by anyone who also holds the domain's
                 encryption key file (SerializedSystemIni.dat; confirm for this release). Treat every value
                 that has been posted publicly as exposed and rotate it. -->
            <credential-encrypted>{3DES}PyUkjWRp8JGpk75BYSbvQ6OWYgA9SZq2nj2IuENa2vxrMy835GMRZ+GGKhJiWapjt0mMC2ohcxxlIMNUZJUH2gCjbB5kQUmA</credential-encrypted>
            <node-manager-username>system</node-manager-username>
            <node-manager-password-encrypted>{3DES}KmaZDZGQC6spYVY12CbJGA==</node-manager-password-encrypted>
            </security-configuration>
            <!-- JTA transaction limits. -->
            <jta>
            <timeout-seconds>1800</timeout-seconds>
            <abandon-timeout-seconds>3600</abandon-timeout-seconds>
            <max-transactions>100000</max-transactions>
            <max-resource-unavailable-millis>100000</max-resource-unavailable-millis>
            </jta>
            <!-- Domain log file. -->
            <log>
            <name>nctcis</name>
            <file-name>e:/netcracker/logs/wl-domain.log</file-name>
            <file-min-size>5120</file-min-size>
            </log>
            <!-- Server "nctcisAdmin"; admin-server-name near the end of the file names it as the admin server. -->
            <server>
            <name>nctcisAdmin</name>
            <!-- SSL settings for this server. No SSL listen port is set here; the startup log in the post
                 shows the secure channel on 7002. -->
            <ssl>
            <enabled>true</enabled>
            <hostname-verifier xsi:nil="true"></hostname-verifier>
            <hostname-verification-ignored>false</hostname-verification-ignored>
            <!-- NOTE(review): client-certificate-enforced is true while two-way-ssl-enabled is false.
                 The post describes the intended setting as "Client Certs Not Requested", which would
                 normally leave both values false. An enforced client certificate is consistent with the
                 BEA-090481 NO_CERTIFICATE alert logged when a browser without a certificate connects.
                 Verify the Two Way Client Cert Behavior in the console and set this to false for one-way SSL. -->
            <client-certificate-enforced>true</client-certificate-enforced>
            <two-way-ssl-enabled>false</two-way-ssl-enabled>
            <!-- This alias names a custom key, but key-stores further down selects the demo keystores and
                 the startup log in the post shows alias DemoIdentity being loaded.
                 NOTE(review): the custom alias appears to be unused in this state; confirm. -->
            <server-private-key-alias>tcisdevbpagov_cert</server-private-key-alias>
            <!-- Same ciphertext as custom-identity-key-store-pass-phrase-encrypted below, which suggests the
                 private key and the identity keystore share one passphrase. -->
            <server-private-key-pass-phrase-encrypted>{3DES}T21dXO5l79SRI+xSmGOE+A==</server-private-key-pass-phrase-encrypted>
            <use-server-certs>false</use-server-certs>
            </ssl>
            <log>
            <name>nctcisAdmin</name>
            <file-name>e:/netcracker/logs/weblogic.log</file-name>
            <file-min-size>5120</file-min-size>
            </log>
            <!-- Plain-text listen port. The startup log in the post shows iiop, t3, ldap and http on 7000, so
                 enabling SSL on 7002 does not by itself stop unencrypted access; presumably the console is
                 reachable on this port as well (confirm), and the port should be restricted if that is not intended. -->
            <listen-port>7000</listen-port>
            <web-server>
            <name>nctcisAdmin</name>
            <web-server-log>
            <name>nctcisAdmin</name>
            <file-name>e:/netcracker/logs/access.log</file-name>
            <file-min-size>5120</file-min-size>
            </web-server-log>
            </web-server>
            <listen-address>tcis.dev.bpa.gov</listen-address>
            <!-- DemoIdentityAndDemoTrust selects the demonstration keystores shipped with WebLogic, which the
                 vendor documents as development-only. They are installed identically with the product, so
                 they should not be relied on to authenticate this server to its users.
                 NOTE(review): the custom-* keystore settings below are presumably ignored until key-stores is
                 switched to a custom value such as CustomIdentityAndCustomTrust; confirm. -->
            <key-stores>DemoIdentityAndDemoTrust</key-stores>
            <!-- NOTE(review): both custom keystores sit in the JDK bin directory; a location with
                 restricted file permissions is the usual choice for private key material. -->
            <custom-identity-key-store-file-name>E:\bea\jdk150_12\bin\tcisdevbpagov_identity.jks</custom-identity-key-store-file-name>
            <custom-identity-key-store-type>JKS</custom-identity-key-store-type>
            <custom-identity-key-store-pass-phrase-encrypted>{3DES}T21dXO5l79SRI+xSmGOE+A==</custom-identity-key-store-pass-phrase-encrypted>
            <custom-trust-key-store-file-name>E:\bea\jdk150_12\bin\tcisdevbpagov_trust.jks</custom-trust-key-store-file-name>
            <custom-trust-key-store-type>JKS</custom-trust-key-store-type>
            <custom-trust-key-store-pass-phrase-encrypted>{3DES}I++r0/FEMRGFrqF47pYZJA==</custom-trust-key-store-pass-phrase-encrypted>
            </server>
            <!-- Embedded LDAP credential; another {3DES} secret to redact and rotate once disclosed. -->
            <embedded-ldap>
            <name>nctcis</name>
            <credential-encrypted>{3DES}i51JYfmoGyFTxPjiCjjtXWwza1t13k56Ls7fmdqtKB0=</credential-encrypted>
            </embedded-ldap>
            <configuration-version>9.2.3.0</configuration-version>
            <!-- Application deployments, both targeted at nctcisAdmin. -->
            <app-deployment>
            <name>NetCracker</name>
            <target>nctcisAdmin</target>
            <module-type>ear</module-type>
            <source-path>applications\NetCracker</source-path>
            <security-dd-model>DDOnly</security-dd-model>
            <staging-mode>nostage</staging-mode>
            </app-deployment>
            <app-deployment>
            <name>pictures</name>
            <target>nctcisAdmin</target>
            <module-type>war</module-type>
            <source-path>e:\pictures</source-path>
            <security-dd-model>DDOnly</security-dd-model>
            <staging-mode>nostage</staging-mode>
            </app-deployment>
            <!-- JMS server hosted on nctcisAdmin. -->
            <jms-server>
            <name>NCJMSServer</name>
            <target>nctcisAdmin</target>
            <temporary-template-resource>NCJMSModule</temporary-template-resource>
            <temporary-template-name>NetCrackerTemplate</temporary-template-name>
            <message-buffer-size>100000</message-buffer-size>
            </jms-server>
            <!-- Work manager "default" with a max-threads constraint of 40. -->
            <self-tuning>
            <max-threads-constraint>
            <name>MaxThreadsConstraint</name>
            <target>nctcisAdmin</target>
            <count>40</count>
            </max-threads-constraint>
            <work-manager>
            <name>default</name>
            <target>nctcisAdmin</target>
            <max-threads-constraint>MaxThreadsConstraint</max-threads-constraint>
            <work-manager-shutdown-trigger>
            <stuck-thread-count>1000</stuck-thread-count>
            </work-manager-shutdown-trigger>
            </work-manager>
            </self-tuning>
            <!-- JMS module; its settings live in the referenced descriptor file, not in this file. -->
            <jms-system-resource>
            <name>NCJMSModule</name>
            <target>nctcisAdmin</target>
            <sub-deployment>
            <name>BEA_JMS_MODULE_SUBDEPLOYMENT_NCJMSServer</name>
            <target>NCJMSServer</target>
            </sub-deployment>
            <descriptor-file-name>jms/ncjmsmodule-jms.xml</descriptor-file-name>
            </jms-system-resource>
            <admin-server-name>nctcisAdmin</admin-server-name>
            <!-- JDBC data sources; connection details live in the referenced descriptor files.
                 NOTE(review): those descriptors presumably hold database credentials as well, so they need
                 the same care as this file before being shared. -->
            <jdbc-system-resource>
            <name>NetCrackerDataSource</name>
            <target>nctcisAdmin</target>
            <descriptor-file-name>jdbc/NetCrackerDataSource-5713-jdbc.xml</descriptor-file-name>
            </jdbc-system-resource>
            <jdbc-system-resource>
            <name>NetCrackerDataSourceNonTX</name>
            <target>nctcisAdmin</target>
            <descriptor-file-name>jdbc/NetCrackerDataSourceNonTX-6926-jdbc.xml</descriptor-file-name>
            </jdbc-system-resource>
            </domain>

            Edited by: user6904153 on Sep 12, 2012 6:57 AM