1 Reply Latest reply: Oct 4, 2012 4:49 AM by Cuong Pham

    SSL Handshake exception NodeManager with Custom Identity-Trust

    Cuong Pham
      Hi everyone.
      I've created a Java identity keystore with keytool and signed it with my OpenSSL CA server. Everything seems to be okay with WebLogic Server SSL. My domain works well with that keystore and is currently running with domain administration port 9002.
      But the problem occurs when I use that custom identity/trust keystore for NodeManager. On the host app.tinhvan.vnet, I run some WebLogic server instances; the private key on that host has alias "app.tinhvan.vnet" (cn=app.tinhvan.vnet).

      This is the configuration in the file nodemanager.properties:
      ##IDENTITY
      KeyStores=CustomIdentityAndCustomTrust
      CustomIdentityKeyStoreFileName=/home/oracle/Oracle/Middleware/user_projects/domains/mydomain/identity.jks
      CustomIdentityKeyStorePassPhrase={3DES}agMximOb10eXADzoDbo2Xg==
      CustomIdentityAlias=app.tinhvan.vnet
      CustomIdentityPrivateKeyPassPhrase={3DES}agMximOb10eXADzoDbo2Xg==
      CustomIdentityKeyStoreType=JKS
      ### ================ END - Custom Identity / Trust config ================
      DomainsFile=/home/oracle/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.domains
      LogLimit=0
      DomainsDirRemoteSharingEnabled=false
      PropertiesVersion=10.3
      AuthenticationEnabled=true
      NodeManagerHome=/home/oracle/Oracle/Middleware/wlserver_10.3/common/nodemanager
      JavaHome=/home/oracle/jrockit-jdk1.6.0_31/jre
      LogLevel=INFO
      DomainsFileEnabled=true
      StartScriptName=startWebLogic.sh
      ListenAddress=app.tinhvan.vnet
      NativeVersionEnabled=true
      ListenPort=5556
      LogToStderr=true
      SecureListener=true
      LogCount=1
      DomainRegistrationEnabled=false
      StopScriptEnabled=true
      QuitEnabled=true
      LogAppend=true
      StateCheckInterval=500
      CrashRecoveryEnabled=true
      StartScriptEnabled=true
      LogFile=/home/oracle/Oracle/Middleware/wlserver_10.3/common/nodemanager/nodemanager.log
      LogFormatter=weblogic.nodemanager.server.LogFormatter
      ListenBacklog=10
      When I start NodeManager and log in to it with nmConnect in WLST, I get this error:
      <Oct 3, 2012 9:58:10 PM> <WARNING> <Uncaught exception in server handlerjavax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from app.tinhvan.vnet - 192.168.50.161. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
      javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from app.tinhvan.vnet - 192.168.50.161. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
           at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
           at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertReceived(Unknown Source)
           at com.certicom.tls.record.alert.AlertHandler.handle(Unknown Source)
           at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
           at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
           at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
           at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
           at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
           at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
           at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
           at com.certicom.tls.record.ReadHandler.read(Unknown Source)
           at com.certicom.io.InputSSLIOStreamWrapper.read(Unknown Source)
           at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:264)
           at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:306)
           at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:158)
           at java.io.InputStreamReader.read(InputStreamReader.java:167)
           at java.io.BufferedReader.fill(BufferedReader.java:136)
           at java.io.BufferedReader.readLine(BufferedReader.java:299)
           at java.io.BufferedReader.readLine(BufferedReader.java:362)
           at weblogic.nodemanager.server.Handler.run(Handler.java:71)
           at java.lang.Thread.run(Thread.java:662)
      I do not want to use the IgnoreHostnameVerification option due to a security policy. Please give me some ideas to solve this problem.
      Thanks in advance.

      Cuong Pham

      Edited by: Cuong Pham on Oct 4, 2012 3:40 PM
        • 1. Re: SSL Handshake exception NodeManager with Custom Identity-Trust
          Cuong Pham
          P.S.:
          With the custom identity/trust mentioned above, I can log in to https://app.tinhvan.vnet:9002/console normally. But when I try to log in from WLST with the connect() command, I get the following error:
          wls:/offline> connect('weblogic','webl0gic','t3s://app.tinhvan.vnet:7002')
          Connecting to t3s://app.tinhvan.vnet:7002 with userid weblogic ...
          <Oct 4, 2012 2:45:56 AM ICT> <Warning> <Security> <BEA-090542> <Certificate chain received from app.tinhvan.vnet - 192.168.50.161 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
          Traceback (innermost last):
            File "<console>", line 1, in ?
            File "<iostream>", line 22, in connect
            File "<iostream>", line 646, in raiseWLSTException
          WLSTException: Error occured while performing connect : Error getting the initial context. There is no server running at t3s://app.tinhvan.vnet:7002
          Use dumpStack() to view the full stacktrace
          And ...
          wls:/offline> connect('weblogic','webl0gic','t3s://app.tinhvan.vnet:9002')
          Connecting to t3s://app.tinhvan.vnet:9002 with userid weblogic ...
          <Oct 4, 2012 2:45:03 AM ICT> <Warning> <Security> <BEA-090542> <Certificate chain received from app.tinhvan.vnet - 192.168.50.161 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
          Traceback (innermost last):
            File "<console>", line 1, in ?
            File "<iostream>", line 22, in connect
            File "<iostream>", line 646, in raiseWLSTException
          WLSTException: Error occured while performing connect : Error getting the initial context. There is no server running at t3s://app.tinhvan.vnet:9002
          Use dumpStack() to view the full stacktrace
          Because the administration port is enabled, this message can be considered normal:
          wls:/offline> connect('weblogic','webl0gic','t3://app.tinhvan.vnet:7001')
          Connecting to t3://app.tinhvan.vnet:7001 with userid weblogic ...
          Traceback (innermost last):
            File "<console>", line 1, in ?
            File "<iostream>", line 22, in connect
            File "<iostream>", line 646, in raiseWLSTException
          WLSTException: Error occured while performing connect : User 'principals=[weblogic, Administrators]' has administration role. All tasks by adminstrators must go through an Administration Port.
          Use dumpStack() to view the full stacktrace
          wls:/offline> dumpStack()
          This Exception occurred at Thu Oct 04 02:46:28 ICT 2012.
          javax.naming.AuthenticationException [Root exception is java.lang.SecurityException: User 'principals=[weblogic, Administrators]' has administration role. All tasks by adminstrators must go through an Administration Port.]
          Please help me. Any suggestion is appreciated :(

          Regards
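An added diagnostic example, written for this thread and not code from the poster or from Oracle: it reads the two warning messages quoted above (the NodeManager 090482 alert and the WLST BEA-090542 warning) and reports which side's trust configuration did the rejecting, and it implements the hostname check that the poster does not want to switch off. The RFC 2818-style wildcard rules it applies are an assumption and may not be exactly WebLogic's own verifier.

```python
import re

# Constructed sample lines, abridged from the two warnings quoted in this thread.
NM_LOG = ("<Oct 3, 2012 9:58:10 PM> <WARNING> <Uncaught exception in server handler"
          "javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was "
          "received from app.tinhvan.vnet - 192.168.50.161. Check the peer ...>")
WLST_LOG = ("<Oct 4, 2012 2:45:56 AM ICT> <Warning> <Security> <BEA-090542> <Certificate "
            "chain received from app.tinhvan.vnet - 192.168.50.161 was not trusted causing "
            "SSL handshake failure. Check the certificate chain ...>")

PEER_RE = re.compile(r"received from ([\w.-]+) - (\d+(?:\.\d+){3})")


def diagnose(line):
    """Return (code, peer_host, peer_ip, side) where side says whose trust store rejected."""
    m = PEER_RE.search(line)
    host, ip = (m.group(1), m.group(2)) if m else (None, None)
    if "090482" in line and "BAD_CERTIFICATE alert was received" in line:
        # An alert *arrived*: the peer validated the certificate this process presented
        # and refused it, so the trust store (or the name in the cert) to check is the peer's.
        return ("090482", host, ip, "peer")
    if "BEA-090542" in line:
        # This process validated the peer's chain and did not trust it: the issuing CA
        # is missing from this process's own trust store.
        return ("BEA-090542", host, ip, "local")
    return (None, host, ip, "unknown")


def _name_matches(pattern, hostname):
    """RFC 2818 style (assumed): exact match, or '*' standing for exactly one left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must not cover the bare domain and needs two fixed labels after it.
    return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, subject_cn, san_dns=()):
    """Check the name the client connected to against the certificate it was shown.

    dNSName SAN entries, when present, are authoritative and the CN is ignored.
    Connecting by IP (192.168.50.161) to a certificate issued to app.tinhvan.vnet
    fails here; that is exactly the check IgnoreHostnameVerification would disable.
    """
    names = list(san_dns) if san_dns else [subject_cn]
    return any(_name_matches(n, hostname) for n in names)
```

Run on the quoted NodeManager line it answers "peer": the WLST client rejected NodeManager's chain, and on the quoted WLST line it answers "local", so both point at the trust store of the WLST process rather than at nodemanager.properties.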