8 Replies. Latest reply: Apr 20, 2012 4:58 PM by 932203

    two way SSL with jax-ws on weblogic 10.3.1.1

    771572
      I'm desperately trying to create a webservice client using jax-ws for two way ssl (mutual authentication). The client should be a web service (war), not a normal fat java client (jar). Could someone please give me any help? I've tried with the ssl context but it doesn't work :(

      BlokIzmenjava service= new BlokIzmenjava(new URL("https://wwwt.ajpes.si/wsBlokIzmenjava/BlokIzmenjava.asmx?WSDL"), new QName("http://www.ajpes.si/blok_izmenjava", "BlokIzmenjava"));
      BlokIzmenjavaSoap port=service.getBlokIzmenjavaSoap();

      KeyStore ks = KeyStore.getInstance("JKS");
      ks.load(new FileInputStream("D:/Podatki/Workspace1031/TestWorkSpace/TestWS/src/nkbm/ws/Ajpes.jks"), "trustpass".toCharArray());

      KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
      kmf.init(ks, "trustpass".toCharArray());

      javax.net.ssl.SSLContext sslCtx = SSLContext.getInstance("SSL");
      TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
      tmf.init(ks);
      TrustManager tms[] = tmf.getTrustManagers();
      sslCtx.init(kmf.getKeyManagers(), tms, null);

      javax.net.ssl.SSLSocketFactory ssl = (javax.net.ssl.SSLSocketFactory) sslCtx.getSocketFactory();
      Map<String, Object> requestContext = ((BindingProvider) port).getRequestContext();
      requestContext.put(com.sun.xml.internal.ws.developer.JAXWSProperties.SSL_SOCKET_FACTORY, ssl);

      port.test("aaaaa");


      The thing is that this solution works on a fat client (as a jar) but it doesn't work as a client (webservice) deployed on weblogic server. I've also set everything in the weblogic console (SSL, keystores) and it still doesn't work :(

      any help would be appreciated!

      thank you!

      Edited by: user10677650 on 30.6.2010 6:37
        • 1. Re: two way SSL with jax-ws on weblogic 10.3.1.1
          Faisal Khan
          Try using SSLAdapter Classes

          http://download.oracle.com/docs/cd/E12839_01/web.1111/e13713/transport.htm#i238955

          If you want to use the server keystore for the client deployed on WLS, you just need to enable the use server certs option from the console.
          WLS will take care of sending the client cert to the server and validating the server certificate.


          -Faisal
          • 2. Re: two way SSL with jax-ws on weblogic 10.3.1.1
            771572
            Isn't the SSL adapter meant to be used for jax-rpc webservices?
            "JAX-RPC clients can use the SSLAdapter mechanism described in Using a Custom SSL Adapter with Reliable Messaging to persist the state of a request over an SSL connection"

            I have already tried with weblogic.wsee.jaxws.sslclient.SSLClientUtil...still I always get the error (this error is with ssl debug mode on)....



            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 31921099>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write SSL_20_RECORD>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 994001646
            Issuer:C=si, O=state-institutions, OU=sigen-ca
            Subject:C=si, O=state-institutions, OU=sigen-ca, OU=org-web, OU=AJPES - 14717468, CN=WWWT.AJPES.SI + ?=2345775710058
            Not Valid Before:Fri Nov 17 14:26:17 CET 2006
            Not Valid After:Thu Nov 17 14:56:17 CET 2011
            Signature Algorithm:SHA1withRSA
            >
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 994001646
            Issuer:C=si, O=state-institutions, OU=sigen-ca
            Subject:C=si, O=state-institutions, OU=sigen-ca, OU=org-web, OU=AJPES - 14717468, CN=WWWT.AJPES.SI + ?=2345775710058
            Not Valid Before:Fri Nov 17 14:26:17 CET 2006
            Not Valid After:Thu Nov 17 14:56:17 CET 2011
            Signature Algorithm:SHA1withRSA
            >
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 0>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 0>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (0): NONE>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Performing hostname validation checks: wwwt.ajpes.si>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(sock): 12457751>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <close(): 27314217>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 31288249>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 262>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received CHANGE_CIPHER_SPEC>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Finished>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 342>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 493>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <5095980 read(offset=0, length=8192)>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: HelloRequest>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 147>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 994001646
            Issuer:C=si, O=state-institutions, OU=sigen-ca
            Subject:C=si, O=state-institutions, OU=sigen-ca, OU=org-web, OU=AJPES - 14717468, CN=WWWT.AJPES.SI + ?=2345775710058
            Not Valid Before:Fri Nov 17 14:26:17 CET 2006
            Not Valid After:Thu Nov 17 14:56:17 CET 2011
            Signature Algorithm:SHA1withRSA
            >
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 994001646
            Issuer:C=si, O=state-institutions, OU=sigen-ca
            Subject:C=si, O=state-institutions, OU=sigen-ca, OU=org-web, OU=AJPES - 14717468, CN=WWWT.AJPES.SI + ?=2345775710058
            Not Valid Before:Fri Nov 17 14:26:17 CET 2006
            Not Valid After:Thu Nov 17 14:56:17 CET 2011
            Signature Algorithm:SHA1withRSA
            >
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 0>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 0>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (0): NONE>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Performing hostname validation checks: wwwt.ajpes.si>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: CertificateRequest>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <No suitable identity certificate chain has been found.>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 7>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 262>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC, offset = 0, length = 1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 16>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received CHANGE_CIPHER_SPEC>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RC4>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received HANDSHAKE>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Finished>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 SSL3/TLS MAC>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <32946105 received APPLICATION_DATA: databufferLen 0, contentLength 2073>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <5095980 read databufferLen 2073>
            <1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> <5095980 read A returns 2073>
            1.7.2010 8:38:39 com.sun.xml.ws.server.sei.EndpointMethodHandler invoke
            SEVERE: The server sent HTTP status code 403: Forbidden
            com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 403: Forbidden
                 at com.sun.xml.ws.transport.http.client.HttpTransportPipe.checkStatusCode(HttpTransportPipe.java:225)
                 at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:191)
                 at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:101)
                 at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:604)
                 at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:563)
                 at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:548)
                 at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:445)
                 at com.sun.xml.ws.client.Stub.process(Stub.java:246)
                 at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
                 at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
                 at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
                 at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
                 at $Proxy166.blokVrni(Unknown Source)
                 at nkbm.ws.TestAjpes1.hello(TestAjpes1.java:59)
                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:597)
                 at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:101)
                 at weblogic.wsee.jaxws.WLSInstanceResolver$WLSInvoker.invoke(WLSInstanceResolver.java:83)
                 at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:152)
                 at com.sun.xml.ws.server.sei.EndpointMethodHandler.invoke(EndpointMethodHandler.java:264)
                 at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:93)
                 at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:604)
                 at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:563)
                 at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:548)
                 at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:445)
                 at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:249)
                 at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:453)
                 at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:250)
                 at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:140)
                 at weblogic.wsee.jaxws.HttpServletAdapter$AuthorizedInvoke.run(HttpServletAdapter.java:298)
                 at weblogic.wsee.jaxws.HttpServletAdapter.post(HttpServletAdapter.java:211)
                 at weblogic.wsee.jaxws.JAXWSServlet.doPost(JAXWSServlet.java:297)
                 at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
                 at weblogic.wsee.jaxws.JAXWSServlet.service(JAXWSServlet.java:87)
                 at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
                 at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
                 at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
                 at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
                 at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
                 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3590)
                 at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
                 at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
                 at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2200)
                 at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2106)
                 at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1428)
                 at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
                 at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
            <1.7.2010 8:39:01 CEST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 0
            java.lang.Exception: New alert stack
                 at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
                 at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
                 at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
                 at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
                 at weblogic.net.http.HttpClient.closeServer(HttpClient.java:528)
                 at weblogic.net.http.KeepAliveCache$1.run(KeepAliveCache.java:111)
                 at java.util.TimerThread.mainLoop(Timer.java:512)
                 at java.util.TimerThread.run(Timer.java:462)
            >
            <1.7.2010 8:39:01 CEST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
            <1.7.2010 8:39:01 CEST> <Debug> <SecuritySSL> <BEA-000000> <close(): 5095980>
            <1.7.2010 8:39:01 CEST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 31921099>



            any ideas?
            thank you again!

            Edited by: user10677650 on 30.6.2010 23:42
            • 3. Re: two way SSL with jax-ws on weblogic 10.3.1.1
              Faisal Khan
              From the stack trace it appears that the SSL handshake is successful.

              But you are getting the following error

              com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 403: Forbidden

              This means that you are not authorized to access the webservice.

              Where does the webservice reside?
              Is there a gateway/proxy in between?
              Does the webservice require any authentication?

              -Faisal
              http://weblogic-wonders.com
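One way to read the SSL debug output posted in reply 2, as an added example that is not part of any post in this thread: the Python below splits a WebLogic SecuritySSL debug log into handshakes and flags any handshake in which the server's CertificateRequest was answered without an identity certificate. SAMPLE_LOG is abridged from the lines in the thread; the function names are this example's own, and the 7-byte check assumes a 4-byte handshake header followed by an empty 3-byte certificate list length.

```python
import re

# WebLogic SSL debug record: <timestamp> <Debug> <SecuritySSL> <BEA-nnnnnn> <message>
RECORD = re.compile(r"^\s*<[^>]+> <Debug> <SecuritySSL> <BEA-\d+> <(.*)$")
HANDSHAKE_MSG = re.compile(r"HANDSHAKEMESSAGE: (\w+)")
WRITE_HANDSHAKE = re.compile(r"write HANDSHAKE, offset = \d+, length = (\d+)")
HTTP_STATUS = re.compile(r"HTTP status code (\d{3})")
NO_IDENTITY = "No suitable identity certificate chain has been found"
# Assumption: 4-byte handshake header + 3-byte length of an empty certificate list.
EMPTY_CERTIFICATE_LEN = 7

# Sample input abridged from the debug output posted in the thread.
_PREFIX = "<1.7.2010 8:38:39 CEST> <Debug> <SecuritySSL> <BEA-000000> "
SAMPLE_LOG = "\n".join([_PREFIX + m for m in (
    "<HANDSHAKEMESSAGE: ServerHello>",
    "<HANDSHAKEMESSAGE: Certificate>",
    "<HANDSHAKEMESSAGE: ServerHelloDone>",
    "<write HANDSHAKE, offset = 0, length = 262>",
    "<write HANDSHAKE, offset = 0, length = 16>",
    "<HANDSHAKEMESSAGE: Finished>",
    "<write APPLICATION_DATA, offset = 0, length = 342>",
    "<HANDSHAKEMESSAGE: HelloRequest>",
    "<write HANDSHAKE, offset = 0, length = 147>",
    "<HANDSHAKEMESSAGE: ServerHello>",
    "<HANDSHAKEMESSAGE: Certificate>",
    "<HANDSHAKEMESSAGE: CertificateRequest>",
    "<HANDSHAKEMESSAGE: ServerHelloDone>",
    "<No suitable identity certificate chain has been found.>",
    "<write HANDSHAKE, offset = 0, length = 7>",
    "<write HANDSHAKE, offset = 0, length = 262>",
    "<write HANDSHAKE, offset = 0, length = 16>",
    "<HANDSHAKEMESSAGE: Finished>",
)] + ["SEVERE: The server sent HTTP status code 403: Forbidden"])


def parse_handshakes(log_text):
    """Return (handshakes, http_statuses) reconstructed from the debug log."""
    handshakes, statuses = [], []
    current, renegotiating = None, False
    for line in log_text.splitlines():
        status = HTTP_STATUS.search(line)
        if status and int(status.group(1)) not in statuses:
            statuses.append(int(status.group(1)))
        record = RECORD.match(line)
        if not record:
            continue  # certificate dump or stack trace continuation line
        message = record.group(1)
        received = HANDSHAKE_MSG.search(message)
        if received:
            name = received.group(1)
            if name == "HelloRequest":
                renegotiating = True  # server asks for a new handshake
            elif name == "ServerHello":
                current = {"renegotiation": renegotiating, "cert_requested": False,
                           "identity_missing": False, "first_reply_len": None,
                           "hello_done": False, "finished": False}
                handshakes.append(current)
                renegotiating = False
            elif current is not None:
                if name == "CertificateRequest":
                    current["cert_requested"] = True
                elif name == "ServerHelloDone":
                    current["hello_done"] = True
                elif name == "Finished":
                    current["finished"] = True
                    current = None
            continue
        if current is None:
            continue
        if NO_IDENTITY in message:
            current["identity_missing"] = True
        written = WRITE_HANDSHAKE.search(message)
        # The first handshake record the client writes after ServerHelloDone.
        if written and current["hello_done"] and current["first_reply_len"] is None:
            current["first_reply_len"] = int(written.group(1))
    return handshakes, statuses


def findings(log_text):
    """Describe handshakes that completed without client authentication."""
    handshakes, statuses = parse_handshakes(log_text)
    out = []
    for number, hs in enumerate(handshakes, 1):
        unanswered = hs["identity_missing"] or hs["first_reply_len"] == EMPTY_CERTIFICATE_LEN
        if hs["cert_requested"] and unanswered:
            kind = "renegotiation" if hs["renegotiation"] else "initial handshake"
            out.append(f"handshake {number} ({kind}): client certificate requested, "
                       "no identity certificate presented")
    if out and 403 in statuses:
        out.append("HTTP 403 follows a handshake completed without client authentication")
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_LOG)))
```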
              • 4. Re: two way SSL with jax-ws on weblogic 10.3.1.1
                771572
                When I turn on the debug mode the service resides at the beginning...so when it gets to the code

                BlokIzmenjava service= new BlokIzmenjava(new URL("https://wwwt.ajpes.si/wsBlokIzmenjava/BlokIzmenjava.asmx?WSDL"), new QName("http://www.ajpes.si/blok_izmenjava", "BlokIzmenjava"));

                if I create the service with local wsdl the service goes through:

                BlokIzmenjava service= new BlokIzmenjava();

                but get to the error when I try to call it -> port.test("aaaaa");


                we do have a proxy in our firm, but the problem is that when I call the service from the fat client (main java program) the webservice returns the response....it also works (I get the response) when I try to write the client as a webservice and deploy and run it on tomcat...didn't try on glassfish yet....

                the problem is when I try to call it from WLS...then I get the error described above.....

                any ideas?
                • 5. Re: two way SSL with jax-ws on weblogic 10.3.1.1
                  771572
                  I've found a solution to this problem...

                  you have to set the properties in console (keystore and ssl)...and the option "Use Server Certs" has to be checked...

                  The option "Use Server Certs" means that a client application running within Weblogic will use the WL managed server's identity certificate as its client certificate. Otherwise, the client application is responsible for selecting the keystore, and presenting the certificate as part of the handshake.


                  So if this option is not selected then the application deployed on the WLS should be responsible for selecting the keystore and presenting the certificate

                  but I still don't understand....according to the page http://download.oracle.com/docs/cd/E12839_01/web.1111/e13713/transport.htm#i238955 this code should be the solution:

                  String clientKeyStore = ...;
                  String clientKeyStorePasswd = ...;
                  String clientKeyAlias = ...;
                  String clientKeyPass = ...;
                  String trustKeystore = ...;
                  String trustKeystorePasswd = ...;

                  PersistentSSLInfo sslInfo = new PersistentSSLInfo();
                  sslInfo.setKeystore(clientKeyStore);
                  sslInfo.setKeystorePassword(clientKeyStorePasswd);
                  sslInfo.setKeyAlias(clientKeyAlias);
                  sslInfo.setKeyPassword(clientKeyPass);
                  sslInfo.setTrustKeystore(trustKeystore);

                  // user can print out the sslInfo for debug
                  System.out.print(sslInfo.toString());

                  // Put sslInfo into requestContext for persistence, it might be required by
                  // JAX-WS advanced features, such as RM, Callback
                  ((BindingProvider) port).getRequestContext().put(
                      JAXWSProperties.CLIENT_PERSISTENT_SSL_INFO, sslInfo);

                  // Alternatively, you can directly set a SSLSocketFactory if persistence is
                  // not necessary. Note: The following line should be omitted if sslInfo is
                  // set with the above line.
                  ((BindingProvider) port).getRequestContext().put(
                      JAXWSProperties.SSL_SOCKET_FACTORY,
                      SSLClientUtil.getSSLSocketFactory(sslInfo));



                  if I try to use weblogic.wsee.jaxws.JAXWSProperties there is no option like CLIENT_PERSISTENT_SSL_INFO.... so I tried to use another solution




                  KeyStore ks = KeyStore.getInstance("JKS");
                  ks.load(new FileInputStream("D:/Podatki/Workspace1031/TestWorkSpace/TestWS/src/nkbm/ws/Ajpes.jks"), "trustpass".toCharArray());

                  KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
                  kmf.init(ks, "trustpass".toCharArray());
                  KeyManager[] km=kmf.getKeyManagers();
                                 
                  TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
                  tmf.init(ks);
                  TrustManager tms[] = tmf.getTrustManagers();

                  ((BindingProvider) port).getRequestContext().put(JAXWSProperties.SSL_SOCKET_FACTORY, SSLClientUtil.getSSLSocketFactory(km,tmf));

                  so the port is set to use the SSLSocketFactory (responsible for selecting the keystore and presenting the certificate).... but the solution doesn't work....I always get the error described in the first post....

                  anyone succeeded in accessing a two way communication with other servers without using the WLS console (setting the keystore and truststore)??
                  • 6. Re: two way SSL with jax-ws on weblogic 10.3.1.1
                    525344
                    bump cause i'm having the same problem (CLIENT_PERSISTENT_SSL_INFO doesn't exist) and the client code won't attach the cert if i use SSL_CLIENT_FACTORY

                    can't find any other info on this because Oracle's documentation for this topic has always been terribad
                    • 8. Re: two way SSL with jax-ws on weblogic 10.3.1.1
                      932203
                      Hi user10677650,

                      did you manage to resolve the issue?

                      I am spending the nights facing the same problem on Weblogic 10.3.3. If you succeeded, could you let me know how?
                      I absolutely need to let the application choose the client authentication certificate at runtime without taking it from Weblogic console.

                      Thank you so much
                      alex