
Failed to connect to Web Service API

TakeTheLongPath
TakeTheLongPath Member Posts: 30
edited Aug 21, 2015 10:42AM in Oracle VM Server for x86

I have switched my OVMM (3.3.3) weblogic server to using a non-self-signed SSL certificate.

I am able to get into Weblogic console. But the OVM console and CLI have errors.

Log entry:

==> AdminServer.out <==
<2015-08-19T10:08:13.812-0500> <Error> <com.oracle.ovm.appfw.coreinterface.ConnectionManager> <BEA-000000> <AppFw session 1: Failed to connect to Web Service API.
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:151)
  at com.sun.jersey.api.client.Client.handle(Client.java:648)
  at com.sun.jersey.api.client.WebResource.handle(WebResource.java:680)
  at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
  at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:558)
  Truncated. see log file for complete stacktrace
Caused By: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
  at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
  Truncated. see log file for complete stacktrace
Caused By: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
  at sun.security.validator.Validator.validate(Validator.java:260)
  at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
  at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
  Truncated. see log file for complete stacktrace
Caused By: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
  at sun.security.validator.Validator.validate(Validator.java:260)
  Truncated. see log file for complete stacktrace
>

Steps to get here:

1. I have a private key and certificate generated using OpenSSL because I need a PEM version to use with Apache as well.

2. I import the private key and certificate into a brand new keystore using an ImportKey.class file (Import private key and certificate into Java Key Store (JKS))

3. Import the CA for the certificate above into jks and mark as trusted

4. Copy the new jks to /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/

5. Set the ENV variables:

export JAVA_HOME=/u01/app/oracle/java/
export WL_HOME=/u01/app/oracle/Middleware/wlserver_10.3/
export MW_HOME=/u01/app/oracle/Middleware

6. Run the provided script to "setsslkey" to the one in the jks:

/u01/app/oracle/ovm-manager-3/ovm_upgrade/bin/ovmkeytool.sh setsslkey

Was successful.

Restarted OVMM service and connected to weblogic and OVM console and the Certificate is green! Success!

Able to log in to weblogic console.

Not able to log in to the OVMM console.

Google showed me a blog and script to run to configure the client certs:

/u01/app/oracle/ovm-manager-3/bin/configure_client_cert_login.sh from Harri's Oracle Technology Blog: OracleVM 3.3.1 and External Authentication

This completes -- this solved an error before when I had to restore from a backup after a failed update.

Still get the errors above.

I have imported my host certificate and my CA's certificate into the ovmtrust JKS file in /u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/

(because I know the passwords to them, having previously run the re-create-all script...)


Best Answer

  • TakeTheLongPath
    TakeTheLongPath Member Posts: 30
    edited Aug 21, 2015 10:42AM Answer ✓

    This is a known bug to be fixed in 3.4.1.

    If you, gentle reader searching the community on an issue like this, have this problem and support, open a ticket to receive a patch (hopefully for 3.3.3, but definitely for 3.3.2 and earlier).

    I did not actually receive a patch but I did manage to get everything resolved.

    --So--

    You might try running this command, using the PEM version of your CA certificate in the path.

    I was not aware that the config_client_cert_login.sh script took any arguments. That was not in the documentation that I remember.

    cd /u01/app/oracle/ovm-manager-3/bin

    ./configure_client_cert_login.sh /path/to/customer/rootcacert/name.cer

    Support sent me a patch for 3.3.2 and in the instructions there was this little gem above. The patch did not work since I am running 3.3.3 and I kind of expected that.

    However, when I failed back to my original 3.3.3 EAR and build file I had success! And it might just be because I needed to specify the path to the CA file? Or when I ran this command using the 3.3.2 patch it actually did something even though the web app was completely broken from a GUI experience. Not sure.

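The two things the "PKIX path building failed" message is really about, the import procedure in steps 1-3 of the question and the point of the accepted answer (the CA file you hand to configure_client_cert_login.sh has to be the CA that actually issued the certificate), can be checked with OpenSSL alone before touching any JKS. The script below is an added example, not code from this thread, from Oracle or from the patch; it builds a constructed CA, an unrelated second CA and a server certificate on the fly (the hostname ovmm.example.test and the password changeit are made up for the demonstration), then shows issuer/subject matching, chain validation against an explicit trust file, and a PKCS#12 bundle that does the job of ImportKey.class with standard tools.

```bash
#!/bin/sh
# Added example, not code from the thread or from Oracle: an OpenSSL-only
# reproduction of what "PKIX path building failed: unable to find valid
# certification path to requested target" means, plus the PKCS#12 bundle
# that replaces the ImportKey.class step. Every certificate, key, hostname
# and password below is constructed on the fly for the demonstration.
set -eu

WORKDIR="$(mktemp -d)"                # files stay here for inspection
SRV_NAME="ovmm.example.test"          # constructed hostname, not a real host
P12_PASS="changeit"                   # constructed password

# Helper: self-signed CA with an explicit CA:TRUE basic constraint, so that
# both OpenSSL and Java will accept it as a trust anchor.
make_ca() {   # $1 = output basename, $2 = CN
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORKDIR/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORKDIR/$1.csr" -signkey "$WORKDIR/$1.key" \
    -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/$1.crt" 2>/dev/null
}

make_ca ca       "Constructed Test CA"        # the CA that signs the server cert
make_ca other-ca "Unrelated Constructed CA"   # a CA that did NOT sign it

# Constructed server identity (stands in for the OVMM/WebLogic certificate).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$SRV_NAME" \
  -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORKDIR/server.csr" \
  -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
  -out "$WORKDIR/server.crt" 2>/dev/null

# Check 1: does the leaf's Issuer DN equal the candidate CA's Subject DN?
# "mismatch" means the file you imported is not the CA that signed the
# certificate (wrong CA file, or an intermediate is missing from the chain).
issuer_matches_ca() {   # $1 = leaf cert (PEM), $2 = candidate CA cert (PEM)
  issuer="$(openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')"
  subject="$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^subject=//')"
  [ "$issuer" = "$subject" ] && echo match || echo mismatch
}

# Check 2: chain validation against an explicit trust file and nothing else,
# which is how a Java client sees its truststore. "untrusted" is the OpenSSL
# counterpart of the SunCertPathBuilderException in the log above.
pkix_check() {   # $1 = leaf cert (PEM), $2 = trust file (PEM); "" = empty store
  if [ -n "$2" ]; then
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify -no-CApath -no-CAfile "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

# Step 2 of the question done with standard tools: key + cert + CA in one
# PKCS#12, which keytool -importkeystore -srcstoretype PKCS12 can turn into
# a JKS. Prints the subject of the leaf certificate stored in the bundle.
bundle_p12() {   # $1 = leaf cert, $2 = leaf key, $3 = CA cert, $4 = output .p12
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name ovmm \
    -passout "pass:$P12_PASS" -out "$4" 2>/dev/null
  openssl pkcs12 -in "$4" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

echo "issuer vs right CA:  $(issuer_matches_ca "$WORKDIR/server.crt" "$WORKDIR/ca.crt")"        # match
echo "issuer vs other CA:  $(issuer_matches_ca "$WORKDIR/server.crt" "$WORKDIR/other-ca.crt")"  # mismatch
echo "verify, right CA:    $(pkix_check "$WORKDIR/server.crt" "$WORKDIR/ca.crt")"               # trusted
echo "verify, other CA:    $(pkix_check "$WORKDIR/server.crt" "$WORKDIR/other-ca.crt")"         # untrusted
echo "verify, empty store: $(pkix_check "$WORKDIR/server.crt" "")"                              # untrusted
echo "p12 leaf subject:    $(bundle_p12 "$WORKDIR/server.crt" "$WORKDIR/server.key" "$WORKDIR/ca.crt" "$WORKDIR/server.p12")"
```

On the Java side, the bundle goes into an identity store with `keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore identity.jks`, and the CA alone goes into the truststore with `keytool -importcert -trustcacerts -alias constructed-ca -file ca.crt -keystore ovmtrust.jks`; `keytool -list -v -keystore ovmtrust.jks` then shows whether the entry's Owner DN is the Issuer DN you see on the server certificate. Two caveats: OpenSSL 3 writes PKCS#12 with PBES2/AES by default, which the JDK shipped with older OVMM releases may not read (OpenSSL 3 has a `-legacy` option for `pkcs12 -export`); and, as the SSLPoke run in the thread shows, a passing check against one truststore only proves that store is fine, not that it is the store the internal client actually loads.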

Answers

  • TakeTheLongPath
    TakeTheLongPath Member Posts: 30
    edited Aug 19, 2015 5:53PM

    Adding a note of additional tests - and still no solution.

    I have found and modified the cacerts file(s) included in the OVMM solution and imported the CA and the host certificates into them. No change.

    I have run a java command line test of SSL using the cacerts and the modified ovmca.jks, ovmtrust.jks, and the identity jks file.

    They pass!

    java -Djavax.net.ssl.trustStore=/u01/app/oracle/ovm-manager-3/domains/ovm_domain/security/2_ovmtrust.jks -Djavax.net.ssl.trustStorePassword=mypassword SSLPoke myhost.name.here 7002

    Successfully connected

    It smells like a common SSL trust issue for the Certificate Authority of the certificate I am using, but that should be ruled out. Right?

This discussion has been closed.