Https with BPEL 11 — oracle-tech

Https with BPEL 11

Mipi Posts: 33 Red Ribbon

Hi all,

I need to invoke an HTTPS endpoint from BPEL but I don't have the certificate.

I get a correct response if I try with curl on the command line, but if I try the curl command in a Java class in BPEL I don't get a response; the response is blank.

I have tried with the HTTP binding service and the response is "javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake".

Is there a property of the HTTP binding to trust the certificate?

Thanks for all responses.

Mipi

Answers

  • Martien van den Akker Posts: 2,756 Bronze Crown
    edited June 2019

    Hi,

    You should add the public certificate of the remote service to the trust store of the WebLogic server running your SOA Suite. This should not affect your BPEL service; there's no property to set in BPEL.

    Regards,
    Martien

  • Mipi Posts: 33 Red Ribbon
    edited June 2019

    Is there a guide?

  • Martien van den Akker Posts: 2,756 Bronze Crown
    edited June 2019

    Hi Mipi,

    There are loads of examples of adding a certificate to the Java keystore. For instance:

    https://stackoverflow.com/questions/4325263/how-to-import-a-cer-certificate-into-a-java-keystore

    But you need to have the public certificate of the service, and know which trust store is used in WebLogic.

    To check that, go to the Admin Console, select your soa server and click on the subtab Configuration/Keystores:

    [Screenshot: pastedImage_2.png]

    After updating the Keystore, restart your server or try just restarting the SSL on the control tab.

    Regards,

    Martien

  • Mipi Posts: 33 Red Ribbon
    edited June 2019

    Thanks!

    Now there is this configuration:

    [Screenshot: pastedImage_0.png]

    I have used this import:

    keytool -import -alias servercert -file cxxxx.crt -keystore client.jks -storepass welcome1.

    How can I change the configuration without losing the old one?

    Thanks

  • Martien van den Akker Posts: 2,756 Bronze Crown
    edited June 2019

    Apparently you already have a trust.jks, as set in the Custom Trust Keystore field.

    Now, it's always a good idea to take a backup of that file.

    If you do so then you can run the keytool -import line safely, provided that your cxxxx.crt is the public certificate file. You can always put the backup of the trust store back and restart the SSL.

    Regards,
    Martien
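
The backup-then-import step described in the answer above, as an added example that is not part of the original thread. The function name `import_trusted_cert` and its return codes are assumptions made for illustration; the keytool options are standard ones, and the alias, file names and password in the usage comment are those quoted in the thread.

```shell
#!/bin/sh
# Added example: back up a trust store, then import one certificate into it.
# Usage: import_trusted_cert trust.jks cxxxx.crt servercert welcome1
# Note: -storepass on the command line is visible in the process list;
# keytool on Java 7+ also accepts -storepass:env VARNAME.
import_trusted_cert() {
    ks=$1; cert=$2; name=$3; pass=$4

    [ -f "$ks" ] || { echo "trust store not found: $ks" >&2; return 2; }

    # Refuse anything keytool cannot parse as an X.509 certificate.
    keytool -printcert -file "$cert" >/dev/null 2>&1 ||
        { echo "not a readable certificate: $cert" >&2; return 3; }

    # Show the fingerprints so they can be compared with values obtained
    # from the service owner before the certificate is trusted.
    keytool -printcert -file "$cert" 2>/dev/null |
        grep -E 'SHA-?(1|256):' >&2 || true

    # Alias already in use: leave the store untouched.
    if keytool -list -alias "$name" -keystore "$ks" \
            -storepass "$pass" >/dev/null 2>&1; then
        echo "alias already present: $name" >&2; return 4
    fi

    # Timestamped copy, so the old configuration can always be put back.
    backup="$ks.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$ks" "$backup" || return 5

    # -importcert is the current name of the -import command used above.
    if ! keytool -importcert -noprompt -alias "$name" -file "$cert" \
            -keystore "$ks" -storepass "$pass" >/dev/null 2>&1; then
        cp -p "$backup" "$ks"    # roll back to the copy taken above
        echo "import failed, trust store restored from $backup" >&2
        return 6
    fi

    echo "$backup"               # stdout: backup path, for a later rollback
}
```

Existing aliases in the trust store are kept; only the new alias is added, and the printed backup path is the file to copy back if the server has to return to the old configuration.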

  • Mipi Posts: 33 Red Ribbon
    edited June 2019

    Can I try solutions in Java or Python? In Python I have code ready.

    When I also try a Java class I always get javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake also use

    java class pass already in weblogic?

  • Martien van den Akker Posts: 2,756 Bronze Crown
    edited June 2019

    "Can I try solutions in java or python? In python i have code ready"

    I don't know how you would imagine that. And besides, why would you? BPEL/WebLogic is perfectly capable of that, so you would not need any code change to BPEL. It would unnecessarily clutter up your BPEL code.

    You would need to figure out why you get this error.

    In WebLogic you could enable Debug on the Debug tab of the particular server. Then expand weblogic->security, check the SSL parts and click Enable (first Lock & Edit). Make sure that the minimum severity to log of the server is set to debug (on the server). The server will log the debug messages right away, no restart needed.

    https://orclfmw.wordpress.com/2014/05/09/enable-ssl-debug-in-weblogic/

    Afterwards, make sure you disable debugging again.

    Regards,
    Martien

  • Mipi Posts: 33 Red Ribbon
    edited June 2019

    I have enabled debug for SSL.

    The log is:

    java.io.EOFException: SSL peer shut down incorrectly
        at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:462)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1324)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:700)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:98)
        at java.io.ByteArrayOutputStream.writeTo(ByteArrayOutputStream.java:150)
        at HTTPClient.HTTPConnection.sendRequest(HTTPConnection.java:3398)
        at HTTPClient.HTTPConnection.handleRequest(HTTPConnection.java:3310)
        at HTTPClient.HTTPConnection$10.run(HTTPConnection.java:3061)

    and

    com.oracle.bpel.client.BPELFault: faultName: {{http://schemas.oracle.com/bpel/extension}remoteFault}
    messageType: {{http://schemas.oracle.com/bpel/extension}RuntimeFaultMessage}
    parts: {{
    summary=<summary>oracle.fabric.common.FabricInvocationException: Unable to invoke endpoint URI "https:/xxxx" successfully due to: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake</summary>
    ,detail=<detail>Unable to invoke endpoint URI "https:xxxxx" successfully due to: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

    I have tried to add the cert in domain->Security-->KeyStore and i hava modify trust adding new alias with my cert, but the connection https is already KO.

  • Martien van den Akker Posts: 2,756 Bronze Crown
    edited June 2019

    Hi Michelle,

    What do you mean with 'but the connection https is already KO'? You mean 'OK'?

    And what do you mean with 'i hava modify trust adding new alias'? I expect that adding the certificate with some self-chosen recognizable alias would do. It's important that you have the complete certificate chain though.

    This one helps to fetch the certificate chain of a server and import it: https://www.avisi.nl/blog/2012/09/12/quick-way-to-retrieve-a-chain-of-ssl-certificates-from-a-server

    And this one gives you a few hints to check/list the certificates in the keystore using keytool: My work: How to check certificate validity using keytool command

    Around the error, there should be more logging about the SSL handshake. Could you check that? There is a clear start of setting up the connection and how the handshake goes. I think that there lies the clue. This error seems merely the result of a failing handshake.

    Regards,

    Martien
