4 Replies Latest reply on May 5, 2010 7:28 AM by vigdal

    SSL

    PJVI
      From an OC4J I am communicating over SSL with another external service.
      I do this by adding these OC4J_JVM_ARGS in the startup:

      -Djavax.net.ssl.keyStore=.\mykeystore.jks
      -Djavax.net.ssl.keyStorePassword=testtest
      -Djavax.net.ssl.trustStore=.\ mykeystore.jks
      -Djavax.net.ssl.trustStorePassword=testtest

      I do not know if this is the correct way to do it, but the communication works.
      But it looks like this is influencing the local RMI handling?
      OC4J is constantly and repeatedly generating a SEVERE log message saying:
      javax.naming.CommunicationException: Received fatal alert: handshake_failure [Root exception is javax.net.ssl.SSLHandshakeException:
              Received fatal alert: handshake_failure] for URL: ormis://139.116.6.69:23944/defaultjavax.naming.NamingException:
      Error reading application-client descriptor: Error communicating with server: Received fatal alert:
      handshake_failure; nested exception is:
      at oracle.j2ee.naming.ApplicationClientInitialContextFactory.getApplicationContext(ApplicationClientInitialContextFactory.java:127)


      The IP 139.116.6.69 is the localhost.
      Does anyone know why OC4J is using ORMIS and not RMI in my case, or
      know the correct way to let OC4J act as a client, calling an external service using SSL?

      /Per Jørgen Vigdal
        • 1. Re: SSL
          René van Wijk
          The following are correct:

          -Djavax.net.ssl.trustStore=/DemoTrust.jks
          -Djavax.net.ssl.trustStorePassword=DemoTrustKeyStorePassPhrase
          -Djavax.net.ssl.keyStore=/ClientIdentity.jks
          -Djavax.net.ssl.keyStorePassword=mypassword

          The Java SSL package used for client-side SSL support does not provide Java system properties to specify the client identity store's private key passphrase or key pair alias that the client should use as its identity. This lack of Java system properties effectively requires that the passphrase for the private key be the same as the password for the keystore that contains the key for Java SE-based 2-way SSL clients. It also means that the client keystore can include only one private key and X.509 certificate pair to enable the Java runtime to locate the required key pair.

          Hope this helps
          • 2. Re: SSL
            PJVI
            Hello
            I did what you suggested, but I still get the same result. To me it looks like OC4J is
            trying to do a local ormis lookup instead of an ordinary ormi lookup because of the
            configuration changes. Why is that?
            I also
            I give the complete stack trace below and hope that
            someone can see the problem.


            10/04/22 13:12:06 SEVERE: CoreRemoteMBeanServer.fetchMBeanServerEjbRemote Error reading application-client descriptor: Error communicating with server: Received fatal alert: handshake_failure; nested exception is:
            javax.naming.CommunicationException: Received fatal alert: handshake_failure [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure] for URL: ormis://139.116.6.69:23944/defaultjavax.naming.NamingException: Error reading application-client descriptor: Error communicating with server: Received fatal alert: handshake_failure; nested exception is:
            javax.naming.CommunicationException: Received fatal alert: handshake_failure [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure] [Root exception is java.lang.InstantiationException: Error communicating with server: Received fatal alert: handshake_failure; nested exception is:
                    javax.naming.CommunicationException: Received fatal alert: handshake_failure [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]]
            at oracle.j2ee.naming.ApplicationClientInitialContextFactory.getApplicationContext(ApplicationClientInitialContextFactory.java:127)
            at oracle.j2ee.naming.ApplicationClientInitialContextFactory.getInitialContext(ApplicationClientInitialContextFactory.java:117)
            at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
            at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
            at javax.naming.InitialContext.init(InitialContext.java:223)
            at javax.naming.InitialContext.<init>(InitialContext.java:197)
            at oracle.oc4j.admin.jmx.client.CoreRemoteMBeanServer.fetchMBeanServerEjbRemote(CoreRemoteMBeanServer.java:468)
            at oracle.oc4j.admin.jmx.client.CoreRemoteMBeanServer.<init>(CoreRemoteMBeanServer.java:161)
            at oracle.oc4j.admin.jmx.client.RemoteMBeanServer.<init>(RemoteMBeanServer.java:128)
            at oracle.oc4j.admin.jmx.client.RemoteMBeanServer.getMBeanServer(RemoteMBeanServer.java:152)
            at oracle.oc4j.admin.jmx.client.ClientMBeanServerProxyFactory.getMBeanServer(ClientMBeanServerProxyFactory.java:68)
            at oracle.oc4j.admin.jmx.remote.rmi.RMIJMXConnectorImpl.getConnector(RMIJMXConnectorImpl.java:190)
            at oracle.oc4j.admin.jmx.remote.JMXConnectorImpl.connect(JMXConnectorImpl.java:400)
            at oracle.oc4j.admin.jmx.remote.JMXConnectorImpl.connect(JMXConnectorImpl.java:352)
            at oracle.sysman.ias.studio.jmx.oc4j.Oc4jJMXConnectionFactory._getMBeanServer(Oc4jJMXConnectionFactory.java:294)
            at oracle.sysman.ias.studio.jmx.oc4j.Oc4jJMXConnectionFactory.getMBeanServer(Oc4jJMXConnectionFactory.java:368)
            at oracle.sysman.ias.studio.jmx.spi.JMXConnectorImpl.<init>(JMXConnectorImpl.java:120)
            at oracle.sysman.ias.studio.jmx.spi.JMXConnectorImpl.getInstance(JMXConnectorImpl.java:107)
            at oracle.sysman.ias.studio.jmx.spi.JMXConnectionHelper.getJMXConnector(JMXConnectionHelper.java:81)
            at oracle.sysman.ias.studio.jmx.spi.JMXConnectionHelper.getJMXConnector(JMXConnectionHelper.java:94)
            at oracle.sysman.ias.studio.jmx.JMXConnectionManager.getConnection(JMXConnectionManager.java:70)
            at oracle.sysman.ias.studio.jmx.JMXTarget.getConnection(JMXTarget.java:335)
            at oracle.sysman.ias.studio.app.PostLogonPageHandler.testLocalConnection(PostLogonPageHandler.java:535)
            at oracle.sysman.ias.studio.app.PostLogonPageHandler.testStoredCredentials(PostLogonPageHandler.java:480)
            at oracle.sysman.ias.studio.app.PostLogonPageHandler.prepareData(PostLogonPageHandler.java:235)
            at oracle.sysman.emSDK.svlt.PageHandler.handleRequest(PageHandler.java:391)
            at oracle.sysman.emSDK.svlt.EMServlet.myDoGet(EMServlet.java:765)
            at oracle.sysman.emSDK.svlt.EMServlet.doGet(EMServlet.java:283)
            at oracle.sysman.ias.studio.app.StudioConsole.doGet(StudioConsole.java:385)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
            at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
            at oracle.sysman.ias.studio.app.BrowserVersionFilter.doFilter(BrowserVersionFilter.java:75)
            at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)
            at oracle.sysman.ias.studio.app.MultipleJVMFilter.doFilter(MultipleJVMFilter.java:85)
            at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:17)
            at oracle.sysman.ias.studio.app.PostLogonFilter.doFilter(PostLogonFilter.java:80)
            at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:17)
            at oracle.sysman.ias.studio.app.ShortHostnameRedirectFilter.doFilter(ShortHostnameRedirectFilter.java:68)
            at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:621)
            at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370)
            at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:871)
            at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)
            at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:221)
            at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:122)
            at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:111)
            at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
            at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:239)
            at oracle.oc4j.network.ServerSocketAcceptHandler.access$700(ServerSocketAcceptHandler.java:34)
            at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:880)
            at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
            at java.lang.Thread.run(Thread.java:595)
            Caused by: java.lang.InstantiationException: Error communicating with server: Received fatal alert: handshake_failure; nested exception is:
            javax.naming.CommunicationException: Received fatal alert: handshake_failure [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
            at com.oracle.naming.J2EEContext.create(J2EEContext.java:103)
            at oracle.j2ee.naming.ApplicationClientInitialContextFactory.getApplicationContext(ApplicationClientInitialContextFactory.java:124)
            ... 51 more
            Caused by: oracle.oc4j.rmi.OracleRemoteException: Received fatal alert: handshake_failure; nested exception is:
            javax.naming.CommunicationException: Received fatal alert: handshake_failure [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
            at oracle.oc4j.deployment.ApplicationClientResourceFinder.lookupResourceFinder(ApplicationClientResourceFinder.java:110)
            at oracle.oc4j.deployment.ApplicationClientResourceFinder.getFinder(ApplicationClientResourceFinder.java:123)
            at oracle.oc4j.deployment.ApplicationClientResourceFinder.getLocation(ApplicationClientResourceFinder.java:75)
            at oracle.oc4j.deployment.ApplicationClientResourceFinder.getEjbBinding(ApplicationClientResourceFinder.java:38)
            at com.oracle.naming.J2EEContext.addEJBReferenceEntries(J2EEContext.java:541)
            at com.oracle.naming.J2EEContext.create(J2EEContext.java:96)
            ... 52 more
            Caused by: javax.naming.CommunicationException: Received fatal alert: handshake_failure [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
            at com.evermind.server.rmi.RMIClient.lookup(RMIClient.java:296)
            at com.evermind.server.rmi.RMIClientContext.lookup(RMIClientContext.java:51)
            at oracle.oc4j.deployment.ApplicationClientResourceFinder.lookupResourceFinder(ApplicationClientResourceFinder.java:101)
            ... 57 more
            Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
            at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
            at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1650)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:618)
            at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
            at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
            at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
            at oracle.oc4j.rmi.ClientRmiTransport.connectToServer(ClientRmiTransport.java:83)
            at oracle.oc4j.rmi.ClientSocketRmiTransport.connectToServer(ClientSocketRmiTransport.java:68)
            at com.evermind.server.rmi.RMIClientConnection.connect(RMIClientConnection.java:646)
            at com.evermind.server.rmi.RMIClientConnection.sendLookupRequest(RMIClientConnection.java:190)
            at com.evermind.server.rmi.RMIClientConnection.lookup(RMIClientConnection.java:174)
            at com.evermind.server.rmi.RMIClient.lookup(RMIClient.java:287)
            ... 59 more
            • 3. Re: SSL
              René van Wijk
              Which version of OC4J are you using? I can remember there being some problems with versions lower than 10.1.3.*.

              You could try it with a newer version, for example 10.1.3.5.

              When I created a client to connect, I used the following code:

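              import java.io.FileInputStream;
              import java.io.InputStream;
              import java.security.KeyStore;
              import javax.net.ssl.KeyManagerFactory;
              import javax.net.ssl.SSLContext;

              // fileLocatie = path to the client keystore, instance = keystore type (e.g. "JKS"),
              // password = keystore password, also used here as the private-key passphrase
              InputStream inputStream = new FileInputStream(fileLocatie);
              KeyStore keystore = KeyStore.getInstance(instance);
              try {
                  keystore.load(inputStream, password.toCharArray());
              } finally {
                  inputStream.close(); // do not leak the file handle if load() throws
              }
              KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
              keyManagerFactory.init(keystore, password.toCharArray());
              // "TLS" rather than "SSLv3": SSLv3 is disabled by default in current JREs
              SSLContext sslContext = SSLContext.getInstance("TLS");
              // null TrustManagers and SecureRandom: the JRE defaults are used for both
              sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
              // Sets the default for this HTTP client class only, not the JVM-wide SSL default
              HTTPConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());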
              • 4. Re: SSL
                vigdal
                Hi

                I was able to get rid of the message by
                removing the
                -Djavax.net.ssl.trustStore=.\ mykeystore.jks
                -Djavax.net.ssl.trustStorePassword=testtest
                from OC4J_JVM_ARGS and instead putting the trusted cert in the jre\lib\security\cacerts java keystore

                - Per Jørgen