0 Replies Latest reply: Mar 8, 2013 1:21 PM by 995763 RSS

    Weblogic app server wsdl web service call with SSL Validation error = 16

    995763
      Weblogic app server wsdl web service call with SSL Validation error = 16

      I need to make wsdl web service call in my weblogic app server. The web service is provided by a 3rd party vendor. I keep getting error
      Cannot complete the certificate chain: No trusted cert found
      Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure
      Validation error = 16

      From the SSL debug log, I can see 3 verisign hierarchy certs are correctly loaded (see 3 lines in the log message starting with “adding as trusted cert”). But somehow after first handshake, I got error “Cannot complete the certificate chain: No trusted cert found”.

      Here is how I load trustStore and keyStore in my java program:
           System.setProperty("javax.net.ssl.trustStore",”cacerts”);
           System.setProperty("javax.net.ssl.trustStorePassword", trustKeyPasswd);
           System.setProperty("javax.net.ssl.trustStoreType","JKS");
      System.setProperty("javax.net.ssl.keyStoreType","JKS");
      System.setProperty("javax.net.ssl.keyStore", keyStoreName);
           System.setProperty("javax.net.ssl.keyStorePassword",clientCertPwd);      System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump","true");

      Here is how I create cacerts using verisign hierarchy certs (in this order)
      1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignClass3G5PCA3Root.txt -alias "Verisign Class3 G5P CA3 Root"
      1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediatePrimary.txt -alias "Verisign C3 G5 Intermediate Primary"
      1.6.0_29/jre/bin/keytool -import -trustcacerts -keystore cacerts -storepass changeit -file VerisignC3G5IntermediateSecondary.txt -alias "Verisign C3 G5 Intermediate Secondary"

      Because my program is a weblogic app server, when I start the program, I have java command line options set as:
      -Dweblogic.security.SSL.trustedCAKeyStore=SSLTrust.jks
      -Dweblogic.security.SSL.ignoreHostnameVerification=true
      -Dweblogic.security.SSL.enforceConstraints=strong
      That SSLTrust.jks is the trust certificate from our web server which sits on a different box. In our config.xml file, we also refer to the SSLTrust.jks file when we bring up the weblogic app server.

      In addition, we have working logic to use some other wsdl web services from the same vendor on the same SOAP server. In the working web service call flows, we use clientgen to create client stub, and use SSLContext and WLSSLAdapter to load trustStore and keyStore, and then bind the SSLContext and WLSSLAdapter objects to the webSerive client object and make the webservie call. For the new wsdl file, I am told to use wsimport to create client stub. In the client code created, I don’t see any way that I can bind SSLContext and WLSSLAdapter objects to the client object, so I have to load certs by settting system pramaters. Here I attached the the wsdl file.

      I have read many articles. It seems as long as I can install the verisign certs correctly to web logic server, I should have fixed the problem. Now the questions are:
      1.     Do I create “cacerts” the correct order with right keeltool options?
      2.     Since command line option “-Dweblogic.security.SSL.trustedCAKeyStore” is used for web server jks certificate, will that cause any problem for me?
      3.     Is it possible to use wsimport to generate client stub that I can bind SSLContext and WLSSLAdapter objects to it?
      4.     Do I need to put the “cacerts” to some specific weblogic directory?


      ---------------------------------wsdl file
      <wsdl:definitions name="TokenServices" targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:tns="http://tempuri.org/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
           <wsp:Policy wsu:Id="TokenServices_policy">
                <wsp:ExactlyOne>
                     <wsp:All>
                          <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                               <wsp:Policy>
                                    <sp:TransportToken>
                                         <wsp:Policy>
                                              <sp:HttpsToken RequireClientCertificate="true"/>
                                         </wsp:Policy>
                                    </sp:TransportToken>
                                    <sp:AlgorithmSuite>
                                         <wsp:Policy>
                                              <sp:Basic256/>
                                         </wsp:Policy>
                                    </sp:AlgorithmSuite>
                                    <sp:Layout>
                                         <wsp:Policy>
                                              <sp:Strict/>
                                         </wsp:Policy>
                                    </sp:Layout>
                               </wsp:Policy>
                          </sp:TransportBinding>
                          <wsaw:UsingAddressing/>
                     </wsp:All>
                </wsp:ExactlyOne>
           </wsp:Policy>
           <wsdl:types>
                <xsd:schema targetNamespace="http://tempuri.org/Imports">
                     <xsd:import schemaLocation="xsd0.xsd" namespace="http://tempuri.org/"/>
                     <xsd:import schemaLocation="xsd1.xsd" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
                </xsd:schema>
           </wsdl:types>
           <wsdl:message name="ITokenServices_GetUserToken_InputMessage">
                <wsdl:part name="parameters" element="tns:GetUserToken"/>
           </wsdl:message>
           <wsdl:message name="ITokenServices_GetUserToken_OutputMessage">
                <wsdl:part name="parameters" element="tns:GetUserTokenResponse"/>
           </wsdl:message>
           <wsdl:message name="ITokenServices_GetSSOUserToken_InputMessage">
                <wsdl:part name="parameters" element="tns:GetSSOUserToken"/>
           </wsdl:message>
           <wsdl:message name="ITokenServices_GetSSOUserToken_OutputMessage">
                <wsdl:part name="parameters" element="tns:GetSSOUserTokenResponse"/>
           </wsdl:message>
           <wsdl:portType name="ITokenServices">
                <wsdl:operation name="GetUserToken">
                     <wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetUserToken" message="tns:ITokenServices_GetUserToken_InputMessage"/>
                     <wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetUserTokenResponse" message="tns:ITokenServices_GetUserToken_OutputMessage"/>
                </wsdl:operation>
                <wsdl:operation name="GetSSOUserToken">
                     <wsdl:input wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserToken" message="tns:ITokenServices_GetSSOUserToken_InputMessage"/>
                     <wsdl:output wsaw:Action="http://tempuri.org/ITokenServices/GetSSOUserTokenResponse" message="tns:ITokenServices_GetSSOUserToken_OutputMessage"/>
                </wsdl:operation>
           </wsdl:portType>
           <wsdl:binding name="TokenServices" type="tns:ITokenServices">
                <wsp:PolicyReference URI="#TokenServices_policy"/>
                <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
                <wsdl:operation name="GetUserToken">
                     <soap12:operation soapAction="http://tempuri.org/ITokenServices/GetUserToken" style="document"/>
                     <wsdl:input>
                          <soap12:body use="literal"/>
                     </wsdl:input>
                     <wsdl:output>
                          <soap12:body use="literal"/>
                     </wsdl:output>
                </wsdl:operation>
                <wsdl:operation name="GetSSOUserToken">
                     <soap12:operation soapAction="http://tempuri.org/ITokenServices/GetSSOUserToken" style="document"/>
                     <wsdl:input>
                          <soap12:body use="literal"/>
                     </wsdl:input>
                     <wsdl:output>
                          <soap12:body use="literal"/>
                     </wsdl:output>
                </wsdl:operation>
           </wsdl:binding>
           <wsdl:service name="TokenServices">
                <wsdl:port name="TokenServices" binding="tns:TokenServices">
                     <soap12:address location="https://ws-eq.demo.i-deal.com/PhxEquity/TokenServices.svc"/>
                     <wsa10:EndpointReference>
                          <wsa10:Address>https://ws-eq.demo.xxx.com/PhxEquity/TokenServices.svc</wsa10:Address>
                     </wsa10:EndpointReference>
                </wsdl:port>
           </wsdl:service>
      </wsdl:definitions>

      ----------------------------------application log
      adding as trusted cert:
      Subject: CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      Algorithm: RSA; Serial number: 0x641be820ce020813f32d4d2d95d67e67
      Valid from Sun Feb 07 19:00:00 EST 2010 until Fri Feb 07 18:59:59 EST 2020

      adding as trusted cert:
      Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      Algorithm: RSA; Serial number: 0x3c9131cb1ff6d01b0e9ab8d044bf12be
      Valid from Sun Jan 28 19:00:00 EST 1996 until Wed Aug 02 19:59:59 EDT 2028

      adding as trusted cert:
      Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      Algorithm: RSA; Serial number: 0x250ce8e030612e9f2b89f7054d7cf8fd
      Valid from Tue Nov 07 19:00:00 EST 2006 until Sun Nov 07 18:59:59 EST 2021

      <Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Cipher: SunPKCS11-Solaris version 1.6 for algorithm DESede/CBC/NoPadding>
      <Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Cipher for algorithm DESede>
      <Mar 7, 2013 6:59:21 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>

      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSetup: loading trusted CA certificates>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 28395435>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 SSL3/TLS MAC>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <25779276 received HANDSHAKE>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
      Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
      Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
      Not Valid Before:Tue Dec 18 19:00:00 EST 2012
      Not Valid After:Wed Jan 07 18:59:59 EST 2015
      Signature Algorithm:SHA1withRSA
      >
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
      Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
      Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
      Not Valid Before:Sun Feb 07 19:00:00 EST 2010
      Not Valid After:Fri Feb 07 18:59:59 EST 2020
      Signature Algorithm:SHA1withRSA
      >
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
      Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
      Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
      Not Valid Before:Tue Dec 18 19:00:00 EST 2012
      Not Valid After:Wed Jan 07 18:59:59 EST 2015
      Signature Algorithm:SHA1withRSA
      >
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
      Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
      Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
      Not Valid Before:Sun Feb 07 19:00:00 EST 2010
      Not Valid After:Fri Feb 07 18:59:59 EST 2020
      Signature Algorithm:SHA1withRSA
      >
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
      <Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - xx.xxx.xxx.156 was not trusted causing SSL handshake failure.>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
      java.lang.Exception: New alert stack
           at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
           at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
           at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
           at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
           at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
           at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
           at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
           at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
           at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
           at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
           at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
           at com.certicom.tls.record.WriteHandler.write(Unknown Source)
           at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
           at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
           at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
           at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
           at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
           at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
           at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
           at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
           at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
           at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
           at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
           at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
           at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
           at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
           at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
           at javax.xml.ws.Service.<init>(Service.java:56)
           at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
           at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
           at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
           at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
           at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
           at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
           at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
           at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
           at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
           at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
           at weblogic.security.service.SecurityManager.runAs(Unknown Source)
           at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
           at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
           at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
           at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
           at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
      >
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 6457753>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 22803607>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 14640403>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 115>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <23376797 SSL3/TLS MAC>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <23376797 received HANDSHAKE>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHello>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Cannot complete the certificate chain: No trusted cert found>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 2400410601231772600606506698552332774
      Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
      Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
      Not Valid Before:Tue Dec 18 19:00:00 EST 2012
      Not Valid After:Wed Jan 07 18:59:59 EST 2015
      Signature Algorithm:SHA1withRSA
      >
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 133067699711757643302127248541276864103
      Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
      Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
      Not Valid Before:Sun Feb 07 19:00:00 EST 2010
      Not Valid After:Fri Feb 07 18:59:59 EST 2020
      Signature Algorithm:SHA1withRSA
      >
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 16>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial number: 2400410601231772600606506698552332774
      Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
      Subject:C=US, ST=New York, L=New York, O=xxx LLC, OU=GTIG, CN=ws-eq.demo.xxx.com
      Not Valid Before:Tue Dec 18 19:00:00 EST 2012
      Not Valid After:Wed Jan 07 18:59:59 EST 2015
      Signature Algorithm:SHA1withRSA
      >
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial number: 133067699711757643302127248541276864103
      Issuer:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
      Subject:C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3
      Not Valid Before:Sun Feb 07 19:00:00 EST 2010
      Not Valid After:Fri Feb 07 18:59:59 EST 2020
      Signature Algorithm:SHA1withRSA
      >
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 16>
      <Mar 7, 2013 6:59:22 PM EST> <Warning> <Security> <BEA-090477> <Certificate chain received from ws-eq.demo.xxx.com - 12.29.210.156 was not trusted causing SSL handshake failure.>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Validation error = 16>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is untrusted>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 16>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (16): CERT_CHAIN_UNTRUSTED>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
      java.lang.Exception: New alert stack
           at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
           at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
           at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
           at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
           at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
           at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
           at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
           at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
           at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
           at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
           at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
           at com.certicom.tls.record.WriteHandler.write(Unknown Source)
           at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
           at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
           at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
           at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
           at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
           at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
           at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
           at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:100)
           at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
           at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
           at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
           at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
           at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:296)
           at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
           at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
           at javax.xml.ws.Service.<init>(Service.java:56)
           at ideal.ws2j.eqtoken.TokenServices.<init>(TokenServices.java:64)
           at com.citi.ilrouter.util.IpreoEQSSOClient.invokeRpcPortalToken(IpreoEQSSOClient.java:165)
           at com.citi.ilrouter.servlets.T3LinkServlet.doPost(T3LinkServlet.java:168)
           at com.citi.ilrouter.servlets.T3LinkServlet.doGet(T3LinkServlet.java:206)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
           at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
           at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
           at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
           at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
           at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(Unknown Source)
           at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
           at weblogic.security.service.SecurityManager.runAs(Unknown Source)
           at weblogic.servlet.internal.WebAppServletContext.securedExecute(Unknown Source)
           at weblogic.servlet.internal.WebAppServletContext.execute(Unknown Source)
           at weblogic.servlet.internal.ServletRequestImpl.run(Unknown Source)
           at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
           at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
      >
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
      <Mar 7, 2013 6:59:22 PM EST> <Debug> <SecuritySSL> <BEA-000000> <close(): 16189141>