4 Replies Latest reply: Mar 20, 2013 5:58 AM by 600889

    outbound network access limitations

    600889
      Hello,

      I would like to know if it is possible from a deployed application in the JCS to get access to secure network resources outside of the JCS. For example, can I get access to a web service provided by Google? It seems from the whitelisting app that we're quite limited in terms of the networking classes one can use.

      I did a quick test using weblogic.net.http.HttpsURLConnection (which happily passes the whitelist tool), but any connection attempt to a secure host fails. Doing a plain HTTP request using java.net.HttpURLConnection does work as expected.

      What are our plans regarding availability of outbound connectivity, more specifically https? Is JCS going to provide a proxy service to monitor and regulate usage of this?

      Thank you,


      Ernst.

      Edited by: Ernst Eeldert on Mar 14, 2013 4:00 PM
        • 1. Re: outbound network access limitations
          anandk
          Hi Ernst,

          We definitely allow accessing external resources via HTTP. A couple of things to remember: (1) the hostname verification has to pass, i.e. the certificate issued for the external resource should match the hostname you are connecting to; (2) the certificate should be signed by a well-known authority. The ones we trust are in cacerts.jks of JDK 1.6. As long as the well-known CA cert is in the standard cacerts.jks, that certificate authority is trusted. Self-signed certificates will not work.

          Having said that, if you can give us an example of a resource you tried to access that did not work, please give us the exact error message you see in the service log. We might be able to identify the issue.

          thanks,
          -Anand.
          • 2. Re: outbound network access limitations
            600889
            Hello Anand,

            Indeed, the hostname verification was the culprit. The certificate of the host I was trying to access here had cn=*.oracle.com, which doesn't match the actual hostname of ontrackeap.oracle.com. I worked around it by implementing a custom weblogic.security.SSL.HostnameVerifier, which is not ideal, but works for now.

            On a side note, I also tried the same requests using Apache HttpClient 4.2, and even though the jar files get approved by the whitelist tool, executing an HTTP request results in Java security exceptions. Running the same code on a local WebLogic server works as expected.

            Thanks,

            Ernst.
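            A hostname verifier that handles the wildcard case described above without disabling verification entirely, added here as an example (it is not Ernst's code or part of WebLogic). It is written against the standard javax.net.ssl.HostnameVerifier; the assumption is that the same verify(String, SSLSession) body can be adapted to weblogic.security.SSL.HostnameVerifier for weblogic.net.http.HttpsURLConnection.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

// Example verifier: accepts the peer cert only when the requested host matches a SAN
// dNSName or (absent any SAN) the subject CN, with one "*." wildcard in the leftmost label.
public final class WildcardHostnameVerifier implements HostnameVerifier {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
            X509Certificate leaf = (X509Certificate) chain[0];
            String host = hostname.toLowerCase(Locale.ROOT);
            // SAN type 2 is dNSName; SANs take precedence over CN per RFC 6125.
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans != null && !sans.isEmpty()) {
                for (List<?> san : sans) {
                    if (Integer.valueOf(2).equals(san.get(0)) && matches((String) san.get(1), host)) return true;
                }
                return false;
            }
            String cn = extractCn(leaf.getSubjectX500Principal());
            return cn != null && matches(cn, host);
        } catch (Exception e) { // unverified peer, unparsable cert, non-String SAN value
            return false;
        }
    }
    // "*.oracle.com" matches "ontrackeap.oracle.com" but not "a.b.oracle.com" or "oracle.com".
    static boolean matches(String pattern, String host) {
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        String suffix = pattern.substring(1); // ".oracle.com"; must itself contain a dot
        return host.endsWith(suffix) && suffix.indexOf('.', 1) > 0
            && host.indexOf('.') == host.length() - suffix.length();
    }
    // Naive RDN split: fine for ordinary CN values, not for CNs containing escaped commas.
    static String extractCn(X500Principal subject) {
        for (String rdn : subject.getName(X500Principal.RFC2253).split(",")) {
            String r = rdn.trim();
            if (r.regionMatches(true, 0, "CN=", 0, 3)) return r.substring(3);
        }
        return null;
    }
}
```

            Installed with setHostnameVerifier(new WildcardHostnameVerifier()), this keeps the CA and hostname checks Anand describes intact while accepting a correctly scoped wildcard certificate.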
            • 3. Re: outbound network access limitations
              600889
              Hmm, still no joy here. You can access the test servlet I wrote at:

              https://java-trialajry.java.us1.oraclecloudapps.com/CloudHerd/outboundtest

              I keep running into access denied issues due to socket usage:

              java.security.AccessControlException: access denied (java.net.SocketPermission 148.87.12.71:443 connect,resolve)
                   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
                   at java.security.AccessController.checkPermission(AccessController.java:549)
                   at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
                   at java.lang.SecurityManager.checkConnect(SecurityManager.java:1034)
                   at java.net.Socket.connect(Socket.java:524)
                   at weblogic.net.http.HttpsClient.openWrappedSSLSocket(HttpsClient.java:557)
                   at weblogic.net.http.HttpsClient.openServer(HttpsClient.java:286)
                   at weblogic.net.http.HttpsClient.openServer(HttpsClient.java:363)
                   at weblogic.net.http.HttpsClient.New(HttpsClient.java:520)
                   at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:239)
                   at weblogic.net.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:279)
                   at oracle.social.demoherd.XClientCloud.post(XClientCloud.java:120)
                   at oracle.social.demoherd.XClientCloud.connect(XClientCloud.java:94)
                   at oracle.social.demoherd.OutboundTest.doPost(OutboundTest.java:42)


              Here's the code (using weblogic.net.http.HttpsURLConnection):

              // Fragment from the servlet; url, APIRANDOMID, JSESSIONID, CHARSET, TIMEOUT and
              // DO_NOT_VERIFY (the custom HostnameVerifier from the previous post) are fields.
              HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
              if (APIRANDOMID != null) {
                  c.addRequestProperty("X-Waggle-RandomID", APIRANDOMID);
              }
              if (JSESSIONID != null) {
                  c.addRequestProperty("Cookie", JSESSIONID.split(";", 2)[0]);
              }
              c.setRequestProperty("Content-Type", "application/json");
              c.setRequestProperty("Accept-Charset", CHARSET);
              c.setRequestProperty("Accept", "application/json");
              c.setHostnameVerifier(DO_NOT_VERIFY);
              c.setConnectTimeout(TIMEOUT);
              // The SocketPermission failure above is raised at c.getOutputStream(), i.e. on connect.


              Thanks.

              Ernst.
              • 4. Re: outbound network access limitations
                600889
                Still no joy here. No matter which implementation (JSSE, WebLogic) or library (Apache HttpClient) I use, it always ends up not being able to open a socket connection. For reference, the full code of my class is here: http://pastebin.com/kjQ5aq6i

                This class uses the weblogic.net.http.HttpsURLConnection implementation, which, according to the WebLogic documentation, is the one to use.

                As my JCS service is about to expire in a week, a quick response would be highly appreciated.

                Thank you,

                Ernst.