4 Replies Latest reply: Mar 20, 2013 3:58 AM by 600889

outbound network access limitations

600889 Newbie
Hello,

I would like to know if it is possible from a deployed application in the JCS to get access to secure network resources outside of the JCS. For example, can I get access to a web service provided by Google? It seems from the whitelisting app that we're quite limited in terms of networking classes one can use.

I did a quick test using weblogic.net.http.HttpsURLConnection (which happily passes the whitelist tool), but any connection attempt to a secure host fails. Doing a plain http request using java.net.HttpURLConnection does work as expected.

What are our plans regarding availability of outbound connectivity, more specifically https? Is JCS going to provide a proxy service to monitor and regulate usage of this?

Thank you,


Ernst.

Edited by: Ernst Eeldert on Mar 14, 2013 4:00 PM
  • 1. Re: outbound network access limitations
    879125 Newbie
    Hi Ernst,

    We definitely allow accessing external resources via HTTP. A couple of things to remember: (1) the hostname verification has to pass, i.e. the certificate issued for the external resource should match the hostname you are connecting to; (2) the certificate should be signed by a well-known authority. The ones we trust are in cacerts.jks of JDK 1.6. As long as the well-known CA cert is in the standard cacerts.jks, that certificate authority is trusted. Self-signed certificates will not work.

    Having said that, can you give us an example of a resource you tried to access that did not work? Please give us the exact error message you see in the service log. We might be able to identify the issue.

    thanks,
    -Anand.
  • 2. Re: outbound network access limitations
    600889 Newbie
    Hello Anand,

    Indeed the hostname verification was the culprit. The certificate of the host I was trying to access here had cn=*.oracle.com, which doesn't match the actual hostname of ontrackeap.oracle.com. I worked around it by implementing a custom weblogic.security.SSL.HostnameVerifier, which is not ideal, but works for now.

    On a side note, I also tried the same requests using Apache httpclient 4.2, and even though the jar files get approved by the whitelist tool, executing an http request results in Java security exceptions. Running the same code on a local weblogic server works as expected.

    Thanks,

    Ernst.
  • 3. Re: outbound network access limitations
    600889 Newbie
    Hmm, still no joy here. You can access the test servlet I wrote at:

    https://java-trialajry.java.us1.oraclecloudapps.com/CloudHerd/outboundtest

    I keep running into access denied issues due to socket usage:

    java.security.AccessControlException: access denied (java.net.SocketPermission 148.87.12.71:443 connect,resolve)
         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
         at java.security.AccessController.checkPermission(AccessController.java:549)
         at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
         at java.lang.SecurityManager.checkConnect(SecurityManager.java:1034)
         at java.net.Socket.connect(Socket.java:524)
         at weblogic.net.http.HttpsClient.openWrappedSSLSocket(HttpsClient.java:557)
         at weblogic.net.http.HttpsClient.openServer(HttpsClient.java:286)
         at weblogic.net.http.HttpsClient.openServer(HttpsClient.java:363)
         at weblogic.net.http.HttpsClient.New(HttpsClient.java:520)
         at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:239)
         at weblogic.net.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:279)
         at oracle.social.demoherd.XClientCloud.post(XClientCloud.java:120)
         at oracle.social.demoherd.XClientCloud.connect(XClientCloud.java:94)
         at oracle.social.demoherd.OutboundTest.doPost(OutboundTest.java:42)


    Here's the code (using weblogic.net.http.HttpsURLConnection):

    // Open the outbound HTTPS connection (weblogic.net.http.HttpsURLConnection)
    URLConnection c = (HttpsURLConnection) new URL(url).openConnection();
    if (APIRANDOMID != null) {
        c.addRequestProperty("X-Waggle-RandomID", APIRANDOMID);
    }
    if (JSESSIONID != null) {
        // Send only the name=value part of the session cookie
        c.addRequestProperty("Cookie", JSESSIONID.split(";", 2)[0]);
    }
    c.setRequestProperty("Content-Type", "application/json");
    c.setRequestProperty("Accept-Charset", CHARSET);
    c.setRequestProperty("Accept", "application/json");
    // DO_NOT_VERIFY: custom verifier, turns hostname verification off for this connection
    ((HttpsURLConnection) c).setHostnameVerifier(DO_NOT_VERIFY);
    c.setConnectTimeout(TIMEOUT);


    Thanks.

    Ernst.
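
An added example, not part of the thread or of anyone's posted code: a wildcard-aware hostname verifier that could stand in for the DO_NOT_VERIFY workaround in replies 2 and 3, accepting a certificate name such as *.oracle.com for ontrackeap.oracle.com under the usual one-label wildcard rule while still rejecting unrelated hosts. It is written against javax.net.ssl.HostnameVerifier so it compiles with the JDK alone; it is an assumption that weblogic.security.SSL.HostnameVerifier has the same verify(String, SSLSession) shape, in which case the class would implement that interface instead. The class name WildcardHostnameVerifier and the helper matches() are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

// Added example (hypothetical class): checks the host instead of skipping the check.
public class WildcardHostnameVerifier implements HostnameVerifier {

    // True if a certificate name (e.g. "*.oracle.com") covers the host.
    static boolean matches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);                      // no wildcard: exact match only
        }
        String suffix = p.substring(1);              // ".oracle.com"
        if (suffix.indexOf('.', 1) < 0) {
            return false;                            // reject "*.com"
        }
        if (!h.endsWith(suffix) || h.length() == suffix.length()) {
            return false;
        }
        String left = h.substring(0, h.length() - suffix.length());
        return left.indexOf('.') < 0;                // wildcard covers one label only
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            List<String> names = new ArrayList<String>();
            if (leaf.getSubjectAlternativeNames() != null) {
                for (List<?> san : leaf.getSubjectAlternativeNames()) {
                    if ((Integer) san.get(0) == 2) names.add((String) san.get(1)); // dNSName
                }
            }
            if (names.isEmpty()) {                   // no DNS SANs: fall back to subject CN
                for (Rdn rdn : new LdapName(leaf.getSubjectX500Principal().getName()).getRdns()) {
                    if ("CN".equalsIgnoreCase(rdn.getType())) names.add(rdn.getValue().toString());
                }
            }
            for (String n : names) if (matches(n, hostname)) return true;
            return false;
        } catch (Exception e) {
            return false;                            // fail closed on any certificate error
        }
    }
}
```

With this verifier, matches("*.oracle.com", "ontrackeap.oracle.com") is true, while "a.b.oracle.com" and "oracle.com.example.net" are both rejected. It only governs the hostname check and has no effect on the SocketPermission denial shown in reply 3.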
  • 4. Re: outbound network access limitations
    600889 Newbie
    Still no joy here. No matter which implementation (JSSE, weblogic) or library (apache httpclient) I use, it always ends up at not being able to open a socket connection. For reference, the full code of my class is here: http://pastebin.com/kjQ5aq6i

    This class uses the weblogic.net.http.HttpsURLConnection implementation, which, according to weblogic documentation, is the one to use.

    As my JCS service is about to expire in a week, a quick response would be highly appreciated.

    Thank you,

    Ernst.
