0 Replies Latest reply on Jan 5, 2019 12:03 PM by rohit204

    javax.net.ssl.SSLHandshakeException & java.security.cert.CertPathBuilderException

    rohit204

      Hi All,


      Does anyone have experience establishing a connection to an SSL-enabled WebLogic Administration Console [12.2.1.2] on admin port 9002 from JMXConnectorFactory using the default DemoIdentity & Demo keystores?

      We are using the DemoTrust keys [DemoIdentity.jks & DemoTrust.jks] to establish an SSL-enabled WebLogic connection using administration port 9002.

      The Java trust keystore is located under <Java-home>/jre/lib/security/cacerts (Java 1.8 SDK).


      Connecting to the WebLogic admin port from the command line succeeds after executing the two steps below:

      1. setWLSEnv.cmd

      2. java -Dweblogic.security.TrustKeyStore=DemoTrust weblogic.WLST


      I get the exception below when attempting to connect from Eclipse using javax.management.remote.JMXConnectorFactory.connect in Java code.

      <Jan 5, 2019 11:23:54 AM GMT-08:00> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>
      <Jan 5, 2019 11:23:54 AM GMT-08:00> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.>
      <Jan 5, 2019 11:23:54 AM GMT-08:00> <Info> <Security> <BEA-090909> <Using the configured custom SSL Hostname Verifier implementation: weblogic.security.utils.SSLWLSHostnameVerifier$NullHostnameVerifier.>
      ...
      ...
      ...
      ...
      ...
      main, fatal error: 46: General SSLEngine problem
      com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
          java.security.cert.CertPathValidatorException: The certificate issued by CN=CertGenCA, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US is not trusted; internal cause is:
          java.security.cert.CertPathValidatorException: Certificate chaining error
      %% Invalidated:  [Session-2, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
      main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
      main, WRITE: TLSv1.2 Alert, length = 2
      main, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      main, called closeOutbound()
      main, closeOutboundInternal()
      Exception in thread "main" java.io.IOException: Failed to initialize JNDI context, tried 2 time or times totally, the interval of each time is 0ms.
      t3s://9.30.167.149:9002: Destination 9.30.167.149, 9002 unreachable.; nested exception is:
          javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination.; nested exception is:
          java.rmi.ConnectException: No available router to destination.
          at weblogic.management.remote.common.ClientProviderBase.makeConnection(ClientProviderBase.java:327)
          at weblogic.management.remote.common.ClientProviderBase.newJMXConnector(ClientProviderBase.java:135)
          at javax.management.remote.JMXConnectorFactory.newJMXConnector(JMXConnectorFactory.java:382)
          at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:280)
          at WLSSLConnect.initConnection(PrintServerState.java:52)
          at WLSSLConnect.main(PrintServerState.java:92)
      Caused by: javax.naming.CommunicationException: Failed to initialize JNDI context, tried 2 time or times totally, the interval of each time is 0ms.
      t3s://9.30.167.149:9002: Destination 9.30.167.149, 9002 unreachable.; nested exception is:
          javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination.; nested exception is:
          java.rmi.ConnectException: No available router to destination. [Root exception is java.net.ConnectException: t3s://9.30.167.149:9002: Destination 9.30.167.149, 9002 unreachable.; nested exception is:
          javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination.; nested exception is:
          java.rmi.ConnectException: No available router to destination.]
          at weblogic.jndi.WLInitialContextFactoryDelegate.throwRetryException(WLInitialContextFactoryDelegate.java:467)
          at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:403)
          at weblogic.jndi.Environment.getContext(Environment.java:351)
          at weblogic.jndi.Environment.getContext(Environment.java:320)
          at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:119)
          at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
          at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:324)
          at javax.naming.InitialContext.init(InitialContext.java:255)
          at javax.naming.InitialContext.<init>(InitialContext.java:227)
          at weblogic.management.remote.common.ClientProviderBase.makeConnection(ClientProviderBase.java:296)
          ... 5 more


      Set in the classpath: wlthint3client.jar


      I have set the following Java options in Eclipse:

      -Dweblogic.security.TrustKeyStore=DemoTrust

      -Dcom.ibm.jsse2.disableSSLv3=false

      -Dweblogic.security.SSL.trustedCAKeyStore="<oracle_home>\wlserver\\server\\lib\\cacerts"

      -Djavax.net.debug=ssl

      -Djdk.tls.client.protocols=TLSv1.2

      -Dweblogic.security.SSL.verbose=true

      -Dweblogic.security.SSL.enable.renegotiation=true

      -Dsun.security.ssl.allowUnsafeRenegotiation=true

      -Dweblogic.security.SSL.ignoreHostnameVerification=true

      -Dweblogic.security.SSL.enforceConstraints=off

      -Djava.protocol.handler.pkgs=weblogic.net


      Under Servers -> server_name -> SSL (Advanced), I

      checked "Use server certs" and

      changed Hostname Verification to None.


      What do I need to verify here to resolve the SSLHandshakeException & CertPathBuilderException?

      Please suggest/advise.
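Added here as an illustration, not code from the original post or from WebLogic: a small, JSSE-only diagnostic for the "PKIX path building failed ... issued by CN=CertGenCA ... is not trusted" error above. It loads a JKS trust store, reports whether the issuer DN quoted in the error is present among the store's trusted certificates, and then performs a plain TLS 1.2 handshake to the admin port with that store as the only trust source, recording the certificate chain the server actually presents so the two can be compared. Host, port, trust store path and passphrase are command-line arguments (hypothetical names; substitute your own). The check exercises only the JDK's own PKIX trust manager (IBM JSSE2 or Oracle JSSE, selected via the default algorithm), so it is independent of the WebLogic-specific -Dweblogic.security.TrustKeyStore property; whether that property is honored by the thin client is a separate question from whether the JDK trust store the handshake uses contains CertGenCA.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Trust store diagnostic (example code, not part of the original post).
 * Usage: java TrustStoreCheck <host> <port> <truststore.jks> <passphrase>
 */
public class TrustStoreCheck {

    // Issuer DN exactly as quoted in the CertPathValidatorException above.
    static final String FAILING_ISSUER =
        "CN=CertGenCA, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US";

    /** Loads a JKS trust store (e.g. DemoTrust.jks or the JDK cacerts) from disk. */
    static KeyStore loadTrustStore(String path, char[] passphrase) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, passphrase);
        }
        return ks;
    }

    /** Subject DNs of every trusted-certificate entry in the store. */
    static List<X500Principal> trustedSubjects(KeyStore ks) throws Exception {
        List<X500Principal> subjects = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                subjects.add(((X509Certificate) ks.getCertificate(alias)).getSubjectX500Principal());
            }
        }
        return subjects;
    }

    /** True if a trusted certificate's subject equals the issuer DN (canonical X.500 comparison). */
    static boolean containsIssuer(KeyStore ks, String issuerDn) throws Exception {
        return trustedSubjects(ks).contains(new X500Principal(issuerDn));
    }

    /** Wraps the real PKIX trust manager: records the presented chain, then still enforces validation. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastChain;
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            lastChain = chain;                       // keep a copy for the report
            delegate.checkServerTrusted(chain, authType); // throws unless the chain reaches a trusted CA
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** PKIX trust manager built from the given store only (no fallback to the JDK default cacerts). */
    static X509TrustManager pkixTrustManager(KeyStore ks) throws Exception {
        // getDefaultAlgorithm() yields "PKIX" on Oracle JSSE and "IbmPKIX" on IBM JSSE2.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        KeyStore ks = loadTrustStore(args[2], args[3].toCharArray());

        System.out.println("Trusted entries in " + args[2] + ":");
        for (X500Principal p : trustedSubjects(ks)) System.out.println("  " + p);
        System.out.println("Issuer from the error present: " + containsIssuer(ks, FAILING_ISSUER));

        RecordingTrustManager tm = new RecordingTrustManager(pkixTrustManager(ks));
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.startHandshake();
            System.out.println("Handshake OK: " + sock.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }
        if (tm.lastChain != null) {
            System.out.println("Chain presented by the server (leaf first):");
            for (X509Certificate c : tm.lastChain) {
                System.out.println("  subject=" + c.getSubjectX500Principal()
                                 + "  issuer=" + c.getIssuerX500Principal());
            }
        }
    }
}
```

Run it once against the JDK cacerts and once against DemoTrust.jks: if the issuer printed for the server's leaf (or for the last certificate in the presented chain) is not among the trusted entries of the store the handshake actually uses, the chaining error is expected, and the fix is to add that CA to the store the client consults rather than to relax hostname verification or renegotiation settings, which do not affect path building.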