weblogic ssl handshake failure trust store issue

ssl weblogic handshake truststore
Sekhar picture Sekhar · Jul 5, 2013 · Viewed 28.4k times · Source

I am getting ssl handshake failure when i try to invoke https service call within weblogic. I have added the server certificate into weblogic trust store -"cacerts".

Command used to add the trust store in weblogic startup script : 

     JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore="/weblogic92/server/lib/cacerts" ${JAVA_OPTIONS}"

export JAVA_OPTIONS

Am i missing anything else - Any pointers to fix this issue ?

Tested the ssl connection within app server box using SSLPoke.java and it was successful.

   java -Djavax.net.ssl.trustStore=/weblogic92/server/lib/cacerts 
   -Djavax.net.ssl.trustStorePassword=changeit SSLPoke 192.16.2.6 8443

Weblogic server log trace: 

       javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1628)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:230)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:224)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1027)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:120)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:574)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:510)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:888)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1117)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:629)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)

Answer

Xargos picture Xargos · Jul 8, 2013

There are several other things you could try:

  1. Have you also tried JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.trustedCAKeyStore=/weblogic92/server/lib/cacerts"

  2. Try adding the certificates using the console (servers->server_name->keystores)

  3. You might also have to add following java options:

    1. -Dweblogic.security.SSL.verbose=true

    2. -Dweblogic.security.SSL.enable.renegotiation=true

    3. -Dsun.security.ssl.allowUnsafeRenegotiation=true

  4. In servers->server_name->SSL (advanced) check Use JSSE SSL.

  5. Check Use server certs.

  6. Change Hostname Verification to None

Related questions

weblogic.net.http.SOAPHttpsURLConnection cannot be cast to javax.net.ssl.HttpsURLConnection

I am getting "java.lang.ClassCastException" while trying to connect to a url using javax.net.ssl.HttpsURLConnection . I am using Weblogic Server 10.3.4. import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.…

Read More
StartSSL class 1 certificate not accepted by browser (Weblogic 10.0.1)

I have requested a class 1 certificate from StartSSL and installed it in Weblogic 10.0.1 (see screenshots). The browsers (Chrome & IE9 on Windows 7, IE8 on XPSP3) still give a certificate error (see screenshots). I think the StartSSL root certificate is available …

Read More
Cannot access HTTPS from Weblogic

I have a problem with Weblogic accessing an HTTPS server, I can access other HTTPS urls, like google or microsoft. The code that tries to connect to the url is: URL url = new URL("https://myserver.com"); HttpURLConnection connection = (HttpURLConnection) …

Read More