I am getting ssl handshake failure when i try to invoke https service call within weblogic. I have added the server certificate into weblogic trust store -"cacerts".
Command used to add the trust store in weblogic startup script :
JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore="/weblogic92/server/lib/cacerts" ${JAVA_OPTIONS}"
export JAVA_OPTIONS
Am i missing anything else - Any pointers to fix this issue ?
Tested the ssl connection within app server box using SSLPoke.java and it was successful.
java -Djavax.net.ssl.trustStore=/weblogic92/server/lib/cacerts
-Djavax.net.ssl.trustStorePassword=changeit SSLPoke 192.16.2.6 8443
Weblogic server log trace:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1628)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:230)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:224)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1027)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:120)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:574)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:510)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:888)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1117)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:629)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
There are several other things you could try:
Have you also tried JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.trustedCAKeyStore=/weblogic92/server/lib/cacerts"
Try adding the certificates using the console (servers->server_name->keystores)
You might also have to add following java options:
-Dweblogic.security.SSL.verbose=true
-Dweblogic.security.SSL.enable.renegotiation=true
-Dsun.security.ssl.allowUnsafeRenegotiation=true
In servers->server_name->SSL (advanced) check Use JSSE SSL.
Check Use server certs.
Change Hostname Verification to None