weblogic ssl handshake failure trust store issue

Sekhar · Jul 5, 2013 · Viewed 28.4k times

I am getting an SSL handshake failure when I try to invoke an HTTPS service call within WebLogic. I have added the server certificate into the WebLogic trust store "cacerts".

Command used to add the trust store in the WebLogic startup script:

    JAVA_OPTIONS="-Dweblogic.security.SSL.trustedCAKeyStore="/weblogic92/server/lib/cacerts" ${JAVA_OPTIONS}"
    export JAVA_OPTIONS

Am I missing anything else? Any pointers to fix this issue?

Tested the SSL connection within the app server box using SSLPoke.java, and it was successful:

    java -Djavax.net.ssl.trustStore=/weblogic92/server/lib/cacerts \
         -Djavax.net.ssl.trustStorePassword=changeit SSLPoke 192.16.2.6 8443

WebLogic server log trace:

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1628)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:230)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:224)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1027)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:120)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:574)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:510)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:888)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1117)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:629)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
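A "PKIX path building failed" error means the JVM could not chain the certificate the server presented to any certificate in the trust store it was actually using. The diagnostic below is an added example, not code from the question or from WebLogic: it loads one trust store file (defaults taken from the question: host 192.16.2.6, port 8443, /weblogic92/server/lib/cacerts with the default password changeit, all overridable as arguments), keeps the real PKIX validation in place, and reports which certificate in the server's chain is missing from the store, which distinguishes "only the leaf was imported" from "the CA is missing".

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
// Hypothetical diagnostic, not from the question: validates one server against one
// trust-store file and reports which certificate of the presented chain is not trusted.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "192.16.2.6";                 // values from the question
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        String tsPath = args.length > 2 ? args[2] : "/weblogic92/server/lib/cacerts";
        char[] tsPass = (args.length > 3 ? args[3] : "changeit").toCharArray();  // cacerts default password
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream in = new FileInputStream(tsPath);
        try { ts.load(in, tsPass); } finally { in.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Wrapper records the chain the server sent, then still performs the real PKIX check.
        X509TrustManager probe = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                seen[0] = c; real.checkServerTrusted(c, a);
            }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                real.checkClientTrusted(c, a);
            }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { probe }, null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try { s.startHandshake(); System.out.println("OK: chain validated against " + tsPath); }
        catch (Exception e) { System.out.println("FAILED: " + e); }
        finally { s.close(); }
        if (seen[0] == null) { System.out.println("No server certificate received"); return; }
        for (X509Certificate c : seen[0]) {
            String alias = ts.getCertificateAlias(c);   // non-null only if this exact cert is in the store
            System.out.println("chain: " + c.getSubjectX500Principal() + " issued by " + c.getIssuerX500Principal()
                + (alias != null ? " [trusted, alias '" + alias + "']" : " [not in trust store]"));
        }
        X509Certificate last = seen[0][seen[0].length - 1];   // chain may stop at an intermediate
        boolean issuerTrusted = false;
        for (X509Certificate ca : real.getAcceptedIssuers())
            if (ca.getSubjectX500Principal().equals(last.getIssuerX500Principal())) issuerTrusted = true;
        if (!issuerTrusted) System.out.println("Issuer of '" + last.getSubjectX500Principal()
            + "' is not in the trust store: import that CA certificate, not only the server certificate");
    }
}
```

Run it with the same JDK that starts WebLogic, so the result reflects the trust store and provider the server process itself uses rather than a different one found on the PATH.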

Answer

Xargos · Jul 8, 2013

There are several other things you could try:

  1. Have you also tried JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.trustedCAKeyStore=/weblogic92/server/lib/cacerts"

  2. Try adding the certificates using the console (servers->server_name->keystores)

  3. You might also have to add following java options:

    1. -Dweblogic.security.SSL.verbose=true

    2. -Dweblogic.security.SSL.enable.renegotiation=true

    3. -Dsun.security.ssl.allowUnsafeRenegotiation=true

  4. In servers->server_name->SSL (advanced) check Use JSSE SSL.

  5. Check Use server certs.

  6. Change Hostname Verification to None