Monday, 13 February 2017

While invoking an external HTTPS web service from OSB, receiving "The invocation resulted in an error: General SSLEngine problem"

========================================================================
Applies to:
Weblogic Server: 12.2.1.1
OSB: 12.2.1.1
========================================================================
Problem Summary:
Unable to invoke an external HTTPS web service from OSB because of a General SSLEngine problem.

Error:
Caused By: com.bea.wli.sb.transports.TransportException: General SSLEngine problem
        at com.bea.wli.sb.transports.TransportException.newInstance(TransportException.java:214)
        at com.bea.wli.sb.transports.http.HttpOutboundMessageContext.send(HttpOutboundMessageContext.java:527)
        at com.bea.wli.sb.transports.http.wls.HttpTransportProvider.sendMessageAsync(HttpTransportProvider.java:238)
        at sun.reflect.GeneratedMethodAccessor1632.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.bea.wli.sb.transports.Util$1.invoke(Util.java:80)
        at com.sun.proxy.$Proxy214.sendMessageAsync(Unknown Source)

After enabling the DebugSecuritySSL flag, the exact error appears in the logs:

The invocation resulted in an error: [Security:090497]HANDSHAKE_FAILURE alert received from <<3dnshost>> - <<ip>>. Check both sides of the SSL configuration for mismatches in supported ciphers, supported protocol versions, trusted CAs, and hostname verification settings..

The invocation resulted in an error: [Security:090477]Certificate chain received from <<3dnshost>> - <<ip>> was not trusted causing SSL handshake failure..
========================================================================
Root Cause:
Recently the external web service host changed its certificates, and the new certificates (root and intermediate) do not exist in the WebLogic trust store $JAVA_HOME/jre/lib/security/cacerts.
========================================================================
How to verify:
1. Use the keytool command to list the certificates in the WebLogic trust store.
$JAVA_HOME/bin/keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
2. Provide the keystore password when prompted.
========================================================================
Resolution:
1. Use https://<host>:<port>/<uri> to get the external service's root and intermediate certificates.
2. Open the external web service https://<host>:<port>/<uri> in the IE browser.
3. Click the security report (lock icon) in the URL bar.
4. Click on View certificates.
5. Go to the Certification Path tab, select the root certificate and click View Certificate.
6. Go to the Details tab and click Copy to File.
7. The Certificate Export Wizard opens. Export the certificate as Base-64 encoded X.509 in .cer format.
8. Save it under a unique name.
9. Repeat steps 5 to 8 for the intermediate certificate.
10. Once you have the root and intermediate certificates, use the keytool command to import them into cacerts.
$JAVA_HOME/bin/keytool -import -trustcacerts -file /path/of/cert/<<name.cer>> -alias <<ALIAS NAME>> -keystore $JAVA_HOME/jre/lib/security/cacerts
11. Once the import is done, restart the domain for the changes to take effect and verify the call.
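The same verification and resolution steps can be done from the OSB host's shell without a browser. The script below is an added example, not part of the original post: it fetches the chain the remote service presents with openssl s_client (a swap-in for the IE export steps), splits the bundle into one PEM file per certificate, and imports each file into cacerts with keytool. Host, port, paths and the alias prefix are placeholders; it assumes openssl and keytool are on PATH and that the cacerts password is the JDK default (changeit) unless STOREPASS is set. Note that s_client only returns what the server sends, normally the leaf plus intermediates; if the root is missing from the bundle it has to be obtained from the CA separately, and the first file (the server's own certificate) does not need to be in the trust store.

```shell
#!/bin/sh
# Added example: fetch, split and import a remote HTTPS certificate chain.
# Assumptions: openssl and keytool on PATH; placeholders for host/port/paths.

# Fetch the chain presented by host ($1) on port ($2) into PEM bundle $3.
# -servername sends SNI so a virtual-hosted service returns the right chain.
fetch_chain() {
    host=$1; port=$2; out=$3
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$out"
}

# Split a PEM bundle ($1) into cert-01.pem, cert-02.pem, ... in directory $2.
# Prints the number of certificates found (0 if the bundle is empty).
split_pem_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$bundle"
    ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Import every cert-*.pem in directory $1 into keystore $2 using alias
# prefix $3 (alias becomes e.g. extsvc-cert-02). Set DRY_RUN=1 to print the
# keytool commands instead of executing them; password comes from STOREPASS.
import_chain() {
    dir=$1; store=$2; prefix=$3
    for f in "$dir"/cert-*.pem; do
        name="$prefix-$(basename "$f" .pem)"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo keytool -import -trustcacerts -noprompt -file "$f" -alias "$name" -keystore "$store"
        else
            keytool -import -trustcacerts -noprompt -file "$f" -alias "$name" \
                -keystore "$store" -storepass "${STOREPASS:-changeit}"
        fi
    done
}

# Usage (placeholders): run on the OSB host, then restart the domain.
#   fetch_chain extsvc.example.com 443 /tmp/extsvc-chain.pem
#   split_pem_chain /tmp/extsvc-chain.pem /tmp/extsvc-certs
#   import_chain /tmp/extsvc-certs "$JAVA_HOME/jre/lib/security/cacerts" extsvc
# After the restart, "openssl s_client -connect host:443 -CAfile cacerts.pem"
# (cacerts exported to PEM) should report "Verify return code: 0 (ok)".
```

The functions are kept separate so that the split step can be checked on the bundle before anything is written into cacerts; looking at the issuer of each file (openssl x509 -in cert-02.pem -noout -issuer -subject) tells you which file is the intermediate and whether the root is present, which is the "Certificate chain ... was not trusted" case from the log above.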
