Hi,
I have created an SOA service to share a transaction (WSAT transaction) with a .NET WCF web service, but at the moment, as shown below, the SSL negotiation stops and the log messages don't show why.
Log Information:
####<Mar 21, 2017 9:01:17 AM WET> <Debug> <SecuritySSL> <svr-csp1dev.finantia.net> <soa_server1> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <da821a5a-d14c-43a2-9ddf-90d1ea3e260a-00000147> <1490086877384> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <weblogic user specified trustmanager validation status 0>
####<Mar 21, 2017 9:01:17 AM WET> <Debug> <SecuritySSL> <svr-csp1dev.finantia.net> <soa_server1> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <da821a5a-d14c-43a2-9ddf-90d1ea3e260a-00000147> <1490086877384> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <SSLTrustValidator returns: 0>
####<Mar 21, 2017 9:01:17 AM WET> <Debug> <SecuritySSL> <svr-csp1dev.finantia.net> <soa_server1> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <da821a5a-d14c-43a2-9ddf-90d1ea3e260a-00000147> <1490086877384> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <[Thread[ExecuteThread: '2' for queue: 'weblogic.socket.Muxer',5,Thread Group for Queue: 'weblogic.socket.Muxer']]weblogic.security.SSL.jsseadapter: SSLENGINE: No trust failure, validateErr=0.>
####<Mar 21, 2017 9:01:17 AM WET> <Debug> <SecuritySSL> <svr-csp1dev.finantia.net> <soa_server1> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <da821a5a-d14c-43a2-9ddf-90d1ea3e260a-00000147> <1490086877384> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <[Thread[ExecuteThread: '2' for queue: 'weblogic.socket.Muxer',5,Thread Group for Queue: 'weblogic.socket.Muxer']]weblogic.security.SSL.jsseadapter: SSLENGINE: Successfully completed post-handshake processing.>
####<Mar 21, 2017 9:01:17 AM WET> <Debug> <SecuritySSL> <svr-csp1dev.finantia.net> <soa_server1> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <da821a5a-d14c-43a2-9ddf-90d1ea3e260a-00000147> <1490086877385> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <[Thread[ExecuteThread: '2' for queue: 'weblogic.socket.Muxer',5,Thread Group for Queue: 'weblogic.socket.Muxer']]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 0 bytesProduced = 0.>
How can I enable more debug logs in the SOA server? Is it possible?
Our SOA server has these flags enabled for debugging:
-Djavax.net.debug=all -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true -Dweblogic.debug.DebugWSAT=true
Our .NET WCF service shows this log information in MSDTC:
<Exception>
<ExceptionType>System.ServiceModel.Security.SecurityNegotiationException, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Could not establish trust relationship for the SSL/TLS secure channel with authority 'ipAddrress:port'.</Message>
<StackTrace>
at System.ServiceModel.AsyncResult.End[TAsyncResult](IAsyncResult result)
at System.ServiceModel.Dispatcher.DuplexChannelBinder.EndRequest(IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.FinishSend(IAsyncResult result, Boolean completedSynchronously)
</StackTrace>
<ExceptionString>System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'ipAddrress:port'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
WCF logs with the coordinator context sent by SOA JTA to WCF:
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Information">
<TraceIdentifier>http://msdn.microsoft.com/pt-PT/library/System.ServiceModel.Channels.MessageReceived.aspx</TraceIdentifier>
<Description>Received a message over a channel.</Description>
<AppDomain>/LM/W3SVC/1/ROOT/SGP_WS-1-131345604739149530</AppDomain>
<Source>System.ServiceModel.Activation.HostedHttpContext+HostedHttpInput/16503569</Source>
<ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/MessageTransmitTraceRecord">
<MessageProperties>
<Encoder>application/soap+xml; charset=utf-8</Encoder>
<AllowOutputBatching>False</AllowOutputBatching>
<Via>http://machineName/dir/Service.svc</Via>
</MessageProperties>
<MessageHeaders>
<wsa:To xmlns:wsa="http://www.w3.org/2005/08/addressing">http://machineName/dir/Service.svc</wsa:To>
<wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:Test.Services.message/Service/testingOrders</wsa:Action>
<wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:ef6381fa-0e14-11e7-8f7c-0021f6e440d7</wsa:MessageID>
<wsa:RelatesTo xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:ef6381fa-0e14-11e7-8f7c-0021f6e440d7</wsa:RelatesTo>
<wsa:ReplyTo xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
<wsa:ReferenceParameters>
<instra:tracking.ecid xmlns:instra="http://xmlns.oracle.com/sca/tracking/1.0">da821a5a-d14c-43a2-9ddf-90d1ea3e260a-00002585</instra:tracking.ecid>
<instra:tracking.conversationId xmlns:instra="http://xmlns.oracle.com/sca/tracking/1.0">urn:ef6381fa-0e14-11e7-8f7c-0021f6e440d7</instra:tracking.conversationId>
<instra:tracking.FlowEventId xmlns:instra="http://xmlns.oracle.com/sca/tracking/1.0">3742686</instra:tracking.FlowEventId>
<instra:tracking.FlowId xmlns:instra="http://xmlns.oracle.com/sca/tracking/1.0">1190083</instra:tracking.FlowId>
<instra:tracking.CorrelationFlowId xmlns:instra="http://xmlns.oracle.com/sca/tracking/1.0">0000Lfk6KceDsX^5xVWByW1Oo0^f00001_</instra:tracking.CorrelationFlowId>
<instra:tracking.quiescing.SCAEntityId xmlns:instra="http://xmlns.oracle.com/sca/tracking/1.0">670003</instra:tracking.quiescing.SCAEntityId>
</wsa:ReferenceParameters>
</wsa:ReplyTo>
<wsa:FaultTo xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:FaultTo>
<ns0:CoordinationContext xmlns:ns0="http://schemas.xmlsoap.org/ws/2004/10/wscoor" xmlns:ns1="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:ns2="http://schemas.xmlsoap.org/soap/envelope/" ns2:mustUnderstand="1">
<ns0:Identifier>urn:uuid:BEA1-3226C8D3E11DA3D10E36</ns0:Identifier>
<ns0:Expires>300000</ns0:Expires>
<ns0:CoordinationType>http://schemas.xmlsoap.org/ws/2004/10/wsat</ns0:CoordinationType>
<ns0:RegistrationService>
<ns1:Address>https://ipAddrress:port/wls-wsat/RegistrationPortTypeRPC</ns1:Address>
<ns1:ReferenceParameters>
<wls-wsat:txId xmlns:wls-wsat="http://weblogic.wsee.wstx.wsat/ws/2008/10/wsat">BEA1-3226C8D3E11DA3D10E36</wls-wsat:txId>
<wls-wsat:routing xmlns:wls-wsat="http://weblogic.wsee.wstx.wsat/ws/2008/10/wsat">soa_serv1</wls-wsat:routing>
</ns1:ReferenceParameters>
</ns0:RegistrationService>
</ns0:CoordinationContext>
</MessageHeaders>
</ExtendedData>
</TraceRecord>
We are using the TLSv1 SSL protocol version for communication between MSDTC (Microsoft transaction coordinator) and JTA SOA (WebLogic transaction coordinator).
The TLSv1 protocol version is enabled with the flag "-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1" in the SOA server start.
To make this service easier to understand, I explain the complete flow:
SOA service (SOAP service with WCF WSDL; MANDATORY with DEFAULT protocol version is the configuration to share the transaction with the WCF web service) -> WCF service received the transaction -> transaction was sent to MSDTC and started secure negotiation with JTA to register the WSAT transaction as a participant (this step failed with error "The remote certificate is invalid according to the validation procedure.")
Regards,
André Janota
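
One check that fits the failure reported above, as an added example that is not part of the original post: the participant connects to whatever URL the CoordinationContext advertises in RegistrationService/Address, so this sketch extracts that host and tests whether a certificate's subjectAltName entries cover it. The sample header, the 192.0.2.10:7002 address and both certificate dicts are constructed, and the matching is the general TLS name-check rule, which may differ in detail from what the .NET stack applies.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSCOOR = "http://schemas.xmlsoap.org/ws/2004/10/wscoor"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"

# Constructed sample shaped like the CoordinationContext in the trace; the
# address is a documentation IP and port, not a value from the post.
SAMPLE_CONTEXT = f"""<c:CoordinationContext xmlns:c="{WSCOOR}" xmlns:a="{WSA}">
  <c:CoordinationType>http://schemas.xmlsoap.org/ws/2004/10/wsat</c:CoordinationType>
  <c:RegistrationService>
    <a:Address>https://192.0.2.10:7002/wls-wsat/RegistrationPortTypeRPC</a:Address>
  </c:RegistrationService>
</c:CoordinationContext>"""

# Constructed certificates in the dict layout of ssl.SSLSocket.getpeercert().
CERT_DNS_ONLY = {"subjectAltName": (("DNS", "soa.example.test"),
                                    ("DNS", "*.dev.example.test"))}
CERT_WITH_IP = {"subjectAltName": (("DNS", "soa.example.test"),
                                   ("IP Address", "192.0.2.10"))}

def registration_endpoint(context_xml):
    """Return (host, port) the participant must open a TLS connection to."""
    root = ET.fromstring(context_xml)
    addr = root.find(f".//{{{WSCOOR}}}RegistrationService/{{{WSA}}}Address")
    if addr is None or not (addr.text or "").strip():
        raise ValueError("no RegistrationService address in context")
    url = urlsplit(addr.text.strip())
    if url.scheme != "https" or not url.hostname:
        raise ValueError("registration endpoint is not an https URL")
    return url.hostname, url.port or 443

def _dns_match(pattern, host):
    # A wildcard is honoured only as the whole left-most label.
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def cert_covers_host(cert, host):
    """True if a subjectAltName entry of the right type matches the host."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(_dns_match(v, host) for k, v in sans if k == "DNS")
    # An IP-literal URL is covered only by an IP Address entry, never a DNS one.
    return any(ipaddress.ip_address(v) == ip for k, v in sans if k == "IP Address")

def check(context_xml, cert):
    host, port = registration_endpoint(context_xml)
    return host, port, cert_covers_host(cert, host)
```

To run it against a live endpoint, pass the dict returned by `ssl.SSLSocket.getpeercert()` for the server certificate in place of the constructed ones.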