
OSR 2way SSL client configuration in Weblogic

user10939158 Sep 18 2009 — edited Sep 21 2009
We've implemented 2way SSL in our Weblogic domains that host endpoints for use by OSB and OSR, using signed (not self-signed!) certificates. OSB works great and invokes the endpoints successfully over 2way SSL.

The problem is that OSR doesn't use the same security keystore / truststore as WebLogic. The Weblogic server hosting OSR is configured with the same keystore / truststore that the OSB server uses, and the OSR mgd server also has "Use Server Certs" enabled.

The OSR 10g server and the endpoint domain both use the same versions: Weblogic 10.3, using jrockit_160_05, both running on Linux 2.6.18-92.1.17.0.2.el5xen #1 SMP Tue Nov 18 04:11:19 EST 2008 i686 i686 i386 GNU/Linux on different hosts.

For one-way SSL, I imported (with PStoreTool.sh) the server certificate from the endpoints' domain into the registry's conf/pstore.xml & redeployed, and then OSR was able to trust the incoming server cert. That's been working great.


I'd like to have OSR submit the same certificate that OSB does so that OSR can act as a client in 2-way SSL. So I've used this:


# Get the server cert from the OSR WL server
sslTool.sh serverInfo url https://"OSR_HOST" certFile "OSR_HOST_FILE"

# Add it into extracted pstore
PStoreTool.sh new -alias "CN value" -keypassword ****t -config conf/pstore.xml -certFile "OSR_HOST_FILE"

# encrypt keypass
sslTool.sh encrypt --password *****

and added an entry in the registry.war's app/uddi/conf/security.xml of:

<sslConnectionAlias>OSR_HOST</sslConnectionAlias>
<sslConnectionPassword_coded>"output from sslTool encrypt"</sslConnectionPassword_coded>

But when trying to publish an https:// endpoint into OSR, I get an error in the OSR console of:

Invalid WSDL location! WSDLException: faultCode=INVALID_WSDL: Cannot get WSDL at 'https://...."'. Exception occured: javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error.

The OSR server log shows this:

ERROR: com.idoox.wsdl.xml.WSDLReaderImpl - javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
ERROR: com.systinet.uddi.webui.WebUIRawService - Web Framework exception
EXCEPTION: com.systinet.uddi.webui.WebUIException: (18003) UDDI error occurred.
javax.servlet.ServletException: com.systinet.uddi.webui.WebUIException: (18003) UDDI error occurred.

In the weblogic endpoint domain, I get this error at the same time, after the OSR certificate has been presented:

<Sep 17, 2009 4:12:40 PM EDT> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: CertificateVerify>
<Sep 17, 2009 4:12:40 PM EDT> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA/ECB/NoPadding>
<Sep 17, 2009 4:12:40 PM EDT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 51
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ServerStateReceivedClientKeyExchange.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)


For two-way SSL, what steps are needed? The documentation on PStoreTool only lists available commands, but not how they would be used to perform 2way ssl config.
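A note on the alert in the endpoint log, added here as editorial context and not part of the original post: TLS alert type 51 is decrypt_error, and at the CertificateVerify step the server checks the client's signature over the handshake against the public key in the certificate the client just presented. A decrypt_error there means the key that produced the signature is not the private key belonging to that certificate. A certificate fetched off the wire (which is all a serverInfo-style fetch can return) carries no private key at all, so the first thing to rule out before touching OSR's configuration is whether the client-side entry actually holds a key pair for the alias, rather than just the certificate. The script below is an added example (not OSR, PStoreTool or WebLogic code) that performs that check with the openssl CLI on PEM files; it builds throw-away keys and a self-signed certificate inline as constructed test material, and the file names are illustrative.

```shell
#!/bin/sh
# Added example: confirm that a client certificate and private key form a pair
# before using them for 2-way SSL client authentication. Assumes the openssl CLI
# is on PATH. All key material below is generated on the fly and thrown away.
set -eu

# pubkey_of_cert CERT.pem -> prints the public key (PEM) embedded in the certificate
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }

# pubkey_of_key KEY.pem -> derives the public key (PEM) from a private key
pubkey_of_key() { openssl pkey -in "$1" -pubout; }

# key_matches_cert KEY.pem CERT.pem -> exit 0 if they are a pair, 1 otherwise.
# A mismatch here is what a TLS server reports as decrypt_error (alert 51)
# when it tries to validate the client's CertificateVerify message.
key_matches_cert() {
    [ "$(pubkey_of_key "$1")" = "$(pubkey_of_cert "$2")" ]
}

# has_private_key FILE.pem -> exit 0 if the file carries a private key at all.
# A certificate downloaded from a server never does.
has_private_key() { grep -q 'PRIVATE KEY-----' "$1"; }

# --- constructed demo material (hypothetical names, not real credentials) ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/osr.key" 2>/dev/null
openssl req -new -x509 -key "$work/osr.key" -subj "/CN=OSR_HOST" -days 1 -out "$work/osr.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/other.key" 2>/dev/null

if key_matches_cert "$work/osr.key" "$work/osr.crt"; then
    echo "osr.key matches osr.crt: usable as a 2-way SSL client identity"
fi
if ! key_matches_cert "$work/other.key" "$work/osr.crt"; then
    echo "other.key does NOT match osr.crt: a peer would answer CertificateVerify with decrypt_error"
fi
if ! has_private_key "$work/osr.crt"; then
    echo "osr.crt alone carries no private key: it can only be a trusted-cert entry, not a client identity"
fi
```

The same distinction is visible in a Java keystore: `keytool -list -v -keystore identity.jks` prints `Entry type: PrivateKeyEntry` for an alias that can act as a client identity and `Entry type: trustedCertEntry` for a bare certificate, which is only good for trust decisions.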
Locked due to inactivity on Oct 19 2009
Added on Sep 18 2009