
In our application we need to call several Web Services based on URLs and trusted SSL certificates that are stored in a database. Those certificates are self-signed but we cannot add them to the WebLogic truststore. This is 2-way SSL but our server refuses the remote certificate.

What is the right way to do this?

(The rest of the question describes what we already tried.)


In WebLogic 10g we used to do the following:

    import java.security.cert.X509Certificate;
    import weblogic.security.SSL.TrustManager;
    import weblogic.wsee.connection.transport.https.WlsSSLAdapter;

    WlsSSLAdapter adapter = new WlsSSLAdapter();
    try {
        // setup for client certificate
        adapter.setKeystore(…);
        adapter.setClientCert(…);
        // setup for accepting the remote certificate: trust only the expected one
        adapter.setTrustManager(new TrustManager() {
            @Override
            public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
                // compare by value, not by reference: == only matches the very same object
                return chain != null && chain.length > 0 && chain[0].equals(expectedCertificate);
            }
        });
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    ((weblogic.wsee.jaxrpc.StubImpl) servicePort)._setProperty(weblogic.wsee.jaxrpc.WLStub.SSL_ADAPTER, adapter);

However in WebLogic 11g it appears that even if the TrustManager is called (which we checked by using a debugger), WebLogic refuses the certificate:

    <validationCallback: validateErr = 16>
    <  cert[0] = Serial number: 9232073310112809071929676484517784211
        Issuer:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=mestoudi2
        Subject:C=US, ST=MyState, L=MyTown, O=MyOrganization, OU=FOR TESTING ONLY, CN=mestoudi2
        Not Valid Before:Tue Nov 01 14:33:31 CET 2011
        Not Valid After:Sun Nov 02 14:33:31 CET 2031
        Signature Algorithm:MD5withRSA
        >
    <weblogic user specified trustmanager validation status 16>
    <Certificate chain received from mestoudi2 - 10.142.0.23 was not trusted causing SSL handshake failure.>
    <Validation error = 16>
    <Certificate chain is untrusted>
    <SSLTrustValidator returns: 16>
    <Trust status (16):  CERT_CHAIN_UNTRUSTED>
    <NEW ALERT with Severity: FATAL, Type: 42
        java.lang.Exception: New alert stack
          at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
          at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
          at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
    …

I think the first difference occurs on the line weblogic user specified trustmanager validation status 16 where in WebLogic 10g the value was 0 instead of 16.

If we check "Use JSSE SSL" in the WebLogic administration console (which switches the implementation to com.sun.net.ssl instead of com.certicom.tls), the TrustManager is not called at all.

We also tried to configure the TrustManager by implementing a javax.net.ssl.X509TrustManager that we set on a weblogic.wsee.connection.transport.https.HttpsTransportInfo passed to the stub using

    ((weblogic.wsee.jaxrpc.StubImpl) servicePort)._setProperty(TRANSPORT_INFO, transportInfo);

But it is not called either – however it works for setting up a proxy for example. We are generating the stubs using the clientgen Ant task (weblogic.wsee.tools.anttasks.ClientGenTask).

Didier L
  • When you say you 'cannot add them to the WebLogic trust store', can you clarify if you're unable to do so due to an issue or if it's against company policy, etc. ? – Musannif Zahir Jul 05 '12 at 15:15
  • In fact the main reason for not adding them to the trust store is because we don't want to accept those certificates for other uses than those web service calls. Moreover the certificates might be changed at runtime and this would thus move the problem to modifying/reloading the trust store. Finally I think it would be against our customer's policy but I didn't check. – Didier L Jul 05 '12 at 16:19
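The trust decision the question's callback makes is certificate pinning: accept the peer only if it presents exactly the certificate stored in the database, regardless of what the truststore says. The following class is an added example (not code from the question or from WebLogic) showing that check done by value, in pure JDK so it compiles anywhere: it compares the DER encoding of the leaf certificate with the stored one, enforces the validity period, and exposes both the `javax.net.ssl.X509TrustManager` methods and a `certificateCallback(X509Certificate[], int)` method with the same signature as `weblogic.security.SSL.TrustManager`. To plug it into `WlsSSLAdapter.setTrustManager` you would additionally declare `implements weblogic.security.SSL.TrustManager`, which is left out here as an assumption so the example has no WebLogic dependency. The `main` method, file paths and the `validateErr` value 16 taken from the log are illustrative only.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

/** Trusts exactly one expected peer certificate, independent of any truststore. */
public final class PinnedPeerTrustManager implements X509TrustManager {
    private final byte[] expectedDer; // DER bytes of the certificate loaded from the database

    public PinnedPeerTrustManager(X509Certificate expected) throws CertificateException {
        this.expectedDer = expected.getEncoded();
    }

    /** Same signature as weblogic.security.SSL.TrustManager.certificateCallback (assumed wiring). */
    public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
        // validateErr is ignored on purpose: the pinned certificate is self-signed, so the
        // container's own chain validation always reports an error; the pin is the sole decision.
        return matches(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (!matches(chain)) {
            throw new CertificateException("peer certificate does not match the pinned certificate");
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("this trust manager only validates the remote server");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0]; // no CA is trusted, only the pinned leaf
    }

    /** True only if the leaf of the presented chain is byte-for-byte the stored certificate and currently valid. */
    boolean matches(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return false;
        }
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity(); // reject expired / not-yet-valid, even if it is the pinned one
            return MessageDigest.isEqual(expectedDer, leaf.getEncoded());
        } catch (CertificateException e) {
            return false;
        }
    }

    /** Parses a DER or PEM encoded certificate, e.g. the blob read from the database. */
    public static X509Certificate load(byte[] derOrPem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(derOrPem));
    }

    /** SHA-256 fingerprint of the DER encoding, useful for logging which pin was applied. */
    public static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Usage (illustrative): java PinnedPeerTrustManager expected.cer [presented.cer]
    public static void main(String[] args) throws Exception {
        X509Certificate expected = load(Files.readAllBytes(Paths.get(args[0])));
        X509Certificate presented = args.length > 1
                ? load(Files.readAllBytes(Paths.get(args[1])))
                : expected;
        PinnedPeerTrustManager tm = new PinnedPeerTrustManager(expected);
        System.out.println("pinned SHA-256: " + sha256Fingerprint(expected));
        System.out.println("presented certificate accepted: "
                + tm.certificateCallback(new X509Certificate[] {presented}, 16));
    }
}
```

Because the pin covers the exact certificate bytes, the weak MD5withRSA signature shown in the log is never relied on for the trust decision, and a certificate replaced in the database at runtime only requires constructing a new instance from the new bytes, with no truststore reload. This does not by itself address the 11g behaviour described in the question, where the adapter rejects the chain even after the callback returns true; it only shows the callback's check done correctly.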

0 Answers