
I am not able to get mbeans from Weblogic server using PKCS12 ssl certificate through Java client.

  • Server: Weblogic
  • Client: Java client/JConsole

Server-side commands used to create self-signed certificates: created a certificate using the Weblogic CertGen utility, the Weblogic CertGenCA.der and the Certificate Authority.

java utils.CertGen -certfile ServerCert -keyfile ServerKey -keyfilepass keypass

java utils.der2pem CertGenCA.der

type serverCert.pem CertGenCA.pem >> myCert.pem

Server keystore created:
java utils.ImportPrivateKey -keystore  SeverIdentity.jks -storepass storepass -storetype JKS \
    -keypass keypass -alias mykey -certfile myCert.pem -keyfile ServerKey.pem \
    -keyfilepass keypass

Server truststore used:
DemoTrust.jks (Default Weblogic truststore)

Client-side commands used to create the PKCS12 self-signed certificate:

java utils.CertGen -certfile ClientCert -keyfile ClientKey -keyfilepass keypass

openssl pkcs12 -export -in ClientCert.pem -inkey ClientKey.pem -out client-pkcs-12-cert

Configurations done in Weblogic Admin Console:

Keystores: Custom Identity Custom Trust.
Custom Identity Keystore:  D:\certificate\latest\pkcs\SeverIdentity.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: storepass (same as the -storepass value of ImportPrivateKey)
Confirm Custom Identity Keystore Passphrase: storepass
Custom Trust Keystore: D:\certificate\latest\pkcs\DemoTrust.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: DemoTrustKeyStorePassPhrase
Confirm Custom Trust Keystore Passphrase: DemoTrustKeyStorePassPhrase

Configurations done in setDomainEnv.cmd:

set JAVA_OPTIONS=%JAVA_OPTIONS% -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9191 \
    -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.authenticate=false \
    -Djavax.net.ssl.keyStore=D:\certificate\latest\pkcs\SeverIdentity.jks \
    -Djavax.net.ssl.keyStorePassword=keypass -Djavax.net.ssl.trustStore=D:\certificate\latest\pkcs\DemoTrust.jks \
    -Djavax.net.ssl.trustStorePassword=DemoTrustKeyStorePassPhrase -Djava.rmi.server.hostname=10.112.69.200

Reference : http://www.weblogic-tips.com/2010/05/20/two-way-ssl-on-weblogic-server/

Java client code:

package test;

import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Set;
import javax.management.MBeanInfo;
import javax.management.MBeanServerConnection;
import javax.management.ObjectInstance;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class Test {

    public static void main(String args[]) {
        try {
            // Point the JVM-wide key store at the client PKCS#12 file
            System.setProperty("javax.net.ssl.keyStore",
                    "D://certificate//latest//client-pkcs-12-cert");
            System.setProperty("javax.net.ssl.keyStorePassword", "keypass");

            HashMap<String, Object> env = new HashMap<String, Object>();

            // The same PKCS#12 file is loaded again and handed to the trust manager
            String truststore = "D://certificate//latest//client-pkcs-12-cert";
            char truststorepass[] = "keypass".toCharArray();
            KeyStore ks = KeyStore.getInstance("pkcs12");
            ks.load(new FileInputStream(truststore), truststorepass);

            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
            tmf.init(ks);

            // SSLContext built from trust managers only; no key managers are supplied
            SSLContext ctx = SSLContext.getInstance("TLSv1");
            ctx.init(null, tmf.getTrustManagers(), null);
            SSLSocketFactory ssf = ctx.getSocketFactory();
            env.put("jmx.remote.tls.socket.factory", ssf);

            JMXServiceURL address = new JMXServiceURL("rmi", "", 0,
                    "/jndi/rmi://localhost:9191/jmxrmi");

            // The exception below is thrown on this connect call
            JMXConnector jmxc = JMXConnectorFactory.connect(address, env);
            MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();
            Set<ObjectInstance> beans = mbsc.queryMBeans(null, null);

            for (ObjectInstance instance : beans) {
                MBeanInfo info = mbsc.getMBeanInfo(instance.getObjectName());
                System.out.println(info);
            }

            jmxc.close();
        } catch (Exception e) {
            e.printStackTrace();
            System.out.println("error :" + e.getMessage());
        }
    }
}

I am able to get mbeans when the JKS certificate is used, but when I use the PKCS12 certificate it gives the following error while connecting through JMXConnectorFactory. The exception is thrown at the line: JMXConnector jmxc = JMXConnectorFactory.connect(address, env);

Exceptions:

java.rmi.ConnectIOException: Exception creating connection to: 10.112.69.200; nested exception is: 
       java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
       at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:614)
       at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:198)
       at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:184)
       at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:110)
       at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
       at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2327)
       at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:277)
       at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
       at test.Test.main(Test.java:68)
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
       at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:179)
       at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:192)
       at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:105)
       at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:595)
       ... 8 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
       at java.security.Provider$Service.newInstance(Provider.java:1245)
       at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
       at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
       at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
       at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
       at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
       at javax.rmi.ssl.SslRMIClientSocketFactory.getDefaultClientSocketFactory(SslRMIClientSocketFactory.java:192)
       at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:102)
       at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:595)
       at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:198)
       at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:184)
       at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:322)
       at sun.rmi.transport.DGCImpl_Stub.dirty(Unknown Source)
       at sun.rmi.transport.DGCClient$EndpointEntry.makeDirtyCall(DGCClient.java:342)
       at sun.rmi.transport.DGCClient$EndpointEntry.registerRefs(DGCClient.java:285)
       at sun.rmi.transport.DGCClient.registerRefs(DGCClient.java:121)
       at sun.rmi.transport.ConnectionInputStream.registerRefs(ConnectionInputStream.java:80)
       at sun.rmi.transport.StreamRemoteCall.releaseInputStream(StreamRemoteCall.java:138)
       at sun.rmi.transport.StreamRemoteCall.done(StreamRemoteCall.java:292)
       at sun.rmi.server.UnicastRef.done(UnicastRef.java:431)
       at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
       at com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:97)
       at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:185)
       at javax.naming.InitialContext.lookup(InitialContext.java:392)
       at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1886)
       at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1856)
       at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:255)
       ... 2 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
       at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
       at sun.security.util.DerValue.init(DerValue.java:347)
       at sun.security.util.DerValue.<init>(DerValue.java:303)
       at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1200)
       at java.security.KeyStore.load(KeyStore.java:1185)
       at com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:202)
       at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultTrustManager(DefaultSSLContextImpl.java:70)
       at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
       at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
       at java.lang.Class.newInstance0(Class.java:357)
       at java.lang.Class.newInstance(Class.java:310)
       at java.security.Provider$Service.newInstance(Provider.java:1221)
       ... 28 more
error :Exception creating connection to: 10.112.69.200; nested exception is: 
       java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
user3588245
  • "Client side commands used to create PKCS12 self signed certificate..." - that's going to be a bear to manage. It won't scale to 10,000 or 25,000 client... – jww May 07 '14 at 14:25
  • `java.security.NoSuchAlgorithmException` - Try adding `-Djavax.net.debug=ssl`, or at least `-Djavax.net.debug=ssl,keymanager` for more information. – jww May 07 '14 at 14:33
  • Also see [Java and SSL - java.security.NoSuchAlgorithmException](https://stackoverflow.com/questions/6365209/java-and-ssl-java-security-nosuchalgorithmexception). – jww May 07 '14 at 14:34
  • 1
    possible duplicate of [Facing issue while authenticating pkcs12 cer in weblogic](http://stackoverflow.com/questions/23384672/facing-issue-while-authenticating-pkcs12-cer-in-weblogic) – Display Name is missing May 07 '14 at 15:45
  • 1
    You asked this here as well, not sure which one you want answered but please don't ask the same question multiple times: http://stackoverflow.com/questions/23384672/facing-issue-while-authenticating-pkcs12-cer-in-weblogic And why not use the JKS file with the client if that works? We don't use p12 for clients, we use JKS only. – Display Name is missing May 07 '14 at 15:50

1 Answer


Firstly, ... (EDIT: I've realised I had misread part of the error, my first point was most certainly at least partly incorrect.)

A quick search for your error message (java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.) points to this IBM support page, which suggests using a JKS keystore instead of PKCS#12 (on the server side, which you're not doing) or that there are incorrect characters in the certificate.

Secondly, you have no chance to get client-certificate authentication working with this code, even once your server certificate problems are fixed.

String truststore = "D://certificate//latest//client-pkcs-12-cert";
char truststorepass[] = "keypass".toCharArray();
KeyStore ks = KeyStore.getInstance("pkcs12");
ks.load(new FileInputStream(truststore), truststorepass);

TrustManagerFactory tmf = TrustManagerFactory
        .getInstance("SunX509");

tmf.init(ks);
SSLContext ctx = SSLContext.getInstance("TLSv1");
ctx.init(null, tmf.getTrustManagers(), null);

The PKCS#12 file should contain both your client cert and its private key. It is meant to be used as a keystore, not a truststore. That is, although the entity is called keystore in both cases, you are meant to use it with the key manager, not the trust manager.

Here, you're using your PKCS#12 file to initialise the trust manager of your SSLContext. It's the key manager you should initialise instead.

In addition, if you're using your code with a JRE that isn't related to Sun/Oracle/OpenJDK, you should probably avoid hard-coding "SunX509"; use TrustManagerFactory.getDefaultAlgorithm() instead (same for the KeyManagerFactory when you implement this stage).

Bruno
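The corrected client-side setup the answer describes, added here as an illustration (it is not code from the question or from Bruno's answer): the PKCS#12 file initialises the KeyManagerFactory, a separate JKS truststore initialises the TrustManagerFactory, and both factories use their default algorithm. The file names, passwords and class name are placeholders, and the truststore is assumed to contain only the CA certificate (CertGenCA.pem from the question, imported with keytool).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class JmxClientCertExample {

    // Load a keystore of the given type from disk, closing the stream on all paths.
    static KeyStore loadStore(String path, String type, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    // The PKCS#12 file (client cert + private key) feeds the KeyManager, i.e. the
    // client identity; a separate truststore holding only the CA that signed the
    // server certificate feeds the TrustManager. Factory algorithms are not hard-coded.
    static SSLContext buildContext(String p12Path, char[] p12Pass,
                                   String trustPath, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(p12Path, "PKCS12", p12Pass), p12Pass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(trustPath, "JKS", trustPass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords; substitute the files built in the question.
        SSLContext ctx = buildContext("client-pkcs-12-cert", "keypass".toCharArray(),
                                      "client-trust.jks", "trustpass".toCharArray());
        // The stack trace shows SslRMIClientSocketFactory calling SSLSocketFactory.getDefault(),
        // so the context is installed as the JVM default rather than passed through env.
        SSLContext.setDefault(ctx);

        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:9191/jmxrmi");
        try (JMXConnector jmxc = JMXConnectorFactory.connect(url, null)) {
            MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();
            System.out.println("MBeans visible: " + mbsc.getMBeanCount());
        }
    }
}
```

With a PKCS#12 keystore holding the client identity and a truststore holding only the CA, a server presenting a certificate from any other issuer is rejected at the handshake instead of being trusted.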