WebLogic 12 SSLKeyException: Hostname verification failed after restart - ssl-certificate

I have a WAR file deployed on WebLogic 12.1.2.0.0. The application calls a web service via HTTPS. The certificate is imported into DemoTrust.jks. All SSL-related settings should be correct. And actually it works, but after the server is restarted it does not work for about 15-20 minutes; after that it starts working again. During this period the following errors are printed to the console:
<Warning> <Security> <BEA-090504> <Certificate chain received from xxx.xxxxxxxx.xxx.com -
167.107.80.230 failed hostname verification check. Certificate contained xxx.xxxxxxxx.xxx.com
but check expected xxx.xxxxxxxx.xxx.com>
After the warning I get:
javax.xml.ws.WebServiceException: javax.net.ssl.SSLKeyException: Hostname verification failed:
HostnameVerifier=weblogic.security.utils.SSLWLSHostnameVerifier,hostname=xxx.xxxxxxxx.xxx.com.
In the warning above contained and expected domains are identical.
Thank you for your help!
-E

If this is an issue with wildcards in the certificate name (e.g. weblogic default verifier doesn't think the certificate for *.salesforce.com covers cs86.salesforce.com), WebLogic actually provides a custom verifier to use: weblogic.security.utils.SSLWLSWildcardHostnameVerifier. This value should be entered in the SSL configuration for the server in Console -> Servers -> {Server Name} -> SSL -> Advanced -> Custom Hostname Verifier

Admin console: Servers -> server name -> Configuration -> SSL tab -> Advanced -> change the Hostname Verification dropdown to None.
This worked for me.

Adding set JAVA_OPTIONS=%JAVA_OPTIONS% -DUseSunHttpHandler=true helped me. Try adding this line to the WebLogic setDomainEnv.(cmd|sh) file. The purpose of this parameter is to tell WebLogic to use Sun's HttpHandler instead of the WebLogic one.

The change I made in the Console didn't help me (Console -> Servers -> {Server Name} -> SSL -> Advanced -> Custom Hostname Verifier or None).
After that I edited the JAVA_OPTIONS property in the setDomainEnv file.
No verification. I know it's not a nice solution, but it saved my day.
Added the following line
-Dweblogic.security.SSL.ignoreHostnameVerification=true
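The answers above pick between three settings: WebLogic's default verifier, its wildcard-aware verifier (weblogic.security.utils.SSLWLSWildcardHostnameVerifier), and switching verification off (Hostname Verification = None, or -Dweblogic.security.SSL.ignoreHostnameVerification=true). The following is an added example, my own code rather than anything from WebLogic or from the answers: it models the three as plain matching functions so the difference shows on sample names. The default verifier is modelled as an exact match, as the first answer states; the wildcard rule (a single leftmost `*` covering exactly one label and never the bare domain, RFC 6125 style) is my assumption about how the wildcard verifier behaves. The names in CASES are constructed. The "none" column is the one to look at before copying the last answer: with verification off, any certificate that chains to the trust store is accepted for any hostname, so a valid certificate for some unrelated name is enough to intercept the connection.

```python
"""Model of WebLogic's hostname-verification choices (added example, not Oracle code)."""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Split a DNS name into labels; case and a trailing dot are not significant."""
    return name.rstrip(".").lower().split(".")


def strict_match(cert_name: str, hostname: str) -> bool:
    """Exact label-by-label comparison, no wildcard handling
    (models the default SSLWLSHostnameVerifier as the answer above describes it)."""
    return _labels(cert_name) == _labels(hostname)


def wildcard_match(cert_name: str, hostname: str) -> bool:
    """Accept one '*' as the leftmost label only, covering exactly one label
    (RFC 6125 style; assumed to be what SSLWLSWildcardHostnameVerifier does)."""
    cert, host = _labels(cert_name), _labels(hostname)
    if "*" not in cert_name:
        return cert == host
    if len(cert) < 3 or cert[0] != "*" or any("*" in lbl for lbl in cert[1:]):
        return False  # reject '*', '*.com', 'a*.example.com', '*.*.example.com'
    return len(cert) == len(host) and cert[1:] == host[1:]


def verify(mode: str, cert_names: list[str], hostname: str) -> bool:
    """mode is 'strict', 'wildcard' or 'none'. 'none' accepts every certificate,
    which is what Hostname Verification = None and
    -Dweblogic.security.SSL.ignoreHostnameVerification=true amount to."""
    if mode == "none":
        return True
    if mode not in ("strict", "wildcard"):
        raise ValueError(f"unknown mode {mode!r}")
    matcher = strict_match if mode == "strict" else wildcard_match
    return any(matcher(n, hostname) for n in cert_names)


# (names in the certificate, host the client connected to) -- constructed cases
CASES = [
    (["*.salesforce.com"], "cs86.salesforce.com"),      # the case from the first answer
    (["*.salesforce.com"], "eu1.cs86.salesforce.com"),  # wildcard covers one label only
    (["*.salesforce.com"], "salesforce.com"),           # wildcard never covers the bare domain
    (["xxx.xxxxxxxx.xxx.com"], "XXX.xxxxxxxx.xxx.com."),  # case/trailing dot are irrelevant
    (["mitm.example.net"], "xxx.xxxxxxxx.xxx.com"),     # unrelated name: only 'none' accepts it
]


def comparison() -> dict[str, tuple[bool, bool, bool]]:
    """host -> (strict, wildcard, none) verdicts for every case."""
    return {
        host: tuple(verify(m, names, host) for m in ("strict", "wildcard", "none"))
        for names, host in CASES
    }


if __name__ == "__main__":
    print(f"{'host':28} strict  wildcard  none")
    for host, (s, w, n) in comparison().items():
        print(f"{host:28} {s!s:7} {w!s:9} {n}")
```

The last row is the caveat: the unrelated certificate fails both real verifiers and passes only when verification is off, so "None" and ignoreHostnameVerification=true trade the 15-20 minute outage for a permanent man-in-the-middle window.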

Related

Error during the second SSL certificate request for a site hosted on a VPS with webmin

I encounter this error, which I have put in parentheses. I want to install the SSL certificate on my site, which is hosted on a VPS with Webmin. When I did it the first time it worked: my site had the SSL certificate from Let's Encrypt. But afterwards I wanted to start all over again, so I deleted the server and all the files from my site, then I created a new server with the same name as the old server. Now when I try to request the SSL certificate in my Webmin it no longer works, while the first time it worked well. I have put the error that is displayed in parentheses: ( Requesting a certificate for ertiden from Let's Encrypt ..
Request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
An unexpected error occurred:
Error creating new order :: Cannot issue for "ertiden": Domain name needs at least one dot
Please see the logfiles in /var/log/letsencrypt for more details.
DNS-based validation failed : Neither DNS zone or any of its sub-domains exist on this system )

Weblogic 11g: how to change path to my trust.jks file for all Servers

I have put 2 files in /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/:
-trust.jks
-identity.jks
Then, in the WebLogic console, for the Admin and managed servers, I changed the path to:
-Custom Identity Keystore
-Custom Trust Keystore
All looks good.
After WebLogic restarts all servers are running, but
when I run this command in a terminal: ps -eaf|grep weblogic
I see this line:
-Djavax.net.ssl.trustStore=/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/DemoTrust.jks
As a result none of my online interfaces are connecting.
I get the following error:
BEA-382513<con:reason>OSB Replace action failed updating variable "body": {err}FORG0005: expected exactly one item, got 0 items</con:reason>
Can someone help me to correct the path for my servers so that they look for trust.jks and not DemoTrust.jks?
The way to fix this is by setting the flag "SSL Listen Port Enabled",
which can be found at
Home > Summary of Environment > Summary of Servers > AdminServer -> Configuration/General.
After this we need to go to this view:
Home > Summary of Environment > Summary of Servers > AdminServer > Summary of Servers -> Control
Select AdminServer and click on Restart SSL.
To see if the changes have been applied we need to execute the command:
ps -eaf|grep weblogic
and look for
-Djavax.net.ssl.trustStore=/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/**trust.jks**
If the end has the trust key file (in my case I called it trust.jks), then the change was performed successfully.
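The check in the answer above is to read the server's command line from `ps -eaf|grep weblogic` and look at `-Djavax.net.ssl.trustStore`. The following is an added example, my own code and not Oracle's, that does the same reading programmatically: it parses the `-D` system properties out of a captured command line and flags the settings on this page that matter for security. Those are a trust store that is still DemoTrust.jks (the demo trust store and its CA certificates ship with every WebLogic installation and are meant for development only), `-Dweblogic.security.TrustKeyStore=DemoTrust` (the documented WebLogic property that selects that store), a trust store password passed on the command line (visible to every local user through `ps`), and hostname verification switched off as in the first thread on this page. The two command lines are constructed; the trust store path is the one from the question, and the password value is a placeholder.

```python
"""Audit a WebLogic JVM command line for SSL trust settings (added example, not Oracle code)."""
from __future__ import annotations

import shlex
from pathlib import PurePosixPath


def system_properties(cmdline: str) -> dict[str, str]:
    """Collect every -Dname=value argument; a repeated name keeps the last value."""
    props: dict[str, str] = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("-D"):
            name, _, value = arg[2:].partition("=")
            props[name] = value
    return props


def trust_store_path(cmdline: str) -> str | None:
    """The file the JVM will use as its trust store, or None if it is not set explicitly."""
    return system_properties(cmdline).get("javax.net.ssl.trustStore")


def audit_java_cmdline(cmdline: str) -> list[str]:
    """Findings a reviewer would flag; an empty list means nothing noteworthy."""
    p = system_properties(cmdline)
    findings: list[str] = []
    store = p.get("javax.net.ssl.trustStore")
    if store and PurePosixPath(store).name == "DemoTrust.jks":
        findings.append(f"trust store is the demo store: {store}")
    if p.get("weblogic.security.TrustKeyStore") == "DemoTrust":
        findings.append("weblogic.security.TrustKeyStore=DemoTrust selects the demo trust store")
    if "javax.net.ssl.trustStorePassword" in p:
        findings.append("trust store password is on the command line (readable by any local user via ps)")
    if p.get("weblogic.security.SSL.ignoreHostnameVerification", "").lower() == "true":
        findings.append("hostname verification is disabled for outbound SSL")
    return findings


# Constructed command lines; the path comes from the ps output quoted in the question.
BEFORE = (
    "/usr/java/jdk1.6.0/bin/java -server -Xms512m -Xmx1g "
    "-Dweblogic.Name=AdminServer "
    "-Djavax.net.ssl.trustStore=/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/DemoTrust.jks "
    "-Djavax.net.ssl.trustStorePassword=placeholder "
    "-Dweblogic.security.SSL.ignoreHostnameVerification=true "
    "weblogic.Server"
)
AFTER = (
    "/usr/java/jdk1.6.0/bin/java -server -Xms512m -Xmx1g "
    "-Dweblogic.Name=AdminServer "
    "-Djavax.net.ssl.trustStore=/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/trust.jks "
    "weblogic.Server"
)


if __name__ == "__main__":
    for label, cmd in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: trust store = {trust_store_path(cmd)}")
        for finding in audit_java_cmdline(cmd) or ["no findings"]:
            print(f"  - {finding}")
```

On a live box, feed it the output of `ps -o args= -C java` for the WebLogic process; the property names are the same ones setDomainEnv puts on the command line.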

How to set up SSL on WildFly 9 Domain Mode?

I currently have a WildFly 9 cluster up and running with access to my application over port 8080, I would like to set up SSL and have access only on port 8443, but I cannot seem to find any documentation for where the security realm and https listener are placed in Domain mode.
I have the keystore and certificate all set up and was able to get https working in a demo using standalone mode, but I need to be able to do it in domain mode.
Can anyone help me out and share how they've accomplished this?
Solved it! It turns out for some reason JBoss was not registering my Security Realm and HTTPS listener. To do this you need to use bin/jbosscli and the commands:
RUN THE "CONNECT" COMMAND FIRST
/host=master/core-service=management/security-realm=SSLRealm/:add()
---where SSLRealm is the name of the realm
/host=master/core-service=management/security-realm=SSLRealm/server-identity=ssl/:add(keystore-path=Keystore.jks, keystore-relative-to=jboss.domain.config.dir, keystore-password=password)
---this assumes the keystore lives in the domain/configuration directory
Restart the server.
I then ran into issues figuring out the command to register the HTTPS listener, but I found the WildFly web console at serverURL:9990 has a way to do it too:
Once logged in to the webconsole
Configuration->Profiles->for each profile which is used->Undertow->HTTP->View
From there
HTTP Server->default-server->view
Finally
HTTPS Listener->ADD enter a name like: default-https, Security Realm: the name chosen for the security realm (for this example SSLRealm), Socket Binding: https and click save
Restart again
You should now have access at your server URL:8443
To set it up on slave servers you should only need to copy the keystore to each slave server's domain/configuration and then add the security realm, replacing /host=master/ with /host=slave/ in the command. And then restart the server.
Double check that the domain.xml file on the slave has the HTTPS listener you created originally in the web console (it should automatically be put into all of the cluster's domain.xml files).

SSL debug tracing may be required to determine the exact reason the certificate was rejected

Found below error in logs after starting Weblogic. How to solve this issue?
Nothing i have deployed here, this is a new environment which i have installed recently.
Error message:
Apr 23, 2014 10:40:37 PM UTC Warning Security BEA-090482 BAD_CERTIFICATE alert was received from MT-DCS2-ADMIN.COM - 60.5.100.20. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.
As the error says, you could try to enable debug mode to see the cause of the problem.
Try this: http://docs.oracle.com/cd/E23943_01/web.1111/e13707/ssl.htm#autoId12
-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true
EDIT (first comment):
You must add these arguments to the start of your WebLogic. Depending on how you run your server, you'll have to edit your run script file.
The standard startup script is named startWebLogic.cmd if you're running Windows and startWebLogic.sh if you're running UNIX (WebLogic8). The contents of the Windows and UNIX startup scripts are similar. If you run Managed Servers > startManagedWebLogic.cmd/.sh. (I think so, I usually use Jboss).
Search in this file "JAVA_OPTIONS=" and add "-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true", then save the file (take care the line is not commented with # character, in this case you should remove the # also).
Then when you start your server (calling this script file) it will throw a full stacktrace showing more details about your SSL problem and point you on what it's wrong.
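Before turning on `-Dssl.debug=true`, it is worth extracting the fields that are already in the warnings. The following is an added example, my own code and not Oracle's: it re-joins WebLogic console messages that were wrapped across lines, picks out the BEA-090504 and BEA-090482 warnings that appear on this page, and pulls out the peer, its IP address and, for hostname failures, the name the certificate contained versus the name the check expected. The sample text is constructed from the log lines quoted on this page; the two message ids and their descriptions are taken from those lines, and the line-joining rule (a bracketed message stays open while it has more `<` than `>`) is my assumption about the console format.

```python
"""Pull structured fields out of WebLogic SSL warnings (added example, not Oracle code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Message ids that appear on this page; descriptions paraphrase the log text.
SSL_WARNINGS = {
    "BEA-090504": "certificate chain failed hostname verification",
    "BEA-090482": "BAD_CERTIFICATE alert received from the peer",
}

CODE_RE = re.compile(r"BEA-\d{6}")
PEER_RE = re.compile(
    r"received from (?P<host>[A-Za-z0-9.\-]+) - (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
NAMES_RE = re.compile(
    r"Certificate contained (?P<contained>[^\s>]+) but check expected (?P<expected>[^\s>]+)"
)


@dataclass
class SslWarning:
    code: str
    peer_host: str
    peer_ip: str
    contained: str | None = None  # only present for hostname-verification failures
    expected: str | None = None

    @property
    def description(self) -> str:
        return SSL_WARNINGS[self.code]

    @property
    def names_identical(self) -> bool | None:
        """True when the certificate name equals the expected name (the odd case in
        the first question on this page); None when the warning carries no names."""
        if self.contained is None or self.expected is None:
            return None
        return self.contained.lower().rstrip(".") == self.expected.lower().rstrip(".")


def records(text: str) -> list[str]:
    """Re-join bracketed console messages that were wrapped across lines
    (assumed rule: a message stays open while it has more '<' than '>')."""
    out: list[str] = []
    for line in text.splitlines():
        if out and out[-1].count("<") > out[-1].count(">"):
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out


def parse(record: str) -> SslWarning | None:
    """One record -> SslWarning, or None if it is not one of the known SSL warnings."""
    code = CODE_RE.search(record)
    if not code or code.group() not in SSL_WARNINGS:
        return None
    peer = PEER_RE.search(record)
    if not peer:
        return None
    names = NAMES_RE.search(record)
    return SslWarning(
        code.group(), peer["host"], peer["ip"],
        names["contained"] if names else None,
        names["expected"] if names else None,
    )


def scan(text: str) -> list[SslWarning]:
    return [w for w in map(parse, records(text)) if w is not None]


# Constructed from the log lines quoted on this page (hostnames masked as in the posts).
SAMPLE = """\
<Warning> <Security> <BEA-090504> <Certificate chain received from xxx.xxxxxxxx.xxx.com -
167.107.80.230 failed hostname verification check. Certificate contained xxx.xxxxxxxx.xxx.com
but check expected xxx.xxxxxxxx.xxx.com>
javax.xml.ws.WebServiceException: javax.net.ssl.SSLKeyException: Hostname verification failed:
HostnameVerifier=weblogic.security.utils.SSLWLSHostnameVerifier,hostname=xxx.xxxxxxxx.xxx.com.
Apr 23, 2014 10:40:37 PM UTC Warning Security BEA-090482 BAD_CERTIFICATE alert was received from MT-DCS2-ADMIN.COM - 60.5.100.20. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification).
"""


if __name__ == "__main__":
    for w in scan(SAMPLE):
        print(f"{w.code} {w.description}: peer={w.peer_host} ({w.peer_ip})"
              f" contained={w.contained} expected={w.expected} identical={w.names_identical}")
```

For the BEA-090482 case the warning names the peer that sent the alert but says nothing about why; that is the situation where the `-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true` flags from the answer are needed, because the reason lives on the rejecting side.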

How to disable and enable admin console (admin-listener, port 4848) from the command line

I would like to control when and where the admin service is accessible
How do I do one of the following (if possible)
Enable the admin console only from localhost (I know about disable-secure-admin, but still I don't want anyone to see the console login page when they add 4848 in the end)
I will use an SSH tunnel to connect
Or, be able to use a certificate, so only certified clients will be able to even see the console
Or, be able on demand to start / stop the admin service when needed, not opening it to the outside world (e.g. start stop __asadmin virtual server)
Is any of the above possible?
Ok, I found it by guess-work
Solution to scenario #1
Make sure you have SSH tunnel on port 4848 first
Go to Configuration -> server-config -> Network Config -> Network Listeners -> admin-listener
Under the General tab, in the Address: field replace 0.0.0.0 with 127.0.0.1
Restart the server
Solution to scenario #3
I didn't find any command line way to enable / disable virtual servers, network listeners or protocols, but editing domain.xml shows that it's all there, just comment out and restart.
Use asadmin to update the HTTP Network Listener named admin-listener.
asadmin enable-secure-admin-principal
"Instructs GlassFish Server, when secure admin is enabled, to accept admin requests from clients identified by the specified SSL certificate".
asadmin enable-secure-admin "enables secure admin (if it is not already enabled), optionally changing the alias used for DAS-to-instance admin messages or the alias used for instance-to-DAS admin messages". Also a good blog on the subject. This doesn't turn admin on/off, but enables/disables for remote access to the admin console without the complications of (1).