ssl handshake failure in weblogic

In below post we will check how to debug SSL handshake failures occurs during different situations.

In weblogic logs we were getting below certificate error while initiating any soap connection over SSL with self signed certificates.

####<May 2, 2012 1:58:47 PM EDT> <Error>
<identity01.23w.local> <WebApps> <ACTIVE
ExecuteThread: ‘0’ for queue: ‘weblogic.kernel.Default (self-tuning)’>
<<WLS Kernel>> <1367517527502> <BEA-000000> <Failed to build CertPath
java.security.cert.CertPathBuilderException: Security:090683The
CertificateRegistry could not build a certificate path for end certificate [
[

]. This indicates that either someone is trying to access the server
with an untrusted certificate or that the administrator has forgotton to
register the certificate in the CertificateRegistry.
at
weblogic.security.providers.pk.CertificateRegistryRuntimeImpl$JDKCertPathBuilder.selectEndCert(CertificateRegistryRuntimeImpl.java:266)
at
weblogic.security.providers.pk.CertificateRegistryRuntimeImpl$JDKCertPathBuilder.engineBuild(CertificateRegistryRuntimeImpl.java:225)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at
com.bea.common.security.internal.legacy.service.CertPathBuilderImpl$CertPathBuilderProviderImpl.build(CertPathBuilderImpl.java:67)
at
com.bea.common.security.internal.service.CertPathBuilderServiceImpl.build(CertPathBuilderServiceImpl.java:86)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at
com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy41.build(Unknown Source)
at
weblogic.security.service.WLSCertPathBuilderServiceWrapper.build(WLSCertPathBuilderServiceWrapper.java:62)

Few of the times while sending mails also failed with below error:

Caused by: javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from sxzzszone3.di.rsa.3.com – 10.20.212.214 was not trusted causing SSL handshake failure.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:124)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:191)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:411)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at oracle.bpel.services.workflow.task.notification.html.HTMLTagReader.initialize(HTMLTagReader.java:163)
at oracle.bpel.services.workflow.task.notification.html.GenericHTMLContentParser.parse(GenericHTMLContentParser.java:387)
at oracle.bpel.services.workflow.task.notification.TaskNotifications.parseHtmlContentForImages(TaskNotifications.java:1559)
at oracle.bpel.services.workflow.task.notification.TaskNotifications.getEmailPayload(TaskNotifications.java:1390)
at oracle.bpel.services.workflow.task.notification.TaskNotifications.getEmailNotificationContent(TaskNotifications.java:1057)
at oracle.bpel.services.workflow.task.notification.TaskNotifications.sendEmailNotification(TaskNotifications.java:1019)
at oracle.bpel.services.workflow.task.notification.TaskNotifications.sendPreferredNotification(TaskNotifications.java:2291)
at oracle.bpel.services.workflow.task.notification.TaskNotifications.sendNotificationToUser(TaskNotifications.java:2194)
at oracle.bpel.services.workflow.task.notification.TaskNotifications.sendTaskNotification(TaskNotifications.java:1943)
at oracle.bpel.services.workflow.task.notification.TaskNotifications.notifyForTaskInternal(TaskNotifications.java:707)
at oracle.bpel.services.workflow.task.notification.TaskNotifications.notifyForTask(TaskNotifications.java:520)
at oracle.bpel.services.workflow.task.notification.MDBTaskNotificationConsumer.deliverNotification(MDBTaskNotificationConsumer.java:349)
at oracle.bpel.services.workflow.task.notification.MDBTaskNotificationConsumer.onMessage(MDBTaskNotificationConsumer.java:213)
at sun.reflect.GeneratedMethodAccessor2034.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.oracle.pitchfork.intercept.MethodInvocationInvocationContext.proceed(MethodInvocationInvocationContext.java:103)
at oracle.security.jps.ee.ejb.JpsAbsInterceptor$1.run(JpsAbsInterceptor.java:113)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:454)
at oracle.security.jps.ee.ejb.JpsAbsInterceptor.runJaasMode(JpsAbsInterceptor.java:100)
at oracle.security.jps.ee.ejb.JpsAbsInterceptor.intercept(JpsAbsInterceptor.java:154)
at oracle.security.jps.ee.ejb.JpsInterceptor.intercept(JpsInterceptor.java:113)
at sun.reflect.GeneratedMethodAccessor1304.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.oracle.pitchfork.intercept.JeeInterceptorInterceptor.invoke(JeeInterceptorInterceptor.java:68)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy405.onMessage(Unknown Source)
at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:583)
at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:486)
at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:389)
at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3822)
… 5 more
Some times while testing the connection with LDAP we get below message:

SSLHandshakeException(sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)
We found out that these errors are due to the server certificate not being in certificate chain.
This error comes from the fact that server certificate is a “self signed” certificate and is not in a certificate chain.

This can be checked using openssl, which will provide a return code of “Verify return code: 18 (self signed certificate)”

For LDAP:

openssl s_client -connect localhost:9736
CONNECTED(00000004)
depth=0 /C=ca/ST=Navada/L=SF/O=SYSTH/OU=ldap/CN=server admin
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=ca/ST=Navada/L=SF/O=SYSTH=ldap/CN=server admin
verify return:1

Certificate chain
0 s:/C=ca/ST=Navada/L=SF/O=SYSTH/OU=ldap/CN=server admin
i:/C=ca/ST=Navada/L=SF/O=SYSTH/OU=ldap/CN=server admin

Server certificate
—–BEGIN CERTIFICATE—–
D8wDQYDVQQKEwZPcmFjkYXAxFTATBgNVBAMTDHNlcnZlciBhZG1pbjAeFw0xMjAx
MTYxNjEzNDlaFw0xMjA0MTUxNjEzNDlaMGYxCzAJBgNVBAYTAmNhMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMQswCQYDVQQHEwJTRjEPMA0GA1UEChMGT3JhY2xlMQ0wCwYD
VQQLEwRsZGFwMRUwEwYDVQQDEwxzZXJ2ZXIgYWRtaW4wggG4MIIBLAYHKoZIzjgE
ATCCAR8CgYEA/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZRJmlFXUAiUftZ
PY1Y+r/F9bow9subVWzXgTuAHTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfGG/g7
V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HXKu/yIgMZndFIAccCFQCXYFCP
FSMLzLKSuYKi64QL8Fgc9QKBgQD34aCF1ps93su8q1w2uFe5eZSvu/o66oL5V0wL
PQeCZ1FZV4661FlP5nEHEIGAtEkWcSPoTCgWE7fPCTKMyKbhPBZ6i1R8jSjgo64e
K7OmdZFuo38L+iE1YvH7YnoBJDvMpPG+qFGQiaiD3+Fa5Z8GkotmXoB7VSVkAUw7
/s9JKgOBhQACgYEAw+2EIpmwy0rqtHbNb6gxbEtW0hplXXQdHEQp24brde1jt1qv
LDz/c8KR+fVxqvTxAmurGt1qbrhjXcUxi1KdaLnLnLXTCoD+ZLQU+F6B/TNmfrxb
AJmHtmoZsFtNCBTC++FClXtconKyXjEWnKMw7fEb+gNY3eTUrcyIpa/YEbYwCwYH
KoZIzjgEAwUAAy8A==
—–END CERTIFICATE—–

SSL handshake has read 1594 bytes and written 312 bytes


Verify return code: 18 (self signed certificate)

Usually this can be solved by importing CA certificate or/and signed certificate reply in server keystore and clean bouncing the server once.

There are two steps which needs to be followed to fix.
1. import the certificate to key store if not self signed.
Or
2. import the certificate reply to key store if self signed

OR both if in communication channel one is self signed and one is CA signed.( Not recommended way to fix – causes instability)

import certificate
====================

keytool -importcert -alias ss-cert -keystore config/keystore.jks -storetype JKS -file server-cert.pem
Enter keystore password:
Owner: CN=CA Certificate, OU=OUD, O=SYSTH, L=NewLobe, ST=UK, C=GB
Issuer: CN=CA Certificate, OU=OUD, O=SYSTH, L=NewLobe, ST=UK, C=GB
Serial number: 96b69e65
Valid from: Wed Jan 04 15:51:37 MET 2013 until: Mon Sep 04 16:51:37 MET 2318
Certificate fingerprints:
MD5: D0:5B:C8:2A:3D:3B:0A:29:62:E3:27:99:4E:D4
SHA1: E4:C9:BB:B7:5B:49:C7:7E:BF:DC:DF:29:E7:74:A0:66:03
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore

import signed server certificate reply into server keystore
============================================================

keytool -importcert -trustcacerts -alias server-cert -keystore config/keystore.jks -storetype JKS -file server-cert.pem

Enter keystore password:
Certificate reply was installed in keystore

You can verify the certificates in the LDAP server keystore using following commands
keytool -list -keystore config/keystore.jks -storepass welcome12 -v

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: ca-cert
Creation date: Jan 18, 2012
Entry type: trustedCertEntry

Owner: CN=CA Certificate, OU=OUD, O=SYSTH, L=NewLobe, ST=UK, C=GB
Issuer: CN=CA Certificate, OU=OUD, O=SYSTH, L=NewLobe, ST=UK, C=GB
==================================================================

Now bounce the server and check for the issue.

If the issue still persists add below two parameters to the startup script so that the debug messages can be logged which will simplify the issue resolution.

-Djavax.net.debug=ssl:handshake -Djavax.net.ssl.trustStore=<keystore_file_location>

In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.

1 Response

  1. Carmine says:

    Do you mind if I quote a few of your posts as
    long as I provide credit and sources back to your website?

    My website is in the very same area of interest as yours and
    my visitors would certainly benefit from a lot of the information
    you provide here. Please let me know if this alright with you.

    Many thanks!

Leave a Reply