Troubleshot for SSL issue for Weblogic server
来源:互联网 发布:淘宝公益宝贝好处 编辑:程序博客网 时间:2024/05/19 17:56
1> Signature verification failed because RSA key public exponent [3] is too small
RSA Keys with Public Exponent results in faulty signature verification on WLS. Having so low exponent is considered as security vulnerability; hence keys with low exponents are not supported by WLS. However if we need to bypass this behavior, we can use the following flag
-Dweblogic.security.SSL.allowSmallRSAExponent=true
2> java.security.InvalidKeyException: Illegal key size or default parameters
This exception is encountered while using strong encryption such as AES256. We can overcome this by downloading the unrestricted jurisdiction policy files from the JVM vendor site and place it under jre/lib/security folder.
3> NEW ALERT with Severity: FATAL, Type: 70
We get this alert when the the party communication with Weblogic Server is using a different version of SSL. We need to check the Handshake Message for the version of SSL used.
Using this flag to specify the version of SSL at WLS can be helpful.
-Dweblogic.security.SSL.protocolVersion=SSL3
NEW ALERT=with Severity: FATAL, Type: 42
This alert means that the certificate presented to WLS is not trusted. It can be resolved by importing the certificate into the trust store of Weblogic Server.
4> HANDSHAKE_FAILURE alert received from localhost – 127.0.0.1.
Most of the time its because of HOST NAME VERIFICATION.
Ignore Host Name Verification by setting this flag for Admin & Managed Server
-Dweblogic.security.SSL.ignoreHostnameVerification=true
And this in the startNodeManager.cmd
-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false
Sometime when the root certificate does not meet the basic constraint, i.e. even when the issuer and the owner is the same, the criticality is not true
ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:0
]
To allow WLS to accept such certificates we need to pass on this flag
-Dweblogic.security.SSL.enforceConstraints=off
5> java.security.cert.CertificateParsingException: PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11
The root problem is the Certicom SSL does not support SHA256 algorithm, which is required with the trusted certificates of “ttelesecglobalrootclass2ca” and “ttelesecglobalrootclass3ca”
A fix is included in JDK 1.6.0_13 wherein WLS just ignores these certificates.
6> Trust failure (68): CERT_CHAIN_INCOMPLETE
We encounter this issue when the Weblogic Server is not able to verify the chain of certificates presented to it. From the debug message we can check the certificates and check their order in the chain. We can also check the trust store for the root and intermediate certificates on the signing authority of the certificates.
We can use this to validate the certificate chain using
java utils.ValidateCertChain -jks alias storefilename [storePass]
7> java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
We need to specify the trustore as a JAVA OPTION
-Djavax.net.ssl.trustStore=samplecacerts
Or specify it as a System Property in the code
System.setProperty(“javax.net.ssl.trustStore”,”samplecacerts”);
System.setProperty(“javax.net.ssl.trustStorePassword”,”changeit”);
8> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Pass the keystore in the java options.
-Dssl.debug=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=faisal_trust.jks -Djavax.net.ssl.keyStore=faisal.jks -Djavax.net.ssl.keyStorePassword=password -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.ignoreHostnameVerification=true -Djava.protocol.handler.pkgs=weblogic.net
9> java.security.InvalidKeyException: Illegal key size
Try adding the following jvm option. This will make Weblogic Server FIPS 140-2 compliant.
-Dweblogic.security.SSL.nojce=true
- Troubleshot for SSL issue for Weblogic server
- Developing Web Application for Weblogic Server
- Spotlight® for BEA WebLogic Server
- BEA WebLogic Server 8 for Dummies
- Developing Web Applications for WebLogic Server
- ISSUE for GRE
- Exception & Issue for Selenium
- 在Weblogic中使用定时器(commonj Timer for weblogic server)
- path and issue for angowx
- Cordova Plugin Issue for IOS
- xorg-server-1.12.1 for android done--xorg-server-1.12.1-issue.txt
- BPM Server for Weblogic建立引擎的过程
- weblogic server with Jrockit. Good for better performance
- Setup https server with a self SSL certificate for testing.
- weblogic for linux安装
- weblogic for linux安装
- weblogic for linux安装
- weblogic for linux安装
- 关于ORA-02069错误[序列原因解决方案]
- 重写UIView-让我们随心所欲的定制属于自己的UI控件
- jQuery Dialog 弹出层对话框插件
- 2013/12/11 Jquery UI插件 sortable库
- Flex页面切换之mx:ViewStack
- Troubleshot for SSL issue for Weblogic server
- cisco netflow设备支持情况
- App自动化之使用Ant编译项目多渠道打包
- JavaScript 字符串(String)对象
- Linked List Cycle
- 剑指OFFER之二叉树篇
- linux修改时区不需要重启的方法
- linux下mv命令使用方法
- iOS笔记:判断相机是否被授权,应用是否能够打开相机