stackoom
  简体   繁体   中英

Weblogic breaks CXF certificate authentication when using proxy

 原文  2013-09-26 16:26:44       java/ web-services/ ssl/ weblogic/ cxf

Question

I've got a CXF client configured in code. It uses certificate authentication to the WS server and proxy settings(which is without authentication). Everything works perfectly fine from the unit test and on Tomcat, but breaks when deployed on Weblogic. It goes through the proxy, but doesn't authenticate with the certificate. The strange thing is, that if I'm not going throught the proxy, the certificate authentication works. What can be the problem?

The code I'm using for initializing the client: 

 JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
factory.setEndpointName(SERVICE_NAME);
factory.setAddress("Address of the WS server");
factory.setServiceClass(MyService.class);
this.port = (MyService) factory.create();

Client client = ClientProxy.getClient(port);
HTTPConduit conduit = (HTTPConduit) client.getConduit();

//proxy settings
HTTPClientPolicy policy = new HTTPClientPolicy();
policy.setProxyServer("IP OF THE PROXY");
policy.setProxyServerPort("PORT OF THE PROXY");
conduit.setClient(policy);        

//TLS
KeyStore keyStore = KeyStore.getInstance(ARCHIVE_FILE_FORMAT);
keyFile = getKeyFileUrl().openStream();
keyStore.load(keyFile, getPassword().toCharArray());
KeyManager[] myKeyManagers = getKeyManagers(keyStore, getPassword());
TLSClientParameters tlsCP = new TLSClientParameters();
tlsCP.setKeyManagers(myKeyManagers);
tlsCP.setDisableCNCheck(true);
FiltersType cipherSuiteFilter = new FiltersType();
cipherSuiteFilter.getInclude().add(SSL_RSA_WITH_3_DES_EDE_CBC_SHA);
cipherSuiteFilter.getExclude().add(DH_ANON);
tlsCP.setCipherSuitesFilter(cipherSuiteFilter);
conduit.setTlsClientParameters(tlsCP);

When I enabled SSL debugging, I'm getting tyhese messages in the log file: 

####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133523> <BEA-000000> <weblogic user specified trustmanager validation status 0> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133523> <BEA-000000> <SSLTrustValidator returns: 0> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133523> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: No trust failure, validateErr=0.> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133524> <BEA-000000> <Performing hostname validation checks: www.cfmu.eurocontrol.int> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133524> <BEA-000000> <Proxying through 85.125.226.9> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133525> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: Successfully completed post-handshake processing.> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133526> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 230 bytesProduced = 261.> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133528> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 1729 bytesProduced = 1786.> 
####<Oct 2, 2013 4:08:53 PM UTC> <Debug> <SecuritySSL> <lmdesetup-jab> <fwf-acg> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1380730133627> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 733 bytesProduced = 705.>

What does status=OK mean? Do I have ssl connection? Then why the server sends the response as if not using certificate.

I have tried different versions of CXF(including latest 2.7.7) and different versions of weblogic.

2 answers

solution1
 1 ACCPTED  2013-10-02 23:05:05

As I read the Oracle documentation, it seems Weblogic Server rejects any certificates in a certificate chain that do not have the basic constraint extension defined as CA. You can use the command line argument: 

-Dweblogic.security.SSL.enforceConstraints=option

Where option can be 'strong' or 'true', strict, or off. Look at the documentation: 

http://docs.oracle.com/cd/E11035_01/wls100/secmanage/ssl.html#wp1194346

Have you set this flag? 

What worked:

Start your weblogic server. Go to 'Servers' under 'Environment'. Click on the server name. Under the 'General' tab, set the ClientCertProxyEnabled flag to true.

solution2
 0  2013-11-13 20:06:35

i've had the same kind of problem a while ago (CXF, mutual SSL authentication, proxy server,weblogic) , i patched the CXF client to apply a (temporary) workaround ( http://pastebin.com/VfKA7MRC ) , because it's a bug in the weblogic code since 10.3 in the method weblogic.net.https.HttpsClient.openServer() when using a proxy . Maybe the problem is already fixed now i didn't look into it for 1,5 year

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question CXF client NTLM authentication on weblogic Client Certificate using Weblogic Apache CXF + Spring: Simple Certificate Authentication CXF Webservice client breaks when providing wsdl Supporting authentication when using Java proxy class Why do I get a bad_certificate error when using spring and CXF WebLogic deploy exception using @WebParam in SpringBoot CXF application WebLogic ClientInstanceInvocationHandler to cxf ClientProxy Weblogic server CXF error CXF + SSL + WebLogic 9.10
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM