
How to enable trust for chain certs in WebLogic or Java

I have an Oracle Service Bus domain running on WebLogic 10.3.6 with 2 managed servers in a cluster. We have a proxy service deployed on this domain which goes to an external business service for validating addresses. This business service is listening on an SSL port, and its SSL cert chain is EntrustCACert > IntermediateCert1 > IntermediateCert2 > ServerCert.

Issue: Getting the below error during connectivity testing:

General runtime error: [Security:090548]The certificate chain received from ws2.site1.com - 197.109.80.xxx contained a V3 CA certificate which was missing the basic constraints.

Solutions I have tried:

1) Added JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.enforceConstraints=off " to the startup script, and it resolved the issue. But I was told this is not the preferred way and that I should use a trust keystore instead.

2) To implement trust, I copied all 4 certs in the following reverse order, EntrustCACert > IntermediateCert1 > IntermediateCert2 > ServerCert, into one file named DSperian.pem and imported it into the JRockit cacerts file ( /apps/Oracle/jrockit-jdk1.6.0_31-R28.2.3-4.1.0/jre/lib/security/cacerts ) using the command below, but I am getting the same error as above.

keytool -import -alias DSperian -trustcacerts -file DSperian.pem -keystore cacerts

Question: Please let me know if I am importing the cert the right way to create trust, so that my OSB domain will blindly trust the business service (web service) and ignore the "basic constraints" error. Do I need to use a WebLogic-specific trust keystore file, given that this OSB WebLogic is running on a non-SSL port? Are there any other options available? Asking the business service to update their cert to include "basic constraints" is not an option.

There is actually a problem with your certificate.

Security certificates have a set of constraints that allow them to perform certain functions (or restrict them to certain functions).

Have a look at each of the certificates and ensure that they have constraints assigned to them that are suitable for the task.

To get more details on the error, enable SSL debugging in your WebLogic server by adding the following to your server startup script:

-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

More information: Configure SSL in WebLogic Server.

Use the following command to validate your keystore:

java utils.ValidateCertChain -jks mykey mykeystore

Then, whoever provided the root certificate needs to fix up your issues.
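As an added example (not code from the question or the answer above), the following Go program reproduces the situation the question describes and the check the answer asks for. It builds a four-certificate chain, Root > Intermediate1 > Intermediate2 > server cert, once correctly and once with Intermediate2 issued without a basicConstraints extension. It then runs a check that mirrors the WebLogic rule behind [Security:090548] (an issuing certificate that is X.509 v3 must carry basicConstraints with cA=TRUE) and also hands the chain to Go's own path validator, trusting only the chain's root. All names, serial numbers and the host ws2.example.com are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a certificate template. When withBC is false the
// basicConstraints extension is left out entirely, which is the defect the
// WebLogic error [Security:090548] complains about on an issuing certificate.
func newTemplate(cn string, serial int64, ca, withBC bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: withBC, // false => no basicConstraints extension at all
		IsCA:                  ca && withBC,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{"ws2.example.com"} // constructed host name for the example
	}
	return t
}

// issue signs template with the parent's key (self-signed when parent is nil)
// and returns the parsed certificate plus its private key.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildChain returns Root > Intermediate1 > Intermediate2 > leaf, ordered leaf
// first as a TLS server sends it. With brokenIntermediate set, Intermediate2 is
// issued without basicConstraints, like the chain in the question.
func buildChain(brokenIntermediate bool) []*x509.Certificate {
	root, rootKey := issue(newTemplate("Example Root CA", 1, true, true), nil, nil)
	i1, i1Key := issue(newTemplate("Example Intermediate 1", 2, true, true), root, rootKey)
	i2, i2Key := issue(newTemplate("Example Intermediate 2", 3, true, !brokenIntermediate), i1, i1Key)
	leaf, _ := issue(newTemplate("ws2.example.com", 4, false, true), i2, i2Key)
	return []*x509.Certificate{leaf, i2, i1, root}
}

// checkIssuerConstraints applies the rule behind [Security:090548] to a
// leaf-first chain: every certificate that issued another one must, if it is
// X.509 v3, carry basicConstraints, and that extension must say cA=TRUE.
func checkIssuerConstraints(chain []*x509.Certificate) error {
	for i, c := range chain[1:] {
		switch {
		case c.Version == 3 && !c.BasicConstraintsValid:
			return fmt.Errorf("chain[%d] %q: V3 CA certificate is missing basicConstraints", i+1, c.Subject.CommonName)
		case c.BasicConstraintsValid && !c.IsCA:
			return fmt.Errorf("chain[%d] %q: basicConstraints says cA=FALSE but it issued a certificate", i+1, c.Subject.CommonName)
		}
	}
	return nil
}

// verifyWithGo asks Go's path validator the same question, trusting only the
// chain's own root. It rejects an intermediate without cA=TRUE as well.
func verifyWithGo(chain []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "ws2.example.com"})
	return err
}

func main() {
	for _, broken := range []bool{false, true} {
		chain := buildChain(broken)
		fmt.Printf("intermediate without basicConstraints: %v\n", broken)
		fmt.Printf("  constraint check: %v\n", checkIssuerConstraints(chain))
		fmt.Printf("  Go x509.Verify:   %v\n", verifyWithGo(chain))
	}
}
```

The point the example makes is that the check is structural: it looks at the issuing certificates in the chain the server presents, so adding that same chain to a trust store changes nothing, and the broken chain is rejected whether or not its root is trusted. Turning the check off with enforceConstraints=off means any certificate that happens to lack basicConstraints, including an end-entity cert, is accepted as an issuer, which is why the answer points back to whoever issued the intermediate.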
