
[ Weblogic REST Client with Jersey HTTPS: Handshake failure ]

Setup: WL 9.2 + Jersey 1.1.5.1 on WL's Jrockit. Picked Jersey 1.1.5.1 because newer versions require Java 6, I believe. Weblogic EJB acts as REST Client and keeps getting this error:

ClientHandlerException: javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain received from svcpoint.restprovider.com - xx.xxx.xxx.xx was not trusted causing SSL handshake failure.

As this is just a POC implementation, Weblogic is set up with various flags to ignore cert verification just to make this error go away:

-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enforceConstraints=off  -Dweblogic.webservice.client.ssl.strictcertchecking=false

Also, the Jersey config setup includes this bit:

    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import com.sun.jersey.client.urlconnection.HTTPSProperties;

    SSLContext ctx = SSLContext.getInstance("SSL");
    ctx.init(null, null, null); // must be initialised before use; null = JDK default key/trust managers
    // hostname verifier that accepts every host (POC only)
    HTTPSProperties prop = new HTTPSProperties(
    new HostnameVerifier () {
        public boolean verify(String hostname, SSLSession session) {
            System.out.println("\n\nFAKE_Verifier: " + hostname+"\n\n");
            return true;
        }
    }, ctx);
    config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, prop);

Finally, the sole WL server, technically the admin srv, was configured in the admin console SSL.Advanced settings to not use Hostname Verification.

Now, I'm pretty sure my fake validator setup for Jersey is not actually involved, as I see this error from SSL debug:

<SecuritySSL> <000000> <weblogic user specified trustmanager validation status 16> 
<Security> <BEA-090477> <Certificate chain received from svcpoint.restprovider.com - xx.xxx.xxx.xx was not trusted causing SSL handshake failure.> 
<SecuritySSL> <000000> <Validation error = 16> 
<SecuritySSL> <000000> <Certificate chain is untrusted> 
<SecuritySSL> <000000> <SSLTrustValidator returns: 16> 
<SecuritySSL> <000000> <Trust status (16):  CERT_CHAIN_UNTRUSTED> 
<SecuritySSL> <000000> <NEW ALERT with Severity: FATAL, Type: 42
  java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)

I've googled and looked at other similar issues here on SO, but I'm probably missing something. Also, from what I can judge the cert seems valid, showing it's for CN=*.restprovider.com, expiring in Nov 2011.

Answer 1

The certificate is untrusted. I think the best solution would be adding it to Weblogic's trust store using keytool:

keytool -importcert -trustcacerts ...

You can also do it in code:

   // needs imports from java.io, java.security and javax.net.ssl
   // trustStore: path and password below are placeholders
   KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
   trustStore.load(new FileInputStream("/path/to/truststore.jks"), "changeit".toCharArray());
   TrustManagerFactory trustManagerFactory = TrustManagerFactory
                .getInstance("SunX509");
   trustManagerFactory.init(trustStore);
   TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
   KeyManager[] keyManagers = null; // no client certificate is presented
   SSLContext context = SSLContext.getInstance("TLS");
   context.init(keyManagers, trustManagers, new SecureRandom());
   HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());

trustStore is a keystore containing the certificate.
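Putting the answer together with the Jersey 1.x client from the question, here is an added example (not the answer's or Jersey's own code) that trusts the provider's certificate through a dedicated truststore while keeping the JDK's default hostname verifier instead of the always-true one. The truststore path, password and alias are placeholders, and the keytool commands in the comment are the assumed way the store is created.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.config.ClientConfig;
import com.sun.jersey.api.client.config.DefaultClientConfig;
import com.sun.jersey.client.urlconnection.HTTPSProperties;

public class TrustedRestClient {

    // Placeholders. Assumed creation of the store:
    //   keytool -importcert -trustcacerts -alias restprovider -file restprovider.crt \
    //           -keystore /path/to/truststore.jks
    private static final String TRUST_STORE = "/path/to/truststore.jks";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    // Builds an SSLContext that trusts only the certificates in the given JKS truststore.
    static SSLContext sslContextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client certificate is presented, so no key managers are needed.
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextFromTrustStore(TRUST_STORE, TRUST_STORE_PASSWORD);
        ClientConfig config = new DefaultClientConfig();
        // Keep the JDK's default hostname verifier: it checks the host against CN=*.restprovider.com.
        config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES,
                new HTTPSProperties(HttpsURLConnection.getDefaultHostnameVerifier(), ctx));
        Client client = Client.create(config);
        ClientResponse response = client.resource("https://svcpoint.restprovider.com/")
                .get(ClientResponse.class);
        System.out.println("HTTP " + response.getStatus());
    }
}
```

If the handshake failure still shows the com.certicom frames from the question's SSL debug, the connection is being made by WebLogic's own SSL stack rather than this context, and the certificate then has to be imported into the trust keystore WebLogic is configured to use. Check the store contents with `keytool -list -v -keystore /path/to/truststore.jks` before pointing either side at it.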