2008-11-11

How to configure WebLogic to use SSL with Apache?

We will start this example from the very beginning.

We'll create a certificate and a keystore, and perform all the steps needed to get us started (using Keytool and OpenSSL).

Then we'll configure WebLogic to use that keystore.

Once a browser is able to access WebLogic, we will configure Apache to use SSL with WebLogic.

 

1 - Create a CSR & a keystore

The tool used to create these components is Keytool from Sun. It ships with any JVM install.

For me it's: %BEA_HOME%\jdk160_05\bin\keytool.exe

For this example, as I'm lazy sometimes, I'm going to use Keytool UI, which is a graphical version of keytool, as its name suggests.

First, let's create an empty sample JKS (JKS stands for Java KeyStore).

In this example, the password used is "weblogic".

 

Then just create a CSR (Certificate Signing Request).

Specify the previously created JKS and the algorithm to use, then fill in the different fields, as you would with Keytool.

The creation should result in a small popup. You can then view the content of the keystore.

I used the following for the private key :

  • alias : privatekey
  • password : weblogic

 

2 - Configure WebLogic to use the previously created keystore

That's the easy part :)

Start your server and check that SSL is enabled.

Then just change the identity of the server to point to our keystore.

Several keystore options are proposed. In our example, the option that best fits our needs is "Custom Identity & Java Standard Trust".

"Custom Identity" means we're using our own keystore and "Java Standard Trust" means we use the truststore from the JDK (%BEA_HOME%\jdk160_05\jre\lib\security\cacerts).

A truststore is a keystore containing all the trusted certificates.

You may print the truststore, just to see what's inside: Verisign, Thawte and many other CAs (Certificate Authorities) are listed.

We only have to specify the keystore we created, its type (JKS) and its password.

As for the trust keystore, just type the default password, which is "changeit".

 

A quick look in the WLS console shows :

 

<10 nov. 2008 23 h 47 CET> <Error> <WebLogicServer> <BEA-000297>
<Inconsistent security configuration, weblogic.management.configuration.ConfigurationException:
Cannot retrieve identity certificate and private key on server AdminServer, because the keystore entry alias is not specified.>

<10 nov. 2008 23 h 47 CET> <Error> <Server> <BEA-002618>
<An invalid attempt was made to configure a channel for unconfigured protocol "Cannot retrieve identity certificate
and private key on server AdminServer, because the keystore entry alias is not specified.".>

 

That's because we didn't supply the private key alias.

Just type the alias (privatekey) and the password (weblogic) and save.

This time, WLS seems to be happier :

 

<10 nov. 2008 23 h 52 CET> <Notice> <Security> <BEA-090171>
<Loading the identity certificate and private key stored under the alias privateKey from the JKS keystore
file D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\mbutton.jks.>

<10 nov. 2008 23 h 52 CET> <Notice> <Security> <BEA-090169>
<Loading trusted certificates from the jks keystore file D:\BEA_ROOT\WLS_10.3\JDK160~1\jre\lib\security\cacerts.>

<10 nov. 2008 23 h 52 CET> <Notice> <Server> <BEA-002613>
<Channel "DefaultSecure" is now listening on 192.168.1.4:7002 for protocols iiops, t3s,
CLUSTER-BROADCAST-SECURE, ldaps, https.>

<10 nov. 2008 23 h 52 CET> <Notice> <Server> <BEA-002613>
<Channel "DefaultSecure[1]" is now listening on 127.0.0.1:7002 for protocols iiops, t3s,
CLUSTER-BROADCAST-SECURE, ldaps, https.>

 

Let's try to access the console using the secure port (7002).

A popup shows up: just a warning saying that the certificate was issued by someone I don't trust and that the certificate name doesn't match the site name.

It works.

 

3 - Display the certificate presented by WebLogic

 

To display the certificate, we've got two possibilities:

Click the lock in the browser window and use the built-in functionality to display the certificates.

Or use OpenSSL, which is the method I prefer.

 

 

C:\Documents and Settings\mbutton>openssl s_client  -connect localhost:7002
Loading 'screen' into random state - done
CONNECTED(00000728)
depth=0 /emailAddress=mbutton@bea.com/C=FR/ST=Hauts-de-seine/L=Courbevoie/O=Oracle-BEA/OU=Consulting/CN=fr.mbutton.blog
verify error:num=18:self signed certificate
verify return:1
depth=0 /emailAddress=mbutton@bea.com/C=FR/ST=Hauts-de-seine/L=Courbevoie/O=Oracle-BEA/OU=Consulting/CN=fr.mbutton.blog
verify return:1
---
Certificate chain
0 s:/emailAddress=mbutton@bea.com/C=FR/ST=Hauts-de-seine/L=Courbevoie/O=Oracle-BEA/OU=Consulting/CN=fr.mbutton.blog
   i:/emailAddress=mbutton@bea.com/C=FR/ST=Hauts-de-seine/L=Courbevoie/O=Oracle-BEA/OU=Consulting/CN=fr.mbutton.blog
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

subject=/emailAddress=mbutton@bea.com/C=FR/ST=Hauts-de-seine/L=Courbevoie/O=Oracle-BEA/OU=Consulting/CN=fr.mbutton.blog
issuer=/emailAddress=mbutton@bea.com/C=FR/ST=Hauts-de-seine/L=Courbevoie/O=Oracle-BEA/OU=Consulting/CN=fr.mbutton.blog
---
No client certificate CA names sent
---
SSL handshake has read 829 bytes and written 306 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 48076FBB49156AD46E8B1DE5C6761319
    Session-ID-ctx:
    Master-Key: 0FE8F6A1A4A498FBE9832D7BE2FD999C2DA9C697F1311F6DE39A461293AD643E12DB8089828082581352D8FD5FF8E310
    Key-Arg   : None
    Start Time: 1226358012
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

 

The section in red (the block under "Server certificate") is the certificate presented by the server.

ASCII text delimited by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" means it's in PEM format.

We need to isolate it: just copy it into a file and name it "server.pem", for instance.
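
Because this file becomes the plug-in's trust anchor, it is worth checking that the certificate copied from the network is the one stored in the keystore. The Python sketch below is an added example, not code from the original post: it extracts the certificate block from a saved `openssl s_client` transcript and writes out PEM text only if its fingerprint matches one obtained from the keystore side (for instance the fingerprint `keytool -list -v` prints). The sample bytes are constructed stand-ins, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def extract_certs(transcript):
    """Return the DER bytes of each certificate block, in order of appearance."""
    certs = []
    for match in PEM_RE.finditer(transcript):
        body = "".join(match.group(1).split())  # drop line breaks and indentation
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("corrupt PEM block: %s" % exc)
        if not der.startswith(b"\x30"):  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("PEM block is not a DER SEQUENCE")
        certs.append(der)
    if not certs:
        raise ValueError("no certificate block in transcript")
    return certs

def fingerprint(der, algo="sha256"):
    """Colon-separated upper-case digest, the layout keytool and openssl print."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def to_pem(der):
    """Re-encode DER bytes as PEM text with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def pin_server_cert(transcript, expected_fp, algo="sha256"):
    """Return server.pem content only if the first certificate matches expected_fp."""
    leaf = extract_certs(transcript)[0]
    actual = fingerprint(leaf, algo)
    if actual.replace(":", "") != expected_fp.replace(":", "").upper():
        raise ValueError("fingerprint mismatch, refusing to trust: " + actual)
    return to_pem(leaf)

# Constructed stand-in bytes, NOT a real certificate: only the framing matters here.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(96))
SAMPLE_TRANSCRIPT = (
    "CONNECTED(00000728)\n---\nServer certificate\n"
    + to_pem(SAMPLE_DER)
    + "subject=/CN=fr.mbutton.blog\n---\n"
    + "Verify return code: 18 (self signed certificate)\n"
)

if __name__ == "__main__":
    known_good = fingerprint(SAMPLE_DER)  # in practice: taken from the keystore side
    print(known_good)
    print(pin_server_cert(SAMPLE_TRANSCRIPT, known_good))
```

Pass `algo="sha1"` when the JDK in use prints only MD5 and SHA1 fingerprints.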

 

4 - Configure Apache SSL to access WebLogic

 

First, copy the Apache plug-in

%BEA_ROOT%\wlserver_10.3\server\plugin\win\32\mod_wl_22.so

into the Apache modules directory, %APACHE_HOME%\modules.

In your httpd.conf, add the following lines to have a clean and separate configuration for WebLogic.

 

############## WLS 10 Proxy Plugin
<IfModule !mod_weblogic.c>
    LoadModule weblogic_module modules/mod_wl_22.so
</IfModule>

<IfModule mod_weblogic.c>
  # Config file for WebLogic Server that defines the parameters
  Include conf/weblogic.conf
</IfModule>

 

These few lines include the file weblogic.conf.

This file looks like :

 

<IfModule mod_weblogic.c>

    <Location /console>
        SetHandler weblogic-handler
        WebLogicHost localhost
        WebLogicPort 7002

        # SSL
        SecureProxy ON
        WLProxySSL ON
        RequireSSLHostMatch false
        TrustedCAFile D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\server.pem
        EnforceBasicConstraints false

        # DEBUG
        WLLogFile D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\wlproxy.log
        Debug ALL
        DebugConfigInfo ON
    </Location>
</IfModule>

 

As you may have noticed, the "TrustedCAFile" value is the full path to our server certificate (the one we got from OpenSSL!).

For more information about configuring the WebLogic plug-in, see http://edocs.bea.com/wls/docs100/plugins/apache.html
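
Several values in this weblogic.conf are lab conveniences: the certificate name check and basic-constraints enforcement are switched off, and the debug settings write request headers to the log. The Python sketch below is an added example, not part of the original post or of the plug-in: it computes the effective directives per `<Location>` and lists those settings, first for the file above and then for a tightened variant. It assumes that directives placed outside `<Location>` apply to every Location; the finding texts are this example's own wording.

```python
import re

def effective_settings(conf_text):
    """Return {scope: {directive name lowercased: value}} per <Location>."""
    server, locations, current = {}, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+([^>]+)>", line, re.I)
        if opened:
            current = locations.setdefault(opened.group(1).strip(), {})
        elif re.match(r"</Location>", line, re.I):
            current = None
        elif not line.startswith("<"):  # <IfModule> wrappers are transparent
            parts = line.split(None, 1)
            target = server if current is None else current
            target[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    # Assumption: directives set outside <Location> apply to every Location.
    scopes = locations or {"(server)": {}}
    return {scope: {**server, **own} for scope, own in scopes.items()}

def audit(conf_text):
    """Return sorted (scope, directive, finding) tuples for lab-only settings."""
    findings = []
    for scope, cfg in effective_settings(conf_text).items():
        v = {name: value.lower() for name, value in cfg.items()}
        tls = v.get("secureproxy") == "on"
        checks = [
            (tls and v.get("requiresslhostmatch") == "false", "RequireSSLHostMatch",
             "backend certificate name is not matched against the host connected to"),
            (tls and v.get("enforcebasicconstraints") == "false",
             "EnforceBasicConstraints", "CA flag on chain certificates is not enforced"),
            (tls and not v.get("trustedcafile"), "TrustedCAFile",
             "SecureProxy is ON but no trust file is configured"),
            (v.get("debug") == "all", "Debug",
             "request headers, cookies included, are written to WLLogFile"),
            (v.get("debugconfiginfo") == "on", "DebugConfigInfo",
             "plug-in configuration is exposed for debugging"),
        ]
        findings += [(scope, name, why) for hit, name, why in checks if hit]
    return sorted(findings)

# The post's weblogic.conf (comments and blank lines dropped).
PAGE_CONF = r"""
<IfModule mod_weblogic.c>
<Location /console>
    SetHandler weblogic-handler
    WebLogicHost localhost
    WebLogicPort 7002
    SecureProxy ON
    WLProxySSL ON
    RequireSSLHostMatch false
    TrustedCAFile D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\server.pem
    EnforceBasicConstraints false
    WLLogFile D:\BEA_ROOT\user_projects\domains\essex\ssl\blog\wlproxy.log
    Debug ALL
    DebugConfigInfo ON
</Location>
</IfModule>
"""

# Tightened variant; it needs a certificate whose name matches WebLogicHost.
HARDENED_CONF = (PAGE_CONF
                 .replace("RequireSSLHostMatch false", "RequireSSLHostMatch true")
                 .replace("EnforceBasicConstraints false\n", "")
                 .replace("Debug ALL", "Debug OFF")
                 .replace("DebugConfigInfo ON", "DebugConfigInfo OFF"))

if __name__ == "__main__":
    for finding in audit(PAGE_CONF):
        print("%s  %s: %s" % finding)
```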

 

Accessing the console through http://localhost/console then shows the following in wlproxy.log:

 

Tue Nov 11 00:08:43 2008 <502412263585231>
================New Request: [GET /console HTTP/1.1] =================
Tue Nov 11 00:08:43 2008 <502412263585231> INFO: SSL is configured
Tue Nov 11 00:08:43 2008 <502412263585231> SSL Main Context not set. Calling InitSSL
Tue Nov 11 00:08:43 2008 <502412263585231> INFO: SSL configured successfully
Tue Nov 11 00:08:43 2008 <502412263585231> Using Uri /console
Tue Nov 11 00:08:43 2008 <502412263585231> After trimming path: '/console'
Tue Nov 11 00:08:43 2008 <502412263585231> The final request string is '/console'
Tue Nov 11 00:08:43 2008 <502412263585231> Host extracted from serverlist is [localhost]
Tue Nov 11 00:08:43 2008 <502412263585231> Initializing lastIndex=0 for a list of length=1
Tue Nov 11 00:08:43 2008 <502412263585231> getListNode: created a new server node: id='localhost:7002' server_name='localhost', port='80'
Tue Nov 11 00:08:43 2008 <502412263585231> attempt #0 out of a max of 5
Tue Nov 11 00:08:43 2008 <502412263585231> Trying a pooled connection for '127.0.0.1/7002/7002'
Tue Nov 11 00:08:43 2008 <502412263585231> getPooledConn: No more connections in the pool for Host[127.0.0.1] Port[7002] SecurePort[7002]
Tue Nov 11 00:08:43 2008 <502412263585231> general list: trying connect to '127.0.0.1'/7002/7002 at line 2619 for '/console'
Tue Nov 11 00:08:43 2008 <502412263585231> New SSL URL: match = 0 oid = 22
Tue Nov 11 00:08:43 2008 <502412263585231> Connect returns -1, and error no set to 10035, msg 'Unknown error'
Tue Nov 11 00:08:43 2008 <502412263585231> EINPROGRESS in connect() - selecting
Tue Nov 11 00:08:43 2008 <502412263585231> Setting peerID for new SSL connection
Tue Nov 11 00:08:43 2008 <502412263585231> 7f00 0001 5a1b 0000                          ....Z...
Tue Nov 11 00:08:43 2008 <502412263585231> Local Port of the socket is 1782
Tue Nov 11 00:08:43 2008 <502412263585231> Remote Host 127.0.0.1 Remote Port 7002
Tue Nov 11 00:08:43 2008 <502412263585231> general list: created a new connection to '127.0.0.1'/7002 for '/console', Local port:1782
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs from clnt:[Accept]=[image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, ...

Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs from clnt:[Accept-Language]=[fr]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs from clnt:[Accept-Encoding]=[gzip, deflate]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs from clnt:[User-Agent]=[Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ...

Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs from clnt:[Host]=[localhost]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs from clnt:[Connection]=[Keep-Alive]
Tue Nov 11 00:08:43 2008 <502412263585231> URL::sendHeaders(): meth='GET' file='/console' protocol='HTTP/1.1'
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to WLS:[Accept]=[image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, ...

Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to WLS:[Accept-Language]=[fr]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to WLS:[Accept-Encoding]=[gzip, deflate]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to WLS:[User-Agent]=[Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ...

Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to WLS:[Host]=[localhost]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to WLS:[Connection]=[Keep-Alive]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to WLS:[WL-Proxy-SSL]=[true]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to WLS:[WL-Proxy-Client-IP]=[127.0.0.1]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to WLS:[Proxy-Client-IP]=[127.0.0.1]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to WLS:[X-Forwarded-For]=[127.0.0.1]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to WLS:[X-WebLogic-KeepAliveSecs]=[30]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
Tue Nov 11 00:08:43 2008 <502412263585231> INFO: Certificate validation succeeded
Tue Nov 11 00:08:43 2008 <502412263585231> INFO: Negotiated to cipher: 3
Tue Nov 11 00:08:43 2008 <502412263585231> SSLWrite sent 782
Tue Nov 11 00:08:43 2008 <502412263585231> SSLWrite completed, sent 782
Tue Nov 11 00:08:43 2008 <502412263585231> Reader::fill() SSLRead success, read: 202
Tue Nov 11 00:08:43 2008 <502412263585231> URL::parseHeaders: CompleteStatusLine set to [HTTP/1.1 302 Moved Temporarily]
Tue Nov 11 00:08:43 2008 <502412263585231> URL::parseHeaders: StatusLine set to [302 Moved Temporarily]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs from WLS:[Date]=[Mon, 10 Nov 2008 23:08:43 GMT]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs from WLS:[Transfer-Encoding]=[chunked]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs from WLS:[Location]=[https://localhost/console/]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs from WLS:[X-WebLogic-JVMID]=[-353258681]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs from WLS:[X-Powered-By]=[Servlet/2.5 JSP/2.1]
Tue Nov 11 00:08:43 2008 <502412263585231> parsed all headers OK
Tue Nov 11 00:08:43 2008 <502412263585231> sendResponse() : r->status = '302'
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to client (reset):[Date]=[Mon, 10 Nov 2008 23:08:43 GMT]
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to client (reset):[Location]=[https://localhost/console/]
Tue Nov 11 00:08:43 2008 <502412263585231> for 127.0.0.1/7002/7002, updated JVMID: -353258681
Tue Nov 11 00:08:43 2008 <502412263585231> Hdrs to client (reset):[X-Powered-By]=[Servlet/2.5 JSP/2.1]
Tue Nov 11 00:08:43 2008 <502412263585231> Reader::fill() SSLRead success, read: 255
Tue Nov 11 00:08:43 2008 <502412263585231> Reader::fill() SSLRead success, read: 8
Tue Nov 11 00:08:43 2008 <502412263585231> canRecycle: conn=1 status=302 isKA=1 clen=-1 isCTE=1
Tue Nov 11 00:08:43 2008 <502412263585231> closeConn: pooling for '127.0.0.1/7002'
Tue Nov 11 00:08:43 2008 <502412263585231> request [/console] processed sucessfully..................

 

And if we set a bad certificate name and restart Apache, accessing the same URL shows:

 

 

Tue Nov 11 00:09:59 2008 <340812263585991>
================New Request: [GET /console HTTP/1.1] =================
Tue Nov 11 00:09:59 2008 <340812263585991> INFO: SSL is configured
Tue Nov 11 00:09:59 2008 <340812263585991> SSL Main Context not set. Calling InitSSL
Tue Nov 11 00:09:59 2008 <340812263585991> ERROR: SSL initialization failed
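
With `Debug ALL` the log is verbose, so the TLS outcome of each request is easy to miss. The Python sketch below is an added example, not part of the original post or of the plug-in: it groups wlproxy.log lines per request and reports whether backend certificate validation succeeded, which failure message appeared, which backends were marked bad, and whether a Cookie or Authorization header was written to the log. It assumes the number in angle brackets identifies one request, as in the two excerpts above. The verdict names are this example's own, and the sample reuses lines from this page with a constructed cookie value and backend address.

```python
import re

LINE_RE = re.compile(r"^(?:\w{3} \w{3} +\d+ [\d:]{8} \d{4} )?<(\d+)>\s?(.*)$")
REQ_RE = re.compile(r"=+New Request: \[(.+?)\] =+")
BAD_RE = re.compile(r"Marking (\S+) as bad")
SECRET_HDR_RE = re.compile(
    r"Hdrs (?:from clnt|to WLS):\[(?:Cookie|Authorization)\]", re.I)

# Message fragment -> verdict; earlier entries win when a request logs several.
VERDICTS = [
    ("SSL initialization failed", "ssl-init-failed"),
    ("No CA was trusted, validation failed", "backend-cert-untrusted"),
    ("SSL certificate chain validation failed", "backend-chain-invalid"),
    ("SSLWrite failed", "tls-write-failed"),
    ("Certificate validation succeeded", "tls-ok"),
]

def triage(log_text):
    """Group plug-in log lines per request id; return one summary per request."""
    summaries, ranks, current = {}, {}, "-"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            current, msg = m.group(1), m.group(2)
        else:
            msg = line  # no timestamp/id prefix: belongs to the last id seen
        rec = summaries.setdefault(current, {
            "id": current, "request": None, "verdict": "no-tls-evidence",
            "bad_backends": [], "secrets_logged": 0})
        req = REQ_RE.search(msg)
        if req:
            rec["request"] = req.group(1)
        for rank, (needle, verdict) in enumerate(VERDICTS):
            if needle in msg and rank < ranks.get(current, len(VERDICTS)):
                ranks[current] = rank
                rec["verdict"] = verdict
        bad = BAD_RE.search(msg)
        if bad:
            rec["bad_backends"].append(bad.group(1))
        if SECRET_HDR_RE.search(msg):
            rec["secrets_logged"] += 1
    return list(summaries.values())

# Sample built from lines on this page; cookie value and backend are constructed.
SAMPLE_LOG = """\
Tue Nov 11 00:08:43 2008 <502412263585231>
================New Request: [GET /console HTTP/1.1] =================
Tue Nov 11 00:08:43 2008 <502412263585231> INFO: SSL is configured
Tue Nov 11 00:08:43 2008 <502412263585231> INFO: SSL configured successfully
Tue Nov 11 00:08:43 2008 <502412263585231> INFO: Certificate validation succeeded
Tue Nov 11 00:08:43 2008 <502412263585231> request [/console] processed sucessfully..................
Tue Nov 11 00:09:59 2008 <340812263585991>
================New Request: [GET /console HTTP/1.1] =================
Tue Nov 11 00:09:59 2008 <340812263585991> SSL Main Context not set. Calling InitSSL
Tue Nov 11 00:09:59 2008 <340812263585991> ERROR: SSL initialization failed
Mon Jul 6 20:02:40 2015 <1587814361841601> Hdrs from clnt:[Cookie]=[JSESSIONID=constructed-value]
Mon Jul 6 20:02:40 2015 <1587814361841601> INFO: SSL certificate chain validation failed: -6986
Mon Jul 6 20:02:40 2015 <1587814361841601> ERROR: SSLWrite failed
Mon Jul 6 20:02:40 2015 <1587814361841601> Marking 192.0.2.10:7002 as bad
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```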

 

So that's it...

Hope it was clear and useful. Anyway, these are just the main lines. Don't go into production with such a configuration :)

(even if it's not worse than using WebLogic DemoTrust & DemoCertificates ...)

 

 


19 comments:

Anonymous said...

Thanks! It is really helpful.

Anonymous said...

Nice job, but what does this error mean?

Connect returns -1, and error no set to 10035, msg 'Unknown error'

Anonymous said...

Hi Max,

In WLSProxy log i can see the below :-

Using Uri /console
Tue Nov 11 00:08:43 2008 <502412263585231> After trimming path: '/console'
Tue Nov 11 00:08:43 2008 <502412263585231> The final request string is '/console'

Can you tell me what exactly that message indicates?

Maxence Button said...

Hi, the Path Trim is useful when you want to alter the original URL before hitting the server.

More details :
http://e-docs.bea.com/wls/docs81/plugins/plugin_params.html#1157965

Hurry up, by the end of the month, this link won't be valid anymore and you'll have to search on OTN :)

Anonymous said...

Hi Max,

I know about the functionality of pathtrim... but here in the httpd.conf we are not mentioning the pathtrim parameter. So I am confused how the pathtrim will work here?

IfModule mod_weblogic.c
Location /console
SetHandler weblogic-handler
WebLogicHost localhost
WebLogicPort 7002

Also it will be great if you could tell me the flow of the request, how it works when we hit the URL http://localhost/console here with respect to pathtrim...

Maxence Button said...

The trim function seems to be called on each request, even if you did not configure it.

That's why you can observe that message in your log : it's called but does nothing.

Anonymous said...

Thx a lot for your clarification MAX.....

RENJAN

Anonymous said...

hello...

I was testing the steps you mentioned...

After all the configuration, when we try to access the console http://localhost/console it is not giving me the console page (page cannot be displayed), but it is logging SSL successful in wlsproxy.log.

Any suggestions....

Regards,
Tony
Is the wa

Alex said...

Tony,

If you are not planning to proxy by path, you don't need the location tag. You only need to use a MatchExpression. See http://download.oracle.com/docs/cd/E13222_01/wls/docs92/plugins/apache.html

Here's what I've used and it works for me. It's a slight variation of what Max has:

?IfModule mod_weblogic.c?
WebLogicHost WL_Server
WebLogicPort 7002
MatchExpression *

# SSL
SecureProxy ON
WLProxySSL ON
RequireSSLHostMatch false
TrustedCAFile C:\PROGRA~1\APACHE~1\Apache2.2\WL_Server_TrustedCA.pem
EnforceBasicConstraints false
?IfModule?


Notice that I don't have the Location tag. Instead I have everything inside the IfModule tags (BTW, I had to replace the XML tags with "?" because blogger does not allow those tags). Also instead of a PathTrim, I use MatchExpression.

Max, correct me if I'm wrong

Ananth said...

Max,

I have weird problem. I have two instances(non-clustered) in two domains(port 7001 and 7003). I would like to configure Apache plugin to forward to both applications.

For eg,
Domain 1 has app1 on 7001
Domain 2 has App2 on 7003

In the browser, when i hit

http://localhost/app1 it should go to domain 1(port 7001)

If I hit, http://localhost/app2 it should go to domain 2(port 7003)

But unfortunately, httpd.conf allows only one weblogic host to configure.

Do you have any idea if i can configure two instances which is running in different port?

Maxence Button said...

@Alex : yes there are several possibilities as for the Apache configuration.

Yours is correct but note it will use SSL for each and every call, no matter what the path is.

Determining a specified path allows you to configure a different behavior for every path (= every application).

Depends on your needs but it could be worth it.

Maxence Button said...

@Ananth : so you tried a configuration like that ?

**********************************

<IfModule mod_weblogic.c>

<Location /app1>
SetHandler weblogic-handler
WebLogicHost localhost
WebLogicPort 7001

# DEBUG
WLLogFile wlproxy.log
Debug ALL
DebugConfigInfo ON
</Location>

<Location /App2>
SetHandler weblogic-handler
WebLogicHost localhost
WebLogicPort 7003

# DEBUG
WLLogFile wlproxy.log
Debug ALL
DebugConfigInfo ON
</Location>

</IfModule>

**********************************

Well, to be honest, I don't see any reason why it wouldn't work. In order to give you a proper answer, could you post a lil part of your httpd.conf ? (or send it to my email@)

Regards.

Unknown said...

Hi, I am having some issue when I installed and configured SSL on weblogic 10.3.2. The problem is when I installed it appears that it is installed properly as I can see it installed using keytool command but when i started weblogic to work in SSL mode I am getting this error:

in keystore /.keystore on server AdminServer>


any clues as to why am I getting these?

Unknown said...

I am also facing the same issues faced by Tony, I tried whatever Alex has mentioned. Still I am getting page cannot be displayed page

Francis said...

Hi Max,

Can this be applied on WebLogic 8.1? I tried to configure WebLogic 8.1 with Apache web server 2.0.64 right now but got some problems. My proxy log shows that:

INFO: SSL is configured
SSL Main Context not set. Calling InitSSL
INFO: Initializing SSL library
Loaded 1 trusted CA's
INFO: Successfully initialized SSL
INFO: SSL configured successfully
Using Uri /secureWebAuth/
After trimming path: '/secureWebAuth/'
The final request string is '/secureWebAuth/'
Host extracted from serverlist is [10.122.50.48]
Initializing lastIndex=0 for a list of length=1
getListNode: created a new server node: id='10.122.50.48:7002' server_name='winxp-sgg2', port='443'
general list: trying connect to '10.122.50.48'/7002/7002 at line 2696 for '/secureWebAuth/'
New SSL URL: match = 0 oid = 22
Connect returns -1, and error no set to 10035, msg 'Unknown error'
EINPROGRESS in connect() - selecting
Setting peerID for new SSL connection
0a7a 3230 5a1b 0000 .z20Z...
Local Port of the socket is 1601
Remote Host 10.122.50.48 Remote Port 7002
general list: created a new connection to '10.122.50.48'/7002 for '/secureWebAuth/', Local port:1601
Hdrs from clnt:[Host]=[winxp-sgg2]
Hdrs from clnt:[Connection]=[keep-alive]
Hdrs from clnt:[Cache-Control]=[max-age=0]
Hdrs from clnt:[User-Agent]=[Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1]
Hdrs from clnt:[Accept]=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Hdrs from clnt:[Accept-Encoding]=[gzip,deflate,sdch]
Hdrs from clnt:[Accept-Language]=[en-US,en;q=0.8]
Hdrs from clnt:[Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.3]
Hdrs from clnt:[Cookie]=[JSESSIONID=hMQYTx8Gd821vfdvF4z5cqtQVRXyMCCDG7yphrCzKpCpnX3GyCg1!1355456249]
URL::sendHeaders(): meth='GET' file='/secureWebAuth/' protocol='HTTP/1.1'
Hdrs to WLS:[Host]=[winxp-sgg2]
Hdrs to WLS:[Cache-Control]=[max-age=0]
Hdrs to WLS:[User-Agent]=[Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1]
Hdrs to WLS:[Accept]=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Hdrs to WLS:[Accept-Encoding]=[gzip,deflate,sdch]
Hdrs to WLS:[Accept-Language]=[en-US,en;q=0.8]
Hdrs to WLS:[Accept-Charset]=[ISO-8859-1,utf-8;q=0.7,*;q=0.3]
Hdrs to WLS:[Cookie]=[JSESSIONID=hMQYTx8Gd821vfdvF4z5cqtQVRXyMCCDG7yphrCzKpCpnX3GyCg1!1355456249]
Hdrs to WLS:[Connection]=[Keep-Alive]
Hdrs to WLS:[WL-Proxy-SSL]=[true]
Hdrs to WLS:[WL-Proxy-Client-IP]=[10.122.50.218]
Hdrs to WLS:[Proxy-Client-IP]=[10.122.50.218]
Hdrs to WLS:[X-Forwarded-For]=[10.122.50.218]
Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
INFO: No session match found
INFO: No CA was trusted, validation failed
INFO: DeleteSessionCallback
ERROR: SSLWrite failed
SEND failed (ret=-1) at 789 of file ../nsapi/URL.cpp
*******Exception type [WRITE_ERROR_TO_SERVER] raised at line 790 of ../nsapi/URL.cpp
Marking 10.122.50.48:7002 as bad
got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 790 of ../nsapi/URL.cpp]: at line 3078
INFO: Closing SSL context
INFO: Error after SSLClose, socket may already have been closed by peer
Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()


What should i do to fix this problem?

Unknown said...

Thank you Max...Has been trying 2 way ssl ihs7-wl10350 quite some time(embarrassed to say how much)..This worrkkked like charm...first attempt!!!
Thanks a lot!!

regards,
ranjith...

Unknown said...

anyone know about this error??
I'm using Thawte Trial Version and I'm hitting the below issue

Hdrs to WLS:[X-WebLogic-Request-ClusterInfo]=[true]
Mon Jul 6 20:02:40 2015 <1587814361841601> INFO: SSL certificate chain validation failed: -6986
Mon Jul 6 20:02:40 2015 <1587814361841601> trusted certs = 1
Mon Jul 6 20:02:40 2015 <1587814361841601> dumping cert chain
Mon Jul 6 20:02:40 2015 <1587814361841601> commonName is thawte Trial Secure Server Root CA
Mon Jul 6 20:02:40 2015 <1587814361841601> commonName is thawte Trial Secure Server CA - G2
Mon Jul 6 20:02:40 2015 <1587814361841601> commonName is testcomp
Mon Jul 6 20:02:40 2015 <1587814361841601> ERROR: SSLWrite failed
Mon Jul 6 20:02:40 2015 <1587814361841601> SEND failed (ret=-1) at 805 of file ../nsapi/URL.cpp
Mon Jul 6 20:02:40 2015 <1587814361841601> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 806 of ../nsapi/URL.cpp
Mon Jul 6 20:02:40 2015 <1587814361841601> Marking 172.16.3.120:7061 as bad
Mon Jul 6 20:02:40 2015 <1587814361841601> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 806 of ../nsapi/URL.cpp]: at line 3152
Mon Jul 6 20:02:40 2015 <1587814361841601> INFO: Closing SSL context
Mon Jul 6 20:02:40 2015 <1587814361841601> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()

middlewareinfo said...

Elaine,

I am also getting the same error, did you resolve the problem? Please let me know how to fix this.

Thank You

ARVIND said...

can you tell me, from where you get server.pem file used in httpd.conf