I have an application consuming 2 way SSL enabled webservice and my application is deployed in Tomcat server. I've added truststore/keystore and below variables were set in setenv.sh. This seteenv.sh file was copied to /usr/local/tomcat/bin/.
export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/keystore.jks -Djavax.net.ssl.keyStorePassword=password -Djavax.net.debug=ssl"
Application is able to establish 2 way SSL connection successfully. Since logs looked clumsy, I tried removing the option -Djavax.net.debug=ssl from setenv.sh file. But once I removed this option, 2 way SSL connection isn't established and SSLHandshakeFailure exception was thrown. On adding Djavax.net.debug=ssl, connection is established. I'm unable to understand this behaviour.
Can anyone please explain how removing the debug option disables the SSL connection itself?
Related
To access external endpoints I have to go through proxy server. I have been trying to configure the http and https proxy in my glassfish 4.1 server but have had no success. I've tried adding the following sets of Java Options in my domain.xml - manually and through UI. But am still getting "Network is unreachable; nested exception is java.net.SocketException:
Network is unreachable" error.
<jvm-options>-Djava.http.proxyHost=proxy.domain.com</jvm-options>
<jvm-options>-Djava.http.proxyPort=3128</jvm-options>
<jvm-options>-Djava.https.proxyHost=proxy.domain.com</jvm-options>
<jvm-options>-Djava.https.proxyPort=3128</jvm-options>
**********************************************************************
<jvm-options>-Dhttp.proxyHost=proxy.domain.com</jvm-options>
<jvm-options>-Dhttp.proxyPort=3128</jvm-options>
<jvm-options>-Dhttps.proxyHost=proxy.domain.com</jvm-options>
<jvm-options>-Dhttps.proxyPort=3128</jvm-options>
When I check the process (ps -ef | grep java) I can see the Java Options have been applied. I also need to implement http.nonProxyHosts ( something like -Dhttp.nonProxyHosts= *.mydomain.com|localhost ) since some are internal endpoints and need to escape the proxy. But that's the second battle. Any help on this would be very much appreciated.
https://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html
Is there any way to disable the use of TLS v1.1 (and v1) for all SSL configured listeners in Glassfish 4.1? I've tried to set the JVM property
-Ddeployment.security.TLSvX.Y=false
as recommended by this Oracle blog post (https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls) but the protocols are still being used in the https negotiations.
Ok, i've found how to do it by messing around with Glassfish command interface.
Run the following commands:
asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls-enabled=false
asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls11-enabled=false
And this will leave only TLSv1.2 enabled. This commands are run against the default HTTPS listener (port 8181), so remember to run against any other secure HTTP listener if you need to.
I have been having problems with getting my websocket secure (wss://) connection to work.
I recently had to switch servers and got a new SSL certificate, on my previous server wss:// connection use to work fine. On new server I generated a new keystore using instruction provided by the CA, I gave the keystore the same name and password as it had on previous server as well I placed the keystore in the same directory which the code refers to. I did all that so I don't have to change the code.
I am using the exact same .JAR file from previous server, now every time I run my application i get following error message in the console
WebSocket connection to 'wss://example.com:8080/' failed: Error in
connection establishment: net::ERR_CONNECTION_REFUSED
Websockets work fine when I turn off SSL and run it on the same port, I also made sure keystore was created properly and it was. I can't figure out what may the problem be, I would really appreciate help and guidance.
This sounds like a network issue rather than a jetty/SSL issue. Is port 8080 open? Try to run the command "telnet hostname 8080". If you get a connection refused error then the port is not open.
I have a weblogic folder, From this - How can i find the adminurl that I can use with the below command
java weblogic.Deployer –adminurl t3://server:7001 –username system –password weblogic –listapps
I tried looking into setupinfo.txt, portlist.ini - but somehow this did not help/work. How can get this working?
I get errors/exceptions like these (after few attempts)
The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object
Unable to connect to 'http://server:7001': Destination unreachable; java.net.ConnectException: Tried all: 1 addresses, but could not connect over HTTPS to server: localhost port: 7102; No available router to destination
based on setupinfo.txt, I am able to login to the web console - but I need to know how to get this command working with adminurl !!!
Thanks,
Got it, thanks Alex.
Steps
Find startscript.xml under your weblogic domain , search this file for "ADMIN_URL"
The same can be done by web console UI ..... Admin Console Login to AdminConsole->Server->Configuration->ListenPort (enable and note down the port)
Bingo.
Background:
I am working on a project that involves the client to authenticate itself (via client certificate). We are trying to launch a third party app which first authenticates the client cert and then launches its app.
We are using Java and SSL hanshake, and our client server is Weblogic 10.x. The client certificate is in PKCS12 format (cannot change this)
This is the piece of code for presenting the certificate:
System.setProperty("javax.net.ssl.keyStore","MyPath/cert.pfx");
System.setProperty("javax.net.ssl.keyStorePassword","MyPwd");
System.setProperty("javax.net.ssl.keyStoreType","PKCS12");
url.openConnection();
Now all this works pretty well from a standalone. The problem starts when we put this on weblogic. Sometimes it works, sometimes 'Client certificate not present' (http 403.7) is returned. I have tried various combinations (including configuring custome keystore on weblogic console) but nothing seems to work. Any idea why would weblogic altogether ignore the SSL settings (it doesnt throw an error even if I set keystore to a non-existent file)? System.setProperty for SSL just appears useless on weblogic!
In Weblogic 12c you also need add the parameter -DUseSunHttpHandler=true in order to tell the weblogic server to use the Sun Http Handlers instead of its own. Therefore you need the following Java VM parameters:
-Djavax.net.ssl.keyStore=MyPath/cert.pfx
-Djavax.net.ssl.keyStoreType=PKCS12
-Djavax.net.ssl.keyStorePassword=MyPwd
-DUseSunHttpHandler=true
Finally found the solution! Weblogic seems to over-ride the keystore configurations if it is done through Java as above. The thing that worked for me was to configure the SSL settings on JVM level, at web-logic start-up.
To make it work, I just added these Java options in the start-script for weblogic:
-Djavax.net.ssl.keyStore=MyPath/cert.pfx
-Djavax.net.ssl.keyStoreType=MyPwd
-Djavax.net.ssl.keyStorePassword=PKCS12
Restarted web-logic and SSL has been working great since then :)