Sunday, January 18, 2015

FATAL Alert: BAD_CERTIFICATE - A corrupt or unuseable certificate was received

I am trying to invoke a third-party web service (HTTPS) through the Oracle Service Bus/WebLogic Server. However, whenever I try to use a business service to connect, I get the following error message:

The invocation resulted in an error: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received..


WebLogic's hostname verification does not accept wildcard certificates.

If you submit your request to "someserver.thirdparty.com" and the server presents a wildcard certificate, hostname verification fails and you get the error above.

You can:

* Disable hostname verification (never a pleasant thought)
* Write your own custom hostname verification
* Ask them to get a cert specific to their host (with a CN of "someserver.mdsol.com", for instance)
* Or apply the following method, which is Oracle's given solution for WLS 10.3.5 and below, and for WLS 10.3.6

In WLS releases before WLS 11.1.1.5 (WLS 10.3.5), WebLogic Server's hostname verification code did not support wildcard certificates. Thus as per a product enhancement, we have created a separate hostname verification code, which allows wildcard certificates.

Thus in order to have this functionality on WLS 10.3.5 and below, we have Patch 10215257 for WLS 10.3.0, 10.3.4, and 10.3.5.
NOTE: This wildcard implementation is embedded in the binaries of WLS 10.3.6 and 12.1.1.0, thus there is no requirement for a patch on those versions and higher.

Once we apply the appropriate patch we need to do the following:

Add the server start-up parameter (in the JAVA_OPTIONS):
-Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier
Navigate to Admin Console -> server_name -> SSL -> Advanced. Check the checkbox "Use JSSE".

This has to be done on all the servers where we are planning to use the wildcard certificate. If you are using WLS 10.3.6+ or WLS 12.1.1.0+, no patch is needed; do the following:

Navigate to Admin Console -> server_name -> SSL -> Advanced. Check the checkbox "Use JSSE".
Select the value "weblogic.security.utils.SSLWLSWildcardHostnameVerifier" from the "Hostname Verification" dropdown list.

Note:

WebLogic Server by default uses the Certicom SSL implementation. As of WLS 10.3.4, JSSE is available and Certicom is deprecated, as mentioned above.

But with previous versions, i.e. 10.3, which do not have this option available in the console, we can set the following parameters to enable the Sun SSL implementation instead of Certicom:

-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
-Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
-DUseSunHttpHandler=true
-Dweblogic.wsee.client.ssl.usejdk=true (for webservice clients)

*** If the trust authority (CA) of the WebLogic default certificate and of the provider's certificate is the same, you don't need to import the provider's certificate into your trust store.
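If you take the "write your own custom hostname verification" route above, the verifier has to decide correctly when a wildcard certificate name covers the host you connected to. The following is an added example, not code from the original post or from Oracle: a conservative RFC 6125 wildcard matcher in Python (so it runs standalone; in WebLogic the same logic would sit in the class named by the -Dweblogic.security.SSL.hostnameVerifier property shown above). All hostnames and certificate names are constructed sample values.

```python
import ipaddress
from typing import List, Optional


def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive, and a single trailing dot is the same name.
    return name.strip().lower().rstrip(".").split(".")


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Does one certificate DNS name match the hostname the client connected to?

    Conservative rules (RFC 6125 section 6.4.3, as browsers apply them):
      - exact, case-insensitive match always succeeds;
      - a wildcard is honoured only as the entire leftmost label ("*.thirdparty.com"),
        never inside a label ("f*.thirdparty.com") and never in another position;
      - the wildcard stands for exactly one label: "*.thirdparty.com" covers
        "someserver.thirdparty.com" but not "a.b.thirdparty.com" or "thirdparty.com";
      - at least two labels must follow the wildcard, so "*.com" and "*" never match;
      - an IP address literal is never wildcard-matched.
    """
    host, pattern = _labels(hostname), _labels(cert_name)
    if host == pattern:
        return True
    if pattern[0] != "*" or any("*" in label for label in pattern[1:]):
        return False  # no wildcard, or a wildcard in a position we refuse to honour
    if len(pattern) - 1 < 2:
        return False  # "*.com" or "*" would cover far too much
    try:
        ipaddress.ip_address(hostname)
        return False  # IP literals must match a SAN iPAddress entry, never a wildcard
    except ValueError:
        pass
    return len(host) == len(pattern) and host[0] != "" and host[1:] == pattern[1:]


def verify_hostname(hostname: str, san_dns_names: List[str], subject_cn: Optional[str]) -> bool:
    """Check the hostname against all names in a certificate.
    subjectAltName dNSName entries are authoritative; the subject CN is consulted
    only when the certificate carries no dNSName SAN at all (RFC 6125 section 6.4.4).
    """
    candidates = san_dns_names if san_dns_names else ([subject_cn] if subject_cn else [])
    return any(hostname_matches(hostname, name) for name in candidates)


if __name__ == "__main__":
    # Constructed sample: the third party's wildcard certificate as seen by the client.
    sans, cn = ["*.thirdparty.com", "thirdparty.com"], "*.thirdparty.com"
    for host in ["someserver.thirdparty.com", "a.b.thirdparty.com", "someserver.mdsol.com"]:
        print(f"{host:28} -> {verify_hostname(host, sans, cn)}")
```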

3 comments:

  1. How can I do it?

    * Disable host name verification ( never a pleasant thought )
    * Write your own custom hostname verification
    * Ask them to get a cert specific to their host ( with a CN of "someserver.mdsol.com", for instance ).

    thank you

    1. These you can find easily in the Oracle documentation. These are well-known methods and can be configured through WebLogic.