2-Way SSL Connection On WebLogic Fails With javax.net.ssl.SSLHandshakeException: Null Cert Chain

When configuring 2-way SSL between two WebLogic domains, ‘ServerDomain’ and ‘ClientDomain’, the SSL handshake between them fails.

Add the following debug flags to the server start-up JAVA_OPTIONS on both ‘ServerDomain’ and ‘ClientDomain’:

-Djavax.net.debug=all -Dssl.debug=true -Dweblogic.debug.DebugSecuritySSL=true -Dweblogic.StdoutDebugEnabled=true -Dweblogic.log.StdoutSeverity=Debug -Dweblogic.log.LogSeverity=Debug

With the above debug in place, reproducing the 2-way SSL call shows the following error on the ‘ServerDomain’ side:

ExecuteThread: ‘1’ for queue: ‘weblogic.socket.Muxer’, READ: TLSv1.2 Handshake, length = 77
*** Certificate chain
***
ExecuteThread: ‘1’ for queue: ‘weblogic.socket.Muxer’, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-11, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
ExecuteThread: ‘1’ for queue: ‘weblogic.socket.Muxer’, SEND TLSv1.2 ALERT: fatal, description = bad_certificate
ExecuteThread: ‘1’ for queue: ‘weblogic.socket.Muxer’, WRITE: TLSv1.2 Alert, length = 2
ExecuteThread: ‘1’ for queue: ‘weblogic.socket.Muxer’, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
ExecuteThread: ‘1’ for queue: ‘weblogic.socket.Muxer’, called closeOutbound()
ExecuteThread: ‘1’ for queue: ‘weblogic.socket.Muxer’, closeOutboundInternal()

The start-up logs show the configured identity keystores and trust store (cacerts) loading correctly on both ‘ServerDomain’ and ‘ClientDomain’.

But during the 2-way SSL handshake, the error above shows that ‘ClientDomain’ is not sending its identity certificate: the ‘*** Certificate chain’ block that ‘ServerDomain’ reads from the client is empty, so the server aborts with ‘null cert chain’ and sends a fatal bad_certificate alert.

CAUSE

Verifying the ‘ClientDomain’ configuration further showed that ‘Use Server Certs’ was not checked on the Console: Servers: Configuration: SSL tab.

The ‘Use Server Certs’ attribute sets whether the server should use its own server certificate and key as the client identity when initiating an outbound connection over HTTPS. With it unchecked, the outbound connection from ‘ClientDomain’ presents no client certificate, which is exactly what the ‘ServerDomain’ debug output shows.

Fix

Check ‘Use Server Certs’ for the server in ‘ClientDomain’ from the Admin Console – Servers: Configuration: SSL, activate the change and re-run the 2-way SSL call. With the debug flags still enabled, the ‘*** Certificate chain’ block on the ‘ServerDomain’ side should now list the ‘ClientDomain’ identity certificate instead of being empty.
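The symptom and the fix reduce to one question: does the outbound side present an identity certificate when the peer requires one? The following Go program is an added example, not code from WebLogic or from this post; it reproduces the server-side behaviour with the Go standard library. A listener that requires and verifies a client certificate (the ‘ServerDomain’ role) is dialled once without a client identity and once with it, with both sides pinned to TLS 1.2 to match the exchange in the log. The certificate names ‘ServerDomain’ and ‘ClientDomain’, the loopback address and the self-signed certificates generated in memory are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds an in-memory, self-signed certificate for cn that is valid for
// both server and client authentication. Constructed test material only; a real
// deployment uses the CA-issued identities held in the configured keystores.
func selfSigned(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// tryHandshake runs one mutual-TLS handshake over loopback. The listener plays
// ‘ServerDomain’ and demands a client certificate; the dialler plays ‘ClientDomain’
// and presents its identity only when presentClientCert is true (the role of the
// ‘Use Server Certs’ setting). nil from a side means that side completed the handshake.
func tryHandshake(presentClientCert bool) (clientErr, serverErr error) {
	serverID, serverLeaf, err := selfSigned("ServerDomain")
	if err != nil {
		return err, err
	}
	clientID, clientLeaf, err := selfSigned("ClientDomain")
	if err != nil {
		return err, err
	}
	// Each side's trust store holds only the peer's certificate.
	serverTrust := x509.NewCertPool()
	serverTrust.AddCert(clientLeaf)
	clientTrust := x509.NewCertPool()
	clientTrust.AddCert(serverLeaf)

	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{serverID},
		ClientAuth:   tls.RequireAndVerifyClientCert, // 2-way SSL: an empty chain is fatal
		ClientCAs:    serverTrust,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // match the TLSv1.2 exchange in the log
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err, err
	}
	defer ln.Close()

	serverDone := make(chan error, 1)
	release := make(chan struct{})
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			serverDone <- err
			return
		}
		serverDone <- conn.(*tls.Conn).Handshake()
		<-release // keep the socket open until the dialler has read any alert
		conn.Close()
	}()

	cliCfg := &tls.Config{RootCAs: clientTrust, ServerName: "localhost",
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	if presentClientCert {
		cliCfg.Certificates = []tls.Certificate{clientID} // the client identity
	}
	conn, clientErr := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if clientErr == nil {
		conn.Close()
	}
	serverErr = <-serverDone
	close(release)
	return clientErr, serverErr
}

func main() {
	for _, present := range []bool{false, true} {
		clientErr, serverErr := tryHandshake(present)
		fmt.Printf("client presents certificate=%v\n  client: %v\n  server: %v\n", present, clientErr, serverErr)
	}
}
```

Without the client identity the listener rejects the empty Certificate message, sends a fatal bad_certificate alert and reports that the client provided no certificate, while the dialler sees the bad_certificate alert as a remote error; that is the same alert the ‘ServerDomain’ log shows right after the empty ‘*** Certificate chain’ block. Loading the client identity, the equivalent of checking ‘Use Server Certs’, makes both sides complete the handshake.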
