WebLogic 2-Way SSL Handshake Fails

Two-way SSL communication between two applications is failing. It started after enabling “Client Certs Requested and Enforced” on the server side.

WebLogic is configured with 2-way SSL, as seen in the <DOMAIN>/config/config.xml file:

<ssl>
  <client-certificate-enforced>true</client-certificate-enforced>
  <two-way-ssl-enabled>true</two-way-ssl-enabled>
</ssl>

According to this configuration, the client must present a valid certificate; otherwise, the handshake fails.
However, both WLS instances are located on the same machine and are configured with the same identity and trust keystore files.

There is no apparent reason for the failure, so to understand the SSL interactions between client and server, SSL debug flags must be enabled.

For this example, SSL debug flags were enabled on the client end, represented by the WLS AdminServer. These lines were added at the end of the bin/setDomainEnv.sh file:

if [ "${SERVER_NAME}" = "AdminServer" ] ; then
    # Enable JSSE plus SSL/handshake debug output, only for the AdminServer (the client side in this scenario)
    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.enableJSSE=true -Dweblogic.StdoutDebugEnabled=true -Dweblogic.log.StdoutSeverity=Debug -Dssl.debug=true -Djavax.net.debug=ssl"
    export JAVA_OPTIONS
fi

The AdminServer was restarted, the issue was reproduced, and the following sequence was collected from the log files:

<Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING.>
*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
*** Certificate chain
chain [0] = [
Subject: CN=<FQDNHERE>, OU=IT, O=FICTIONALCOMPANY, L=Havant, ST=Hampshire, C=UK
Issuer: CN=<FQDNHERE>, OU=IT, O=FICTIONALCOMPANY, L=Havant, ST=Hampshire, C=UK
***
Found trusted certificate:
Subject: CN=<FQDNHERE>, OU=IT, O=FICTIONALCOMPANY, L=Havant, ST=Hampshire, C=UK
Issuer: CN=<FQDNHERE>, OU=IT, O=FICTIONALCOMPANY, L=Havant, ST=Hampshire, C=UK
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA256withDSA, SHA1withDSA
Cert Authorities:

<CN=<FQDNHERE>, OU=IT, O=FICTIONALCOMPANY, L=Havant, ST=Hampshire, C=UK>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
*** Finished
[ACTIVE] ExecuteThread: '26' for queue: 'weblogic.kernel.Default (self-tuning)', RECV TLSv1.2 ALERT: fatal, handshake_failure

The client was not presenting its certificate: the server's CertificateRequest was answered with an empty Certificate message, hence the handshake failed.

The conclusion is that the 2-way SSL handshake fails if the client's channel is not outbound enabled, and server default channels are not outbound enabled. Without that setting the server does not use its own SSL identity key for connections it initiates, so it has nothing to present when the CertificateRequest arrives.
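To make this diagnosis repeatable, the following triage helper is an added example (not part of the original post or of WebLogic) that reads the two artefacts the post shows: the <ssl> fragment from config.xml and the javax.net.debug=ssl handshake trace. It checks whether the server enforces client certificates, then walks the trace to see whether the client answered the CertificateRequest with a certificate or with an empty chain. The sample config and log text are constructed for the example; the hostnames are placeholders, and the hint it prints follows the outbound-enabled fix described in this post.

```python
"""Triage a WebLogic 2-way SSL handshake failure from config.xml and a JSSE trace.

Added example, not code from the original post. The inputs below are
constructed samples modelled on the post's output.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <ssl> fragment of the server in config.xml
SSL_CONFIG = """<ssl>
  <client-certificate-enforced>true</client-certificate-enforced>
  <two-way-ssl-enabled>true</two-way-ssl-enabled>
</ssl>"""

# Constructed sample: abbreviated -Djavax.net.debug=ssl trace from the client JVM
# when the client has no identity key enabled for outbound connections.
FAILING_LOG = """*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
*** Certificate chain
chain [0] = [
Subject: CN=server.example.invalid, OU=IT, O=FICTIONALCOMPANY, C=UK
Issuer: CN=server.example.invalid, OU=IT, O=FICTIONALCOMPANY, C=UK
***
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=server.example.invalid, OU=IT, O=FICTIONALCOMPANY, C=UK>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
*** Finished
[ACTIVE] ExecuteThread: '26' for queue: 'weblogic.kernel.Default (self-tuning)', RECV TLSv1.2 ALERT: fatal, handshake_failure
"""

# Constructed sample: the same exchange once the client presents its certificate.
HEALTHY_LOG = """*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
*** Certificate chain
chain [0] = [
Subject: CN=server.example.invalid, OU=IT, O=FICTIONALCOMPANY, C=UK
***
*** CertificateRequest
*** ServerHelloDone
*** Certificate chain
chain [0] = [
Subject: CN=client.example.invalid, OU=IT, O=FICTIONALCOMPANY, C=UK
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
*** CertificateVerify
*** Finished
"""

ALERT_RE = re.compile(r"ALERT:\s*fatal,\s*(\w+)")


def server_requires_client_cert(ssl_xml):
    """Read the two flags from the <ssl> fragment; both must be true for enforced 2-way SSL."""
    root = ET.fromstring(ssl_xml)

    def flag(name):
        el = root.find(name)
        return el is not None and (el.text or "").strip().lower() == "true"

    return {"two_way": flag("two-way-ssl-enabled"),
            "enforced": flag("client-certificate-enforced")}


def analyse_handshake(log_text):
    """Walk the JSSE trace and record what the client did after CertificateRequest.

    JSSE prints '*** Certificate chain' for every Certificate message; the one
    that follows ServerHelloDone is the client's, and each 'chain [n] = [' line
    under it is one certificate the client actually sent.
    """
    findings = {"client_cert_requested": False, "client_cert_count": 0,
                "no_suitable_cert_warning": False, "fatal_alert": None}
    after_server_hello_done = False
    in_client_chain = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("*** CertificateRequest"):
            findings["client_cert_requested"] = True
        elif line.startswith("*** ServerHelloDone"):
            after_server_hello_done = True
        elif line.startswith("Warning: no suitable certificate found"):
            findings["no_suitable_cert_warning"] = True
        elif after_server_hello_done and line.startswith("*** Certificate chain"):
            in_client_chain = True   # start of the client's Certificate message
            continue
        elif line.startswith("***"):
            in_client_chain = False  # any other handshake message ends the chain dump
        if in_client_chain and line.startswith("chain ["):
            findings["client_cert_count"] += 1
        m = ALERT_RE.search(line)
        if m:
            findings["fatal_alert"] = m.group(1)
    return findings


def diagnose(ssl_xml, log_text):
    """Combine server policy and client behaviour into one verdict."""
    policy = server_requires_client_cert(ssl_xml)
    f = analyse_handshake(log_text)
    if not (policy["two_way"] and policy["enforced"]):
        return "server does not enforce client certificates; the failure is elsewhere"
    if f["client_cert_requested"] and f["client_cert_count"] == 0:
        return ("client sent no certificate in reply to CertificateRequest; "
                "check that the client's channel is outbound enabled and that "
                "OutboundPrivateKeyEnabled is set so its identity key is used")
    if f["fatal_alert"]:
        return ("client presented %d certificate(s) but the server still sent a fatal %s; "
                "the client did its part, so check the server's validation of that chain"
                % (f["client_cert_count"], f["fatal_alert"]))
    return "handshake completed with a client certificate"


if __name__ == "__main__":
    print(diagnose(SSL_CONFIG, FAILING_LOG))
    print(diagnose(SSL_CONFIG, HEALTHY_LOG))
```

Run it against a real trace by reading the server's stdout log into `analyse_handshake`; the empty-chain case is the signature of this post's problem, whereas a non-zero chain count with a fatal alert points at the server's trust store rather than at the client's channel.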

Enable outbound connections for the servers requiring 2-way SSL using a WLST script:

connect('<USER>', '<PASSWORD>', '<URL>')
edit()
startEdit()
cd('Servers/SERVER_NAME_HERE')
# Let the server's default channel initiate outbound connections ...
cmo.setOutboundEnabled(true)
# ... and use the server's SSL identity key on those outbound connections
cmo.setOutboundPrivateKeyEnabled(true)
save()
activate()

Restart the client and verify the 2-way SSL handshake.
