The log indicates the certificates the WLS server is using are failing the basic constraints check.
I believe older demo certificates will not pass this check.

Look at the contents of the certificate; the updated demo certificates that pass the check have a
CN with "constraints" added in and BasicConstraints.
subjectDN: E = security@bea.com, CN = Demo Certificate Authority Constraints, OU = Security, O = BEA WebLogic, L = San Francisco, S = California, C = US
BasicConstraints: Subject Type=CA, Path Length Constraint=1

If your demo certificates are missing the "Constraints" in the common name, it is likely an older demo
cert that doesn't have BasicConstraints set properly. You should look for the updated demo certificates.
They should be with the kit/patch that the IIS plugin came with (i.e., the one that does this checking).

The IIS plugin configuration can be set to turn off the checking, but the check is protecting against attacks
where an end entity cert from a trusted CA is being used to sign other end entity certs, so disabling
the check opens up a security hole.

I believe the setting to disable the check in the IIS plugin is:
EnforceBasicConstraints=OFF

Tony

"Danny Newman" wrote in message
news:3f2658f9$1@newsgroups.bea.com...
>
> I am trying to establish SSL communication between IIS and WLS using SSL. WLS works
> OK in SSL and the proxy works fine without SSL. It's just the SSL through the proxy
> that is problematic.
> I am using the demo certs and bits to prove that it works, could this be the problem?
> The relevant bit of my iisproxy.ini looks like:
> WebLogicPort=17002
> SecureProxy=ON
> TrustedCAFile=C:\WINNT\system32\trusted.crt
> WLProxySSL=ON
> clientCertProxy=true
> Debug=ON
>
> and wlproxy.log shows:
> Tue Jul 29 11:27:31 2003 ========================== New Request ==========================
> Tue Jul 29 11:27:31 2003 SSL must be used
> Tue Jul 29 11:27:31 2003 Initializing SSL
> Tue Jul 29 11:27:31 2003 INFO: Initializing SSL library
> Tue Jul 29 11:27:31 2003 ERROR: Failed to load trusted CA file(C:\WINNT\system32\trusted.pem).
> err = -6992 loaded = 0
> Tue Jul 29 11:27:31 2003 ERROR: SSL initialization failed
> Tue Jul 29 11:27:31 2003 timer thread starting
> Tue Jul 29 11:29:28 2003 ========================== New Request ==========================
> Tue Jul 29 11:29:28 2003 SSL must be used
> Tue Jul 29 11:29:28 2003 Initializing SSL
> Tue Jul 29 11:29:28 2003 INFO: Initializing SSL library
> Tue Jul 29 11:29:28 2003 Loaded 1 trusted CA's
> Tue Jul 29 11:29:28 2003 timer thread starting
> Tue Jul 29 11:29:28 2003 INFO: Successfully initialized SSL
> Tue Jul 29 11:29:28 2003 SSL configured successfully
> Tue Jul 29 11:29:28 2003 Request URI = [/BMWDefault/UserList.do]
> Tue Jul 29 11:29:28 2003 attempt #0 out of a max of 10
> Tue Jul 29 11:29:28 2003 general list: trying connect to 'SSUK094'/17002/17002
> at line 1012 for '/BMWDefault/UserList.do'
> Tue Jul 29 11:29:28 2003 New SSL URL: match = 1 oid = 22
> Tue Jul 29 11:29:28 2003 WLS info in sendRequest: SSUK094:17002 recycled? 0
> Tue Jul 29 11:29:28 2003 INFO: sysSend 52
> Tue Jul 29 11:29:29 2003 INFO: CA certificate missing basicConstraints, validation
> failed
> Tue Jul 29 11:29:29 2003 ERROR: SSLWrite failed
> Tue Jul 29 11:29:29 2003 SEND failed (ret=-1) at 638 of file .../nsapi/URL.cpp
> Tue Jul 29 11:29:29 2003 *******Exception type [WRITE_ERROR_TO_SERVER] raised
> at line 639 of ../nsapi/URL.cpp
> Tue Jul 29 11:29:29 2003 Marking SSUK094:17002 as bad
> Tue Jul 29 11:29:29 2003 Exception occurred for backend host 'SSUK094/17002' while
> sending request : 'WRITE_ERROR_TO_SERVER [os error=0, line 639 of .../nsapi/URL.cpp]:
> 'Tue Jul 29 11:29:29 2003 got exception in sendRequest phase: WRITE_ERROR_TO_SERVER
> [os error=0, line 639 of ../nsapi/URL.cpp]: at line 776
> Tue Jul 29 11:29:29 2003 INFO: Closing SSL context
> Tue Jul 29 11:29:29 2003 INFO: sysSend 14
> Tue Jul 29 11:29:29 2003 INFO: Error after SSLClose, socket may already have been
> closed by peer
> Tue Jul 29 11:29:29 2003 failing over after sendRequest exception
>
> Please help, I'm starting to feel stupid
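
Added example, not part of the original posts and not the plugin's own code: a simplified Python model of the basic constraints check discussed in the reply above, showing why a CA without the extension is rejected and what is accepted when the check is turned off. The `Cert` class, `check_chain` function and all certificate names are constructed for illustration; signature verification and real X.509 parsing are omitted, and treating the trusted CA itself as subject to the check is an assumption based on the log message.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Simplified certificate model (constructed; no signatures or DER parsing)."""
    subject: str
    issuer: str
    is_ca: Optional[bool] = None    # None: basicConstraints extension absent
    path_len: Optional[int] = None  # pathLenConstraint, if present


def check_chain(chain: List[Cert], enforce: bool = True) -> Tuple[bool, str]:
    """chain[0] is the server cert, chain[-1] the trusted CA.

    `enforce` is a stand-in for the plugin's basic constraints setting.
    """
    for i in range(len(chain) - 1):
        child, issuer = chain[i], chain[i + 1]
        if child.issuer != issuer.subject:
            return False, f"{child.subject}: not issued by {issuer.subject}"
        if not enforce:
            continue
        if issuer.is_ca is None:
            return False, f"{issuer.subject}: CA certificate missing basicConstraints"
        if not issuer.is_ca:
            return False, f"{issuer.subject}: end entity cert used as a signer"
        # chain[1..i] are the intermediate CAs below this issuer; the leaf is not counted.
        if issuer.path_len is not None and i > issuer.path_len:
            return False, f"{issuer.subject}: path length {issuer.path_len} exceeded"
    return True, "ok"


# Constructed sample certificates (names are illustrative).
NEW_CA = Cert("Demo CA Constraints", "Demo CA Constraints", is_ca=True, path_len=1)
OLD_CA = Cert("Old Demo CA", "Old Demo CA")  # no basicConstraints extension
SERVER = Cert("wls-server", "Demo CA Constraints", is_ca=False)
OLD_SERVER = Cert("wls-server", "Old Demo CA", is_ca=False)
FORGED = Cert("forged-site", "wls-server", is_ca=False)  # signed by an end entity cert

if __name__ == "__main__":
    for label, chain, enforce in [
        ("updated demo CA", [SERVER, NEW_CA], True),
        ("older demo CA", [OLD_SERVER, OLD_CA], True),
        ("end entity as signer", [FORGED, SERVER, NEW_CA], True),
        ("same chain, check off", [FORGED, SERVER, NEW_CA], False),
    ]:
        print(f"{label:24} {check_chain(chain, enforce)}")
```

With the check off, the chain that runs through the server's own end entity certificate validates, which is the hole the reply describes.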