Apache SSL to WebLogic SSL - Weblogic


  1. Apache SSL to WebLogic SSL


    Hello,
    I cannot connect Apache (2.0.48) SSL to WebLogic SSL 6.1.
    I get an error in the log file:
    CA certificate missing basicConstraints, validation failed.

    1. Can I use the default TrustedCAFile, and where can I find it?

    2. Where do I put the TrustedCAFile specified in Apache httpd.conf (TrustedCAFile "full
    file path")?
    On the Apache server or the WebLogic server?

    3. Do I need 3 (three) different TrustedCAFiles?
    One for Apache, one for WebLogic and one for the WL plug-in for Apache?

    4. Do I need additional configuration for WebLogic Server?

    I have the following configuration:
    LoadModule weblogic_module modules/mod_wl128_20.so

    WebLogicHost x.x.x.228
    WebLogicPort 7999
    MatchExpression *.gif
    MatchExpression *.jsp
    MatchExpression *.zip
    Debug ALL
    DebugConfigInfo ON
    WLLogFile /usr/local/apache/logs/wlproxy.log

    SecureProxy ON
    TrustedCAFile /export/home/bea/wlserver6.1/config/myDomain/trusted.crt
    WLProxySSL ON
    RequireSSLHostMatch false



    SetHandler weblogic-handler
    PathTrim /



    Thanks,
    Oleg.

  2. Re: Apache SSL to WebLogic SSL


    Is this the case of an SSL client on Apache connecting to the SSL server on Weblogic?
    Does it connect over 1-way SSL? In this case only the client does the validation
    of the server's identity certificate. So, only Apache side trust needs to be configured
    for this connection.
    The client trust configuration depends on the identity certificate you'll be using
    on the server. The set of trusted CA certificates must include the certificate
    of the CA that issued the server's identity certificate.

    The error you are getting is probably caused by Apache validating and rejecting
    a CA certificate you are using. According to RFC 2459 CA certificates must include
    the basic constraints extension that must appear as critical.

    Pavel.



  3. Re: Apache SSL to WebLogic SSL


    Hello Pavel,
    Thank you for your response.
    We have an SSL client on Apache connecting to the SSL server on WebLogic, 1-way SSL.
    1. How do we generate and install ca.pem for WL6.1 sp5? I can't find help for WL6.1.
    We want to use the TrustedCAFile generated by WL Server.
    2. How do we set the FULL directory path for the TrustedCAFile specified in Apache httpd.conf
    if Apache and WL reside on different machines?

    Thanks,
    Oleg.



  4. Re: Apache SSL to WebLogic SSL


    If you are using the demo certificates for the server identity (should not be used
    in production mode), then you need to configure Apache to trust the Demo CA. Its
    certificate is shipped with the server in: ca.pem, or trusted.crt file. You can
    copy the certificate file to another machine.
    Here is the link to 6.1 documentation:
    http://e-docs.bea.com/wls/docs61/adm...c.html#1082139
    Note this page is talking about patch CR090101_610sp4 that added the basic constraints
    extension to the certificates. It sounds like you do not have it.

    Pavel.



  5. Re: Apache SSL to WebLogic SSL and why people move out from WebLogic


    Hello,
    That was a problem for nothing.
    Just set basicConstraints OFF



  6. Re: Apache SSL to WebLogic SSL and why people move out from WebLogic


    Except that by turning basic constraints check off you are opening up a security
    hole.
    See this page for description: http://computercops.biz/article1269.html

    Pavel.
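
Added example (not part of the original thread, and not BEA or Apache code): a way to see which certificates in a TrustedCAFile would trigger the "CA certificate missing basicConstraints" error, instead of switching the check off. All function names are hypothetical, and the sample certificates are constructed skeletons with no real keys or signatures; the parser reads DER from any PEM bundle.

```python
import base64
import re

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER element at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def basic_constraints(der):
    """Return None if the extension is absent, else {'critical': bool, 'ca': bool}."""
    tbs = children(read_tlv(der, 0)[1])[0][1]  # Certificate -> tbsCertificate
    for wrapper in (v for t, v in children(tbs) if t == 0xA3):  # [3] extensions
        for _, ext in children(children(wrapper)[0][1]):
            fields = children(ext)  # extnID, optional critical BOOLEAN, extnValue
            if fields[0][1] != BASIC_CONSTRAINTS_OID:
                continue
            critical = len(fields) == 3 and fields[1][1] != b"\x00"
            inner = children(children(fields[-1][1])[0][1])  # BasicConstraints body
            ca = any(t == 0x01 and v != b"\x00" for t, v in inner)
            return {"critical": critical, "ca": ca}
    return None

def audit_ca(der):
    """Verdict for one certificate that is meant to be trusted as a CA."""
    bc = basic_constraints(der)
    if bc is None:
        return "REJECT: basicConstraints missing"
    if not bc["ca"]:
        return "REJECT: cA flag not set"
    return "OK" if bc["critical"] else "WARN: basicConstraints not marked critical"

def audit_bundle(pem_text):
    """Audit every certificate in a PEM bundle such as a TrustedCAFile."""
    return [audit_ca(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]

# --- constructed sample data: certificate skeletons, no real keys or signatures ---
def tlv(tag, body=b""):  # short-form length only, enough for the samples
    return bytes([tag, len(body)]) + body

def sample_cert(critical=None, ca=False):
    """Build a skeleton certificate; critical=None omits basicConstraints entirely."""
    exts = b""
    if critical is not None:
        value = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")
        crit = tlv(0x01, b"\xff") if critical else b""
        ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + crit + tlv(0x04, value))
        exts = tlv(0xA3, tlv(0x30, ext))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) * 5 + exts)
    return tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00"))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
```

Calling `audit_bundle(open(path).read())` on the file named by TrustedCAFile returns one verdict per certificate, in file order.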



  7. Re: Apache SSL to WebLogic SSL


    Hi Pavel,
    The problem was between the WebLogic plug-in and the WebLogic server,
    and not with the MS browser to Apache, and not with Apache to the WebLogic plug-in.
    At least, you should provide a meaningful message (in the log file or somewhere else).
    We can't spend time for nothing, like setSomething OFF or opening a ticket with BEA.

    Oleg.


