Re: 2 way SSL - Cert Chain incomplete error - Weblogic



Thread: Re: 2 way SSL - Cert Chain incomplete error

  1. Re: 2 way SSL - Cert Chain incomplete error

    I'm having the same problem with SP2. I don't think the server that is acting as the client is actually sending a certificate chain. I think when creating the InitialContext, you need to set some of the properties like WLContext.SSL_CLIENT_CERTIFICATE. The only example I can find uses the Environment.setSSLClientCertificate method to open the certificate files as PEMInputStreams and set them that way. But according to the Javadoc for the weblogic.jndi.WLContext class, you can set the SSL_CLIENT_CERTIFICATE property to the string "SERVER", and it will send the server certificate from the server acting as the client, to the server acting as the server. But it doesn't work. Does anyone have an example of that functionality?

    Eric Guerber

  2. Re: 2 way SSL - Cert Chain incomplete error

    SSL clients running on a server share the server's trust configuration by default, but not the identity. Applications are responsible for setting the identity when necessary. weblogic.jndi.Environment has setSSLClientCertificate(), setSSLClientKeyPassword(), or loadLocalIdentity() methods for that.

    Pavel.

  3. Re: 2 way SSL - Cert Chain incomplete error

    Thanks for replying, Pavel. What I'm really interested in is if there is an easy way to make an SSL client on a server share the identity configuration. I was interested by the following line in the javadoc for the SSL_CLIENT_CERTIFICATE field in the weblogic.jndi.WLContext interface: "Specifies an RSA private key and a chain of certificates for client authentication. In a server, it can be set to the special string SERVER to refer to the server's private key and certificate chain." I hoped that would allow the client to use the server's identity, but I haven't been able to get it to work.

    Eric

  4. Re: 2 way SSL - Cert Chain incomplete error

    Looks like there is an error in the javadoc. This property is expected to point to an array of InputStreams in the properties Hashtable passed to weblogic.jndi.Environment. As far as I can tell Environment is the only class that interprets it, and WLS 700/810 provides no SSL API for sharing the Server's identity. To do this you'd need to get the private key and certificate from the server's identity keystore, and pass them to the appropriate method when configuring your SSL client context.

    Pavel.
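The keystore-based approach described in the last reply, written out as an added Java example (not code from the thread or from WebLogic's own samples). It reads the private key and full certificate chain from the server's identity keystore and hands them to weblogic.jndi.Environment.loadLocalIdentity(), the method named in the second reply; the keystore path, alias and passwords are placeholders, and the chain-length check is there because a chain with no intermediates is the usual cause of the "cert chain incomplete" error this thread is about.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import javax.naming.Context;
import weblogic.jndi.Environment;

public class ClientIdentityFromKeystore {
    // Placeholder values: substitute the identity keystore, alias and passwords
    // configured for the server that is acting as the SSL client.
    static final String KEYSTORE_PATH = "/path/to/identity.jks";   // placeholder
    static final String KEYSTORE_PASS = "keystore-password";        // placeholder
    static final String KEY_ALIAS     = "server-identity";          // placeholder
    static final String KEY_PASS      = "key-password";             // placeholder

    // Builds a JNDI context whose SSL client identity is the server's own key and chain.
    static Context connect(String providerUrl) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(KEYSTORE_PATH);
        try {
            ks.load(in, KEYSTORE_PASS.toCharArray());
        } finally {
            in.close();
        }
        PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, KEY_PASS.toCharArray());
        Certificate[] chain = ks.getCertificateChain(KEY_ALIAS);
        if (key == null || chain == null) {
            throw new IllegalStateException("alias " + KEY_ALIAS + " has no private key entry");
        }
        // A chain holding only the leaf certificate means the intermediate CA was never
        // imported into the keystore; the peer will then reject the handshake.
        if (chain.length < 2) {
            throw new IllegalStateException("certificate chain for " + KEY_ALIAS
                    + " has no intermediate certificates (length " + chain.length + ")");
        }
        Environment env = new Environment();
        env.setProviderUrl(providerUrl);        // e.g. t3s://host:7002 (placeholder)
        env.loadLocalIdentity(chain, key);       // identity sent during 2-way SSL
        return env.getInitialContext();
    }

    public static void main(String[] args) throws Exception {
        Context ctx = connect("t3s://remote-host:7002"); // placeholder URL
        ctx.close();
    }
}
```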
