Hi,

I am trying to establish a connection from a class inside WL to another
https site, so my class works as an HTTP client.
I exported the server certificate from the remote host into a keystore.
This keystore is used when configuring the SSL socket. When I run the
code as a standalone app in the Sun JVM, everything works fine.
But when I execute the same source from within the container, I get
the following errors:

================
nested exception is: javax.ejb.TransactionRolledbackLocalException:
EJB Exception: ; nested exception is:
de.westlotto.portal.component.newsletter.error.NewsletterSystemException:
Error connecting to the newsletter system!; nested exception is:
javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain
received from secure.ecircle-ag.com - 195.140.186.104 was not trusted
causing SSL handshake failure.
javax.ejb.TransactionRolledbackLocalException: EJB Exception: ; nested
exception is: de.westlotto.portal.component.newsletter.error.NewsletterSystemException:
Error connecting to the newsletter system!; nested exception is:
javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain
received from secure.ecircle-ag.com - 195.140.186.104 was not trusted
causing SSL handshake failure.
de.westlotto.portal.component.newsletter.error.NewsletterSystemException:
Error connecting to the newsletter system!; nested exception is:
javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain
received from secure.ecircle-ag.com - 195.140.186.104 was not trusted
causing SSL handshake failure.
javax.net.ssl.SSLKeyException: [Security:090477]Certificate chain
received from secure.ecircle-ag.com - 195.140.186.104 was not trusted
causing SSL handshake failure.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Lcom.certicom.tls.interfaceimpl.AlertEvent;)V(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Lcom.certicom.tls.record.alert.Alert;Lcom.certicom.tls.interfaceimpl.AlertEvent;)V(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Lcom.certicom.tls.record.alert.Alert;)V(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(II)V(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Lcom.certicom.tls.record.handshake.HandshakeMessage;)V(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Lcom.certicom.tls.record.handshake.HandshakeMessage;)V(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages([BILcom.certicom.tls.interfaceimpl.ProtocolVersion;)V(Unknown Source)
at com.certicom.tls.record.ReadHandler.interpretContent([BIILcom.certicom.tls.interfaceimpl.ProtocolVersion;)V(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord()I(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete()V(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake()V(Unknown Source)
at com.certicom.tls.record.WriteHandler.write([BII)V(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer()V(BufferedOutputStream.java:66)
at java.io.BufferedOutputStream.flush()V(BufferedOutputStream.java:124)
at java.io.FilterOutputStream.flush()V(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests()V(HttpURLConnection.java:101)
at weblogic.net.http.HttpURLConnection.getInputStream()Ljava.io.InputStream;(HttpURLConnection.java:298)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream()Ljava.io.InputStream;(SOAPHttpsURLConnection.java:29)
at java.net.URL.openStream()Ljava.io.InputStream;(URL.java:913)
at de.westlotto.portal.component.newsletter.adapter.ECMRequestHandler.sendRequest(Ljava.util.Map;)V(ECMRequestHandler.java:185)
at
..
..
..
=====================

I enabled some SSL debug params for the WebLogic server and got
the following output:
=====================
####<03.02.2005 10.40 Uhr UTC>
<> <> the private key stored under the alias DemoIdentity from the jks
keystore file D:\bea\weblogic81\server\lib\DemoIdentity.jks.>
####<03.02.2005 10.40 Uhr UTC>
<> <> the identity certificate stored under the alias DemoIdentity from the
jks keystore file D:\bea\weblogic81\server\lib\DemoIdentity.jks.>
####<03.02.2005 10.40 Uhr UTC>
<> <>
with a full strength (domestic) license.>
####<03.02.2005 10.40 Uhr UTC>
<> <> trusted certificates from the jks keystore file
D:\bea\weblogic81\server\lib\DemoTrust.jks.>
####<03.02.2005 10.40 Uhr UTC>
<> <> trusted certificates from the jks keystore file
D:\bea\JROCKI~1\jre\lib\security\cacerts.>
..
..
..
####<03.02.2005 10.45 Uhr UTC>
'weblogic.kernel.Default'> <>
D:\bea\weblogic81\server\lib\DemoTrust.jks.>
####<03.02.2005 10.45 Uhr UTC>
'weblogic.kernel.Default'> <>
D:\bea\JROCKI~1\jre\lib\security\cacerts.>
####<03.02.2005 10.45 Uhr UTC>
'weblogic.kernel.Default'> <>
195.140.186.104 was not trusted causing SSL handshake failure.>
####<03.02.2005 10.45 Uhr UTC>
'weblogic.kernel.Default'> <>
195.140.186.104 was not trusted causing SSL handshake failure.>
####<03.02.2005 10.45 Uhr UTC>
'weblogic.kernel.Default'> <>
195.140.186.104 was not trusted causing SSL handshake failure.>
=====================

Since I explicitly load my personal keystore to retrieve the
certificate for validation, I'm wondering why only the default jks
files appear in the second logfile. I expected to see something like
"loading certificates from eCircle.keystore file ..."

The code I wrote for establishing the connection should _not_ rely on
proprietary BEA classes. It looks like the following:
=====================
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Fields set elsewhere in the class (not shown in the post): keyStoreType,
// keyStoreLocation, keyStorePassword, certificateName, algorithm, baseUrl,
// REQUEST_METHOD, REQUEST_PROPERTY_ACCEPT, REQUEST_PROPERTY_CONTENT_TYPE,
// lastResponse, logger, and the getEncodedUrl(Map) helper.

/**
 * Initialise a KeyStore holding the server certificate we accept for the
 * SSL connection and build an SSLSocketFactory that trusts only it.
 */
private SSLSocketFactory getSSLSocketFactory() throws KeyStoreException,
        NoSuchAlgorithmException, IOException, CertificateException,
        UnrecoverableKeyException, KeyManagementException {

    KeyStore keyStore = KeyStore.getInstance(keyStoreType);
    InputStream inputStream = new FileInputStream(keyStoreLocation);
    try {
        keyStore.load(inputStream, keyStorePassword.toCharArray());
    } finally {
        inputStream.close();
    }

    logger.debug("certificate = " + certificateName + " found: "
            + keyStore.isCertificateEntry(certificateName));

    // Trust managers: the exported server certificate is the only trust anchor.
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(algorithm);
    trustManagerFactory.init(keyStore);
    TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

    // Key managers are only needed for client-certificate authentication; this
    // keystore holds a trusted-certificate entry, so no key entries come out of it.
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(algorithm);
    keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());
    KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

    // "TLS" instead of the legacy protocol name "SSL"; same JSSE context on 1.4+
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(keyManagers, trustManagers, null);
    return sslContext.getSocketFactory();
}

/**
 * Calls the method above to retrieve an SSLSocketFactory initialised with
 * our certificates, then performs the request.
 */
public void sendRequest(Map requestParams) throws IOException,
        NoSuchAlgorithmException, KeyManagementException,
        CertificateException, UnrecoverableKeyException,
        KeyStoreException {
    String encodedUrl = getEncodedUrl(requestParams);
    HttpURLConnection httpsUrl = null;
    BufferedReader reader = null;

    try {
        URL url = new URL(encodedUrl);
        SSLSocketFactory sslSocketFactory = getSSLSocketFactory();
        HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
        // returns an https connection; SSL has been configured above
        httpsUrl = (HttpURLConnection) url.openConnection();

        httpsUrl.setUseCaches(false);
        httpsUrl.setDoInput(true);
        httpsUrl.setDoOutput(true);
        httpsUrl.setRequestMethod(REQUEST_METHOD);
        httpsUrl.setRequestProperty("accept", REQUEST_PROPERTY_ACCEPT);
        httpsUrl.setRequestProperty("content-type", REQUEST_PROPERTY_CONTENT_TYPE);

        logger.info("Connecting to " + httpsUrl + " with RequestMethod = "
                + httpsUrl.getRequestMethod());

        // Read from the connection configured above. url.openStream() would open
        // a second, unconfigured connection (that is the call in the stack trace).
        reader = new BufferedReader(new InputStreamReader(httpsUrl.getInputStream()));
        String inputLine;
        StringBuffer response = new StringBuffer();
        while ((inputLine = reader.readLine()) != null) {
            response.append(inputLine);
            logger.info("Return : " + inputLine);
        }
        lastResponse = response.toString();
    } finally {
        if (reader != null) {
            reader.close();
        }
        if (httpsUrl != null) {
            httpsUrl.disconnect();
        }
    }
}

=====================

I _can_ see that the keystore file is also being loaded on the server,
but it doesn't have the desired effect. Does it have something to do
with my setting the SSLSocketFactory on HttpsUrlConnection? I cannot
cast to an HttpsUrlConnection because url.openConnection() returns a
SoapHttpsUrlConnection, something special from BEA :-(
In fact I only want to encrypt the connection, so validating the
certificate is not really a requirement.
Has anyone an idea what went wrong? I guess it's more a
configuration than a coding issue ...

I use WL 8.1 SP3 on WinXP SP2

TIA

Frank
frank_ratzlow@nojunk.hotmail.com
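Editor's note on the post above, with an added example that is not the poster's code. Two things are visible in what was posted. First, the debug log lists exactly the trust keystores the container consulted (DemoTrust.jks and the JRockit cacerts); the eCircle keystore never appears because, inside the container, the https URL handler is weblogic.net.http (SOAPHttpsURLConnection in the trace, backed by the Certicom TLS stack), and that handler does not go through javax.net.ssl.HttpsURLConnection, so HttpsURLConnection.setDefaultSSLSocketFactory() is never consulted. Getting the exported certificate into a trust keystore the server itself loads (keytool -import -alias ecircle -file <exported.cer> -keystore <trust.jks>, pointing at the trust keystore configured for the server, or at DemoTrust.jks on a development box) is the configuration-side fix that matches the log. Second, "I only want to encrypt, validation is not really a requirement" is the one thing not to act on: a client that encrypts but does not authenticate the peer can be intercepted without any error, and the poster's approach of pinning the exported server certificate is the right shape for a fixed partner endpoint. The example below is the JSSE side of that pattern written so that it cannot silently degrade: it trusts only the pinned certificates, applies the socket factory to the individual connection rather than the JVM-wide default, refuses to proceed when the URL handler is not a JSSE HttpsURLConnection (the exact situation in the trace), keeps the default hostname verifier, and reads from the connection it configured rather than from a second url.openStream(). The class name, command-line arguments and trust store path are assumptions for illustration.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Pinned-trust HTTPS GET client (added example, not code from the post).
 * Trusts ONLY the certificates in the given keystore, applies that trust to the
 * individual connection rather than to the JVM-wide default, and refuses to run
 * when the URL handler is not the JDK's JSSE one, so that a container handler
 * (e.g. weblogic.net.http.*) cannot silently substitute its own trust anchors.
 */
public final class PinnedHttpsClient {

    private final SSLSocketFactory socketFactory;

    public PinnedHttpsClient(String trustStorePath, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(trustStorePath);
        try {
            trustStore.load(in, trustStorePassword);
        } finally {
            in.close();
        }
        if (trustStore.size() == 0) {
            throw new GeneralSecurityException("trust store " + trustStorePath + " holds no entries");
        }
        // Trust managers only: we present no client certificate, so no KeyManager is needed.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        this.socketFactory = ctx.getSocketFactory();
    }

    /** Performs a GET and returns the body; the peer must chain to the pinned trust store. */
    public String get(String spec) throws IOException {
        URL url = new URL(spec);
        URLConnection raw = url.openConnection();
        if (!(raw instanceof HttpsURLConnection)) {
            // A container-specific handler would ignore any JSSE socket factory we set,
            // so fail loudly here instead of handshaking with someone else's trust anchors.
            throw new IOException("expected javax.net.ssl.HttpsURLConnection but got "
                    + raw.getClass().getName() + " for " + url.getHost());
        }
        HttpsURLConnection conn = (HttpsURLConnection) raw;
        conn.setSSLSocketFactory(socketFactory); // per connection, not setDefaultSSLSocketFactory
        // The default HostnameVerifier stays in place: a pinned certificate issued to a
        // different host name is still rejected.
        conn.setRequestMethod("GET");
        conn.setUseCaches(false);

        BufferedReader reader = null;
        try {
            // Read from the connection we configured; url.openStream() would open a
            // second connection that never saw setSSLSocketFactory().
            reader = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
            // Record which certificate the peer actually presented (handshake is done by now).
            X509Certificate peer = (X509Certificate) conn.getServerCertificates()[0];
            System.err.println("peer certificate subject: " + peer.getSubjectDN());
            StringBuffer body = new StringBuffer();
            String line;
            while ((line = reader.readLine()) != null) {
                body.append(line).append('\n');
            }
            return body.toString();
        } finally {
            if (reader != null) {
                reader.close();
            }
            conn.disconnect();
        }
    }

    /** Usage: java PinnedHttpsClient <truststore.jks> <storepass> <https-url> */
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: PinnedHttpsClient <truststore.jks> <storepass> <https-url>");
            System.exit(2);
        }
        PinnedHttpsClient client = new PinnedHttpsClient(args[0], args[1].toCharArray());
        System.out.println(client.get(args[2]));
    }
}
```

Run stand-alone in a plain Sun JVM this behaves like the poster's working case; run inside WebLogic 8.1 it throws the "expected javax.net.ssl.HttpsURLConnection but got weblogic.net.http.SOAPHttpsURLConnection" IOException immediately, which turns the silent fallback to the server's trust keystores into an explicit signal that the certificate has to be configured on the container side instead.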