At the end of my rope. Cannot get Weblogic to Weblogic SSL working - weblogic.developer.interest.webservices.general (Archived)

I have a webservice running on Server B. I can call this webservice from the command line with the code shown below. I used clientgen to generate the Service and Stub stuff.
======================================================
// Client key pair (presented to the server for two-way SSL)
System.setProperty("javax.net.ssl.keyStore", pathToKeystore + "ipetet.prod.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "password");

// Certificates used to validate the server's certificate
System.setProperty("javax.net.ssl.trustStore", pathToKeystore + "ipetet.prod.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "password");

// Service and port classes generated by clientgen
service = new IPETETWSHandler_Impl(webserviceURL);
port = service.getIPETETWSHandlerPort();
=========================================================
Again, this works GREAT when I go from the command line to any of our servers running the webservice, or if I go from Weblogic Server A (running a JSP which calls the webservice) with the client-cert-enforced set to FALSE on server B.
However, once I turn on client-cert-enforced, my command line client is still fine, YET my JSP running on Weblogic server A gets all these "incomplete certificate" errors on the server side.
I've tried everything I can think of. I can't find anything on the Weblogic site or in the examples provided with WLS9.2 that address my particular problems, as I'm using 2 Way SSL with a webservice call and I'm not using Workshop, just Weblogic Server (loooong story). I see a lot of stuff about setting up Contexts and URL connections with HTTPS, but I need something that will help me with my clientgen built Service and Port classes.
Any help would be appreciated. I've been a developer/architect for over 20 years and this is as stuck as I've ever been. There's a ton of data on the Weblogic server side once you turn up all the debug, but none of it seems to really tell you what's wrong... 

Did you get a solution? Can you please reply to me if you got a solution?
Thanks!
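
The client code in this thread points both javax.net.ssl.keyStore and javax.net.ssl.trustStore at one JKS file. The following is an added example, not code from the thread, that audits such a file: for every private-key entry it checks that a certificate chain is stored and that each certificate is signed by the next one. The class name KeystoreChainCheck and the KS_PASS environment variable are assumptions, and the check does not by itself diagnose the WebLogic error quoted above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

// Added example: audit a JKS file that is used as both keyStore and trustStore.
public class KeystoreChainCheck {
    public static void main(String[] args) throws Exception {
        String pass = System.getenv("KS_PASS"); // assumed variable; keeps the password out of argv
        if (args.length != 1 || pass == null) {
            System.err.println("usage: KS_PASS=... java KeystoreChainCheck <keystore.jks>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass.toCharArray());
        }
        // Subjects of trustedCertEntry items: what the file trusts when used as a trustStore.
        Set<X500Principal> trusted = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias) && ks.getCertificate(alias) instanceof X509Certificate) {
                trusted.add(((X509Certificate) ks.getCertificate(alias)).getSubjectX500Principal());
            }
        }
        // Private-key entries: what the client can present during two-way SSL.
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                System.out.println("key entry '" + alias + "': "
                        + describe(ks.getCertificateChain(alias), trusted));
            }
        }
    }

    static String describe(Certificate[] chain, Set<X500Principal> trusted) {
        if (chain == null || chain.length == 0) return "NO certificate chain stored with the key";
        for (int i = 0; i + 1 < chain.length; i++) {
            try {
                chain[i].verify(chain[i + 1].getPublicKey()); // each cert must be signed by the next
            } catch (Exception e) {
                return "BROKEN between position " + i + " and " + (i + 1) + ": " + e.getMessage();
            }
        }
        X509Certificate last = (X509Certificate) chain[chain.length - 1];
        // Name comparison only; the root's self-signature is not verified here.
        if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            return "complete, " + chain.length + " cert(s), ends at a self-issued root";
        }
        if (trusted.contains(last.getIssuerX500Principal())) {
            return chain.length + " cert(s); issuer is only a trusted entry, not in the key's chain";
        }
        return "INCOMPLETE: issuer not in this file: " + last.getIssuerX500Principal();
    }
}
```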

Related

Proxy (fiddler) between weblogic portal and outside world

I want to attach Fiddler to the HTTP requests made by portal to the outside world (clipper portlets). I am able to see the traffic on my local computer between browser client and WebLogic portal (localhost) but not the HTTP requests made by WebLogic portal to the outside webhost.
Is there a setting in the server admin or somewhere to add Fiddler as a proxy so that I can see the HTTP requests? I need to see the headers, cookies, HTML etc. to try and diagnose why a piece works by going directly to the form without going through clipper but going through the portal and clipper results in errors.
Hello,
I'm not aware of any way to insert a proxy specifically for the clipper portlets, but you can set the JVM to use a proxy for all outgoing HTTP requests by adding the following settings at JVM startup:
-DproxySet=true
-DproxyHost=<your-proxy-host-name>
-DproxyPort=<your-proxy-port>
-Dhttp.nonProxyHosts=<non-proxied-host-list>
The non-proxied host list is a pipe ("|") separated list of host names that you do not wish to go through the proxy (if any), such as:
localhost|*.example.com|127.0.0.1
Kevin 
Where do I find the JVM file? 
These are server (JVM) starting arguments. The script that starts up WebLogic Server should honor the JAVA_OPTIONS environment variable, so from the command line you would just do something like:
set JAVA_OPTIONS="-DproxySet=true -DproxyHost=<your-proxy-host-name> -DproxyPort=<your-proxy-port> -Dhttp.nonProxyHosts=<non-proxied-host-list>"
and then start up your WLS server the same way you normally do. If you are running the server through an IDE such as Workshop, there should be a separate place for configuring these options for server startup inside the IDE.
Kevin 
I have tried many different versions of the string in my StartWebLogic.cmd file but none seem to work.
Some versions are as follows:
set JAVA_OPTIONS="-DproxySet=true -DproxyHost=127.0.0.1 -DproxyPort=8888 ContentPortalWeb"
set JAVA_OPTIONS="-DproxySet=true -DproxyHost=127.0.0.1 -DproxyPort=7001 ContentPortalWeb"
set JAVA_OPTIONS="-DproxySet=true -DproxyHost=127.0.0.1 -DproxyPort=7002 ContentPortalWeb"
http://localhost:7001/ContentPortalWeb/
But no matter what I do I cannot see the traffic that WebLogic sends out to the remote service when it calls a remote portlet (clipper specifically). We are trying to figure out how cookies are sent out as well as other questions.
Hi
Where is your Fiddler running? (Only the 8888 option is correct. Did you verify in your startup logs that your parameters are passed to WebLogic correctly?)
Is it capturing data, say, when you set Firefox to your Fiddler? Is your remote portlet also running locally?
I've had problems when I use Fiddler outside Internet Explorer; you may try using WebScarab
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
As before, proxyPort is where WebScarab is listening.
regards
deepak 
Hello,
How are you starting / running your WebLogic server? Are you running it from an IDE, from the command line, or some other way?
Are you certain that the JAVA_OPTIONS are getting honored? The "ContentPortalWeb" in your sample options is an invalid JVM option, so I suspect that however you are starting up WLS is not picking up the JAVA_OPTIONS environment variable, or you would be seeing errors / warnings from the JVM.
Kevin
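
Both Kevin and deepak ask whether the proxy options are really reaching the JVM. The following is an added example, not code from the thread, that prints the proxy-related system properties and the proxy that the standard java.net default ProxySelector would choose for each URL given on the command line. The class name ProxyCheck is an assumption, and so is the premise that the HTTP client making the outbound call consults the default ProxySelector.

```java
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

// Added example: show which proxy this JVM would use for each URL argument.
public class ProxyCheck {
    // Properties named in the thread, plus the standard http./https. forms.
    static final String[] PROPS = {
        "proxySet", "proxyHost", "proxyPort",
        "http.proxyHost", "http.proxyPort", "http.nonProxyHosts",
        "https.proxyHost", "https.proxyPort"
    };

    // Ask the default ProxySelector what it would do for this URL.
    static String proxyFor(String url) {
        List<Proxy> proxies = ProxySelector.getDefault().select(URI.create(url));
        StringBuilder sb = new StringBuilder();
        for (Proxy p : proxies) {
            if (sb.length() > 0) sb.append(", ");
            sb.append(p.type() == Proxy.Type.DIRECT
                    ? "DIRECT (no proxy)"
                    : p.type() + " via " + p.address());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // A null value means the option never reached this JVM.
        for (String name : PROPS) {
            System.out.println(name + " = " + System.getProperty(name));
        }
        // Hosts matched by http.nonProxyHosts (localhost by default) resolve to DIRECT.
        for (String url : args) {
            System.out.println(url + " -> " + proxyFor(url));
        }
    }
}
```

Run it with the same -D options as the server and one remote plus one local URL as arguments; a URL reported as DIRECT will not appear in the intercepting proxy.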

Example fails through http proxy

Hi
We have developed a product using BEA WebLogic web services where a Java Swing client communicates with the server. This works fine only for direct requests, but for requests through a firewall, say any proxy (WinProxy or WinGate), this application fails.
Later we tried to execute the example examples.webservices.basic.statelessSession through a proxy by setting
weblogic.webservice.transport.http.proxy.host
weblogic.webservice.transport.http.proxy.port
javax.xml.rpc.security.auth.username
javax.xml.rpc.security.auth.password
for authorization purposes
weblogic.webservice.client.proxyusername
weblogic.webservice.client.proxypassword
as per advice from BEA support and EVEN THIS EXAMPLE FAILS THROUGH PROXY (WIN PROXY OR WIN GATE), giving the same exception as in our application's case.
So please suggest any tips to resolve this issue, since nowadays many applications need to act behind a proxy server.
Did you ever find an answer? I am having the same problem.
thanks, 
It depends on what version of WLS you are using; the issue has already been fixed in CR175471 and CR096013.
For http, try the following
-Dweblogic.webservice.verbose=true
-Dweblogic.webservice.binding.verbose=true
-Dhttp.proxyHost=PROXY_SERVER
-Dhttp.proxyPort=PROXY_PORT
-Dweblogic.webservice.transport.http.proxy.host=PROXY_SERVER
-Dweblogic.webservice.transport.http.proxy.port=PROXY_PORT
(optional) -Dweblogic.webservice.transport.http.full-url=true
For proxy auth,
-Dweblogic.net.proxyAuthenticatorClassName=YOUR_ProxyAuthentication_CLASS 
I am using WLS 8.1.4.
I have set up all the required parameters and built my own ProxyAuthenticator class.
I am still receiving a 407 error code.
From outside the proxy everything goes OK, and the strangest thing is that apparently no MyProxyAuthenticator is created, for I cannot see a System.out.print I wrote in the init() method!!!
Thanks in advance ...
Hi All
Did anyone get this to work? I am still getting an error when the client tries to communicate through a http proxy via ProxyAuthenticator class. If anyone has made it to work, please post the sample code.
Thanks and Regards

TIP: making pageflow work with proxies

Here's a time saving tip for anyone configuring proxy plugins for WebLogic 8.1 applications that use pageflow...
If you develop a pageflow application independent of a web server layer, you have probably configured your domain to listen on port 7001. If you then, at some point, want to configure a web server proxy you'll need to make sure that all URLs generated by WebLogic now reference the hostname and listen port of the web server instead of the app server. For non-pageflow applications this is a snap because WLS builds dynamic URLs based on info from the HttpServletRequest. However, without any additional work, you will probably be faced with a grisly truth - that all URLs but those that involve pageflow (such as those that invoke actions) are generated correctly.
To prevent WebLogic (actually, I think it's Workshop) from building errant pageflow URLs using "localhost" and/or "7001", be sure to modify the entries in WEB-INF\url-template-config.xml to match your web server's hostname and port. Using {url:domain} and {url:port} instead of hard coded values will ensure that you can access your app directly using http://localhost:7001/myApp AND via proxy using something like http://proxy.company.com/myApp.
This step is, as yet, unpublished in edocs. I hope it will help some of you out by being posted here. If I have saved one fist from penetrating a wall my time has been well spent.
I think I may be running into this issue. I've got a simple JPF that simply forwards to index.jsp. I can access it via http://ipaddress:7001/TestWeb/Test.jpf. However, when I try to use http://ipaddress/TestWeb/Test.jpf, I get an error from WebLogic (so I know the plugin is forwarding the request) that either I'm trying to hit the wrong server (not the case), or there is a problem with the URL. Same occurs if I try to hit the jsp directly. I've now included a url-template-config.xml in my application. Is there something else I need to do or will this xml file automatically be recognized by the application?
I'm using the netscape plugin using Sun One 6.
"MNelson" <mnelson#wellfound.com> wrote:
>
> Here's a time saving tip for anyone configuring proxy plugins for WebLogic 8.1 applications that use pageflow...
> If you develop a pageflow application independent of a web server layer, you have probably configured your domain to listen on port 7001. If you then, at some point, want to configure a web server proxy you'll need to make sure that all URLs generated by WebLogic now reference the hostname and listen port of the web server instead of the app server. For non-pageflow applications this is a snap because WLS builds dynamic URLs based on info from the HttpServletRequest. However, without any additional work, you will probably be faced with a grisly truth - that all URLs but those that involve pageflow (such as those that invoke actions) are generated correctly.
> To prevent WebLogic (actually, I think it's Workshop) from building errant pageflow URLs using "localhost" and/or "7001", be sure to modify the entries in WEB-INF\url-template-config.xml to match your web server's hostname and port. Using {url:domain} and {url:port} instead of hard coded values will ensure that you can access your app directly using http://localhost:7001/myApp AND via proxy using something like http://proxy.company.com/myApp.
> This step is, as yet, unpublished in edocs. I hope it will help some of you out by being posted here. If I have saved one fist from penetrating a wall my time has been well spent.
This was resolved when I deployed our actual portal application which contained a valid url-template-config.xml file. Thanks for the info, it saved some time and aggravation.
"Jim Maycott" <jim.maycott#ness-usa.com> wrote:
>
> I think I may be running into this issue. I've got a simple JPF that simply forwards to index.jsp. I can access it via http://ipaddress:7001/TestWeb/Test.jpf. However, when I try to use http://ipaddress/TestWeb/Test.jpf, I get an error from WebLogic (so I know the plugin is forwarding the request) that either I'm trying to hit the wrong server (not the case), or there is a problem with the URL. Same occurs if I try to hit the jsp directly. I've now included a url-template-config.xml in my application. Is there something else I need to do or will this xml file automatically be recognized by the application?
> I'm using the netscape plugin using Sun One 6.
> "MNelson" <mnelson#wellfound.com> wrote:
>> Here's a time saving tip for anyone configuring proxy plugins for WebLogic 8.1 applications that use pageflow...
>> If you develop a pageflow application independent of a web server layer, you have probably configured your domain to listen on port 7001. If you then, at some point, want to configure a web server proxy you'll need to make sure that all URLs generated by WebLogic now reference the hostname and listen port of the web server instead of the app server. For non-pageflow applications this is a snap because WLS builds dynamic URLs based on info from the HttpServletRequest. However, without any additional work, you will probably be faced with a grisly truth - that all URLs but those that involve pageflow (such as those that invoke actions) are generated correctly.
>> To prevent WebLogic (actually, I think it's Workshop) from building errant pageflow URLs using "localhost" and/or "7001", be sure to modify the entries in WEB-INF\url-template-config.xml to match your web server's hostname and port. Using {url:domain} and {url:port} instead of hard coded values will ensure that you can access your app directly using http://localhost:7001/myApp AND via proxy using something like http://proxy.company.com/myApp.
>> This step is, as yet, unpublished in edocs. I hope it will help some of you out by being posted here. If I have saved one fist from penetrating a wall my time has been well spent.

HTTP Tunnelling and authenticating with certificates - a major challenge

Our Java client needs to access the stateful session EJB running on the WebLogic server (6.1 SP2), which is running behind a firewall. We plan to use tunnelling to go through the firewall.
But we have another issue. We are using iPlanet Web Server sitting before the app server. The web server challenges all traffic with a certificate. A user must present a certificate before it can go past the web server. The application server is sitting behind the firewall. Nothing can connect to it directly. Everything must go through the web server and authenticate itself first (using a certificate).
Now this works well for all our web-based applications (such as Servlet/JSP-based applications) because the Netscape browser presents the certificate and authenticates itself.
However, it does not work for full Java application clients. Java application clients use new InitialContext(env) to get the initial context and then get a handle to the EJB Session Server remote object and start calling methods on it.
But as the URL we cannot provide the application server address during initial context because the client cannot reach the server inside the firewall.
Somehow we need to go through the web server. And there is no solution to this problem.
Or at least we have not found any solution. Seems like a pretty common task to perform. But we do not know how.
The client must go through the web server, but the web server blocks any connection that does not present a certificate. But we cannot find any way to pass the certificate inside the InitialContext.
What we really want is to somehow pass the certificate inside the InitialContext and want the web server to look inside the InitialContext and get the certificate and be happy with it and forward the request to the application server inside the firewall.
Any suggestion will be greatly appreciated.
Thanks
Hello Ashique,
The following link describes how to use SSL/Certificates with clients over RMI/IIOP
and WebLogic. Hopefully it will provide more clues on how to solve your particular
problem.
http://edocs.bea.com/wls/docs70/rmi_iiop/rmiiiop3.html#1065962
Best regards,
Ryan LeCompte
ryanlecompte#louisiana.edu
http://www.louisiana.edu/~rml7669
Take a look at the following
"Ashique" <atanveer#hns.com> wrote:
>
> Our Java client needs to access the stateful session EJB running on the WebLogic server (6.1 SP2), which is running behind a firewall. We plan to use tunnelling to go through the firewall.
> But we have another issue. We are using iPlanet Web Server sitting before the app server. The web server challenges all traffic with a certificate. A user must present a certificate before it can go past the web server. The application server is sitting behind the firewall. Nothing can connect to it directly. Everything must go through the web server and authenticate itself first (using a certificate).
> Now this works well for all our web-based applications (such as Servlet/JSP-based applications) because the Netscape browser presents the certificate and authenticates itself.
> However, it does not work for full Java application clients. Java application clients use new InitialContext(env) to get the initial context and then get a handle to the EJB Session Server remote object and start calling methods on it.
> But as the URL we cannot provide the application server address during initial context because the client cannot reach the server inside the firewall.
> Somehow we need to go through the web server. And there is no solution to this problem.
> Or at least we have not found any solution. Seems like a pretty common task to perform. But we do not know how.
> The client must go through the web server, but the web server blocks any connection that does not present a certificate. But we cannot find any way to pass the certificate inside the InitialContext.
> What we really want is to somehow pass the certificate inside the InitialContext and want the web server to look inside the InitialContext and get the certificate and be happy with it and forward the request to the application server inside the firewall.
> Any suggestion will be greatly appreciated.
> Thanks

Weblogic as an Apache SSL client

Hi there ... :-)
I was wondering if someone could help me with a problem I have with WebLogic Version 7.
I have written a method which uses Apache Axis to call a web service method on a secure server:
-------------------------------------------------------
import java.net.URL;
import javax.xml.namespace.QName;
import org.apache.axis.client.Call;
import org.apache.axis.client.Service;

public String putOrder(String orderXML) throws Exception {
    // Trust store used to validate the server's certificate
    System.setProperty("javax.net.ssl.trustStore",
            "C://jakarta-tomcat-4.1.29/bin/client.keystore");
    System.setProperty("java.protocol.handler.pkgs",
            "com.sun.net.ssl.internal.www.protocol");
    Service service = new Service();
    Call serviceCall = (Call) service.createCall();
    serviceCall.setTargetEndpointAddress(new URL("https://localhost:8443/webservice"));
    // Now set up the call
    serviceCall.setOperationName(new QName("http://soapinterop.org/",
            "processXML"));
    String result = (String) serviceCall.invoke(new Object[]{orderXML});
    return result;
}
-------------------------------------------------------
I have created a client key, which lives in the 'server.keystore' under my Tomcat directory, and put the server key in client.keystore. Run the program, and it works fine.
The problem is that I now have to get the method running under WebLogic, and that's where the trouble kind of starts.
I would like to use the same key files, and just transfer it to the WebLogic server, but I'm not too sure where to begin. Everything I've tried so far leads to the same exception being thrown:
java.io.IOException: Write Channel Closed, possible SSL handshaking or trust failure
I'm obviously going about the import in the wrong way; possibly because all the examples I seem to come across assume that WebLogic is the server, when in this case it's actually the client. Is there a document somewhere that can show how to import a certificate/key into WebLogic so that it can call another secure server as a client?
Hi,
I too have similar issues accessing a secure .NET web service on IIS, and found the Axis web service client call working in Tomcat but not on WebLogic 7.1.
I would appreciate it if anyone who has succeeded in calling a secure web service using Axis on WebLogic could share how.
