WebLogic Server 10.3.3: With JSSE and Certificate Requested but Not Enforced, Seeing Authentication Errors

(Doc ID 1304272.1)

Last updated on NOVEMBER 05, 2016

Applies to:

Oracle WebLogic Server - Version 10.3.3 to 10.3.3
Information in this document applies to any platform.

Symptoms

The customer has two types of users, A and B. Users of type A have SSL certificates registered with WebLogic Server and are authenticated by presenting those certificates to WLS. If no such certificate is offered to WLS, the user is deemed to be of type B and is presented with a form for form-based authentication. Users of type A do not have usernames and passwords for form-based authentication, just as users of type B do not have SSL certificates.

This is configured by setting up client certificates to be "requested but not enforced." That is, the authentication system requests a cert, but does not deny authentication if it does not receive one in return: in that case, the authentication moves on to the form-based authentication as spelled out above.

This works correctly in most versions of WebLogic Server. However, in WLS 10.3.3, the following error occurs:

<Mar 15, 2011 9:32:38 AM EDT> <Debug> <SecuritySSL> <BEA-000000> <Exception processing certificates: peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
  at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
  at weblogic.servlet.internal.VirtualConnection.initSSLAttributes(VirtualConnection.java:176)
  at weblogic.servlet.internal.VirtualConnection.init(VirtualConnection.java:78)
  at weblogic.servlet.internal.ServletRequestImpl.initFromRequestParser(ServletRequestImpl.java:270)
  at weblogic.servlet.internal.MuxableSocketHTTP.dispatch(MuxableSocketHTTP.java:280)
  at weblogic.socket.JSSEFilterImpl.dispatch(JSSEFilterImpl.java:243)
  at weblogic.socket.MuxableSocketDiscriminator.dispatch(MuxableSocketDiscriminator.java:185)
  at weblogic.socket.JSSEFilterImpl.dispatch(JSSEFilterImpl.java:243)
  at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:950)
  at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:898)
  at weblogic.socket.EPollSocketMuxer.dataReceived(EPollSocketMuxer.java:215)
  at weblogic.socket.EPollSocketMuxer.processSockets(EPollSocketMuxer.java:177)
  at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)
  at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:43)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
>

It appears that instead of requesting the cert and then moving on to form-based authentication if the cert is not provided, WLS is not requesting the client cert at all. This behavior only occurs when using JSSE, not Certicom. It was not present prior to WLS 10.3.3 (which didn't support JSSE), and it is not present in WLS 10.3.4.
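The following is an added illustration, not WebLogic or Oracle code, of the JSSE semantics behind this symptom: "requested but not enforced" maps to wantClientAuth=true with needClientAuth=false, and JSSE signals "no client certificate was presented" by throwing the SSLPeerUnverifiedException seen in the log above rather than by returning an empty chain. The class and method names (OptionalClientCert, configureServerEngine, clientCertificate, authenticationPath) are hypothetical.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical helper, not WebLogic code: optional client-cert handling with JSSE. */
public final class OptionalClientCert {

    /**
     * "Requested but not enforced": the server asks for a client certificate but
     * completes the handshake even if none is presented. In JSSE that is
     * wantClientAuth=true with needClientAuth=false. needClientAuth=true would be
     * "enforced" (handshake fails without a cert); both false means the cert is
     * never requested at all, which is the behaviour the symptom above describes.
     */
    static SSLEngine configureServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(false);
        engine.setWantClientAuth(true);   // request the cert, do not require it
        return engine;
    }

    /**
     * JSSE reports "no client certificate" by throwing SSLPeerUnverifiedException
     * from getPeerCertificates(), not by returning an empty array. Code that
     * wants to fall back to form-based login must treat that exception as
     * "type B user", not as an error.
     */
    static Optional<X509Certificate> clientCertificate(SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                return Optional.of((X509Certificate) chain[0]);  // type A user
            }
            return Optional.empty();
        } catch (SSLPeerUnverifiedException e) {
            return Optional.empty();                             // no cert: type B user
        }
    }

    /** Chooses the authentication path for a request arriving on the given session. */
    static String authenticationPath(SSLSession session) {
        return clientCertificate(session)
                .map(cert -> "certificate:" + cert.getSubjectX500Principal().getName())
                .orElse("form-login");
    }
}
```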

Changes

Cause
