TUX 10.0 - [WTC-SSL] Tuxedo Fails To Verify Certs From WTC (Doc ID 778223.1)

Last updated on DECEMBER 05, 2016

Applies to:

Oracle Tuxedo - Version 10.0 and later
Information in this document applies to any platform.
***Checked for relevance on 27-05-2013***

Goal

DESCRIPTION:

Tuxedo fails to verify certificates from WTC.

There are two scenarios in which the problem occurs:

1. Two-way SSL

If two-way SSL is configured on the Tuxedo side, Tuxedo will verify the certs sent by WTC. In this case the verification will fail.

2. One-way SSL (only happens when Tuxedo initiates the SSL connection)

In this scenario, Tuxedo acts as an SSL client, so if Tuxedo initiates a connection, it will still verify the certs from WebLogic.

Tuxedo ULOG outputs:

180938.bjsol10!GWTDOMAIN.17177.5.0: LIBTUX_CAT:6690: ERROR: SSL certificate chain not present in SSL Handshake
180938.bjsol10!GWTDOMAIN.17177.5.0: LIBGWT_CAT:1696: ERROR: SSL encryption parameter negotiation error.



After enabling SSL debugging for WLS and starting a request from WTC to Tuxedo with two-way SSL, WLS outputs:


<Oct 16, 2007 6:09:37 PM CST> <Info> <Server> <BEA-002605> <Adding address: iii.ppp.5.138 to licensed client list>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 32093323>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.findContext(sock): 13725128>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 55>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <27109920 SSL3/TLS MAC>

<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <27109920 received HANDSHAKE>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE:ServerHello>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated:false>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <27109920 SSL3/TLS MAC>

<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <27109920 received HANDSHAKE>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain:
Serial number: 15890996754290228403
Issuer:C=US, ST=New Hampshire, L=Nashua, O=BEA Systems, Inc., OU=BEA Systems Enterprise Engineering, CN=level01,
EMAIL=level01@bea.com, ?=level01
Subject:C=US, ST=New Hampshire, L=Nashua, O=BEA Systems, Inc., OU=BEA Systems Enterprise Engineering, CN=tuxedo,
EMAIL=tuxedo@bea.com, ?=tuxedo
Not Valid Before:Sat Sep 29 17:25:15 CST 2007
Not Valid After:Tue Sep 26 17:25:15 CST 2017
Signature Algorithm:SHA1withRSA
>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain:
Serial number: 17768922937225279721
Issuer:C=US, ST=New Hampshire, L=Nashua, O=BEA Systems, Inc., OU=BEA Systems Enterprise Engineering, CN=wtcCA,
EMAIL=wtcCA@bea.com, ?=wtcCA
Subject:C=US, ST=New Hampshire, L=Nashua, O=BEA Systems, Inc., OU=BEA Systems Enterprise Engineering, CN=level01,
EMAIL=level01@bea.com, ?=level01
Not Valid Before:Sat Sep 29 17:25:13 CST 2007
Not Valid After:Tue Sep 26 17:25:13 CST 2017
Signature Algorithm:SHA1withRSA
>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 2 in the chain:
Serial number: 16402091727595977877
Issuer:C=US, ST=New Hampshire, L=Nashua, O=BEA Systems, Inc., OU=BEA Systems Enterprise Engineering, CN=wtcCA,
EMAIL=wtcCA@bea.com, ?=wtcCA
Subject:C=US, ST=New Hampshire, L=Nashua, O=BEA Systems, Inc., OU=BEA Systems Enterprise Engineering, CN=wtcCA,
EMAIL=wtcCA@bea.com, ?=wtcCA
Not Valid Before:Sat Sep 29 17:25:11 CST 2007
Not Valid After:Tue Sep 26 17:25:11 CST 2017
Signature Algorithm:SHA1withRSA
>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <validationCallback: validateErr = 0>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> < cert[0] = Serial
number: 15890996754290228403
Issuer:C=US, ST=New Hampshire, L=Nashua, O=BEA Systems, Inc., OU=BEA Systems Enterprise Engineering, CN=level01,
EMAIL=level01@bea.com, ?=level01
Subject:C=US, ST=New Hampshire, L=Nashua, O=BEA Systems, Inc., OU=BEA Systems Enterprise Engineering, CN=tuxedo,
EMAIL=tuxedo@bea.com, ?=tuxedo
Not Valid Before:Sat Sep 29 17:25:15 CST 2007
Not Valid After:Tue Sep 26 17:25:15 CST 2017
Signature Algorithm:SHA1withRSA
>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> < cert[1] = Serial
number: 17768922937225279721
Issuer:C=US, ST=New Hampshire, L=Nashua, O=BEA Systems, Inc., OU=BEA Systems Enterprise Engineering, CN=wtcCA,
EMAIL=wtcCA@bea.com, ?=wtcCA
Subject:C=US, ST=New Hampshire, L=Nashua, O=BEA Systems, Inc., OU=BEA Systems Enterprise Engineering, CN=level01,
EMAIL=level01@bea.com, ?=level01
Not Valid Before:Sat Sep 29 17:25:13 CST 2007
Not Valid After:Tue Sep 26 17:25:13 CST 2017
Signature Algorithm:SHA1withRSA
>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> < cert[2] = Serial
number: 16402091727595977877
Issuer:C=US, ST=New Hampshire, L=Nashua, O=BEA Systems, Inc., OU=BEA Systems Enterprise Engineering, CN=wtcCA,
EMAIL=wtcCA@bea.com, ?=wtcCA
Subject:C=US, ST=New Hampshire, L=Nashua, O=BEA Systems, Inc., OU=BEA Systems Enterprise Engineering, CN=wtcCA,
EMAIL=wtcCA@bea.com, ?=wtcCA
Not Valid Before:Sat Sep 29 17:25:11 CST 2007
Not Valid After:Tue Sep 26 17:25:11 CST 2017
Signature Algorithm:SHA1withRSA
>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <weblogic user specified trustmanager validation status 0>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <SSLTrustValidator returns: 0>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Trust status (0): NONE>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Performing hostname validation checks: bjsol10>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <27109920 SSL3/TLS MAC>

<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <27109920 received HANDSHAKE>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: CertificateRequest>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <27109920 SSL3/TLS MAC>

<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <27109920 received HANDSHAKE>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Returning no identity
certificates, because certificate request message contains no CA names.>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 7>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacMD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HmacSHA1>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.6 for algorithm RSA>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 134>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <write CHANGE_CIPHER_SPEC,offset = 0, length = 1>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm HMACMD5>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Exception during handshake, stack trace follows
java.net.SocketException: Broken pipe
at java.net.SocketOutputStream.socketWrite0(Native Method)
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
at com.certicom.io.OutputSSLIOStream.write(Unknown Source)
at com.certicom.tls.record.WriteHandler.flushOutput(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.flush(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedCertificate.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
at weblogic.wtc.jatmi.dsession.do_connect(Unknown Source)
at weblogic.wtc.jatmi.dsession.tpinit(Unknown Source)
at weblogic.wtc.gwt.TDMRemoteTDomain.getTsession(Unknown Source)
at weblogic.wtc.gwt.WlsRouteService.selectTargetRoutes(Unknown Source)
at com.bea.core.jatmi.internal.TCRouteManager.selectTargetRoutes(TCRouteManager.java:72)
at weblogic.wtc.gwt.TuxedoConnection.getProviderRoute(TuxedoConnection.java:202)
at weblogic.wtc.gwt.TuxedoConnection.tpcall(TuxedoConnection.java:1203)
at app.Hello.doPost(Unknown Source)
at app.Hello.doGet(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3439)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2163)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2069)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1463)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
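
The following Python example is added here and is not part of the Oracle note. It parses the Tuxedo ULOG and the WLS SSL debug output and checks whether both sides report the same event: Tuxedo requested a client certificate and WLS sent none. The function names are assumptions; the sample lines are copied, abridged, from the logs above.

```python
import re

# Lines copied (abridged) from the ULOG and WLS debug output shown above.
ULOG = """\
180938.bjsol10!GWTDOMAIN.17177.5.0: LIBTUX_CAT:6690: ERROR: SSL certificate chain not present in SSL Handshake
180938.bjsol10!GWTDOMAIN.17177.5.0: LIBGWT_CAT:1696: ERROR: SSL encryption parameter negotiation error.
"""
WLS = """\
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE:ServerHello>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: Certificate>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: CertificateRequest>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ServerHelloDone>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Returning no identity
certificates, because certificate request message contains no CA names.>
<Oct 16, 2007 6:09:38 PM CST> <Debug> <SecuritySSL> <BEA-000000> <Exception during handshake, stack trace follows
java.net.SocketException: Broken pipe
at java.net.SocketOutputStream.socketWrite0(Native Method)
"""

# ULOG record: hhmmss.host!process.pid.thread.context: CATALOG:number: text
ULOG_RE = re.compile(r"^(\d{6})\.([^!]+)!(\w+)\.\d+\.\d+\.\d+: (\w+):(\d+): (.*)$", re.M)

def parse_ulog(text):
    """Return (catalog, number, message) for every ULOG record."""
    return [(m[4], int(m[5]), m[6]) for m in ULOG_RE.finditer(text)]

def parse_wls(text):
    """Extract handshake messages received, the no-client-cert reason, and the exception."""
    flat = " ".join(text.split())  # debug records wrap across lines; join them first
    received = re.findall(r"HANDSHAKEMESSAGE:\s*(\w+)", flat)
    withheld = re.search(r"Returning no identity certificates, because (.+?)\.>", flat)
    exc = re.search(r"Exception during handshake, stack trace follows (\S+): (.+?) at ", flat)
    return {
        "received": received,
        "withheld_reason": withheld.group(1) if withheld else None,
        "exception": (exc.group(1), exc.group(2)) if exc else None,
    }

def correlate(ulog_text, wls_text):
    """True when both logs agree that no client certificate chain was sent."""
    wls = parse_wls(wls_text)
    tux_missing_chain = ("LIBTUX_CAT", 6690) in [(c, n) for c, n, _ in parse_ulog(ulog_text)]
    wls_withheld = "CertificateRequest" in wls["received"] and wls["withheld_reason"] is not None
    return tux_missing_chain and wls_withheld

if __name__ == "__main__":
    print(parse_ulog(ULOG))
    print(parse_wls(WLS))
    print("client certificate chain never sent:", correlate(ULOG, WLS))
```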



Solution
