
E-WL: SSL Certificate Chain Validation Failed when Starting Reverse Proxy Server using WebLogic Plug-In (Doc ID 649174.1)

Last updated on OCTOBER 24, 2013

Applies to:

PeopleSoft Enterprise PT PeopleTools - Version 8.44 to 8.53 [Release 8.4]
Information in this document applies to any platform.
SPECIFIC TO: Reverse Proxy Servers using a WebLogic Plug-In

This document was previously published as Customer Connection Solution 201018168



***Checked for relevance on 24-Oct-2013***


Symptoms

SSL certificate chain validation fails when trying to set up SSL on a Reverse Proxy Server (RPS) that proxies requests to WebLogic in the backend, even though the TrustedCAFile setting in the RPS configuration file points to the correct root CA of the server certificate installed on WebLogic. With debug logging enabled for the WebLogic plug-in, you may see messages like these:

Wed Jun 21 15:38:38 2006 Hdrs to WLS:[Accept-Encoding]=[gzip, deflate]
Wed Jun 21 15:38:38 2006 Hdrs to WLS:[Proxy-Client-IP]=[111.2.333.60]
Wed Jun 21 15:38:38 2006 Hdrs to WLS:[X-Forwarded-For]=[111.2.333.60]
Wed Jun 21 15:38:38 2006 Hdrs to WLS:[X-WebLogic-Force-Cookie]=[true]
Wed Jun 21 15:38:38 2006 Hdrs to WLS:[WL-Proxy-SSL]=[true]
Wed Jun 21 15:38:38 2006 INFO: sysSend 52
Wed Jun 21 15:38:38 2006 INFO: Certificate validation succeeded
Wed Jun 21 15:38:38 2006 INFO: sysSend 204
Wed Jun 21 15:38:38 2006 INFO: sysSend 76
Wed Jun 21 15:38:38 2006 INFO: SSL certificate chain validation failed: -6986
Wed Jun 21 15:38:38 2006     trusted certs = 1
Wed Jun 21 15:38:38 2006      dumping cert chain
Wed Jun 21 15:38:38 2006         Failed to get CommonName from subjectDN
Wed Jun 21 15:38:38 2006         Failed to get CommonName from subjectDN
Wed Jun 21 15:38:38 2006         commonName is myserver.peoplesoft.com
Wed Jun 21 15:38:38 2006 ERROR: SSLWrite failed
Wed Jun 21 15:38:38 2006 SEND failed (ret=-1) at 558 of file ../nsapi/URL.cpp
Wed Jun 21 15:38:38 2006 Marking myserver.peoplesoft.com:9443 as bad
Wed Jun 21 15:38:38 2006 Exception occurred for backend host 'myserver.peoplesoft.com/9443' while sending request : 'WRITE_ERROR [os error=0,  line 559 of ../nsapi/URL.cpp]: 'Wed Jun 21 15:38:38 2006 got exception in sendRequest phase: WRITE_ERROR [os error=0,  line 559 of ../nsapi/URL.cpp]:  at line 710
Wed Jun 21 15:38:38 2006 INFO: Closing SSL context
Wed Jun 21 15:38:38 2006 INFO: sysSend 46
Wed Jun 21 15:38:38 2006 INFO: Error after SSLClose, socket may already have been closed by peer
Wed Jun 21 15:38:38 2006 failing over after sendRequest exception
Wed Jun 21 15:38:38 2006 URL deleted!
Wed Jun 21 15:38:38 2006 request [/psp/mypiasite/?cmd=login] did NOT process successfully ..................

Or you may see this message:

INFO: SSL certificate chain validation failed: 3015
Wed May 9 12:04:06 2012 <859613365794463> trusted certs = 1
Wed May 9 12:04:06 2012 <859613365794463> dumping cert chain
Wed May 9 12:04:06 2012 <859613365794463> commonName is myserver.mycompany.com
Wed May 9 12:04:06 2012 <859613365793321> WARN: DeleteSessionCallback: No match found!!
Wed May 9 12:04:06 2012 <859613365794463> ERROR: SSLWrite failed
Wed May 9 12:04:06 2012 <859613365794463> SEND failed (ret=-1) at 793 of file ../nsapi/URL.cpp
Wed May 9 12:04:06 2012 <859613365794463> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 794 of ../nsapi/URL.cpp
Wed May 9 12:04:06 2012 <859613365794463> Marking 11.222.333.444:443 as bad
Wed May 9 12:04:06 2012 <859613365794463> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0, line 794 of ../
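
As an added example (not part of the original note and not Oracle's code), this Python script pulls each chain validation failure out of a plug-in debug log in either of the two layouts shown above and returns the error code, the trusted certificate count, the dumped chain entries and the backend that was marked bad. The sample lines are constructed after the excerpts on this page, and counting each "Failed to get CommonName" or "commonName is" line as one entry of the dumped chain is an assumption.

```python
import re

FAIL = re.compile(r"INFO: SSL certificate chain validation failed: (-?\d+)")
TRUSTED = re.compile(r"trusted certs = (\d+)")
CN_OK = re.compile(r"commonName is (\S+)")
CN_FAIL = re.compile(r"Failed to get CommonName from subjectDN")
BAD = re.compile(r"Marking (\S+) as bad")

def summarize_failures(lines):
    """Return one dict per 'chain validation failed' event in a plug-in debug log."""
    events, cur = [], None
    for line in lines:
        m = FAIL.search(line)
        if m:  # a new failure event starts here
            cur = {"code": int(m[1]), "trusted_certs": None,
                   "chain_entries": 0, "common_names": [], "backend": None}
            events.append(cur)
            continue
        if cur is None:
            continue  # ignore lines outside a failure event
        if (m := TRUSTED.search(line)):
            cur["trusted_certs"] = int(m[1])
        elif CN_FAIL.search(line):
            cur["chain_entries"] += 1  # assumption: one line per chain certificate
        elif (m := CN_OK.search(line)):
            cur["chain_entries"] += 1
            cur["common_names"].append(m[1])
        elif (m := BAD.search(line)):
            cur["backend"] = m[1]
            cur = None  # the event is complete once the backend is marked bad
    return events

# Constructed sample lines, modelled on the first excerpt on this page.
SAMPLE = """\
Mon Jan 1 10:00:00 2024 INFO: Certificate validation succeeded
Mon Jan 1 10:00:00 2024 INFO: SSL certificate chain validation failed: -6986
Mon Jan 1 10:00:00 2024     trusted certs = 1
Mon Jan 1 10:00:00 2024      dumping cert chain
Mon Jan 1 10:00:00 2024         Failed to get CommonName from subjectDN
Mon Jan 1 10:00:00 2024         commonName is backend.example.test
Mon Jan 1 10:00:00 2024 ERROR: SSLWrite failed
Mon Jan 1 10:00:00 2024 Marking backend.example.test:9443 as bad
""".splitlines()

if __name__ == "__main__":
    for event in summarize_failures(SAMPLE):
        print(event)
```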





Example of the RPS configuration file (e.g., iisproxy.ini):

WebLogicHost=myserver.peoplesoft.com
WebLogicPort=9443
SecureProxy=ON
#TrustedCAFile: root CA of WebLogic's server certificate
TrustedCAFile=C:\MY_PS_HOME\\webserv\<DOMAIN>\rootCA.cer
DebugConfigInfo=ON
Debug=ALL
WLLogFile=C:\RPS.LOG
#
#To proxy all IIS directed requests to WebLogic set "WlForwardPath=/"
#To selectively proxy only PeopleSoft requests to
#WebLogic set "WlForwardPath=" to the list of PeopleSoft sites to proxy.
#For example, to proxy requests for only 'peoplesoft8' and 'crm'
#set WlForwardPath to the following:
WlForwardPath=/
#If you have specified an AuthTokenDomain during your PIA installation,
#you must set the cookieName for your reverse proxy.
#<value of WebLogic.httpd.session.cookie.name= in weblogic.properties>
CookieName=


 

Cause
