SSL issues with a SOAP client from within WebLogic Server

Hi,

Happy Chinese New Year!

Every problem that takes me more than two days to solve deserves a writeup! This time it was a known issue that shows up when a web service client running inside WebLogic Server sends a SOAP request over HTTPS. The receiving host uses a wildcard certificate, something like *.tonyyan.com, but the hostname is something like server1.tonyyan.com. WLS by default does not accept the wildcard, so hostname verification fails and with it the SSL handshake. There is a very nice post at http://jandrewthompson.blogspot.com/2010/04/weblogic-and-wildcard-ssl-certificates.html that describes how to implement and use a custom hostname verifier. However, I wanted to apply it only to my own client instead of changing the verifier at the WLS server level. So I used the following code, which bypasses hostname verification altogether.

Warning: this must not be used in a PROD environment. Returning true unconditionally means that any certificate the truststore accepts is good for any hostname, so a valid certificate issued for an unrelated host, or a compromised key anywhere in the trust chain, lets an attacker man-in-the-middle the connection without the client noticing. Production code needs a verifier that matches the wildcard pattern strictly against the hostname and accepts nothing else.

// Imports needed by the snippet; `port` (the JAX-WS proxy) and `logger` are assumed to be in scope.
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.xml.ws.BindingProvider;

// BindingProvider gives access to the per-port request context
BindingProvider bp = (BindingProvider) port;

// hostname issue - allow any hostname vs. its certificate (NOT for production)
Map<String, Object> ctxt = bp.getRequestContext();

HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String urlHostName, SSLSession session) {
        logger.info("HostnameVerifier without validation. urlHostName is " + urlHostName);
        return true; // accepts every hostname, whatever the certificate says
    }
};
// property names under which the JAX-WS RI / JDK-internal JAX-WS look up a per-request verifier
ctxt.put("com.sun.xml.ws.transport.http.client.hostname.verifier", hv);
ctxt.put("com.sun.xml.ws.transport.https.client.hostname.verifier", hv);
ctxt.put("com.sun.xml.internal.ws.client.hostname.verifier", hv);

Even with this code it still didn't work for me. It turned out that I had forgotten to put the server certificate into WLS's truststore. Trust validation runs during the handshake, before the hostname verifier is ever consulted, so an untrusted certificate fails no matter what the verifier returns. The order in which WLS looks for identity and trust certificates is described here:

http://docs.oracle.com/cd/E11035_01/wls100/secmanage/identity_trust.html#wp1183754

After I put the server certificate into DemoTrust.jks, things started to work great. (DemoTrust.jks is the demonstration truststore that ships with WLS; its demo CA is identical on every installation and Oracle documents it as unsuitable for production, so like the verifier bypass above this is a development-only setup. A production server should use its own custom truststore.)
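For completeness, here is the strict verifier the warning above calls for, as an added example that is not part of the original post and not WebLogic's own verifier. It assumes a class named WildcardHostnameVerifier, that it reads the dNSName entries of the leaf certificate's subjectAltName (falling back to the CN only when there are none), and it reuses the three request-context keys from the snippet above to attach itself to a single JAX-WS port:

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.xml.ws.BindingProvider;

/**
 * Hostname verifier for one JAX-WS client: accepts an exact match or a single
 * leftmost wildcard label (*.tonyyan.com), nothing else. Illustrative code,
 * not WebLogic's own verifier (hypothetical class name).
 */
public final class WildcardHostnameVerifier implements HostnameVerifier {

    public boolean verify(String urlHostName, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            // Only the leaf names the server; the truststore already judged the chain.
            for (String name : dnsNames((X509Certificate) chain[0])) {
                if (matches(name, urlHostName)) {
                    return true;
                }
            }
            return false;
        } catch (SSLPeerUnverifiedException e) {
            return false;            // no peer certificate (e.g. anonymous suite)
        } catch (CertificateParsingException e) {
            return false;            // malformed SAN extension: fail closed
        }
    }

    /** dNSName entries of subjectAltName; CN is used only when there are none. */
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)).intValue() == 2) {   // 2 == dNSName (RFC 5280)
                    names.add((String) san.get(1));
                }
            }
        }
        if (names.isEmpty()) {
            // crude CN extraction, enough for legacy CN-only certificates
            for (String rdn : cert.getSubjectX500Principal().getName().split(",")) {
                String r = rdn.trim();
                if (r.startsWith("CN=")) {
                    names.add(r.substring(3));
                }
            }
        }
        return names;
    }

    /**
     * RFC 6125 style comparison: case-insensitive; the wildcard must be the whole
     * leftmost label, must be followed by at least two labels (*.com is refused),
     * covers exactly one label (*.tonyyan.com does not match a.b.tonyyan.com)
     * and never matches an IP address literal.
     */
    static boolean matches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        boolean ipLiteral = h.matches("[0-9.]+") || h.indexOf(':') >= 0;
        if (p.indexOf('*') < 0 || ipLiteral) {
            return p.equals(h);
        }
        if (!p.startsWith("*.") || p.indexOf('*', 1) >= 0) {
            return false;                                   // *foo.com, a.*.com, *.*.com
        }
        String suffix = p.substring(1);                     // ".tonyyan.com"
        if (suffix.split("\\.").length < 3) {
            return false;                                   // "" + "tonyyan" + "com" is the minimum
        }
        if (h.length() <= suffix.length() || !h.endsWith(suffix)) {
            return false;
        }
        return h.substring(0, h.length() - suffix.length()).indexOf('.') < 0;
    }

    /** Wires the verifier into one JAX-WS port using the request-context keys from the post. */
    public static void install(BindingProvider bp) {
        HostnameVerifier hv = new WildcardHostnameVerifier();
        Map<String, Object> ctxt = bp.getRequestContext();
        ctxt.put("com.sun.xml.ws.transport.http.client.hostname.verifier", hv);
        ctxt.put("com.sun.xml.ws.transport.https.client.hostname.verifier", hv);
        ctxt.put("com.sun.xml.internal.ws.client.hostname.verifier", hv);
    }
}
```

Call WildcardHostnameVerifier.install((BindingProvider) port) where the snippet above does its three ctxt.put calls. With this in place server1.tonyyan.com is accepted against *.tonyyan.com, while a.b.tonyyan.com, *.com, partial wildcards and IP literals are refused, and the verifier still only runs after the truststore has accepted the chain, so the missing-certificate problem described above still has to be fixed in the truststore.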

-TY
