Thursday, July 25, 2019

Calling SSL or https Web Service using WebLogic : javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

When trying to call an external web service Using PeopleSoft Integration broker, it is giving the following message

<Jul 23, 2019 6:47:30 PM EDT> <Notice> <Stdout> <BEA-000000> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', RECV TLSv1.2 ALERT:  fatal, bad_certificate>

in Integration Broker Gateway Server, You will see

HttpTargetConnector:ExternalSystemContactException Received fatal alert: bad_certificate
Message Set : 158, Message ID : 10721 IOException: The host couldn't be resolved.
To further debug, use the following options in setEnv,sh

JAVA_OPTIONS_LINUX="-server -Xms1024m -Xmx1024m -Dtuxedo.jolt.LLEDeprecationWarnLevel=NONE -Djavax.net.debug=all -XX:MaxPermSize=256m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0"

or
-Djavax.net.debug=ssl:handshake:verbose

Review this document

[Java SE] Training - How to Process javax.net.debug Diagnostic Output (Doc ID 2170565.1)

egrep -i "\* ClientHello|\* ServerHello|\* Certificate chain|\* CertificateRequest|\* ServerHelloDone|\* ClientKeyExchange|\* ServerKeyExchange|\* CertificateVerify|Change Cipher Spec|\* Finished|fatal|exception"  outputfile
egrep -v "^[0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z]:" outputfile
Resolution
This issue is caused by an expired SSL Certificate (PrivateKeyEntry) entry in pskey keystore located at

$PS_CFG_HOME/webserv/peoplesoft/piaconfig/keystore

To list the entries

cd $PS_CFG_HOME/webserv/peoplesoft/piaconfig/keystore
ls -lrt
keytool -list -keystore pskey -storepass xxx -alias xxx -v
or to list every thing
keytool -list -keystore pskey -storepass xxx -v > output.txt

Review the output for expired entry.

This can also happen, if you have a PrivateKeyEntry that is signed by a Root CA which is not present in the target Web Service Provider keystore.

Solution: Delete the expired or invalid PrivateKeyentry and restart the webserver

keytool -delete -keystore pskey -storepass xxx -alias xxx

This has resolved the issue.

Other issue is that if you do not have RootCA of the target Web Service provider SSL Certificate in your keystore then you will need to import it in your keystore.

errorLog

javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
 at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1972)
 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1089)
 at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1325)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1352)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1336)
 at psft.pt8.pshttp.https.HttpsClient.doConnect(HttpsClient.java:246)
 at sun.net.NetworkClient.openServer(NetworkClient.java:136)
 at psft.pt8.pshttp.https.HttpClient.openServer(HttpClient.java:543)
 at psft.pt8.pshttp.https.HttpClient.<init>(HttpClient.java:364)
 at psft.pt8.pshttp.https.HttpsClient.<init>(HttpsClient.java:76)
 at psft.pt8.pshttp.https.HttpsClient.newClient(HttpsClient.java:132)
 at psft.pt8.pshttp.https.HttpsClient.newClient(HttpsClient.java:100)
 at psft.pt8.pshttp.https.HttpsURLConnection.connect(HttpsURLConnection.java:468)
 at psft.pt8.pshttp.PSHttp.getResponseCode(PSHttp.java:423)
 at com.peoplesoft.pt.integrationgateway.targetconnector.HttpTargetConnector.send(HttpTargetConnector.java:858)
 at com.peoplesoft.pt.integrationgateway.service.BasicConnectorInvocator.execute(BasicConnectorInvocator.java:131)
 at com.peoplesoft.pt.integrationgateway.framework.GatewayManager.invokeService(GatewayManager.java:148)
 at com.peoplesoft.pt.integrationgateway.framework.GatewayManager.connect(GatewayManager.java:192)
 at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftListeningConnector.doPost(PeopleSoftListeningConnector.java:186)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:751)
 at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftListeningConnector.service(PeopleSoftListeningConnector.java:87)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
 at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:280)
 at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:254)
 at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:136)
 at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:346)
 at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
 at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
 at com.peoplesoft.pt.integrationgateway.common.IBFilter.doFilter(IBFilter.java:84)
 at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3456)
 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3422)
 at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:323)
 at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
 at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
 at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2280)
 at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2196)
 at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
 at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1632)
 at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:256)
 at weblogic.work.ExecuteThread.execute(ExecuteThread.java:311)
 at weblogic.work.ExecuteThread.run(ExecuteThread.java:263)


PIA_stderr

com.peoplesoft.pt.integrationgateway.common.ExternalSystemContactException: HttpTargetConnector:ExternalSystemContactException Received fatal alert: bad_certificate
 at com.peoplesoft.pt.integrationgateway.targetconnector.HttpTargetConnector.send(HttpTargetConnector.java:1296)
 at com.peoplesoft.pt.integrationgateway.service.BasicConnectorInvocator.execute(BasicConnectorInvocator.java:131)
 at com.peoplesoft.pt.integrationgateway.framework.GatewayManager.invokeService(GatewayManager.java:148)
 at com.peoplesoft.pt.integrationgateway.framework.GatewayManager.connect(GatewayManager.java:192)
 at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftListeningConnector.doPost(PeopleSoftListeningConnector.java:186)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:751)
 at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftListeningConnector.service(PeopleSoftListeningConnector.java:87)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
 at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:280)
 at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:254)
 at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:136)
 at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:346)
 at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
 at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
 at com.peoplesoft.pt.integrationgateway.common.IBFilter.doFilter(IBFilter.java:84)
 at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3456)
 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3422)
 at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:323)
 at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
 at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
 at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2280)
 at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2196)
 at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
 at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1632)
 at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:256)
 at weblogic.work.ExecuteThread.execute(ExecuteThread.java:311)
 at weblogic.work.ExecuteThread.run(ExecuteThread.java:263)

No comments: