We have a production server. On it there is a domain, which has 1 Admin Server and 1 Managed Server.
The Managed Server is configured on a particular port and an application has been deployed onto it, and that application works fine.
The Admin Server isn't configured for any port and is not running, but the Managed Server is running fine.
Also, I am unable to open the admin console because the Admin Server is not running.
When I run startWebLogic.cmd, it asks me for a username and password, and when I give weblogic and weblogic it says authentication denied.
And when I look in user_projects\domains\mydomain\AdminServer\Security,
there is no boot.properties file.
So when I define a boot.properties file with a username and password and use startWebLogic.cmd, it says authentication denied and gives an error saying that the values in boot.properties are invalid.
I have a simple security question. We plan to use a simple servlet with form-based authentication (j_security_check). The authentication is performed via the regular WLS LDAP authentication provider. The LDAP has a password expiration policy.
What is the simplest way to detect that user’s password is expired and redirect the user to the password change page?
We are getting this error when trying to log in to an application. The env is development, WebLogic 9.2.3.0, on Windows.
“The Server is not able to service this request: [Server:002621]Connection rejected, the server license allows connections from only 5 unique IP addresses.”
The env is weblogic 9.2 in dev env in windows server 2k3.
We are planning to authenticate an Application in a server XXX using LDAP. Default password in directory server for user “weblogic” is “changeit”. But, we have observed that, weblogic is trying to pick password from boot.properties in an encrypted way. How to solve our issue? What are the settings that need to be changed?
I did the above steps according to the link you provided. I created a user named weblogic rather than a group like the TestGroup you created in the link.
Then I removed the data folder and the boot.properties from the admin server,
started the admin server from the command prompt with startWebLogic.cmd from the directory,
and provided the AD user as weblogic. When I provide a different password than weblogic, I get the error below:
<> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:947)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1029)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:854)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
and the server is force shut down.
But when I give the username and password as weblogic and weblogic, the server starts and works well.
Hi Chandu,
Please let us know which LDAP you want to configure with WebLogic. Configuration-wise, most external LDAP servers need to be configured in the same fashion, as described in the following link: http://download.oracle.com/docs/cd/E12524_01/core.1013/e13058/appendixd.htm
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
The env is WebLogic 9.2.2.0, dev env, on Windows 2k3 Standard Edition.
I saw your post on creating an Active Directory user in WebLogic and logging in to WebLogic using this AD user and password.
The issue with our env is:
We have configured an Active Directory authenticator with WebLogic and the users are synced with WebLogic; I can see the users and groups in WebLogic that are configured in Active Directory.
Now there is one problem:
we have 2 users with the name “weblogic” in the users list.
One is the default one and the other is the Active Directory one.
So when we start the server using the default weblogic username and password, it starts well,
but when we try the same username with the password configured in Active Directory, the authentication is denied.
I remembered your post where you explained how to create an Active Directory user from the security realms link in the admin console.
By going to the realm, my realm, realm roles and edit global roles, I clicked “add condition” and created a “user” that was present in the Active Directory users (visible in the admin console list of users and groups in the users tab).
Then I stopped the admin server and removed the data folder and also the boot.properties from the security folder in the admin server.
When I restart the server and enter the AD user and password, the server forces a shutdown, but when I enter the regular username and password, that is weblogic and weblogic, the server starts.
Can you please help me, or can you please schedule a TeamViewer meeting, any time in Indian time, and I will be there.
Hi,
A newbie here :)
For audit reasons I have change the weblogic admin account password to make it Stronger. Anyone ever done it? Any tips /examples appreciated.
Thanks
I want to set the environment by using the setWLSEnv.sh script on Linux. When I then execute “java weblogic.utils.CertGen”, the error below occurs.
[root@loaclhost ~]# cd /oracle/Middleware_1033/wlserver_10.3/server/bin/
[root@loaclhost bin]# ll
total 16
drwxr-x--- 2 root root 4096 Dec 3 14:37 international
-rwxr-x--- 1 root root 3845 Dec 3 14:38 setWLSEnv.sh
-rwxr-x--- 1 root root 4150 Dec 3 14:38 startNodeManager.sh
[root@loaclhost bin]# sh setWLSEnv.sh
CLASSPATH=/oracle/Middleware_1033/patch_wls1033/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/oracle/Middleware_1033/patch_ocp353/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/oracle/Middleware_1033/patch_jdev1111/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/oracle/Middleware_1033/jdk160_18/lib/tools.jar:/oracle/Middleware_1033/wlserver_10.3/server/lib/weblogic_sp.jar:/oracle/Middleware_1033/wlserver_10.3/server/lib/weblogic.jar:/oracle/Middleware_1033/modules/features/weblogic.server.modules_10.3.3.0.jar:/oracle/Middleware_1033/wlserver_10.3/server/lib/webservices.jar:/oracle/Middleware_1033/modules/org.apache.ant_1.7.1/lib/ant-all.jar:/oracle/Middleware_1033/modules/net.sf.antcontrib_1.1.0.0_1-0b2/lib/ant-contrib.jar:
PATH=/oracle/Middleware_1033/wlserver_10.3/server/bin:/oracle/Middleware_1033/modules/org.apache.ant_1.7.1/bin:/oracle/Middleware_1033/jdk160_18/jre/bin:/oracle/Middleware_1033/jdk160_18/bin:/usr/lib64/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin
Your environment has been set.
[root@loaclhost bin]# java weblogic.utils.CertGen welcome1 vinoth_MS1_cert vinoth_MS1_key domestic vinoth
Exception in thread "main" java.lang.NoClassDefFoundError: weblogic.utils.CertGen
at gnu.gcj.runtime.FirstThread.run() (/usr/lib64/libgcj.so.5.0.0)
at _Jv_ThreadRun(java.lang.Thread) (/usr/lib64/libgcj.so.5.0.0)
at _Jv_RunMain(java.lang.Class, byte const, int, byte const, boolean) (/usr/lib64/libgcj.so.5.0.0)
at __gcj_personality_v0 (/oracle/Middleware_1033/wlserver_10.3/server/bin/java.version=1.4.2)
at __libc_start_main (/lib64/tls/libc-2.3.4.so)
at _Jv_RegisterClasses (/oracle/Middleware_1033/wlserver_10.3/server/bin/java.version=1.4.2)
You have new mail in /var/spool/mail/root
But when I check with the command ” echo CLASSPATH ” it doesn’t show anything.
How do I resolve this problem so that I can execute the mentioned command “java weblogic.utils.CertGen welcome1 vinoth_MS1_cert vinoth_MS1_key domestic vinoth”?
Hi Vinoth,
Please follow the below steps: (The note mentioned in Step3 is Mandatory)
Step1). Open a Shell Prompt.
Step2). echo $CLASSPATH … Just to see what the current CLASSPATH value is.
Step3). Run “setWLSEnv.sh” by adding two DOTs separated by a single space before the actual script, like the following (use the ‘cd’ command to move inside /wlserver_10.3/server/bin, then run the following command):
. ./setWLSEnv.sh
Note: the first DOT means set the environment in the current shell, AND the second ./ means execute the script from the current directory.
Step4). Verify whether the CLASSPATH is set properly or not:
echo $CLASSPATH
Step5). Now you can run your command.
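The difference between `sh setWLSEnv.sh` and `. ./setWLSEnv.sh`, as an added example that is not part of the original thread. `demo_env.sh` is a constructed stand-in for setWLSEnv.sh and its two paths are placeholders; the function names are this example's own.

```shell
#!/bin/sh
# Constructed stand-in for setWLSEnv.sh: it only exports CLASSPATH and PATH.
# Both paths are placeholders, not real WebLogic locations.
make_demo_script() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/demo_env.sh" <<'EOF'
CLASSPATH=/placeholder/wlserver/server/lib/weblogic.jar
PATH=/placeholder/jdk/bin:$PATH
export CLASSPATH PATH
echo "Your environment has been set."
EOF
    echo "$dir"
}

# env_after exec   -> runs the script as a child process (sh demo_env.sh)
# env_after source -> reads it into the current shell    (. ./demo_env.sh)
# Prints the CLASSPATH and the first PATH entry the caller sees afterwards.
env_after() {
    mode=$1
    dir=$(make_demo_script) || return 1
    (
        unset CLASSPATH
        cd "$dir" || exit 1
        case $mode in
            exec)   sh demo_env.sh >/dev/null ;;
            source) . ./demo_env.sh >/dev/null ;;
            *)      exit 2 ;;
        esac
        # In exec mode the exports died with the child process, so the
        # caller still has its old PATH and no CLASSPATH.
        echo "CLASSPATH=${CLASSPATH:-<unset>} PATH0=${PATH%%:*}"
    )
    status=$?
    rm -rf "$dir"
    return "$status"
}

echo "sh demo_env.sh  : $(env_after exec)"
echo ". ./demo_env.sh : $(env_after source)"
```

With the script merely executed, PATH is unchanged as well, so the `java` that runs is whichever one the system already had on PATH; the libgcj frames in the stack trace posted above are consistent with that.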
Thanks for giving a solution. Then i am able to execute the “java weblogic.utils.CertGen” command to generate the SSL certificate for every Managed Server in Production Environment.
1) I am upgrading my WebLogic Portal application from WebLogic 8.1 SP4 to WebLogic 10.3.2. I found that roles created under visitor entitlements through the WebLogic Portal administration portal are not visible to the assigned user. For example, I created testRole for my application and added user testuser to this user. When I log in to my portal application, this user should be able to see the portal page related to testRole. But currently this is not working.
To fix the above issue I created a new group under Users and Groups management, added the above user to that group, and added that group to testRole. Now the user is able to see the portal pages.
My question is why the user is not able to access the roles when he is not part of any group. Because my portal application has different business users with different entitlement setups which I cannot categorize under groups.
The above functionality is working fine in the WebLogic 8.1 SP4 production environment.
I already upgraded my portal application from 8.1 SP4 to 10.3 and am able to deploy the application in the new version without any issues. As mentioned in my previous post, I am facing an issue with the visitor entitlements role.
Hi Satya,
“Visitor Entitlement” related security is different from normal WLS security. It is a very Portal-specific implementation of security, so I would request you to please open a thread in the Portal OTN Forum to get a more accurate and quick solution: http://forums.oracle.com/forums/forum.jspa?forumID=57
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
How to configure the Cross Domain Security Between WebLogic Server Domains & Trust Between WebLogic Server Domains in the oracle weblogic 10.3.3 server. But i am not able to configure. Kindly give the solution.
I have mentioned the below oracle document to configure the Cross Domain Security configuration.
Hi Vinobabu,
You are referring to the correct links for Cross Domain Security in WebLogic. Still if you have any doubts on that then please refer to : http://sureshsvn.com/weblogic/weblogic_security.html as well.
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
Create a Cross-Domain Security Credential Mapping:-
6. On the Create a New Security Credential Map Entry page, enter the following:
* Local User: Enter the string cross-domain.
* Remote User: User configured in the remote domain that is authorized to interact with the local domain.
* Password: The password for the remote user.
7. Click Finish
Example: ( In Dev_domain for Security Credential Mapping 6th step )
HI Sathya,
Please post the complete StackTrace of the error which you are getting with the details like where are you seeing this error ? NodeManager Logs? Server Logs? While Hitting the application ?
Which version of WebLogic are you using ?
Have you applied any of the following debug flags to get more information regarding the certificate error? If not, then please apply them: -Dweblogic.security.SSL.verbose=true -Dssl.debug=true
.
.
Thanks 🙂
Jay SenSharma
HI Sathya,
As your current query does not make any sense, we are deducting your 20 Magic Points from your Magic Account. 🙁
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
Hi,
I am working on Oracle SOA Suite 11g in tandem with weblogic server.
I have a requirement in which I have to call an external service (on a Bloomberg server). I have got digital certificates from Bloomberg such as
Bloomberg-cacert.der, Bloomberg-cert.der and Bloomberg-privKey.der (these are the files provided to us by the external Bloomberg server).
Now, how do I pass those certificates in the service call? Or do I need to install them in my WebLogic server?
They say that in their WSDL they have an ‘auth’ schema and we have to map these certificates to the elements that exist in the schema. I am not able to understand how it can be done in WebLogic server, or how we can pass these certificates to their service.
Any suggestion would be helpful to me. Or, if possible, can you please give your mobile number, so that I can explain it more clearly?
Hi Deepthi,
If you want to pass Certificates to the Service (I am assuming it as a WebService) so in that case we must know exactly which WebService policy they are using at the Service end.
Additionally you can refer to the Step6). mentioned in the following link: http://middlewaremagic.com/weblogic/?p=473
X509Certificate serverCert = (X509Certificate)CertUtils.getCertificate(serverCertFile);
Above is the way to pass the certificate.
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
They (my client) say that earlier they were able to do the same in webMethods. Now we are using SOA Suite. What they did was just map the byte form of their .der certificates to the elements in the schema of the web service.
I am very new to security and not able to understand how this can be achieved in SOA Suite.
I created a new domain for 10.3.4.0. There are two default users, weblogic and OracleSystemUser. But in the admin stdout log file, the errors below appear continuously.
Can you please let me know where I can find the ovowl user in the WebLogic domain?
Hello,
Do you know a way to log each failed user login attempt at an application configured with j_security_id? Currently it is logging only when the user reaches the limit of failed attempts and is locked.
Can you please make a detailed article on how to use SiteMinder with web servers and WebLogic servers? I could find an article with screenshots on other websites but there is no explanation. I see you guys do a great job of providing details and tips in your posts. I hope you get a chance to work on this, or if you can give pointers it will be great!!
Hi Shawn,
My Friend “Faisal Khan” is an Expert of WebLogic Security and has a great website with 4 articles on Site Minder … http://weblogic-wonders.com/weblogic/siteminder/ That will give you good idea. Let us know if you have any issues in configuring Site minder or while implementing it as described in the above link.
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
I have a problem in our environment regarding the security realms. In the production environment, when logged in to the Admin Console, I can see the groups and users list in the security realms, but I can't see any of the groups and users in the staging environment for the same domain. What are all the things I need to check? However, when I add any new user, it works, but I can't see the list of users or groups. Please help me out.
HI Pranay,
As you mentioned that you are not able to see the list of users so in that case please try the following article to see the list of users available in your Domain: http://middlewaremagic.com/weblogic/?p=6678
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
By going through the steps mentioned in the article, I think I can see the users list in the domain, but is there any way I can populate that list in my Admin Console? My concern is that even the group list is missing. If I can get the group list, the users list will be listed by default, I guess. Do I need to check any particular flag for this type of issue, such as enabling it as true or false, as mentioned in the article?
You can see the same list in your Admin Console by going through the below AdminConsole path
For Users List:
Security Realms — myrealm — Users and Groups [tab] — Users [sub-tab]
For Groups List:
Security Realms — myrealm — Users and Groups [tab] — Groups [sub-tab]
The WLST script which Jay asked you to look at only shows the users list and not the group list, hence you were not able to see the group list with that script.
I didn't use the script which Jay provided. I've just gone through it and figured out my issue is a bit different.
I navigated to all the paths of the console for the security realms tab. My console is not showing the groups list or the users list. However, if I create a new user, I can log in to the console with that new user, but it's not showing the new user in the users list. It says ” No entry match such criteria”
We have a business application running on WebLogic 10.3. It is configured as one cluster of two managed servers running on two different machines. This cluster was previously accessed by DNS using https with the SSL port. For example, we have a cluster of two managed servers like t3://xyz.com,abc.com:4501 (listen port), which is accessed by DNS https://DNSserver:4507 (SSL port) successfully with any error.
Now we got a business request to enable the t3s protocol for security. When we access the same DNS over t3s, i.e. t3s://DNSserver:4507, it throws the following exception.
<Certificate chain received from "XYZ.com" – 150.233.156.186 failed hostname verification check. Certificate contained "DNSserver" but check expected "XYZ.com";
javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://XYZ.com:4507: Destination unreachable; nested exception is:
javax.net.ssl.SSLKeyException: [Security:090504]Certificate chain received from "XYZ.com" – 150.233.156.186 failed hostname verification check. Certificate contained "DNSserver" but check expected "XYZ.com"; No available router to destination]
with this error.
..javax.security.auth.login.LoginException: java.net.ConnectException: Cannot use outbound protocol "t3", it does not have administrator privileges
After researching on Google, we found that most forums recommend using the following WebLogic argument "-Dweblogic.security.SSL.ignoreHostnameVerification=true", or elsewhere I got the answer to "add the element to each server in config.xml ( including the admin server ) and restart all. Please advise me on the standard way to enable the “t3s” protocol accessed over the SSL port for application modules.
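A triage helper for the BEA-090504 message quoted in the post above, as an added example that is not part of the original thread: it pulls the name found in the certificate and the name the check expected out of each log line and reports whether the two actually differ. The sample lines, hostnames and addresses are constructed, and the three result labels are this example's own.

```shell
#!/bin/sh
# Constructed log lines in the layouts quoted in this thread
# (hostnames are made up; 192.0.2.0/24 is a documentation address range).
sample_log() {
    cat <<'EOF'
<Warning> <Security> <BEA-090504> <Certificate chain received from "app.example.com" - 192.0.2.10 failed hostname verification check. Certificate contained "lb.example.com" but check expected "app.example.com"; No available router to destination>
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: ServerHello
Feb 3, 2012 10:50:28 AM EST Warning Security BEA-090504 Certificate chain received from svc.example.com - 192.0.2.20 failed hostname verification check. Certificate contained svc.example.com but check expected svc.example.com
Feb 3, 2012 10:50:29 AM EST Warning Security BEA-090504 Certificate chain received from svc.example.com - 192.0.2.20 failed hostname verification check. Certificate contained SVC.example.com but check expected svc.example.com
EOF
}

# Reads log lines on stdin and prints one result per hostname-verification
# failure. Lines without the "Certificate contained ... but check expected ..."
# phrase are ignored. The names may or may not be wrapped in double quotes.
classify_hostname_failures() {
    sed -n 's/.*Certificate contained "\{0,1\}\([A-Za-z0-9.*_-]*\)"\{0,1\} but check expected "\{0,1\}\([A-Za-z0-9._-]*\).*/\1 \2/p' |
    while read -r cert expected; do
        # DNS names compare case-insensitively, so normalise before comparing.
        cert_lc=$(printf '%s' "$cert" | tr '[:upper:]' '[:lower:]')
        exp_lc=$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')
        if [ "$cert" = "$expected" ]; then
            # The logged names are identical, so a name difference does not
            # explain the rejection; the SSL debug output is the next place to look.
            echo "SAME_AS_LOGGED name=$cert"
        elif [ "$cert_lc" = "$exp_lc" ]; then
            echo "CASE_ONLY cert=$cert expected=$expected"
        else
            # The certificate was issued for a different name than the one
            # the client connected to.
            echo "MISMATCH cert=$cert expected=$expected"
        fi
    done
}

sample_log | classify_hostname_failures
```

A MISMATCH line names the two values to reconcile: the host name the client connects to and the name the certificate was issued for.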
The stuck thread occurred in the production environment due to a Microsoft Active Directory (LDAP) lock. Kindly provide a solution so that this type of stuck thread issue (LDAP) does not happen in the production environment.
Dev & QA on: Solaris 10
Help needed on: Windows XP & Windows 7
WebLogic10.3 (same version on QA, Dev and local)
We have cacerts file working fine on our QA & Dev boxes. But we want to have those certificates working on our local WebLogic103 running on windows machine.
We know cacerts file is specific to the operating system.
So please let us know with your inputs to overcome this issue.
Hi Praveen,
Please try the following: copy the “cacerts” file from your QA/Dev box and paste it into your Windows box (like the D:/MyJDKs/jdk1.6.0_21/jre/lib/security directory), then restart your server. I don't think there should be any issue. Let us know the results.
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
The warning messages below are listed in the log files, and the server start time is increasing because of them.
=======================================================
<RuntimeException thrown by rmi server: weblogic.management.remote.iiop.IIOPServerImpl.newClient(Ljava.lang.Object;)
java.lang.SecurityException: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User xxxxxx javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xxxxx denied.
java.lang.SecurityException: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User xxxxxx javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xxxxxx denied
at weblogic.management.mbeanservers.internal.JMXAuthenticator.authenticate(JMXAuthenticator.java:104)
at javax.management.remote.rmi.RMIServerImpl.doNewClient(RMIServerImpl.java:225)
at javax.management.remote.rmi.RMIServerImpl.newClient(RMIServerImpl.java:192)
at weblogic.management.remote.iiop.IIOPServerImpl_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:589)
Truncated. see log file for complete stacktrace
Hi Rajendra,
Please try to take a backup of your “$DOMAIN_HOME/servers/AdminServer/data” and then delete the “data” directory then try to restart your Server. (If the problem is happening while starting Managed Servers then Please delete the “data” directory first from AdminServer and then after starting the AdminServer delete “data” directory from managed Servers as well and then restart them as well.)
Additionally if you have made any recent changes in the AdminConsole or in the Domain configuration then please revert it back by using the Cached Copy of “config.xml” which usually gets placed inside “$DOMAIN_HOME/config/configCache”
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
I am not sure whether the warning message is visible, which is not showing here.
Warning> <Could not get configuration lock used to serialize access to configuration files. Retrying for another 60 seconds.
Hi Rajendra,
By looking at the StackTrace pasted above it looks like there is some communication problem with the External LDAP or the Active Directory server …. Which need to be checked first. Please let us know if you are using any external Security mechanism for your Domain like External LDAP or active directory server ? If yes then we need to check the issue from that side first.
.
.
Keep Posting 🙂
Thanks
Jay Sensharma
We are facing the SSL handshake issue below from a client (an application deployed in WebSphere which has to send messages to the queue configured in the WebLogic 10g server).
We have observed the following handshake error at the client side in the WebSphere logs.
1. We tried importing the certs configured in the WLS keystore into the WAS keystore. This didn't work for us.
Your help is highly appreciated. Thanks.
Problem Description: [9/20/11 15:15:27:347 EDT] 00000028 SystemErr R Caused by: java.net.ConnectException: t3s://:20110: Destination unreachable; nested exception is:
javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from – 159.17.75.243 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.; No available router to destination
[9/20/11 15:15:27:348 EDT] 00000028 SystemErr R at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:203)
[9/20/11 15:15:27:349 EDT] 00000028 SystemErr R at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:153)
[9/20/11 15:15:27:350 EDT] 00000028 SystemErr R at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:352)
[9/20/11 15:15:27:350 EDT] 00000028 SystemErr R … 48 more
Small correction to the previous comment: t3s://:20110: Destination unreachable; nested exception is:
Problem Description: [9/20/11 15:15:27:347 EDT] 00000028 SystemErr R Caused by: java.net.ConnectException: t3s://:20110: Destination unreachable; nested exception is:
javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from – 159.17.75.243
Hi Srikanth,
Please enable the -Djavax.net.debug=all JAVA_OPTS in your Servers start script to get more details to know where it is actually failing. This debug will help us in isolating where exactly the SSL handshake is failing.
Is there any solution available to fix Unsupported OID warning messages in WebLogic? I know the reason for these messages but am not sure if there is any system property which can suppress these warning messages.
Hi Vishal,
Not sure about what kind of ” Unsupported OID Warning messages” you are getting. Without looking at the actually Warning message there is nothing to comment on it. Like some basic information is always needed in order to investigate/debug any issue like ….WebLogic Version, Description of What is happening & When? Actual StackTrace or log snippet…etc.
To Post your Error Messages or exceptions/warning please refer to the Point-4). Mentioned in the following link: http://middlewaremagic.com/weblogic/?page_id=146
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
Issue: while trying to start the managed server it shows the error as exception in main thread java.lang.NoClassDefFoundError
OS: RHEL 6
WLS: 10.3.0
Jdk: Sun jdk160.05 , Xms256 Xmx512
Exception in thread “main” java.lang.NoClassDefFoundError: number
Caused by: java.lang.ClassNotFoundException: number
at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:276)
at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
Hi Priyanka,
Looks like you have recently added some Wrong JAVA_OPTIONS in your server’s start script. Please check all your startScript (startWebLogic.sh) and in ${DOMAIN_HOME}/config/config.xml” and find a word “number” to see if anywhere mistakenly you added this JAVA_OPTIONS.
If you are using Unix based OS then run the following command to see which file contains the word “number”
(NOTE: run this following command from inside your $DOMAIN_HOME directory)
Hi guys,
I have weblogic 10.3.3 with Oracle oid 11.1.13 and Oracle SSO 10.1.4.3. I have everything up and running. Yea! Yesterday I tried to add the OID as a Authentication provider. Directions located here-http://docs.oracle.com/cd/E17904_01/apirefs.1111/e13952/taskhelp/security/ConfigureOracleInternetDirectoryATNProvider.html
I went to restart my server today, and it won't start. It's giving me the following error, located in my AdminServer.log.
#### <> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Authentication Failed: User weblogic weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:244)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy16.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:91)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy34.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:929)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
I can ldapbind with the user.
I deleted the boot.properties file, re-ran the startup script for WL and it prompted me for a user/password. I received the same issue. It did not create a new boot.properties. I also deleted my ldap directory located in AdminServer/data, re-ran the startup script and got the same error.
Any ideas?
Also I have 5 Java J2ee .Ear files that run in OC4J, but they are all giving me different errors in WL. Can you let me know of any good reads on getting them to run in WL?
Earlier I thought that you were using Sun JDK, so I provided you the link to collect the heap dump using jmap.
But in your above STDOUT I can see that you are using the JRockit JVM (BEA JRockit(R) (build R27.6.0-50_o-100423-1.6.0_05-20080626-2104-linux-ia32, compiled mode)), so jmap will not be helpful in this case. In the case of the JRockit JVM you can generate the heap dump using the jrmc utility as follows:
./jrcmd 9264 hprofdump filename=/home/oracle/temp/dump.hprof
Here 9264 is the process ID of your WebLogic which is running on JRockit.
You will get more details on JRMC in the following link:
I had been struggling to make my Webservice Client (using https URL) work within Weblogic Server 10.3.2, which had been causing an issue as below:
*Feb 3, 2012 10:50:28 AM EST Warning Security BEA-090504 Certificate chain received from apcple.XXX.com – 113.128.90.16 failed hostname verification check. Certificate contained apcple.XXX.com but check expected apcple.XXX.com*
If I disable host name verification check using *-Dweblogic.security.SSL.ignoreHostnameVerification=true*, the code is WORKING fine. No issue. But that is NOT what I want.
a) I enabled weblogic SSL debugs.
b) I introduced my Custom HostNameVerifier and supplied it via console. I see in the logs that my custom verifier is getting picked up and does the host name comparison of the URL hostname vs. the Certificate CN name, and it succeeds and the code returns true.
c) If you see SSL debug statements, Connection with server got established and the first time it tries to validate Certificate chain 0, 1, 2 and LOADS my CUSTOM HostName Verifier.
d) After a few lines passed, it again tries to validate Certificates in the same series and the SECOND time it DID NOT load my Custom HostName Verifier AND FAILS with the Standard BEA Security Error as pasted above.
Would you please help me to figure out what is missing ?
Any help in this regard would be highly appreciated.
############################
*SEE SNIPPET OF SSL DEBUG STATEMENTS*
Feb 3, 2012 10:50:23 AM EST Info WebLogicServer BEA-000307 Exportable key maximum lifespan set to 500 uses.
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Filtering JSSE SSLSocket
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 SSLIOContextTable.addContext(ctx): 30958379
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 SSLSocket will be Muxing
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 write SSL_20_RECORD
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 746666 received HANDSHAKE
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: ServerHello
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: Certificate
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Validating certificate 0 in the chain: Serial number: 1208925819615937499602513
Issuer:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Subject:C=US, ST=Texas, L=Irving, O=XXX LLC, OU=ns, EMAIL=aes.eng@XXX.com, CN=apcple.XXX.com
Not Valid Before:Fri Jun 17 10:48:17 EDT 2011
Not Valid After:Sun Jun 17 10:48:17 EDT 2012
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Validating certificate 1 in the chain: Serial number: 120010508
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Not Valid Before:Wed Sep 08 13:35:16 EDT 2010
Not Valid After:Tue Sep 08 13:34:08 EDT 2020
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Validating certificate 2 in the chain: Serial number: 33554617
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Not Valid Before:Fri May 12 14:46:00 EDT 2000
Not Valid After:Mon May 12 19:59:00 EDT 2025
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 validationCallback: validateErr = 0
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 cert[0] = Serial number: 1208925819615937499602513
Issuer:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Subject:C=US, ST=Texas, L=Irving, O=XXX LLC, OU=ns, EMAIL=aes.eng@XXX.com, CN=apcple.XXX.com
Not Valid Before:Fri Jun 17 10:48:17 EDT 2011
Not Valid After:Sun Jun 17 10:48:17 EDT 2012
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 cert[1] = Serial number: 120010508
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Not Valid Before:Wed Sep 08 13:35:16 EDT 2010
Not Valid After:Tue Sep 08 13:34:08 EDT 2020
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 cert[2] = Serial number: 33554617
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Not Valid Before:Fri May 12 14:46:00 EDT 2000
Not Valid After:Mon May 12 19:59:00 EDT 2025
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 weblogic user specified trustmanager validation status 0
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 SSLTrustValidator returns: 0
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Trust status (0): NONE
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Performing hostname validation checks: apcple.XXX.com
############ BELOW 6 LINES INDICATES MY CUSTOM HOST NAME VERIFIER GOT PICKED UP ########
Custom HostName Verifier Called =com.XXX.sys.WeblogicHostNameVerifier
Rcvd. Host Name=apcple.XXX.com SSL Session=javax.net.ssl.impl.SSLSessionImpl@1760238
Parsing COMMON Name from Certificates
getPeerLeafCert()….Start
Parsed CN = apcple.XXX.com
HOST NAME AND COMMON NAME MATCH FOUND
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: ServerHelloDone
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm MD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Using JCE Cipher: SunJCE version 1.6 for algorithm RC4
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Using JCE Cipher: SunJCE version 1.6 for algorithm RSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 write HANDSHAKE, offset = 0, length = 262
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 write CHANGE_CIPHER_SPEC, offset = 0, length = 1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Using JCE Cipher: SunJCE version 1.6 for algorithm RC4
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HMACMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 write HANDSHAKE, offset = 0, length = 16
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 746666 received CHANGE_CIPHER_SPEC
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Using JCE Cipher: SunJCE version 1.6 for algorithm RC4
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HMACMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 746666 received HANDSHAKE
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: Finished
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 write APPLICATION_DATA, offset = 0, length = 193
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 31771821 read(offset=0, length=8192)
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 746666 received APPLICATION_DATA: databufferLen 0, contentLength 143
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read databufferLen 143
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read A returns 143
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read(offset=143, length=8049)
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 746666 received APPLICATION_DATA: databufferLen 0, contentLength 3819
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read databufferLen 3819
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read A returns 3819
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read(offset=3962, length=4230)
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 746666 received APPLICATION_DATA: databufferLen 0, contentLength 8
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read databufferLen 8
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read A returns 8
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 write APPLICATION_DATA, offset = 0, length = 193
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read(offset=3970, length=4222)
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 746666 received APPLICATION_DATA: databufferLen 0, contentLength 143
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read databufferLen 143
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read A returns 143
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read(offset=4113, length=4079)
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 746666 received APPLICATION_DATA: databufferLen 0, contentLength 3819
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read databufferLen 3819
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read A returns 3819
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read(offset=7932, length=260)
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 746666 received APPLICATION_DATA: databufferLen 0, contentLength 8
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read databufferLen 8
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read A returns 8
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 SSLSetup: loading trusted CA certificates
Feb 3, 2012 10:50:25 AM EST Notice Security BEA-090898 Ignoring the trusted CA certificate “CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.
Feb 3, 2012 10:50:25 AM EST Notice Security BEA-090898 Ignoring the trusted CA certificate “CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 clientInfo has HostnameVerifier
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Filtering JSSE SSLSocket
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 SSLIOContextTable.addContext(ctx): 25583909
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 SSLSocket will be Muxing
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 write SSL_20_RECORD
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 28097422 SSL3/TLS MAC
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 28097422 received HANDSHAKE
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: ServerHello
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: Certificate
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Validating certificate 0 in the chain: Serial number: 1208925819615937499602513
Issuer:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Subject:C=US, ST=Texas, L=Irving, O=XXX LLC, OU=ns, EMAIL=aes.eng@XXX.com, CN=apcple.XXX.com
Not Valid Before:Fri Jun 17 10:48:17 EDT 2011
Not Valid After:Sun Jun 17 10:48:17 EDT 2012
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Validating certificate 1 in the chain: Serial number: 120010508
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Not Valid Before:Wed Sep 08 13:35:16 EDT 2010
Not Valid After:Tue Sep 08 13:34:08 EDT 2020
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Validating certificate 2 in the chain: Serial number: 33554617
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Not Valid Before:Fri May 12 14:46:00 EDT 2000
Not Valid After:Mon May 12 19:59:00 EDT 2025
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 validationCallback: validateErr = 0
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 cert[0] = Serial number: 1208925819615937499602513
Issuer:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Subject:C=US, ST=Texas, L=Irving, O=XXX LLC, OU=ns, EMAIL=aes.eng@XXX.com, CN=apcple.XXX.com
Not Valid Before:Fri Jun 17 10:48:17 EDT 2011
Not Valid After:Sun Jun 17 10:48:17 EDT 2012
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 cert[1] = Serial number: 120010508
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Not Valid Before:Wed Sep 08 13:35:16 EDT 2010
Not Valid After:Tue Sep 08 13:34:08 EDT 2020
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 cert[2] = Serial number: 33554617
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Not Valid Before:Fri May 12 14:46:00 EDT 2000
Not Valid After:Mon May 12 19:59:00 EDT 2025
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 weblogic user specified trustmanager validation status 0
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 SSLTrustValidator returns: 0
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Trust status (0): NONE
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Performing hostname validation checks: apcple.XXX.com
Feb 3, 2012 10:50:25 AM EST Warning Security BEA-090504 Certificate chain received from apcple.XXX.com – 113.128.90.16 failed hostname verification check. Certificate contained apcple.XXX.com but check expected apcple.XXX.com
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Hostname Verification failed for certificate with CommonName ‘apcple.XXX.com’ against hostname: apcple.XXX.com
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.init(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:158)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:363)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:952)
at com.sun.xml.ws.transport.http.client.HttpClientTransport.readResponseCodeAndMessage(HttpClientTransport.java:213)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:172)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:101)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:604)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:563)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:548)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:445)
at com.sun.xml.ws.client.Stub.process(Stub.java:248)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy189.updateMilestone(Unknown Source)
at com.XXX.sys.apc.APCProcessor.updateMilestoneToApc(APCProcessor.java:95)
at com.XXX.sys.apc.APCProcessor.sendAsrFeed(APCProcessor.java:50)
at com.XXX.sys.apc.APCLookupBean.onMessage(APCLookupBean.java:94)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy148.onMessage(Unknown Source)
at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:466)
at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:371)
at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:327)
at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4585)
at weblogic.jms.client.JMSSession.execute(JMSSession.java:4271)
at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3747)
at weblogic.jms.client.JMSSession.access$000(JMSSession.java:114)
at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5096)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:516)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
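The SSL debug output in the post above contains two separate handshakes, and only the first shows the custom verifier's output. The following added example (not part of the original post) groups such a log by connection and lists the handshakes where a hostname check ran without the custom verifier being consulted. The sample log is constructed from the line shapes in the post, and the `Custom HostName Verifier Called` marker is that poster's own print statement, so the pattern for it is an assumption to adapt.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, abbreviated from the line shapes shown in the post.
# The two un-timestamped lines are the application's own verifier output.
SAMPLE_LOG = """\
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 SSLIOContextTable.addContext(ctx): 30958379
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: Certificate
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Performing hostname validation checks: apcple.XXX.com
Custom HostName Verifier Called =com.XXX.sys.WeblogicHostNameVerifier
HOST NAME AND COMMON NAME MATCH FOUND
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: Finished
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 SSLIOContextTable.addContext(ctx): 25583909
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: Certificate
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Performing hostname validation checks: apcple.XXX.com
Feb 3, 2012 10:50:25 AM EST Warning Security BEA-090504 Certificate chain received from apcple.XXX.com - 192.0.2.10 failed hostname verification check. Certificate contained apcple.XXX.com but check expected apcple.XXX.com
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 NEW ALERT with Severity: FATAL, Type: 42
"""

# TLS alert descriptions (RFC 5246, section 7.2) that relate to certificates.
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

CTX_RE = re.compile(r"SSLIOContextTable\.addContext\(ctx\): (\d+)")
HOSTCHECK_RE = re.compile(r"Performing hostname validation checks: (\S+)")
CUSTOM_RE = re.compile(r"Custom HostName Verifier Called =(\S+)")  # app-specific
FAIL_RE = re.compile(r"BEA-090504\b.*failed hostname verification check")
ALERT_RE = re.compile(r"NEW ALERT with Severity: (\w+), Type: (\d+)")


@dataclass
class Handshake:
    ctx: str                                  # id printed by addContext
    host: Optional[str] = None                # name the hostname check ran for
    custom_verifier: Optional[str] = None     # class name, if its output appears
    hostname_failed: bool = False             # BEA-090504 seen
    alert: Optional[Tuple[str, int]] = None   # (severity, type)
    finished: bool = False                    # server Finished message seen


def parse_handshakes(text: str) -> List[Handshake]:
    """Split the log at each addContext line and summarise every handshake.

    Assumes handshakes are not interleaved in the log (one client thread).
    """
    handshakes: List[Handshake] = []
    current: Optional[Handshake] = None
    for line in text.splitlines():
        m = CTX_RE.search(line)
        if m:
            current = Handshake(ctx=m.group(1))
            handshakes.append(current)
            continue
        if current is None:
            continue  # lines before the first connection
        if (m := HOSTCHECK_RE.search(line)):
            current.host = m.group(1)
        elif (m := CUSTOM_RE.search(line)):
            current.custom_verifier = m.group(1)
        elif FAIL_RE.search(line):
            current.hostname_failed = True
        elif (m := ALERT_RE.search(line)):
            current.alert = (m.group(1), int(m.group(2)))
        elif "HANDSHAKEMESSAGE: Finished" in line:
            current.finished = True
    return handshakes


def verifier_gaps(handshakes: List[Handshake]) -> List[str]:
    """Context ids where a hostname check ran but no custom verifier output appeared."""
    return [h.ctx for h in handshakes if h.host and h.custom_verifier is None]


def describe(h: Handshake) -> str:
    verifier = h.custom_verifier or "no custom verifier output"
    if h.hostname_failed:
        outcome = "hostname check FAILED"
    elif h.finished:
        outcome = "handshake completed"
    else:
        outcome = "incomplete"
    if h.alert:
        name = ALERTS.get(h.alert[1], "other")
        outcome += f", alert {h.alert[0]} {h.alert[1]} ({name})"
    return f"ctx {h.ctx} host={h.host} verifier=[{verifier}] -> {outcome}"


if __name__ == "__main__":
    parsed = parse_handshakes(SAMPLE_LOG)
    for hs in parsed:
        print(describe(hs))
    print("connections without custom verifier:", verifier_gaps(parsed))
```

A connection listed by `verifier_gaps` was created through a code path that did not receive the custom verifier, which narrows the search to how that particular client socket was configured.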
Hi Jay,
My application runs on weblogic installed on UNIX box. I have two questions:
1) I am using the compiled WSDL task to generate classes from wsdl, where I am receiving objects of the request and response types. How can I print the xml request to the logs whenever required? A message handler would not work for me as I am using three levels of transformation which would be logged to another service as well as logs. How do I get the xml, as the object created is not implementing xmlobject?
2) I am interfacing with services running on TIBCO, .net and many different programming language web services. How can i implement certificates client which is compatible for all. I know JKS implementation, but will that be valid for any type of service? The end system provides the certificates (Root and intermediate).
Archer,
Thanks for your reply.
My problem here is, the security guy scanned our linux servers for any security issues. At that time the above mentioned weblogic SSL related issues were discovered.
We are using node manager in our environment and we don’t have separate SSL certs for the node manager, so they are using demo certs. 5556 is the node manager listen port.
So, security people told us to remediate these SSL issues. Can you help me resolve these SSL issues?
I need to fix the below issues.
Disable SSL medium strength cipher suites
Disable anonymous cipher suites
Disable weak cipher suites
Disable SSLv2 support
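One way to triage a server's enabled cipher suite names against the scan findings listed above, as an added example that is not part of the original post. The strength thresholds (below 64 bits is weak, 64 to 111 bits or 3DES is medium), the extra RC4 flag (RFC 7465) and the sample suite list are assumptions, not values from the scan report; SSLv2 is a protocol version and cannot be judged from suite names.

```python
from typing import Dict, List, Optional

# Constructed sample of JSSE-style suite names, for illustration only.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
]

# Bulk-cipher token (the part after _WITH_) -> effective key bits.
# Only the tokens listed here are recognised; anything else is "unknown".
CIPHER_BITS = (
    ("NULL", 0),
    ("DES40_CBC", 40),
    ("RC4_40", 40),
    ("RC2_CBC_40", 40),
    ("DES_CBC", 56),
    ("3DES_EDE_CBC", 112),
    ("RC4_128", 128),
    ("AES_128", 128),
    ("AES_256", 256),
)


def key_bits(cipher: str) -> Optional[int]:
    """Effective key size of the bulk cipher, or None if not recognised."""
    for prefix, bits in CIPHER_BITS:
        if cipher.startswith(prefix):
            return bits
    return None


def classify(suite: str) -> List[str]:
    """Return the findings that apply to one suite name (empty list = keep)."""
    kx, sep, cipher = suite.partition("_WITH_")
    bits = key_bits(cipher) if sep else None
    if bits is None:
        return ["unknown"]            # fail closed: review by hand
    findings = set()
    if "_anon" in kx:
        findings.add("anonymous")     # no server authentication at all
    if bits == 0:
        findings.add("null")          # integrity only, no encryption
    elif bits < 64 or "_EXPORT" in kx:
        findings.add("weak")          # assumed threshold: under 64 bits
    elif bits < 112 or cipher.startswith("3DES"):
        findings.add("medium")        # assumed threshold: 64-111 bits or 3DES
    if cipher.startswith("RC4"):
        findings.add("rc4")           # prohibited in TLS by RFC 7465
    return sorted(findings)


def audit(suites: List[str]) -> Dict[str, List[str]]:
    """Map every suite to its findings."""
    return {s: classify(s) for s in suites}


def allowed(suites: List[str]) -> List[str]:
    """Suites with no finding; unknown names are excluded."""
    return [s for s in suites if not classify(s)]


if __name__ == "__main__":
    for name, found in audit(SAMPLE_SUITES).items():
        print(f"{name:40s} {', '.join(found) or 'ok'}")
    print("keep:", allowed(SAMPLE_SUITES))
```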
-Dweblogic.security.SSL.protocolVersion=SSL3 --> With this JAVA_OPTION, only SSL V3.0 messages are sent and accepted. So add the mentioned JAVA_OPTION in the server start script along with the below OPTION:
-Dweblogic.security.disableNullCipher=true
Also you can do the following in your “config.xml” to make sure that the Weblogic will not accept weak and medium weak passwords:
We just moved the Web Logic servers to another network and powered them back up. The only thing that changed is the MAC’s and IP’s. Once moved, for some reason the web logic admin server doesn’t like the boot.properties file (or what’s in it). The encrypted user name and password in boot.properties shouldn’t have changed. I can log into the Windows Server with the same one I use for admin server. I’ve followed steps suggested in the threads similar to my problem, but I haven’t gotten anywhere with this.
So, I’ve created a new domain using the same admin account as above. I can start up and access web logic console now, but I can’t connect to the other three nodes
We are migrating the Weblogic server 10.3.3 from Solaris OS to Suse Linux OS. We already configured the SSL certificate in the Weblogic server on the Solaris machine. We have one doubt. During the weblogic migration we have to use the same identity keystore file (*.jks) & Trust Keystore file (*.jks) available on the Solaris Machine on the Suse Linux Machine. If possible then we don’t need to request the SSL certificate on the vendor side. Kindly give your valuable commands.
There is a user requirement that a particular application is accessed internally (Intranet) and externally (Extranet).
We need to configure the SSL certificate on the Weblogic & Webserver side. I have one doubt: on the webserver side, do we have to mention the managed server http port number or https port number? Kindly give your valuable advice.
“… we have to mention the managed server http port number or https port number…” Depends where you want to terminate the ssl communication. When you do that on the web server you could let the web server route the request by using http. When the termination ends at the WebLogic Server it has to continue with https (in that case you have to use the https port).
“…weblogic migration we have to use the same identity keystore file (*.jks) & Trust Keystore file (*.jks)…” Note that WebLogic has a hostname verification; when this is on and the certificate contains a hostname you have a problem. To solve this problem you can disable hostname verification. Usually when your certificate is still valid, it could be used on the other server. Note that it somehow depends on what type of certificate request you have created for the certificate authority, i.e., what type of information you have included – see here (http://middlewaremagic.com/weblogic/?p=6479) for more info, especially the section on SSL.
As per our client TSS standard we must disable the HTTP port number for admin server and enable the HTTPS port with Verizon SSL certificate.
We also configured the Verizon SSL certificate for ALL managed servers. If we start the admin server we don’t see any error message. We have successfully accessed the weblogic admin console only through the https protocol: https://localhost:7002/console.
But if we start the managed servers we see the below error message “BEA-141151”. How to resolve this issue?
I have updated admin console url in the startManagedWebLogic.sh.
# Set SERVER_NAME to the name of the server you wish to start up.
DOMAIN_NAME="testDomain"
ADMIN_URL="https://localhost:7002"
# Set WLS_USER equal to your system username and WLS_PW equal
# to your system password for no username and password prompt
# during server startup. Both are required to bypass the startup
Regards,
S.Vinoth Babu
Hi Jay,
I have mentioned managed server error log message.
Sep 18, 2012 1:12:44 AM SGT> Emergency> Management> BEA-141151> The admin server could not be reached at https://192.168.28.245:7002.>
We have updated the admin url port and https protocol in the “startManagedWebLogic.sh” script. But during the managed server startup we see the error message “BEA-141151” in the managed server log file.
We already raised the SR in My Oracle Support. Kindly provide the solution to resolve the issue.
Regards,
S.Vinoth Babu
Hi Rene,
Oracle has provided the solution to update the protocol and port number for the admin server during the weblogic managed server startup.
We have updated it correctly, but the problem is still not resolved.
BEA-141151
Emergency: The admin server could not be reached at url.
Description:-
This error indicates a failure of the managed server to connect to the admin server during its startup.
Cause:-
The admin server is not available at the specified url or the URL is not specified in the correct format like http://myhost:7001
Action:-
Ensure that an admin server is running at the specified host and port. Check that the url specified is in the correct format. The url is specified by protocol://host:port, for example http://myhost:7001
Need your help in understanding the possibilities of the below error.
Weblogic 10.3.6
Linux, Jrockit R 28.2.3
STACK TRACE
06:54:31,568 INFO SessionExpireInterceptor : Session => weblogic.servlet.internal.session.ReplicatedSessionData@4074e494
06:54:31,880 ERROR RoleSecurityTagSupport : IO Error executing tag: socket write error: Connection reset by peer.
java.net.SocketException: socket write error: Connection reset by peer.
at jrockit.net.SocketNativeIO.writeBytesPinned(Native Method)
at jrockit.net.SocketNativeIO.socketWrite(SocketNativeIO.java:46)
at java.net.SocketOutputStream.socketWrite0(SocketOutputStream.java)
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
at weblogic.servlet.internal.ChunkOutput.writeChunkTransfer(ChunkOutput.java:568)
at weblogic.servlet.internal.ChunkOutput.writeChunks(ChunkOutput.java:539)
at weblogic.servlet.internal.ChunkOutput.flush(ChunkOutput.java:427)
at weblogic.servlet.internal.CharsetChunkOutput.flush(CharsetChunkOutput.java:298)
at weblogic.servlet.internal.ChunkOutput$2.checkForFlush(ChunkOutput.java:648)
at weblogic.servlet.internal.CharsetChunkOutput.write(CharsetChunkOutput.java:200)
at weblogic.servlet.internal.ChunkOutputWrapper.write(ChunkOutputWrapper.java:148)
at weblogic.servlet.jsp.JspWriterImpl.write(JspWriterImpl.java:275)
at jsp_servlet._jsp._common.__errormsg._jspService(__errormsg.java:115)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:184)
at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:526)
at weblogic.servlet.internal.RequestDispatcherImpl.include(RequestDispatcherImpl.java:447)
at weblogic.servlet.jsp.PageContextImpl.include(PageContextImpl.java:163)
at weblogic.servlet.jsp.PageContextImpl.handlePageException(PageContextImpl.java:402)
at jsp_servlet._jsp._motor._employee.__employeeclaimpartyinfo._jspService(__employeeclaimpartyinfo.java:252)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:184)
at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:526)
at weblogic.servlet.internal.RequestDispatcherImpl.include(RequestDispatcherImpl.java:447)
at weblogic.servlet.jsp.PageContextImpl.include(PageContextImpl.java:163)
at weblogic.servlet.jsp.PageContextImpl.include(PageContextImpl.java:184)
at org.apache.tiles.jsp.context.JspTilesRequestContext.include(JspTilesRequestContext.java:80)
at org.apache.tiles.jsp.context.JspTilesRequestContext.dispatch(JspTilesRequestContext.java:73)
at org.apache.tiles.context.TilesRequestContextWrapper.dispatch(TilesRequestContextWrapper.java:72)
at org.apache.struts2.tiles.StrutsTilesRequestContext.dispatch(StrutsTilesRequestContext.java:88)
at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:283)
at org.apache.tiles.jsp.taglib.InsertAttributeTag.render(InsertAttributeTag.java:140)
at org.apache.tiles.jsp.taglib.InsertAttributeTag.render(InsertAttributeTag.java:117)
at org.apache.tiles.jsp.taglib.RenderTagSupport.execute(RenderTagSupport.java:154)
at org.apache.tiles.jsp.taglib.RoleSecurityTagSupport.doEndTag(RoleSecurityTagSupport.java:75)
at org.apache.tiles.jsp.taglib.ContainerTagSupport.doEndTag(ContainerTagSupport.java:80)
at jsp_servlet._jsp._layout.__commonlayout._jsp__tag4(__commonlayout.java:442)
at jsp_servlet._jsp._layout.__commonlayout._jspService(__commonlayout.java:287)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:184)
at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:526)
at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:253)
at org.apache.tiles.servlet.context.ServletTilesRequestContext.forward(ServletTilesRequestContext.java:198)
at org.apache.tiles.servlet.context.ServletTilesRequestContext.dispatch(ServletTilesRequestContext.java:179)
at org.apache.tiles.context.TilesRequestContextWrapper.dispatch(TilesRequestContextWrapper.java:72)
at org.apache.struts2.tiles.StrutsTilesRequestContext.dispatch(StrutsTilesRequestContext.java:88)
at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:606)
at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:246)
at org.apache.struts2.views.tiles.TilesResult.doExecute(TilesResult.java:105)
at org.apache.struts2.dispatcher.StrutsResultSupport.execute(StrutsResultSupport.java:186)
at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:373)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:277)
at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:176)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:50)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:133)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:207)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:207)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:190)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:75)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:94)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:243)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:100)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:141)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:270)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:145)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:176)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:190)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:187)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.qa.common.config.SessionInterceptor.intercept(SessionInterceptor.java:31)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:52)
at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:498)
at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:77)
at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:91)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
06:54:31,880 ERROR BasicTilesContainer : Error rendering tile
java.net.SocketException: socket write error: Connection reset by peer.
at jrockit.net.SocketNativeIO.writeBytesPinned(Native Method)
at jrockit.net.SocketNativeIO.socketWrite(SocketNativeIO.java:46)
at java.net.SocketOutputStream.socketWrite0(SocketOutputStream.java)
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
How to configure the X.509 Certificate Revocation Checking Using the OCSP Protocol with Oracle WebLogic Server 12c version. This utility is used to verify the certificate revoking status in the weblogic server log.
We are going to be rolling out a new intranet architecture which will be very strict regarding what hosts can speak with each other and on what ports and protocols. As of now our environment can be thought of as a flat open LAN for the purposes of this question.
I have already successfully introduced the Web Tier with mod_wls.so and setup the directives properly. I also made the necessary code changes to our applications so that any request which may form a URL for a browser or even a button that has a request action comes back in via the newly introduced Web Tier (Apache – latest Red Hat Repo Version).
Because we are going to be locked down tight and I do not have the environment available yet and need to start QA I have decided to setup iptables to simulate the rules that the firewall(s) will enforce. I’ll probably keep them as another level of security as well.
Do you have any examples of iptable setups for a WebLogic host which is accessed via browsers? I’m only concerned with WLS, but if an example has ssh or any other services all the better. I have terminated SSL at the Web Tier so I know that I need to allow the listen port of our managed server. I’m not going to allow console access from the DMZ or Internet but I will from inside / behind the firewalls. Really what I need to know is what ports need to be open for WLS where it’s only accessed via browser. I know of ListenPort(s), and AdministrationPort but I can’t find Oracle documentation on what ports must be open. I’m thinking it can’t be as simple as just the ListenPort(s). Also we don’t use node manager and no cluster at this time. Once I know all the ports I can create iptables for WLS and I’ll be glad to share a sanitized version here. An example that can be tweaked would be great or just a pointer to documentation on what ports I need for WLS 10.3.3.0 accessed only via Web Browser, no client.
August 25th, 2010 on 2:17 am
I am using weblogic 9.1 in Windows.
We have a Production Server. In that there is a domain, which has 1 Admin Server and 1 Managed Server.
The managed Server is configured on a particular port and an application has been deployed on to it. and that application works fine.
The admin server isn't configured for any port and is not running. But the managed server is running fine.
Also, I am unable to open the admin console because the admin server is not running.
when i say startWebLogic.cmd, it asks me for a username and password and when i give weblogic and weblogic it says authentication denied.
and when i see the user_projects\domains\mydomain\AdminServer\Security
There is no boot.properties file
so, when i define a boot.properties file with a username and password and use startWebLogic.cmd, it says, authentication denied and gives a error, saying that the values in boot.properties are invalid.
Can you please suggest me a solution.
Thanks in advance
August 25th, 2010 on 2:19 am
the error it gives when i define a cleartext username and password is , saying that the boot.properties file is invalid and check the file again.
September 4th, 2010 on 8:25 am
Hi guys,
I have a simple security question. We plan to use a simple servlet with form-based authentication (j_security_check). The authentication is performed via the regular WLS LDAP authentication provider. The LDAP has a password expiration policy.
What is the simplest way to detect that user’s password is expired and redirect the user to the password change page?
Thank you
September 10th, 2010 on 5:46 am
Hi Jay,
Thank you for the reply.
I saw the option in the provider properties. Can this option help get more on the cause of the exception at the client side?
If not, is writing a custom LDAP provider the only possibility to catch the real LDAP error?
September 28th, 2010 on 10:06 pm
Hello Jay,
We are getting this error when trying to login into an application. The env is development, weblogic 9.2.3.0 and in windows
“The Server is not able to service this request: [Server:002621]Connection rejected, the server license allows connections from only 5 unique IP addresses.”
Can you please help. This is immediate.
Thank you so much
September 28th, 2010 on 10:43 pm
Sorry Jay,
I could solve the problem. I have downloaded a license file and renamed it as new_license.bea and updated and now it's working fine.
Thank you
September 30th, 2010 on 10:32 pm
Hello Admin,
The env is weblogic 9.2 in dev env in windows server 2k3.
We are planning to authenticate an Application in a server XXX using LDAP. Default password in directory server for user “weblogic” is “changeit”. But, we have observed that, weblogic is trying to pick password from boot.properties in an encrypted way. How to solve our issue? What are the settings that need to be changed?
Thanks in Advance
Thank you
October 5th, 2010 on 10:56 pm
Hello Jay,
i did the above steps according to the link you have provided. I have created a user with name as weblogic rather than a group like TestGroup you have created in the link.
Then i removed the data folder and the boot.properties from the admin server
started the admin server from the command prompt with startWebLogic.cmd from the directory.
provided the AD user as weblogic, and when i provide a different password than weblogic, then i get the below error
<> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:947)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1029)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:854)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
and the server is force shutdown
but when i give the username and password as weblogic and weblogic, then the server starts and works well.
Can you please help
October 5th, 2010 on 11:49 pm
Also Jay,
In the config.xml I provided before, the control flags for both Sun LDAP and embedded LDAP are kept to optional, I changed both of them to sufficient.
So what should these control flags be set to?
When the Sun LDAP is set to required, the server doesn't start.
November 8th, 2010 on 9:10 am
Hi,
what is LDAP?
How to configure LDAP in weblogic 9X/10X.
Thanks in adv..
Regards,
Chandu.
November 8th, 2010 on 10:55 am
Hi Chandu,
Please let us know which LDAP u want to configure with WebLogic. Configuration Part wise most of the External LDAP Servers will need to be configured in the same fashion…as described in the following link: http://download.oracle.com/docs/cd/E12524_01/core.1013/e13058/appendixd.htm
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
November 8th, 2010 on 6:05 pm
Hello admin,
good to see you back. Thank you.
I have a weblogic, LDAP issue.
the env is weblogic 9.2.2.0, dev env and in windows 2k3 standard edition
I saw your post in creating an active directory user in weblogic and logging in using this AD user and password in to weblogic.
the issue with our env is
we have configured an active directory authenticator with weblogic and the users are synced with weblogic, i can see the users and groups in weblogic that are configured in the active directory.
now there is one problem,
we have 2 users with name “weblogic” in the users list
one is the default one and the other one is the active directory one
so, when we start the server using the weblogic default username and password it starts well
but when we try the same username with the active directory configured password, the authentication is denied.
I remembered your post where you said, how to create an active directory user from the security realms link in the admin console
by going to the realm, my realm, realm roles and edit global roles, i have clicked “add condition” and created a “user” that was present in the active directory users(visible in admin console list of users and groups in users tab)
and then i stopped the admin server, removed the data folder and also the boot.properties from the security folder in the admin server.
when i restart the server, when i enter the AD user and password, the server forces shut down, but when i enter the regular username and password, that is weblogic and weblogic, the server starts
Can you please help me, or can you please schedule a teamviewer meeting, any time in Indian time and i will be there.
thank you so much
Rakesh
November 9th, 2010 on 8:55 am
Thanks Jay..
Can u plz provide me the steps to configure security using SSL in Weblogic 8x/9x/10x.
Also write me what are the pre requisites to configure SSL.
If possible plz provide me the screenshots for the same..
Thanks,
Chandu.
November 10th, 2010 on 10:16 pm
Hi Chandu,
you can follow the steps from the below link:
http://weblogictips.wordpress.com/2008/07/27/configuring-commercial-certificates-on-weblogic-server/
http://weblogictips.wordpress.com/2008/07/27/steps-to-create-self-sign-certificates-for-weblogic-server/
November 11th, 2010 on 9:55 pm
Hi,
A newby here:)
For audit reasons I have change the weblogic admin account password to make it Stronger. Anyone ever done it? Any tips /examples appreciated.
Thanks
November 11th, 2010 on 10:51 pm
Hi Murphy,
Welcome to Middleware Magic…
You can go to the following path from Admin-Console and change the password as strong as you want
Security Realms -> myrealm -> Users and Groups (tab) -> [Select Username] -> Passwords (tab)
Hope this helps you.
Regards,
Ravish Mody
November 11th, 2010 on 11:37 pm
Sorry,
Did not mention ! I need to use a wlst script – going forward we need to automate this process, and we have about 50 weblogic domains.
Thanks
November 12th, 2010 on 1:04 pm
Hi Murphy,
We have just created a WLST script which would do your job 🙂
Check the below post:
WLST Script to Change User Password For Multiple Domains
Hope that would help you.
Regards,
Ravish Mody
December 13th, 2010 on 6:45 pm
Hi Jay,
I want to set the environment by using the setWLSEnv.sh shell in linux OS. Then when I execute the “java weblogic.utils.CertGen” the below error occurred.
But when I check with the command “echo CLASSPATH” it doesn’t show anything.
How to resolve this problem to execute the mentioned command “java weblogic.utils.CertGen welcome1 vinoth_MS1_cert vinoth_MS1_key domestic vinoth”
Regards,
S.Vinoth Babu
December 13th, 2010 on 8:51 pm
Hi Vinoth,
Please follow the below steps: (The note mentioned in Step3 is Mandatory)
Step1). Open a Shell Prompt.
Step2). echo $CLASSPATH … Just to see what is the current CLASSPATH value.
Step3). run the “setWLSEnv.sh” by adding two DOTs separated by a single space …..before the actual script like following : (use ‘cd’ command to move inside the /wlserver_10.3/server/bin) then run the following command….
. ./setWLSEnv.sh
Note: the first DOT represents that set the Environment in the current Shell, AND the second ./ represents execute the script from the current directory.
Step4). Verify that the Classpath is Set properly or not:
echo $CLASSPATH
Step5). Now u can run your command.
The Above Instructions are given in WLST and JMX and ANT Page of Middleware Magic. http://middlewaremagic.com/weblogic/?page_id=1492
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
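The difference between running the script and sourcing it, as an added example that is not part of the original comment: a child process cannot change the caller's CLASSPATH, while `. ./setWLSEnv.sh` runs in the current shell. The script body here is a constructed stand-in for the real setWLSEnv.sh, and the jar path is a placeholder.

```shell
#!/bin/sh
# Constructed stand-in for setWLSEnv.sh (assumption: the real script sets more
# variables; only CLASSPATH matters for this demonstration).
make_stub_env_script() {
    cat > "$1/setWLSEnv.sh" <<'EOF'
#!/bin/sh
# /opt/example/weblogic.jar is a placeholder path, not a real install location.
CLASSPATH="/opt/example/weblogic.jar${CLASSPATH:+:$CLASSPATH}"
export CLASSPATH
echo "CLASSPATH=${CLASSPATH}"
EOF
    chmod +x "$1/setWLSEnv.sh"
}

# Run the script as a child process (./setWLSEnv.sh), then print the CLASSPATH
# the calling shell sees. The outer ( ) only isolates this trial from the other.
classpath_after_execute() {
    (
        cd "$1" || exit 1
        unset CLASSPATH
        ./setWLSEnv.sh >/dev/null
        printf '%s' "${CLASSPATH:-}"
    )
}

# Source the script (. ./setWLSEnv.sh) so its assignments happen in the calling
# shell, then print the CLASSPATH that shell sees.
classpath_after_source() {
    (
        cd "$1" || exit 1
        unset CLASSPATH
        . ./setWLSEnv.sh >/dev/null
        printf '%s' "${CLASSPATH:-}"
    )
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_stub_env_script "$tmp"
    echo "after ./setWLSEnv.sh   : CLASSPATH='$(classpath_after_execute "$tmp")'"
    echo "after . ./setWLSEnv.sh : CLASSPATH='$(classpath_after_source "$tmp")'"
    rm -rf "$tmp"
}

demo
```

The first line of output shows an empty CLASSPATH, which is the symptom described in the question; the second shows the value set by the script.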
December 16th, 2010 on 10:47 am
Hi Jay,
Thanks for giving a solution. Then i am able to execute the “java weblogic.utils.CertGen” command to generate the SSL certificate for every Managed Server in Production Environment.
Regards,
S.Vinoth Babu
February 27th, 2011 on 11:51 pm
1) I am upgrading my weblogic portal application from Weblogic 8.1SP4 to Weblogic 10.3.2 version. I found that roles that created under visitor entitlements thru weblogic portal administration portal are not visible to assigned user. For example I created testRole for my application and added user testuser to this user. When I login to my portal application this user should able to see the portal page that related to testRole. But currently this is not working.
To fix the above issue I created one new group under User and groups management and added the above user to that group and added that group to testRole. Now the user is able to see the portal pages
My question is why the user is not able to access the roles when he is not part of any group. Because my portal application have different business users with different entitlement setups which I cannot categorize under groups.
The above functionality is working fine in Weblogic8.1SP4 production environment.
February 27th, 2011 on 11:59 pm
Hi Satya,
I don’t think WebLogic Portal is supported after WLS10.3 Please double check in the OTN forum for Portal:
http://forums.oracle.com/forums/forum.jspa?forumID=573
Also refer to : http://download.oracle.com/docs/cd/E13155_01/wlp/docs103/upgrade/upgrade_process.html#wp1065168
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
February 28th, 2011 on 12:07 am
Hi Jay,
I already upgraded my portal application from 8.1Sp4 to 10.3 version and able to deploy the application in new version without any issues. As mentioned in my previous post I am facing issue with visitor entitlements role.
Regards,
Satya
February 28th, 2011 on 12:10 am
Hi Satya,
“Visitor Entitlement” related security is different from normal WLS Security…It is very much Portal specific implementation of Security so I would request you to please open a Thread in Portal OTN Forum to get more accurate and quick solution: http://forums.oracle.com/forums/forum.jspa?forumID=57
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
February 28th, 2011 on 12:14 am
Thanks Jay, I will create a thread in the OTN forum.
Since we are using licensed version I opened a service request to Oracle support team. Let's see whether they provide any solution for this.
Regards,
Satya
March 25th, 2011 on 8:15 pm
Hi Jay,
Good day..
Can you please help me in getting a script to monitor expired SSL certs in weblogic.
Thanks in Advance,
James
April 7th, 2011 on 5:16 pm
Hi Jay,
How to configure the Cross Domain Security Between WebLogic Server Domains & Trust Between WebLogic Server Domains in the oracle weblogic 10.3.3 server. But i am not able to configure. Kindly give the solution.
I have mentioned the below oracle document to configure the Cross Domain Security configuration.
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/domain.html#domain_interop
http://download.oracle.com/docs/cd/E14571_01/apirefs.1111/e13952/taskhelp/security/EnableTrustBetweenDomains.html
Regards,
S.Vinoth Babu
April 7th, 2011 on 6:37 pm
Hi Vinobabu,
You are referring to the correct links for Cross Domain Security in WebLogic. Still if you have any doubts on that then please refer to :
http://sureshsvn.com/weblogic/weblogic_security.html as well.
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
April 8th, 2011 on 11:28 am
Hi Jay,
I saw your mentioned url. But I have some doubt in Credential Mapping configuration Area. In this 6th step we have to enter the remote username & password.
I have two domain like dev_domain & Test_domain.
Dev_domain –> local domain username is “dev-user” & password is “dev-password” and grouped into “CrossDomainConnectors”.
Test-domain –> local domain username is “test-user” & password is “test-password” and grouped into “CrossDomainConnectors”.
http://sureshsvn.com/weblogic/weblogic_security.html
Create a Cross-Domain Security Credential Mapping:-
6. On the Create a New Security Credential Map Entry page, enter the following:
* Local User: Enter the string cross-domain.
* Remote User: User configured in the remote domain that is authorized to interact with the local domain.
* Password: The password for the remote user.
7. Click Finish
Example: ( In Dev_domain for Security Credential Mapping 6th step )
Remote User: test-users1
Remote Password: test-password
The above username & password in Dev_domain Security Credential Mapping Area.
Regards,
S.Vinoth Babu.
April 8th, 2011 on 11:30 am
Hi Jay,
I have wrongly typed the Remote username in my previous post. Kindly ignore that line
Example: ( In Dev_domain for Security Credential Mapping 6th step )
Remote User: test-user
Remote Password: test-password
The above username & password in Dev_domain Security Credential Mapping Area.
Regards,
S.vinoth Babu
April 20th, 2011 on 8:44 am
Hi Jay/Ravish.
In the browser we see “Certificate Error” even though the Certificates are valid wrt to Host and Expiry date. Why?
What could be missing?
Thanks
Sathya
April 20th, 2011 on 11:17 am
HI Sathya,
Please post the complete StackTrace of the error which you are getting with the details like where are you seeing this error ? NodeManager Logs? Server Logs? While Hitting the application ?
Which version of WebLogic are you using ?
Have you applied any of the following Debug flags to get more information regarding the certificate error? If not then please apply them.
-Dweblogic.security.SSL.verbose=true -Dssl.debug=true
.
.
Thanks 🙂
Jay SenSharma
April 20th, 2011 on 10:36 pm
Hi Jay/Ravish.
In the browser we see “Certificate Erro”
Thanks
Sathya
April 20th, 2011 on 10:47 pm
HI Sathya,
As your current query does not make any sense .. we are deducting your 20 Magic Points from your Magic Account. 🙁
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
May 5th, 2011 on 5:38 pm
Hi,
I am working on Oracle SOA Suite 11g in tandem with weblogic server.
I have a requirement in which I have to call an external service(On a Bloomberg server).I have got the digital certificate from Bloomberg such as
Bloomberg-cacert.der, Bloomberg-cert.der and Bloomberg-privKey.der (These are the files provided by the external bloomberg server to us).
Now, how I have to pass those certificates in the service call, or do I need to install those in my weblogic server?
They say in their wsdl they have ‘auth’ Schema and we have to map these certificates to the elements exist in the schema. I am not able to understand how it can be done in weblogic server, or how we can pass these certificates to their service.
Any suggestion would be helpful to me..or possible can you please give your mobile number, so that I can explain it more clearly.
May 5th, 2011 on 5:50 pm
Hi Deepthi,
If you want to pass Certificates to the Service (I am assuming it as a WebService) so in that case we must know exactly which WebService policy they are using at the Service end.
Additionally you can refer to the Step6). mentioned in the following link: http://middlewaremagic.com/weblogic/?p=473
X509Certificate serverCert = (X509Certificate)CertUtils.getCertificate(serverCertFile);
Above is the way to pass the certificate.
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
May 5th, 2011 on 6:15 pm
Hi Jay,
Thanks a lot for the plausible solution.
They (My Client) say that earlier they were able to do the same in webmethods. Now we are using soa suite. What they did was just mapped the byte form of their .der certificates to the elements in the schema of the web service.
I am very new to the security thing and not able to understand how this can be achieved in Soa suite.
May 16th, 2011 on 8:00 am
Hi,
I created new domain for 10.3.4.0. there are two default users weblogic and OracleSystemUser. But in admin stdoutlog file, there are continuous below errors
can you pls let me know where can i find ovowl user in weblogic domain.
Thanks.
May 17th, 2011 on 12:23 am
Hello,
Do you know a way to log each failed attempt of user login at an application configured with j_security_id? Currently is logging only when the user meets the limit of failed attempts and it’s locked.
Thanks in advance.
May 17th, 2011 on 12:29 am
oh I forgot to tell that the login is configured to use SQLAuthenticator.
May 24th, 2011 on 9:55 pm
HI Jay,
Can you please make a detailed article on how to use siteminder with webservers and weblogic servers. I could find an article with screenshots on other websites but there is no explanation. I see you guys do a great job of providing details and tips in your posts. I hope you get a chance to work on this or if you can give pointers it will be great!!
You guys rock!!
May 26th, 2011 on 6:20 pm
Hi Shawn,
My Friend “Faisal Khan” is an Expert of WebLogic Security and has a great website with 4 articles on Site Minder … http://weblogic-wonders.com/weblogic/siteminder/ That will give you good idea. Let us know if you have any issues in configuring Site minder or while implementing it as described in the above link.
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
May 24th, 2011 on 10:03 pm
Hi,
i have a problem in our environment regarding the security realms. In the production environment, when logged in to the Admin Console, i can see the groups and users list in the security realms but i can’t see any of the groups and users in staging environment for the same domain. What all the things do i need to check? However when i add any new user, its working but i cant see the list of user or groups. Please help me out.
May 25th, 2011 on 4:01 pm
HI Pranay,
As you mentioned that you are not able to see the list of users so in that case please try the following article to see the list of users available in your Domain:
http://middlewaremagic.com/weblogic/?p=6678
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
May 27th, 2011 on 3:38 am
Hi Jay,
By going through the steps mentioned in the article, i think i can see the users list in the domain, but is there any way i can populate that list to my Admin Console. My concern is even the group list is also missing. If i can get the group list, users list will be listed by default i guess. Do i need to check any particular flag for these type of issues. As mentioned in the article enabling it as true or false.
May 28th, 2011 on 7:10 pm
Hi pranau69,
You can see the same list in your Admin Console by going through the below AdminConsole path
For Users List:
Security Realms — myrealm — Users and Groups [tab] — Users [sub-tab]
For Groups List:
Security Realms — myrealm — Users and Groups [tab] — Groups [sub-tab]
The WLST script which Jay had asked to look only shows the Users List and not the Group List, hence you were not able to see the Group list with that script.
Regards,
Ravish Mody
June 1st, 2011 on 12:10 pm
Hi ,
I didn't use the script which Jay has provided. I've just gone through it and I figured out my issue is a bit different.
I navigated to all the paths of console for the tab security realms. My console is not showing up Groups list also, and users list as well. However if I create a new user, I can login to console with that new user, but it's not showing up the new user in the users list. It says ” No entry match such criteria”
June 14th, 2011 on 10:36 am
Hi,
My issue is resolved. In our case the problem is with the Siteminder. It's not configured properly.
Thanks.
June 16th, 2011 on 11:22 pm
Hi Jay SenSharma /Ravish
We have a business application running on weblogic 10.3. It is configured one cluster of two managed servers running on two different machines. This cluster is previously accessed by DNS using https with SSL port. For e.g we have cluster of two managed servers like t3://xyz.com,abc.com:4501(Listen port) which is accessed by DNS https://DNSserver:4507(SSL port) successfully with any error.
Now We got a business request to enable t3s protocol for security. When we access same DNS over t3s i.e t3s://DNSserver:4507 it throws following exception.
<Certificate chain received from "XYZ.com" – 150.233.156.186 failed hostname verification check. Certificate contained "DNSserver" but check expected "XYZ.com";
javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://XYZ.com:4507: Destination unreachable; nested exception is:
javax.net.ssl.SSLKeyException: [Security:090504]Certificate chain received from "XYZ.com" – 150.233.156.186 failed hostname verification check. Certificate contained "DNSserver" but check expected "XYZ.com"; No available router to destination]
with this error.
..javax.security.auth.login.LoginException: java.net.ConnectException: Cannot use outbound protocol "t3", it does not have administrator privileges
After researching on Google we found most forums recommend using the following WebLogic argument "-Dweblogic.security.SSL.ignoreHostnameVerification=true", or somewhere I got the answer to "add the element to each server in config.xml (including the admin server) and restart all". Please advise me what the standard way is to enable the “t3s” protocol accessed by the SSL port for application modules.
Thanks & Regards,
Micky
June 22nd, 2011 on 12:32 am
hi jay,
Can you please explain the differences between 1-way ssl and 2-way ssl and how they work?
Thanks and Regards,
Hemanth Kumar
June 22nd, 2011 on 10:31 am
Hi Hemanth,
To get the exact definition on 1-way and 2-way SSL check out the below link
Topic: One-Way and Two-Way SSL
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/ssl.html#wp1194335
Regards,
Ravish Mody
June 28th, 2011 on 6:10 pm
Hi Jay,
A stuck thread occurred in the Production Environment due to a Microsoft Active Directory (LDAP) lock. Kindly provide a solution so that this type of stuck thread issue (LDAP) does not happen in the Production Environment.
Error Log:-
===========
which is more than the configured time (StuckThreadMaxTime) of “600” seconds. Stack trace:
Thread-58 “[STUCK] ExecuteThread: ‘3’ for queue: ‘weblogic.kernel.Default (self-tuning)'” <alive, in native, suspended, priority=1, DAEMON {
java.net.PlainSocketImpl.socketConnect(PlainSocketImpl.java:???)
java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:331)
^– Holding lock: java.net.SocksSocketImpl@b36c6d0[thin lock]
java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:192)
java.net.PlainSocketImpl.connect(PlainSocketImpl.java:173)
java.net.SocksSocketImpl.connect(SocksSocketImpl.java:311)
java.net.Socket.connect(Socket.java:490)
java.net.Socket.connect(Socket.java:469)
java.net.Socket.<init>(Socket.java:354)
java.net.Socket.<init>(Socket.java:180)
netscape.ldap.LDAPConnSetupMgr.connectServer(LDAPConnSetupMgr.java:490)
netscape.ldap.LDAPConnSetupMgr.openSerial(LDAPConnSetupMgr.java:433)
netscape.ldap.LDAPConnSetupMgr.connect(LDAPConnSetupMgr.java:273)
netscape.ldap.LDAPConnSetupMgr.openConnection(LDAPConnSetupMgr.java:188)
^– Holding lock: netscape.ldap.LDAPConnSetupMgr@b36c5b9[thin lock]
netscape.ldap.LDAPConnThread.connect(LDAPConnThread.java:104)
^– Holding lock: netscape.ldap.LDAPConnThread@b36c5c5[thin lock]
netscape.ldap.LDAPConnection.connect(LDAPConnection.java:1070)
^– Holding lock: netscape.ldap.LDAPConnection@b36c577[thin lock]
netscape.ldap.LDAPConnection.connect(LDAPConnection.java:962)
netscape.ldap.LDAPConnection.referralConnect(LDAPConnection.java:4921)
netscape.ldap.LDAPConnection.performReferrals(LDAPConnection.java:5065)
netscape.ldap.LDAPConnection.checkSearchMsg(LDAPConnection.java:2632)
netscape.ldap.LDAPSearchResults.fetchResult(LDAPSearchResults.java:521)
^– Holding lock: netscape.ldap.LDAPSearchResults@b36c10a[thin lock]
^– Holding lock: netscape.ldap.LDAPSearchResults@b36c10a[thin lock]
netscape.ldap.LDAPSearchResults.hasMoreElements(LDAPSearchResults.java:455)
weblogic.security.providers.authentication.LDAPAtnMemberGroupsNameList.advance(LDAPAtnMemberGroupsNameList.java:106)
weblogic.security.providers.utils.ListerManager.advance(ListerManager.java:233)
weblogic.security.providers.authentication.LDAPAtnDelegate.advance(LDAPAtnDelegate.java:1284)
weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.addAllGroups(LDAPAtnLoginModuleImpl.java:442)
weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.addAllGroups(LDAPAtnLoginModuleImpl.java:442)
weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.addGroups(LDAPAtnLoginModuleImpl.java:434)
weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:138)
com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:101)
sun.reflect.GeneratedMethodAccessor2618.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:575)
javax.security.auth.login.LoginContext.invoke(LoginContext.java:720)
javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
javax.security.auth.login.LoginContext.login(LoginContext.java:566)
com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:77)
sun.reflect.GeneratedMethodAccessor265.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:575)
com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
$Proxy16.login(Unknown Source)
weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:83)
com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:74)
sun.reflect.GeneratedMethodAccessor263.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:575)
com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
$Proxy34.authenticate(Unknown Source)
weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:29)
weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:338)
weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:214)
weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:186)
weblogic.servlet.security.internal.FormSecurityModule.processJSecurityCheck(FormSecurityModule.java:234)
weblogic.servlet.security.internal.FormSecurityModule.checkUserPerm(FormSecurityModule.java:202)
weblogic.servlet.security.internal.FormSecurityModule.checkAccess(FormSecurityModule.java:45)
weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:57)
weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2138)
weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2060)
weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1399)
weblogic.work.ExecuteThread.execute(ExecuteThread.java:198)
weblogic.work.ExecuteThread.run(ExecuteThread.java:165)
Regards,
S.Vinoth Babu
August 9th, 2011 on 10:05 pm
Hi Magic team,
Dev & QA on: Solaris 10
Help needed on: Windows XP & Windows 7
WebLogic10.3 (same version on QA, Dev and local)
We have cacerts file working fine on our QA & Dev boxes. But we want to have those certificates working on our local WebLogic103 running on windows machine.
We know cacerts file is specific to the operating system.
So please let us know with your inputs to overcome this issue.
Thanks,
Praveen
August 9th, 2011 on 10:22 pm
Hi Praveen,
Please try the following: copy the “cacerts” file from your QA/Dev box and then paste it in your Windows box (like D:/MyJDKs/jdk1.6.0_21/jre/lib/security) directory and then restart your server. I don’t think there should be any issue. Let us know the results.
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
August 23rd, 2011 on 3:48 pm
Hi Jay,
The below warning messages are appearing in the log files, which causes the server start time to increase.
=======================================================
<RuntimeException thrown by rmi server: weblogic.management.remote.iiop.IIOPServerImpl.newClient(Ljava.lang.Object;)
java.lang.SecurityException: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User xxxxxx javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xxxxx denied.
java.lang.SecurityException: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User xxxxxx javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User xxxxxx denied
at weblogic.management.mbeanservers.internal.JMXAuthenticator.authenticate(JMXAuthenticator.java:104)
at javax.management.remote.rmi.RMIServerImpl.doNewClient(RMIServerImpl.java:225)
at javax.management.remote.rmi.RMIServerImpl.newClient(RMIServerImpl.java:192)
at weblogic.management.remote.iiop.IIOPServerImpl_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:589)
Truncated. see log file for complete stacktrace
Please help me on this. Thanks.
August 23rd, 2011 on 4:21 pm
Credentials in boot.properties are also not being encrypted.
August 23rd, 2011 on 4:39 pm
Hi Rajendra,
Please try to take a backup of your “$DOMAIN_HOME/servers/AdminServer/data” and then delete the “data” directory then try to restart your Server. (If the problem is happening while starting Managed Servers then Please delete the “data” directory first from AdminServer and then after starting the AdminServer delete “data” directory from managed Servers as well and then restart them as well.)
Additionally if you have made any recent changes in the AdminConsole or in the Domain configuration then please revert it back by using the Cached Copy of “config.xml” which usually gets placed inside “$DOMAIN_HOME/config/configCache”
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
August 23rd, 2011 on 4:46 pm
Hi Jay,
Thanks for your response. But why are the credential details not being encrypted?
Also, with the above message the servers are taking 10 minutes extra time.
Please let me know the fix for it. Thanks.
August 23rd, 2011 on 4:49 pm
I am not sure whether the warning message is visible, which is not showing here.
Warning> <Could not get configuration lock used to serialize access to configuration files. Retrying for another 60 seconds.
August 23rd, 2011 on 5:59 pm
<>
<[STUCK] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)' has been busy for "707" seconds working on the request "weblogic.kernel.WorkManagerWrapper$1@3fad3fad", which is more than the configured time (StuckThreadMaxTime) of "600" seconds. Stack trace:
java.net.SocketInputStream.socketRead0(Native Method)
java.net.SocketInputStream.read(SocketInputStream.java:141)
weblogic.utils.io.ChunkedInputStream.read(ChunkedInputStream.java:159)
java.io.InputStream.read(InputStream.java:97)
com.certicom.tls.record.ReadHandler.readFragment(Unknown Source)
com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
com.certicom.tls.record.ReadHandler.read(Unknown Source)
com.certicom.io.InputSSLIOStreamWrapper.read(Unknown Source)
sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:288)
sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:330)
sun.nio.cs.StreamDecoder.read(StreamDecoder.java:177)
java.io.InputStreamReader.read(InputStreamReader.java:181)
java.io.BufferedReader.fill(BufferedReader.java:148)
java.io.BufferedReader.readLine(BufferedReader.java:311)
java.io.BufferedReader.readLine(BufferedReader.java:374)
weblogic.nodemanager.client.NMServerClient.checkResponse(NMServerClient.java:287)
weblogic.nodemanager.client.NMServerClient.checkResponse(NMServerClient.java:312)
weblogic.nodemanager.client.NMServerClient.start(NMServerClient.java:101)
weblogic.nodemanager.mbean.StartRequest.start(StartRequest.java:75)
weblogic.nodemanager.mbean.StartRequest.execute(StartRequest.java:47)
weblogic.kernel.WorkManagerWrapper$1.run(WorkManagerWrapper.java:63)
weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
I saw the above error in Admin log file.
August 23rd, 2011 on 6:35 pm
Hi Rajendra,
By looking at the StackTrace pasted above it looks like there is some communication problem with the External LDAP or the Active Directory server …. Which need to be checked first. Please let us know if you are using any external Security mechanism for your Domain like External LDAP or active directory server ? If yes then we need to check the issue from that side first.
.
.
Keep Posting 🙂
Thanks
Jay Sensharma
September 22nd, 2011 on 9:25 am
Hi,
We are facing the below SSL handshake issue from the client (an application deployed in WebSphere which has to send messages to the queue configured in the WebLogic 10g server).
We have observed the following handshake error at the client side in the WebSphere logs.
1. We tried importing the certs configured in the WLS keystore into the WAS keystore. This didn’t work for us.
Your help is highly appreciated. Thanks.
Problem Description: [9/20/11 15:15:27:347 EDT] 00000028 SystemErr R Caused by: java.net.ConnectException: t3s://:20110: Destination unreachable; nested exception is:
javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from – 159.17.75.243 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.; No available router to destination
[9/20/11 15:15:27:348 EDT] 00000028 SystemErr R at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:203)
[9/20/11 15:15:27:349 EDT] 00000028 SystemErr R at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:153)
[9/20/11 15:15:27:350 EDT] 00000028 SystemErr R at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:352)
[9/20/11 15:15:27:350 EDT] 00000028 SystemErr R … 48 more
September 22nd, 2011 on 10:14 am
Small correction to the previous comment: t3s://:20110: Destination unreachable; nested exception is:
Problem Description: [9/20/11 15:15:27:347 EDT] 00000028 SystemErr R Caused by: java.net.ConnectException: t3s://:20110: Destination unreachable; nested exception is:
javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received from – 159.17.75.243
September 22nd, 2011 on 7:05 pm
Hi Srikanth,
Please enable the -Djavax.net.debug=all JAVA_OPTS in your Servers start script to get more details to know where it is actually failing. This debug will help us in isolating where exactly the SSL handshake is failing.
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
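Added example, not part of the original thread and not WebLogic code: a small Python triage script for the two SSL failures quoted in this thread, [Security:090504] (hostname verification) and [Security:090542] (untrusted chain), which also flags start lines that carry -Dweblogic.security.SSL.ignoreHostnameVerification=true. The function names are hypothetical, and the sample lines, host names and 192.0.2.x addresses are constructed in the message formats shown in the comments.

```python
import re
from collections import Counter

# Optional peer host name, a dash (ASCII hyphen or en dash), then the peer IPv4.
PEER = r'(?:"?(?P<peer>[^"\s]+)"?\s+)?[\u2013-]\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'

# Hostname verification failure, in both forms seen in the thread:
# "[Security:090504]..." and "... BEA-090504 ...", names quoted or unquoted.
HOSTNAME_RE = re.compile(
    r'(?:\[Security:090504\]\s*|BEA-090504\s+)Certificate chain received from\s+'
    + PEER +
    r'\s+failed hostname verification check\.\s+'
    r'Certificate contained\s+"?(?P<presented>[^"\s]+?)"?\s+'
    r'but check expected\s+"?(?P<expected>[^"\s;*\]]+)'
)

# Chain not trusted by the client's trust store.
TRUST_RE = re.compile(
    r'\[Security:090542\]\s*Certificate chain received from\s+' + PEER +
    r'\s+was not trusted'
)

# The workaround mentioned in the thread; worth flagging in start lines.
DISABLED_RE = re.compile(
    r'-Dweblogic\.security\.SSL\.ignoreHostnameVerification=true\b', re.IGNORECASE
)


def triage(lines):
    """Return one finding (dict) per line that matches a known pattern."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = HOSTNAME_RE.search(line)
        if m:
            presented = m['presented'].rstrip('.')
            expected = m['expected'].rstrip('.')
            # Host names compare case-insensitively. Identical names on a
            # failed check are reported separately from a real mismatch.
            same = presented.lower() == expected.lower()
            findings.append({
                'line': number,
                'kind': 'identical_names' if same else 'name_mismatch',
                'peer': m['peer'], 'ip': m['ip'],
                'presented': presented, 'expected': expected,
            })
            continue
        m = TRUST_RE.search(line)
        if m:
            findings.append({'line': number, 'kind': 'untrusted_chain',
                             'peer': m['peer'], 'ip': m['ip']})
            continue
        if DISABLED_RE.search(line):
            findings.append({'line': number, 'kind': 'verification_disabled'})
    return findings


def summarize(findings):
    """Count findings per (kind, presented name, expected name)."""
    return Counter(
        (f['kind'], f.get('presented'), f.get('expected')) for f in findings
    )


# Constructed sample input (not taken from any real server).
SAMPLE = [
    '<Certificate chain received from "node1.example.internal" \u2013 192.0.2.10 '
    'failed hostname verification check.> [Security:090504]Certificate chain '
    'received from "node1.example.internal" \u2013 192.0.2.10 failed hostname '
    'verification check. Certificate contained "cluster.example.internal" but '
    'check expected "node1.example.internal";',
    'javax.net.ssl.SSLKeyException: [Security:090504]Certificate chain received '
    'from "node1.example.internal" \u2013 192.0.2.10 failed hostname verification '
    'check. Certificate contained "cluster.example.internal" but check expected '
    '"node1.example.internal"; No available router to destination]',
    'Feb 3, 2012 10:50:28 AM EST Warning Security BEA-090504 Certificate chain '
    'received from api.example.internal \u2013 192.0.2.20 failed hostname '
    'verification check. Certificate contained api.example.internal but check '
    'expected api.example.internal',
    'javax.net.ssl.SSLKeyException: [Security:090542]Certificate chain received '
    'from \u2013 192.0.2.30 was not trusted causing SSL handshake failure.',
    'Starting WLS with line: java -Dweblogic.Name=ms1 '
    '-Dweblogic.security.SSL.ignoreHostnameVerification=true weblogic.Server',
    'Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: ServerHelloDone',
]

if __name__ == '__main__':
    for finding in triage(SAMPLE):
        print(finding)
    for key, count in summarize(triage(SAMPLE)).items():
        print(count, key)
```

Grouping by the (presented, expected) pair shows at a glance whether every failure comes from one certificate name that does not cover the address clients connect to.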
October 1st, 2011 on 12:57 pm
Hi Ravish/Jay,
Is there any solution available to fix Unsupported OID warning messages in WebLogic? I know the reason for these messages but am not sure if there is any system property which can suppress these warning messages.
Here is the complete Warning message:
Regards,
Vishal Mahajan
October 1st, 2011 on 1:36 pm
Hi Vishal,
Not sure what kind of “Unsupported OID Warning messages” you are getting. Without looking at the actual warning message there is nothing to comment on. Some basic information is always needed in order to investigate/debug any issue, like WebLogic version, a description of what is happening and when, the actual stack trace or log snippet, etc.
To Post your Error Messages or exceptions/warning please refer to the Point-4). Mentioned in the following link: http://middlewaremagic.com/weblogic/?page_id=146
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
December 6th, 2011 on 7:20 pm
Issue: while trying to start the managed server it shows the error as exception in main thread java.lang.NoClassDefFoundError
OS: RHEL 6
WLS: 10.3.0
Jdk: Sun jdk160.05 , Xms256 Xmx512
Exception in thread “main” java.lang.NoClassDefFoundError: number
Caused by: java.lang.ClassNotFoundException: number
at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:276)
at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
December 6th, 2011 on 8:53 pm
Hi Priyanka,
Looks like you have recently added some wrong JAVA_OPTIONS in your server’s start script. Please check all your start scripts (startWebLogic.sh) and “${DOMAIN_HOME}/config/config.xml” and search for the word “number” to see if you mistakenly added this JAVA_OPTIONS anywhere.
If you are using Unix based OS then run the following command to see which file contains the word “number”
(NOTE: run this following command from inside your $DOMAIN_HOME directory)
find . -name "*.*" | xargs grep -il number
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
December 7th, 2011 on 3:38 am
Hi guys,
I have WebLogic 10.3.3 with Oracle OID 11.1.13 and Oracle SSO 10.1.4.3. I have everything up and running. Yea! Yesterday I tried to add the OID as an Authentication provider. Directions are located here: http://docs.oracle.com/cd/E17904_01/apirefs.1111/e13952/taskhelp/security/ConfigureOracleInternetDirectoryATNProvider.html
I went to restart my server today, and it won’t start. It’s giving me the following error located in my AdminServer.log.
[ sourcecode language=”java” wraplines=”false” ]
#### <> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:965)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Authentication Failed: User weblogic weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:244)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy16.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:91)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:82)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
at $Proxy34.authenticate(Unknown Source)
at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:348)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:929)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
[ /sourcecode ]
I can ldapbind with the user.
I deleted the boot.properties file, re-ran the startup script for WL and it prompted me for a user/password. I received the same issue. It did not create a new boot.properties. I also deleted my ldap directory located in AdminServer/data, re-ran the startup script and got the same error.
Any ideas?
Also I have 5 Java J2ee .Ear files that run in OC4J, but they are all giving me different errors in WL. Can you let me know of any good reads on getting them to run in WL?
Thanks in advance!!!!!
December 10th, 2011 on 4:34 pm
OS: RHEL 6.0
Issue: while I am trying to run the admin server it gives the error as below.
[dsfqa@DSS-SERVER2 bin]$ ./startWebLogic.sh
.
.
JAVA Memory arguments: -Xms256m -Xmx512m
.
WLS Start Mode=Development
.
CLASSPATH=:/home/dsfqa/beaqa1/patch_wlw1030/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/home/dsfqa/beaqa1/patch_wls1030/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/home/dsfqa/beaqa1/patch_cie660/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/home/dsfqa/beaqa1/jrockit_160_05/lib/tools.jar:/home/dsfqa/beaqa1/wlserver_10.3/server/lib/weblogic_sp.jar:/home/dsfqa/beaqa1/wlserver_10.3/server/lib/weblogic.jar:/home/dsfqa/beaqa1/modules/features/weblogic.server.modules_10.3.0.0.jar:/home/dsfqa/beaqa1/wlserver_10.3/server/lib/webservices.jar:/home/dsfqa/beaqa1/modules/org.apache.ant_1.6.5/lib/ant-all.jar:/home/dsfqa/beaqa1/modules/net.sf.antcontrib_1.0.0.0_1-0b2/lib/ant-contrib.jar::/home/dsfqa/beaqa1/wlserver_10.3/common/eval/pointbase/lib/pbclient57.jar:/home/dsfqa/beaqa1/wlserver_10.3/server/lib/xqrl.jar::
.
PATH=/home/dsfqa/beaqa1/wlserver_10.3/server/bin:/home/dsfqa/beaqa1/modules/org.apache.ant_1.6.5/bin:/home/dsfqa/beaqa1/jrockit_160_05/jre/bin:/home/dsfqa/beaqa1/jrockit_160_05/bin:/home/dsfqa/beaqa1/wlserver_10.3/server/bin:/home/dsfqa/beaqa1/modules/org.apache.ant_1.6.5/bin:/home/dsfqa/beaqa1/jrockit_160_05/jre/bin:/home/dsfqa/beaqa1/jrockit_160_05/bin:/usr/lib/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/dsfqa/bin
.
***************************************************
* To start WebLogic Server, use a username and *
* password assigned to an admin-level user. For *
* server administration, use the WebLogic Server *
* console at http://hostname:port/console *
***************************************************
starting weblogic with Java version:
java version “1.6.0_05”
Java(TM) SE Runtime Environment (build 1.6.0_05-b13)
BEA JRockit(R) (build R27.6.0-50_o-100423-1.6.0_05-20080626-2104-linux-ia32, compiled mode)
Starting WLS with line:
/home/dsfqa/beaqa1/jrockit_160_05/bin/java -jrockit -Xms256m -Xmx512m -Xverify:none -da -Dplatform.home=/home/dsfqa/beaqa1/wlserver_10.3 -Dwls.home=/home/dsfqa/beaqa1/wlserver_10.3/server -Dweblogic.home=/home/dsfqa/beaqa1/wlserver_10.3/server -Dweblogic.management.discover=false -Dweblogic.management.server=192.168.128.7:8888 -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/home/dsfqa/beaqa1/patch_wlw1030/profiles/default/sysext_manifest_classpath:/home/dsfqa/beaqa1/patch_wls1030/profiles/default/sysext_manifest_classpath:/home/dsfqa/beaqa1/patch_cie660/profiles/default/sysext_manifest_classpath -Xverify:none -da -Dplatform.home=/home/dsfqa/beaqa1/wlserver_10.3 -Dwls.home=/home/dsfqa/beaqa1/wlserver_10.3/server -Dweblogic.home=/home/dsfqa/beaqa1/wlserver_10.3/server -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/home/dsfqa/beaqa1/patch_wlw1030/profiles/default/sysext_manifest_classpath:/home/dsfqa/beaqa1/patch_wls1030/profiles/default/sysext_manifest_classpath:/home/dsfqa/beaqa1/patch_cie660/profiles/default/sysext_manifest_classpath -Dweblogic.Name=qaadmin1 -Djava.security.policy=/home/dsfqa/beaqa1/wlserver_10.3/server/lib/weblogic.policy weblogic.Server
December 10th, 2011 on 5:47 pm
Hi Priyanka,
Earlier I thought that you were using Sun JDK, so I provided you the link to collect the heap dump using jmap.
But in your above STDOUT I can see that you are using JRockit JVM (BEA JRockit(R) (build R27.6.0-50_o-100423-1.6.0_05-20080626-2104-linux-ia32, compiled mode)), so jmap will not be helpful in this case. In the case of JRockit JVM you can generate the heap dump using the jrmc utility as follows:
./jrcmd 9264 hprofdump filename=/home/oracle/temp/dump.hprof
Here 9264 is the Process ID of your WebLogic which is running on JRockit.
You will get more details on JRMC in the following links:
1). http://middlewaremagic.com/weblogic/?p=6930
2). http://middlewaremagic.com/weblogic/?p=7163
.
.
Keep Posting 🙂
Thanks
Jay SenSharma
December 10th, 2011 on 5:41 pm
hi jay ,
Sorry, I tried to give the entire log file for the above post, but it won’t. And now the server is running fine.
December 13th, 2011 on 9:28 pm
Hi Jay/Mody,
I am having some security audit problems in our environment. I got the following exceptions from the TENABLE Network Security Report.
The below issues are reported against the Node Manager port 5556. We are using WebLogic version 10.3.5 on x86_64 x86_64 x86_64 GNU/Linux.
1) SSL Certificate Signed using Weak Hashing Algorithm 5556 TCP
2) SSL Version 2 (v2) Protocol Detection 5556 TCP Service detection
They provided me the solution for the 2nd exception as below.
Consult the application’s documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
How do we clear up these issues? Any help would be appreciated. Port 5556 is the Node Manager port.
Thanks in advance.
December 18th, 2011 on 10:16 pm
Hello,
Can someone please reply to the above post?
Thanks.
February 7th, 2012 on 1:19 am
Experts !
I had been struggling to make my Webservice Client (using https URL) work within Weblogic Server 10.3.2, which had been causing an issue as below:
*Feb 3, 2012 10:50:28 AM EST Warning Security BEA-090504 Certificate chain received from apcple.XXX.com – 113.128.90.16 failed hostname verification check. Certificate contained apcple.XXX.com but check expected apcple.XXX.com*
If I disable the host name verification check using *-Dweblogic.security.SSL.ignoreHostnameVerification=true*, the code is WORKING fine. No issue. But that is NOT what I want.
a) I enabled weblogic SSL debugs.
b) I introduced my custom HostNameVerifier and supplied it via the console. I see in the logs that my custom verifier is getting picked up and does the host name comparison of the URL hostname vs. the certificate CN name, and it succeeds and the code returns true.
c) If you see the SSL debug statements, the connection with the server got established, and the first time it tries to validate certificate chain 0, 1, 2 and LOADS my CUSTOM HostName Verifier.
d) After a few lines pass, it again tries to validate the certificates in the same series, and the SECOND time it DID NOT load my custom HostName Verifier AND FAILS with the standard BEA Security Error as pasted above.
Would you please help me to figure out what is missing ?
Any help in this regard would be highly appreciated.
############################
*SEE SNIPPET OF SSL DEBUG STATEMENTS*
Feb 3, 2012 10:50:23 AM EST Info WebLogicServer BEA-000307 Exportable key maximum lifespan set to 500 uses.
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Filtering JSSE SSLSocket
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 SSLIOContextTable.addContext(ctx): 30958379
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 SSLSocket will be Muxing
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 write SSL_20_RECORD
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 746666 received HANDSHAKE
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: ServerHello
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: Certificate
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Validating certificate 0 in the chain: Serial number: 1208925819615937499602513
Issuer:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Subject:C=US, ST=Texas, L=Irving, O=XXX LLC, OU=ns, EMAIL=aes.eng@XXX.com, CN=apcple.XXX.com
Not Valid Before:Fri Jun 17 10:48:17 EDT 2011
Not Valid After:Sun Jun 17 10:48:17 EDT 2012
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Validating certificate 1 in the chain: Serial number: 120010508
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Not Valid Before:Wed Sep 08 13:35:16 EDT 2010
Not Valid After:Tue Sep 08 13:34:08 EDT 2020
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Validating certificate 2 in the chain: Serial number: 33554617
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Not Valid Before:Fri May 12 14:46:00 EDT 2000
Not Valid After:Mon May 12 19:59:00 EDT 2025
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 validationCallback: validateErr = 0
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 cert[0] = Serial number: 1208925819615937499602513
Issuer:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Subject:C=US, ST=Texas, L=Irving, O=XXX LLC, OU=ns, EMAIL=aes.eng@XXX.com, CN=apcple.XXX.com
Not Valid Before:Fri Jun 17 10:48:17 EDT 2011
Not Valid After:Sun Jun 17 10:48:17 EDT 2012
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 cert[1] = Serial number: 120010508
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Not Valid Before:Wed Sep 08 13:35:16 EDT 2010
Not Valid After:Tue Sep 08 13:34:08 EDT 2020
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 cert[2] = Serial number: 33554617
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Not Valid Before:Fri May 12 14:46:00 EDT 2000
Not Valid After:Mon May 12 19:59:00 EDT 2025
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 weblogic user specified trustmanager validation status 0
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 SSLTrustValidator returns: 0
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Trust status (0): NONE
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Performing hostname validation checks: apcple.XXX.com
############ BELOW 6 LINES INDICATES MY CUSTOM HOST NAME VERIFIER GOT PICKED UP ########
Custom HostName Verifier Called =com.XXX.sys.WeblogicHostNameVerifier
Rcvd. Host Name=apcple.XXX.com SSL Session=javax.net.ssl.impl.SSLSessionImpl@1760238
Parsing COMMON Name from Certificates
getPeerLeafCert()….Start
Parsed CN = apcple.XXX.com
HOST NAME AND COMMON NAME MATCH FOUND
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: ServerHelloDone
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm MD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Using JCE Cipher: SunJCE version 1.6 for algorithm RC4
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Using JCE Cipher: SunJCE version 1.6 for algorithm RSA
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 write HANDSHAKE, offset = 0, length = 262
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 write CHANGE_CIPHER_SPEC, offset = 0, length = 1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Using JCE Cipher: SunJCE version 1.6 for algorithm RC4
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HMACMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 write HANDSHAKE, offset = 0, length = 16
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 746666 received CHANGE_CIPHER_SPEC
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Using JCE Cipher: SunJCE version 1.6 for algorithm RC4
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HMACMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HMACMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 746666 received HANDSHAKE
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: Finished
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacMD5
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Ignoring not supported JCE Mac: SunJCE version 1.6 for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 Will use default Mac for algorithm HmacSHA1
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 write APPLICATION_DATA, offset = 0, length = 193
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 31771821 read(offset=0, length=8192)
Feb 3, 2012 10:50:23 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 746666 received APPLICATION_DATA: databufferLen 0, contentLength 143
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read databufferLen 143
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read A returns 143
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read(offset=143, length=8049)
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 746666 received APPLICATION_DATA: databufferLen 0, contentLength 3819
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read databufferLen 3819
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read A returns 3819
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read(offset=3962, length=4230)
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 746666 received APPLICATION_DATA: databufferLen 0, contentLength 8
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read databufferLen 8
Feb 3, 2012 10:50:24 AM EST Debug SecuritySSL BEA-000000 31771821 read A returns 8
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 write APPLICATION_DATA, offset = 0, length = 193
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read(offset=3970, length=4222)
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 746666 received APPLICATION_DATA: databufferLen 0, contentLength 143
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read databufferLen 143
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read A returns 143
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read(offset=4113, length=4079)
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 746666 received APPLICATION_DATA: databufferLen 0, contentLength 3819
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read databufferLen 3819
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read A returns 3819
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read(offset=7932, length=260)
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 746666 SSL3/TLS MAC
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 746666 received APPLICATION_DATA: databufferLen 0, contentLength 8
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read databufferLen 8
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 31771821 read A returns 8
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 SSLSetup: loading trusted CA certificates
Feb 3, 2012 10:50:25 AM EST Notice Security BEA-090898 Ignoring the trusted CA certificate “CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.
Feb 3, 2012 10:50:25 AM EST Notice Security BEA-090898 Ignoring the trusted CA certificate “CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE”. The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 clientInfo has HostnameVerifier
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Filtering JSSE SSLSocket
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 SSLIOContextTable.addContext(ctx): 25583909
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 SSLSocket will be Muxing
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 write SSL_20_RECORD
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 isMuxerActivated: false
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 28097422 SSL3/TLS MAC
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 28097422 received HANDSHAKE
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: ServerHello
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 HANDSHAKEMESSAGE: Certificate
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Validating certificate 0 in the chain: Serial number: 1208925819615937499602513
Issuer:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Subject:C=US, ST=Texas, L=Irving, O=XXX LLC, OU=ns, EMAIL=aes.eng@XXX.com, CN=apcple.XXX.com
Not Valid Before:Fri Jun 17 10:48:17 EDT 2011
Not Valid After:Sun Jun 17 10:48:17 EDT 2012
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Validating certificate 1 in the chain: Serial number: 120010508
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Not Valid Before:Wed Sep 08 13:35:16 EDT 2010
Not Valid After:Tue Sep 08 13:34:08 EDT 2020
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Validating certificate 2 in the chain: Serial number: 33554617
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Not Valid Before:Fri May 12 14:46:00 EDT 2000
Not Valid After:Mon May 12 19:59:00 EDT 2025
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 validationCallback: validateErr = 0
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 cert[0] = Serial number: 1208925819615937499602513
Issuer:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Subject:C=US, ST=Texas, L=Irving, O=XXX LLC, OU=ns, EMAIL=aes.eng@XXX.com, CN=apcple.XXX.com
Not Valid Before:Fri Jun 17 10:48:17 EDT 2011
Not Valid After:Sun Jun 17 10:48:17 EDT 2012
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 cert[1] = Serial number: 120010508
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA
Not Valid Before:Wed Sep 08 13:35:16 EDT 2010
Not Valid After:Tue Sep 08 13:34:08 EDT 2020
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 cert[2] = Serial number: 33554617
Issuer:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject:C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Not Valid Before:Fri May 12 14:46:00 EDT 2000
Not Valid After:Mon May 12 19:59:00 EDT 2025
Signature Algorithm:SHA1withRSA
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 weblogic user specified trustmanager validation status 0
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 SSLTrustValidator returns: 0
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Trust status (0): NONE
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Performing hostname validation checks: apcple.XXX.com
Feb 3, 2012 10:50:25 AM EST Warning Security BEA-090504 Certificate chain received from apcple.XXX.com – 113.128.90.16 failed hostname verification check. Certificate contained apcple.XXX.com but check expected apcple.XXX.com
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 Hostname Verification failed for certificate with CommonName ‘apcple.XXX.com’ against hostname: apcple.XXX.com
Feb 3, 2012 10:50:25 AM EST Debug SecuritySSL BEA-000000 NEW ALERT with Severity: FATAL, Type: 42
java.lang.Exception: New alert stack
at com.certicom.tls.record.alert.Alert.init(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:158)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:363)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:952)
at com.sun.xml.ws.transport.http.client.HttpClientTransport.readResponseCodeAndMessage(HttpClientTransport.java:213)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:172)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:101)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:604)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:563)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:548)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:445)
at com.sun.xml.ws.client.Stub.process(Stub.java:248)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at $Proxy189.updateMilestone(Unknown Source)
at com.XXX.sys.apc.APCProcessor.updateMilestoneToApc(APCProcessor.java:95)
at com.XXX.sys.apc.APCProcessor.sendAsrFeed(APCProcessor.java:50)
at com.XXX.sys.apc.APCLookupBean.onMessage(APCLookupBean.java:94)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy148.onMessage(Unknown Source)
at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:466)
at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:371)
at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:327)
at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4585)
at weblogic.jms.client.JMSSession.execute(JMSSession.java:4271)
at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3747)
at weblogic.jms.client.JMSSession.access$000(JMSSession.java:114)
at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5096)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:516)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
February 8th, 2012 on 9:40 pm
Hi Jay / Mody / Rene,
Can you please shed some light on the above issue, which hasn’t been resolved yet?
Thanks in advance.
February 23rd, 2012 on 8:09 pm
Hi Jay,
My application runs on WebLogic installed on a UNIX box. I have two questions:
1) I am using the compiled WSDL task to generate classes from the WSDL, where I am receiving objects of the request and response types. How can I print the XML request to the logs whenever required? A message handler would not work for me, as I am using three levels of transformation, which would be logged to another service as well as to the logs. How do I get the XML, given that the object created does not implement xmlobject?
2) I am interfacing with services running on TIBCO, .NET and web services in many different programming languages. How can I implement a certificate client which is compatible with all of them? I know the JKS implementation, but will that be valid for any type of service? The end system provides the certificates (root and intermediate).
April 9th, 2012 on 2:53 pm
@vemularam
1) SSL Certificate Signed using Weak Hashing Algorithm 5556 TCP
I believe you can make out the answer for this.
Get a list of the accepted algorithms for generating certificates which are allowed by WebLogic.
2) SSL Version 2 (v2) Protocol Detection 5556 TCP Service detection
Check in NodeManager.properties whether you have any other value for SecureListener. By default it is true.
BTW, I am still confused as to what you require?
Regards,
T
April 9th, 2012 on 2:56 pm
@karthikk69
For the second part of your query:
Certificates are all used as a certificate; you may create them using different implementations like keytool or OpenSSL, but the end will be the same.
So, as far as I know, you may proceed as you wish.
Regards,
T
April 9th, 2012 on 3:02 pm
@dnarnar
Check the Provider CONTROL FLAG in the console….
Regards,
T
April 9th, 2012 on 10:51 pm
Archer,
Thanks for your reply.
My problem here is that the security guy scanned our Linux servers for any security issues. At that time the above-mentioned WebLogic SSL-related issues were discovered.
We are using Node Manager in our environment and we don’t have separate SSL certs for the Node Manager, so they are using demo certs. 5556 is the Node Manager listen port.
So the security people told us to remediate these SSL issues. Can you help me resolve these SSL issues?
I need to fix the below issues.
Disable SSL medium strength cipher suites
Disable anonymous cipher suites
Disable weak cipher suites
Disable SSLv2 support
Thanks in Advance.
April 12th, 2012 on 3:13 pm
vemularam,
-Dweblogic.security.SSL.protocolVersion=SSL3 --> With this JAVA_OPTION, only SSL V3.0 messages are sent and accepted. So add the mentioned JAVA_OPTION in the server start script along with the below option:
-Dweblogic.security.disableNullCipher=true
Also, you can do the following in your “config.xml” to make sure that WebLogic will not accept weak and medium weak passwords:
true
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
true
7002
aliasHere
encryptedpassphraseHere
April 12th, 2012 on 3:16 pm
To restrict the key size to larger than 128 bit, we need to select only those cipher suites in the configuration which use a 128-bit key.
Sample config:-
true
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
true
7002
xxxxxxx
xxxxxx
The cipher suites supported by WebLogic Server are:
Cipher Suite                           Symmetric Key Strength
TLS_RSA_WITH_RC4_128_SHA               128
TLS_RSA_WITH_RC4_128_MD5               128
TLS_RSA_WITH_DES_CBC_SHA               56
TLS_RSA_EXPORT_WITH_RC4_40_MD5         40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA      40
TLS_RSA_WITH_3DES_EDE_CBC_SHA          112
TLS_RSA_WITH_NULL_SHA                  0
TLS_RSA_WITH_NULL_MD5                  0
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA    56
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA     56
TLS_RSA_WITH_AES_128_CBC_SHA           128
TLS_RSA_WITH_AES_256_CBC_SHA           256
In the past I have seen that AES_256 does not work until we download the unlimited jurisdiction jars from SUN.
Download JCE_policy_1.5_0.zip
Place it in /JRE/lib/Security/
Also Replace localpolicy.jar & US_Export_Policy.jar
This helps in getting rid of Cipher Suite not initialized errors.
Reference:-
1) http://download.oracle.com/docs/cd/E11035_01/wls100/secintro/concepts.html#wp1123076
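The scan findings quoted earlier in the thread (medium-strength, weak, anonymous and NULL suites) can be checked mechanically against a list of enabled suites. The script below is an added example, not part of the original comment or of WebLogic; it derives the key strength from each suite name, and the 64/128-bit cut-offs and the anonymous suite name used in testing are assumptions.

```python
import re

# Suite names and key strengths exactly as listed in the comment above.
PAGE_TABLE = {
    "TLS_RSA_WITH_RC4_128_SHA": 128,
    "TLS_RSA_WITH_RC4_128_MD5": 128,
    "TLS_RSA_WITH_DES_CBC_SHA": 56,
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA": 40,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 112,
    "TLS_RSA_WITH_NULL_SHA": 0,
    "TLS_RSA_WITH_NULL_MD5": 0,
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA": 56,
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA": 56,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 128,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 256,
}

# Assumed cut-offs for the scan's "weak" and "medium" buckets; set them to
# whatever definition the scanner in use documents.
WEAK_BELOW = 64
MEDIUM_BELOW = 128


def parse_suite(name):
    """Split TLS_<key exchange>_WITH_<cipher>_<mac> into its three parts."""
    m = re.fullmatch(r"(?:TLS|SSL)_(.+?)_WITH_(.+)_([A-Z0-9]+)", name)
    if not m:
        raise ValueError("not a *_WITH_* cipher suite name: %r" % name)
    return m.group(1), m.group(2), m.group(3)


def key_bits(cipher):
    """Derive the symmetric key strength from the bulk-cipher part of the name."""
    tokens = cipher.split("_")
    if tokens[0] == "NULL":
        return 0                      # no encryption at all
    if tokens[0] == "3DES":
        return 112                    # rated 112 in the list above
    m = re.fullmatch(r"DES(\d+)", tokens[0])
    if m:
        return int(m.group(1))        # DES40 -> 40
    if tokens[0] == "DES":
        return 56                     # single DES
    for tok in tokens[1:]:
        if tok.isdigit():
            return int(tok)           # RC4_128, RC4_40, AES_256, ...
    raise ValueError("cannot derive key size from %r" % cipher)


def findings(name):
    """Return the scan findings a suite would trigger (empty list = none)."""
    kx, cipher, _mac = parse_suite(name)
    bits = key_bits(cipher)
    out = []
    if "anon" in kx.split("_"):       # e.g. DH_anon: no server authentication
        out.append("anonymous")
    if bits == 0:
        out.append("null")
    elif bits < WEAK_BELOW or "EXPORT" in kx:
        out.append("weak")
    elif bits < MEDIUM_BELOW:
        out.append("medium")
    return out


def audit(enabled):
    """Split an iterable of suite names into (allowed, {rejected: findings})."""
    allowed, rejected = [], {}
    for name in enabled:
        hits = findings(name)
        if hits:
            rejected[name] = hits
        else:
            allowed.append(name)
    return allowed, rejected


if __name__ == "__main__":
    # These checks cover only the four scan findings quoted in the thread;
    # they say nothing about any other property of a suite.
    ok, bad = audit(PAGE_TABLE)
    for name, hits in bad.items():
        print("disable %-38s %s" % (name, ", ".join(hits)))
    for name in ok:
        print("keep    %s" % name)
```

Run against the list above, only the two RC4_128 suites from the sample config and the two AES suites come back without one of those four findings.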
May 31st, 2012 on 12:17 pm
Hi Experts,
I have SSL configured for my WebLogic 10.3 domains. Now the certificate is going to expire and I want to renew it.
So can I generate a new CSR, send it for signing and then import that back into the old existing keystore?
Is that the correct approach? Please advise.
Thanks,
Thomas
June 10th, 2012 on 2:55 am
We just moved the Web Logic servers to another network and powered them back up. The only thing that changed is the MAC’s and IP’s. Once moved, for some reason the web logic admin server doesn’t like the boot.properties file (or what’s in it). The encrypted user name and password in boot.properties shouldn’t have changed. I can log into the Windows Server with the same one I use for admin server. I’ve followed steps suggested in the threads similar to my problem, but I haven’t gotten anywhere with this.
So, I’ve created a new domain using the same admin account as above. I can start up and access the Web Logic console now, but I can’t connect to the other three nodes.
Any ideas?
July 4th, 2012 on 9:22 pm
Hi Jay,
We are migrating WebLogic Server 10.3.3 from Solaris OS to SUSE Linux OS. We have already configured the SSL certificate in the WebLogic server on the Solaris machine. We have one doubt: during the WebLogic migration we have to use the same identity keystore file (*.jks) and trust keystore file (*.jks) available on the Solaris machine on the SUSE Linux machine. If that is possible, then we don’t need to request the SSL certificate from the vendor side. Kindly give your valuable comments.
Regards,
S.Vinoth Babu
July 4th, 2012 on 9:28 pm
Hi Jay,
There is a user requirement that a particular application be accessed internally (intranet) and externally (extranet).
We need to configure the SSL certificate on the WebLogic and web server side. I have one doubt: on the web server side, do we have to mention the managed server HTTP port number or the HTTPS port number? Kindly give your valuable advice.
Regards,
S.Vinoth Babu
July 5th, 2012 on 4:31 pm
“… we have to mentioned the managed server http port number or https port number…” Depends on where you want to terminate the SSL communication. When you do that on the web server, you could let the web server route the request using HTTP. When the termination ends at the WebLogic Server, it has to continue with HTTPS (in that case you have to use the HTTPS port).
“…weblogic migration we have to use the same identity keystore file (*.jks) & Trust Keystore file (*.jks)…” Note that WebLogic has hostname verification; when this is on and the certificate contains a hostname, you have a problem. To solve this problem you can disable hostname verification. Usually, when your certificate is still valid, it could be used on the other server. Note that it somehow depends on what type of certificate request you created for the certificate authority, i.e., what type of information you included – see here (http://middlewaremagic.com/weblogic/?p=6479) for more info, especially the section on SSL.
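Before reusing a keystore on another machine, the names in its certificate can be compared with the new server's hostname to see whether hostname verification would be expected to pass. The script below is an added example, not part of the original reply and not WebLogic's own verifier: it applies generic RFC 6125-style matching, and the subject DN, SAN entries and hostnames in it are constructed.

```python
import re


def cn_from_dn(dn):
    """Return the CN value from a comma-separated subject DN, in the layout
    of the 'Subject:' lines in an SSL debug log. Escaped commas (\\,) are
    kept inside their value."""
    for rdn in re.split(r"(?<!\\),\s*", dn):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def name_matches(pattern, host):
    """Case-insensitive match of one certificate name against a hostname.
    A '*' is honoured only as the whole left-most label, covers exactly one
    label, and must be followed by at least two more labels."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covers(subject_dn, san_dns, host):
    """True if the certificate names cover host. When SAN dNSName entries
    exist they are authoritative and the CN is ignored (RFC 6125)."""
    names = list(san_dns) if san_dns else [cn_from_dn(subject_dn)]
    return any(n and name_matches(n, host) for n in names)


def migration_report(subject_dn, san_dns, hosts):
    """Map each candidate hostname to whether the certificate covers it."""
    return {h: covers(subject_dn, san_dns, h) for h in hosts}


# Constructed sample: a certificate issued for the old machine only.
SAMPLE_DN = "C=US, ST=Texas, O=Example LLC, CN=app1.example.test"
SAMPLE_SAN = []          # no subjectAltName entries in this sample

if __name__ == "__main__":
    report = migration_report(
        SAMPLE_DN, SAMPLE_SAN,
        ["app1.example.test", "app2.example.test"],  # old host, new host
    )
    for host, ok in report.items():
        print("%-22s %s" % (host, "covered" if ok else "NOT covered"))
```

A host reported as not covered is the case in which the reply's hostname verification problem shows up; reissuing the certificate with the new name is the alternative to switching verification off.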
September 18th, 2012 on 2:51 pm
Hi Jay,
As per our client’s TSS standard, we must disable the HTTP port number for the admin server and enable the HTTPS port with a Verizon SSL certificate.
We have also configured the Verizon SSL certificate for all managed servers. If we start the admin server, we don’t see any error message. We can successfully access the WebLogic admin console only through the HTTPS protocol: https://localhost:7002/console.
But if we start the managed servers, we see the error message “BEA-141151” below. How do we resolve this issue?
Managed Server Startup Script:-
./startManagedWebLogic.sh MS1 https://localhost:7002
I have updated admin console url in the startManagedWebLogic.sh.
# Set SERVER_NAME to the name of the server you wish to start up.
DOMAIN_NAME="testDomain"
ADMIN_URL="https://localhost:7002"
# Set WLS_USER equal to your system username and WLS_PW equal
# to your system password for no username and password prompt
# during server startup. Both are required to bypass the startup
Regards,
S.Vinoth Babu
Hi Jay,
I have mentioned the managed server error log message.
Sep 18, 2012 1:12:44 AM SGT> Emergency> Management> BEA-141151> The admin server could not be reached at https://192.168.28.245:7002.>
Regards,
S.Vinoth Babu
September 25th, 2012 on 2:42 pm
Hi Rene,
I have already checked the Oracle blog, but they provide the solution of updating the admin URL in “startManagedWebLogic.sh”.
ADMIN_URL="https://localhost:7002"
./startManagedWebLogic.sh MS1 t3s://localhost:7002 &
We have updated the admin URL port and HTTPS protocol in the “startManagedWebLogic.sh” script. But during the managed server startup we see the error message “BEA-141151” in the managed server log file.
We have already raised an SR in My Oracle Support. Kindly provide a solution to resolve the issue.
Regards,
S.Vinoth Babu
Hi Rene,
Oracle has provided the solution of updating the protocol and port number for the admin server during the WebLogic managed server startup.
We have updated them correctly, but the problem is still not resolved.
http://www.art2dec.com/documentation/docs/fmw11g1114documentation/apirefs.1111/e14397/Management.html
BEA-141151
Emergency: The admin server could not be reached at url.
Description:-
This error indicates a failure of the managed server to connect to the admin server during its startup.
Cause:-
The admin server is not available at the specified url or the URL is not specified in the correct format like http://myhost:7001
Action:-
Ensure that an admin server is running at the specified host and port. Check the url specified and in the format is correct. The url is specified by protocol://host:port, for example http://myhost:7001
Regards,
S.Vinoth Babu.
September 27th, 2012 on 8:45 pm
Hi Rene,
As per our client’s requirement, we don’t use Node Manager. We only use the startManagedWebLogic.sh script to start the managed servers.
I have one doubt: this is a bug on the Oracle WebLogic Server side, because the managed server interacts with the admin server only through the HTTP port number.
Suppose we disable the HTTP port number; then we face the “BEA-141151” error message in the managed server log file.
Regards,
S.Vinoth Babu
November 8th, 2012 on 1:25 pm
Hi Magic Team,
Need your help in understanding the possibilities of the below error.
Weblogic 10.3.6
Linux, Jrockit R 28.2.3
STACK TRACE
06:54:31,568 INFO SessionExpireInterceptor : Session => weblogic.servlet.internal.session.ReplicatedSessionData@4074e494
06:54:31,880 ERROR RoleSecurityTagSupport : IO Error executing tag: socket write error: Connection reset by peer.
java.net.SocketException: socket write error: Connection reset by peer.
at jrockit.net.SocketNativeIO.writeBytesPinned(Native Method)
at jrockit.net.SocketNativeIO.socketWrite(SocketNativeIO.java:46)
at java.net.SocketOutputStream.socketWrite0(SocketOutputStream.java)
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
at weblogic.servlet.internal.ChunkOutput.writeChunkTransfer(ChunkOutput.java:568)
at weblogic.servlet.internal.ChunkOutput.writeChunks(ChunkOutput.java:539)
at weblogic.servlet.internal.ChunkOutput.flush(ChunkOutput.java:427)
at weblogic.servlet.internal.CharsetChunkOutput.flush(CharsetChunkOutput.java:298)
at weblogic.servlet.internal.ChunkOutput$2.checkForFlush(ChunkOutput.java:648)
at weblogic.servlet.internal.CharsetChunkOutput.write(CharsetChunkOutput.java:200)
at weblogic.servlet.internal.ChunkOutputWrapper.write(ChunkOutputWrapper.java:148)
at weblogic.servlet.jsp.JspWriterImpl.write(JspWriterImpl.java:275)
at jsp_servlet._jsp._common.__errormsg._jspService(__errormsg.java:115)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:184)
at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:526)
at weblogic.servlet.internal.RequestDispatcherImpl.include(RequestDispatcherImpl.java:447)
at weblogic.servlet.jsp.PageContextImpl.include(PageContextImpl.java:163)
at weblogic.servlet.jsp.PageContextImpl.handlePageException(PageContextImpl.java:402)
at jsp_servlet._jsp._motor._employee.__employeeclaimpartyinfo._jspService(__employeeclaimpartyinfo.java:252)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:184)
at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:526)
at weblogic.servlet.internal.RequestDispatcherImpl.include(RequestDispatcherImpl.java:447)
at weblogic.servlet.jsp.PageContextImpl.include(PageContextImpl.java:163)
at weblogic.servlet.jsp.PageContextImpl.include(PageContextImpl.java:184)
at org.apache.tiles.jsp.context.JspTilesRequestContext.include(JspTilesRequestContext.java:80)
at org.apache.tiles.jsp.context.JspTilesRequestContext.dispatch(JspTilesRequestContext.java:73)
at org.apache.tiles.context.TilesRequestContextWrapper.dispatch(TilesRequestContextWrapper.java:72)
at org.apache.struts2.tiles.StrutsTilesRequestContext.dispatch(StrutsTilesRequestContext.java:88)
at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:283)
at org.apache.tiles.jsp.taglib.InsertAttributeTag.render(InsertAttributeTag.java:140)
at org.apache.tiles.jsp.taglib.InsertAttributeTag.render(InsertAttributeTag.java:117)
at org.apache.tiles.jsp.taglib.RenderTagSupport.execute(RenderTagSupport.java:154)
at org.apache.tiles.jsp.taglib.RoleSecurityTagSupport.doEndTag(RoleSecurityTagSupport.java:75)
at org.apache.tiles.jsp.taglib.ContainerTagSupport.doEndTag(ContainerTagSupport.java:80)
at jsp_servlet._jsp._layout.__commonlayout._jsp__tag4(__commonlayout.java:442)
at jsp_servlet._jsp._layout.__commonlayout._jspService(__commonlayout.java:287)
at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:184)
at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:526)
at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:253)
at org.apache.tiles.servlet.context.ServletTilesRequestContext.forward(ServletTilesRequestContext.java:198)
at org.apache.tiles.servlet.context.ServletTilesRequestContext.dispatch(ServletTilesRequestContext.java:179)
at org.apache.tiles.context.TilesRequestContextWrapper.dispatch(TilesRequestContextWrapper.java:72)
at org.apache.struts2.tiles.StrutsTilesRequestContext.dispatch(StrutsTilesRequestContext.java:88)
at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:606)
at org.apache.tiles.impl.BasicTilesContainer.render(BasicTilesContainer.java:246)
at org.apache.struts2.views.tiles.TilesResult.doExecute(TilesResult.java:105)
at org.apache.struts2.dispatcher.StrutsResultSupport.execute(StrutsResultSupport.java:186)
at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:373)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:277)
at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:176)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:50)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:133)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:207)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:207)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:190)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:75)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:94)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:243)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:100)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:141)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:270)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:145)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:176)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:190)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:187)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at com.qa.common.config.SessionInterceptor.intercept(SessionInterceptor.java:31)
at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
at org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:52)
at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:498)
at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:77)
at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:91)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
06:54:31,880 ERROR BasicTilesContainer : Error rendering tile
java.net.SocketException: socket write error: Connection reset by peer.
at jrockit.net.SocketNativeIO.writeBytesPinned(Native Method)
at jrockit.net.SocketNativeIO.socketWrite(SocketNativeIO.java:46)
at java.net.SocketOutputStream.socketWrite0(SocketOutputStream.java)
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
November 8th, 2012 on 2:40 pm
Hi Rene,
Thank you very much for the response.
What is the best practice to avoid this type of error?
Thank you very much for your time.
Sohel.
November 8th, 2012 on 3:02 pm
Hi Rene,
As WebLogic administrators, is there anything that we can do, or does the development team need to take care of this?
A hint on this would be really helpful.
Thanks.
November 28th, 2012 on 7:44 pm
Hi René van Wijk,
How do I configure X.509 certificate revocation checking using the OCSP protocol with Oracle WebLogic Server 12c? This utility is used to verify the certificate revocation status in the WebLogic Server log.
http://www.oracle.com/technetwork/articles/soa/patil-certrevoc-1873528.html
Regards,
S.Vinoth Babu
March 27th, 2013 on 12:32 am
We are going to be rolling out a new intranet architecture which will be very strict regarding what hosts can speak with each other and on what ports and protocols. As of now our environment can be thought of as a flat open LAN for the purposes of this question.
I have already successfully introduced the Web Tier with mod_wls.so and set up the directives properly. I also made the necessary code changes to our applications so that any request which may form a URL for a browser or even a button that has a request action comes back in via the newly introduced Web Tier (Apache – latest Red Hat Repo Version).
Because we are going to be locked down tight and I do not have the environment available yet and need to start QA, I have decided to set up iptables to simulate the rules that the firewall(s) will enforce. I’ll probably keep them as another level of security as well.
Do you have any examples of iptables setups for a WebLogic host which is accessed via browsers? I’m only concerned with WLS, but if an example has ssh or any other services all the better. I have terminated SSL at the Web Tier so I know that I need to allow the listen port of our managed server. I’m not going to allow console access from the DMZ or Internet but I will from inside / behind the firewalls. Really what I need to know is what ports need to be open for WLS where it’s only accessed via browser. I know of ListenPort(s), and AdministrationPort but I can’t find Oracle documentation on what ports must be open. I’m thinking it can’t be as simple as just the ListenPort(s). Also we don’t use node manager and no cluster at this time. Once I know all the ports I can create iptables for WLS and I’ll be glad to share a sanitized version here. An example that can be tweaked would be great or just a pointer to documentation on what ports I need for WLS 10.3.3.0 accessed only via Web Browser, no client.
Best Regards,
-Chris
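A starting point for the host firewall described in the comment above, as an added example that is not part of the original comment or thread: a shell function that emits a default-deny `iptables-restore` ruleset for a WebLogic host behind a web tier. It assumes the only inbound WLS traffic is HTTP from the web tier to the managed server's ListenPort, plus console and ssh access from an internal management subnet, with no Node Manager and no cluster (as the comment states); the function name, addresses and port numbers are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a WebLogic host.
# Usage (placeholder values, check before loading):
#   wls_ruleset 192.0.2.10 198.51.100.0/24 7001 9002 | iptables-restore --test
#
# wls_ruleset WEB_TIER_IP MGMT_CIDR MANAGED_PORT CONSOLE_PORT
#   WEB_TIER_IP   host running Apache with the WebLogic proxy plug-in
#   MGMT_CIDR     internal subnet allowed to reach ssh and the console
#   MANAGED_PORT  ListenPort of the managed server
#   CONSOLE_PORT  Admin Server port that serves the console (its ListenPort,
#                 or the AdministrationPort if the domain enables one)
wls_ruleset() {
    web_tier=$1 mgmt=$2 managed_port=$3 console_port=$4

    # Reject anything that is not a TCP port number, so a typo cannot
    # produce a rule that opens something other than what was intended.
    for p in "$managed_port" "$console_port"; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "invalid port: $p" >&2; return 1; }
    done

    # Default-deny inbound; every ACCEPT is pinned to a source and a port.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $mgmt --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s $web_tier --dport $managed_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s $mgmt --dport $console_port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "wls-drop: " --log-level 4
COMMIT
EOF
}
```

The final LOG rule records whatever the policy is about to drop, so running QA against this ruleset shows in the kernel log any additional port the application turns out to need.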
February 21st, 2014 on 4:25 pm
Hi,
We have 2 domains with 2 different Admin Servers hosted on 2 different machines. We need to do a JMS JNDI lookup from one server to another.
We tried enabling cross-domain security credential mapping, but that didn’t work.
The lookup works only if we enable Global trust, but as the 2 servers are across a firewall, we don’t want to do this as it is a security issue.
Please advise if we are missing anything here.