Wednesday, November 12, 2008

Using the DemoIdentity and DemoTrust keystores that come with weblogic

Having come from the world of OC4J where enabling https required the sacrifices of your first born: it is nice to know that in weblogic you can start working with just a tick of a box. (For the internal JDeveloper instance http://localhost:7101/console -> Servers -> DefaultServer(Admin) -> SSL Listen Port Enabled)

It is worth knowing that to make this trick happen weblogic generates a new DemoIdentity on install that is unique to your machine. The key in this is then used to set up of the https channel.

If you are connecting to the server you need to know where the key stores live, so here is a table with all the default values in:

Property Value
Trust store location %ORACLE_HOME%/weblogic/wlserver_10.3/ server/lib/DemoTrust.jks
Trust store passwordDemoTrustKeyStorePassPhrase
Key store location %ORACLE_HOME%/weblogic/wlserver_10.3/ server/lib/DemoIdentity.jks
Key store passwordDemoIdentityKeyStorePassPhrase
Private key passwordDemoIdentityPassPhrase

Most of the time you will be using the trust store to talk to the server. (Generally by passing in -Djavax.net.ssl.trustStore=.../DemoTrust.jks to the java process is enough)

If you are trying to configure the http analyzer in JDeveloper to run with https you will run into a problem as it assumes that the keystore and private key password are the same. (This should be fixed in a future version of JDeveloper if all goes well) This is not the case with the weblogic DemoIdentity.jks store. You workaround this is to use the "keytool -importkeystore" command to import the DemoIdentity in a keystore where both password are the same. This would look something like:

  keytool -importkeystore -srckeystore .../DefaultIdentity.jks 
     -srcstorepass DemoIdentityKeyStorePassPhrase -srcalias demoidentity 
     -srckeypass DemoIdentityPassPhrase 
     -destkeystore .../server.jks -deststorepass 
     -deststorepass welcome -destalias demoidentity -destkeypass welcome

13 comments:

Lucast said...

Hello Gerard, my name is Lucas and i am working in a WebService https two-way authentication with Oracle WL 10.3.

In this moment i have authenticate a java client class with https one-way authentication, including the following code:

System.setProperty("javax.net.ssl.trustStore", "C:\\bea103\\wlserver_10.3\\server\\lib\\DemoTrust.jks");

System.setProperty("javax.net.ssl.trustStorePassword", "DemoTrustKeyStorePassPhrase");


This work fine in one-way. Then, I enabled two-way on my WL Server and add the following source code in the java client class:

System.setProperty("javax.net.ssl.keyStore", "C:\\bea103\\wlserver_10.3\\server\\lib\\DemoIdentity.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "DemoIdentityKeyStorePassPhrase");


And this get me the following error:

keyStore is : C:\bea103\wlserver_10.3\server\lib\DemoIdentity.jks
keyStore type is : JKS
keyStore provider is :
init keystore
init keymanager of type SunX509
default context init failed: java.security.UnrecoverableKeyException: Cannot recover key
Respuesta ERROR: ; nested exception is:
java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)


I try to include a “CertGenCA.der” into a “DemoIdentity.jks” but don’t work, i use this:

C:\bea103\jdk160_05\bin\keytool -import -alias certgenca -file C:/bea103/wlserver_10.3/server/lib/CertGenCA.der -keystore C:/bea103/wlserver_10.3/server/lib/DemoIdentity.jks -keypass DemoIdentityKeyStorePassPhrase -storepass DemoIdentityKeyStorePassPhrase

You can get me a Tips for this problem. Sorry for my english, thanks a lot and special regards from Argentina.

Lucas.

Gerard Davison said...

The problem here is that you can only use the system properties for keystores where the keystore and key passwords are not the same.

This is not true for the DemoIdentityStore which has two different passwords. You can either import the identity into a simpler keystore, create you own identity, or use the following API:

http://download.oracle.com/docs/cd/E12839_01/web.1111/e13713/transport.htm#insertedID3

PersistentSSLInfo provide far more control over the SSL configuration.

Hope this helps,

Gerard

Lucast said...

Thanks Gerard for the faster reply, I finally understand the problem. I’m trying to use the PersistentSSLInfo in a WL Client but cannot be resolved this import:

import weblogic.wsee.jaxws.sslclient;

Anyway, I implement another java class, using an Axis Client, where I can set the tree password to https two-way authentication, this class look like:


package bo.socket;

import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.Hashtable;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.axis.components.net.JSSESocketFactory;
import org.apache.axis.components.net.SecureSocketFactory;

public class MyCustomSSLSocketFactory extends JSSESocketFactory implements SecureSocketFactory

{ public MyCustomSSLSocketFactory(Hashtable attributes) {
super(attributes);
}

protected void initFactory() throws IOException {

try {
SSLContext context = getContext();
sslFactory = context.getSocketFactory();
} catch (Exception e) {
if (e instanceof IOException) {
throw (IOException) e;
}
System.out.print(e.getMessage());
throw new IOException(e.getMessage());
}
}

protected SSLContext getContext() throws Exception
{
try
{
String keystore_type = KeyStore.getDefaultType(); // "JKS"

KeyStore keyStore = KeyStore.getInstance(keystore_type);
KeyStore trustStore = KeyStore.getInstance(keystore_type);

char[] keystore_password = "DemoIdentityKeyStorePassPhrase".toCharArray();
keyStore.load(new FileInputStream("C:\\bea103\\wlserver_10.3\\server\\lib\\DemoIdentity.jks"), keystore_password);

char[] trusstore_password = "DemoTrustKeyStorePassPhrase".toCharArray();
trustStore.load(new FileInputStream("C:\\bea103\\wlserver_10.3\\server\\lib\\DemoTrust.jks"), trusstore_password);

String algorithmTrust = TrustManagerFactory.getDefaultAlgorithm(); // PKIX

TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithmTrust);
tmf.init(trustStore);

String algorithmKey = KeyManagerFactory.getDefaultAlgorithm(); // "SunX509"
KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithmKey);

char[] key_password = "DemoIdentityPassPhrase".toCharArray();

kmf.init(keyStore, key_password);

SSLContext sslctx = SSLContext.getInstance("SSL");

sslctx.init(kmf.getKeyManagers(),tmf.getTrustManagers(),null);

return sslctx;
}
catch (Exception e)
{ e.printStackTrace();
throw new Exception("Error creating context for SSLSocket.", e);
}
}
}


And in the main call of a WS from Client I set the new SSLSocketFactory Class:

AxisProperties.setProperty("axis.socketSecureFactory","bo.socket.MyCustomSSLSocketFactory");


This works fine for https two-way authentication Client Axis implement. I trying now to use this in my Client WL class.

Thanks a lot for your help and to throw some light on our way…;)

Lucas.

Ing. Mauricio J. Savino said...

Hello Gerard,

How can I use DemoIdentity and DemoTrust keystores that comes with weblogic on vb.net or c# client . How can set these values in my code?

Could you help me please?

Thanks

Mauricio

Gerard Davison said...

Sorry no idea, not used .NET

Ganesh said...

Hi Gerard,

Just wanted to let you know that I regularly visit this blog when I need the BEA passphrases and that I've linked to it in our documentation. Very useful, thank you!

Best regards,
Ganesh

Hoang said...

Hi Gerard,

In Weblogic 10.3.1, when I started WL, it will load the trusted certificates automatically as below




But in WL 10.3.2, it does not. In my console under Server -> Configuration -> Keystores tab. In my case, the drop-down for keystore is "Demo Identity and Demo Trust"

I checked and all the jks and cacerts are there. Mine is a fresh installation of WL 10.3.2

Do you have any ideas?

Thanks
Andy

vicky said...

I’m trying to send email notification through SOA 11g and I tried to configure Gmail SMTP port 465 SSL enabled and tried to send a notification but I got SSL exception. I got CA root certificate for gmail and I'm trying to insert into Demotrust.jks would you be able to tell me How I could do this.

Vic

Gerard Davison said...

Hoang,

Sorry for the very late reply; but I don't. Did you have any resolution for this issue?

Gerard

Setya said...

Gerard,

On Weblogic 9.2, when I only pass -Djavax.net.ssl.trustStore= config/DemoTrust.jks, the following exception was thrown :

java.net.SocketException: Default SSL context init failed: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=6, too big.

What's wrong ?

Thanks & Regards

Setya

Setya said...

Hi,

It turns out that the DemoTrust.jks is corrupted.

Setya

ankur said...

Hello Everyone...
I am pretty new to Webservice and SSL.
We have to make a call to a webservice via HTTPS, i have tried from the Weblogic but seems some issue with Weblogic.
So now trying to configure 2way SSL from java code point of view.
We are using axis 2 API.
Can anybody share the source code for the same and give some pointers that how exactly it works.

Aritra Chatterjee said...

Thank you so much for the private key password for the DemoIdentity.jks