Thursday, November 19, 2009

HttpsURLConnection with WebLogic.

Hello, I ran into several situations where I need to make an HTTP connection to outside vendors or to a server in a local location to grab data. In most cases it needs to be encrypted. When we work with WebLogic (my client runs in WebLogic) we have to use the WebLogic libraries to resolve the SSL certificates. In many situations the local servers that we connect to only had a demo certificate, and we need code to work around the errors generated by the demo certificates.

Here is some basic information about how to make a connection and ignore the demo certificate warning. You only need the custom hostname verifier if you want to avoid the demo certificate warning. In my case I have it configured so that in all test regions it does that, and when we go to production it forces the certificate validation.

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import javax.net.ssl.SSLSession;
import weblogic.net.http.HttpsURLConnection;
import weblogic.security.SSL.HostnameVerifier;
import weblogic.security.SSL.SSLContext;
import weblogic.security.SSL.TrustManager;

public class HttpsPostClient {

    // POSTs inputBytes as a form body to target (for example "https://google.com")
    // and returns the response body as text.
    public static String post(String target, byte[] inputBytes) throws Exception {
        URL url = new URL(target);
        HttpsURLConnection httpConn = new HttpsURLConnection(url);

        // WebLogic's own SSLContext. The verifier and trust manager installed here
        // switch off hostname and certificate checking (for demo certificates only).
        SSLContext context = SSLContext.getInstance("https");
        context.setHostnameVerifier(new MyHostNameVerifier());
        context.setTrustManager(new MyTrustManager());
        httpConn.setSSLSocketFactory(context.getSocketFactory());

        httpConn.setRequestProperty("Content-Length", String.valueOf(inputBytes.length));
        httpConn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        httpConn.setRequestMethod("POST");
        httpConn.setRequestProperty("Connection", "Keep-Alive");
        httpConn.setDoOutput(true);
        httpConn.setDoInput(true);
        httpConn.setUseCaches(false);

        // send the request body
        OutputStream out = httpConn.getOutputStream();
        out.write(inputBytes);
        out.close();

        // read the response line by line
        InputStreamReader isr = new InputStreamReader(httpConn.getInputStream());
        BufferedReader in = new BufferedReader(isr);

        String inputLine;
        StringBuffer inputBuffer = new StringBuffer();
        while ((inputLine = in.readLine()) != null) {
            inputBuffer.append(inputLine);
            inputBuffer.append('\n');
        }
        in.close();
        return inputBuffer.toString();
    }
}

// the following classes are used to trust all certificates:

// Accepts every hostname, so the certificate subject is never matched against the URL.
class MyHostNameVerifier implements HostnameVerifier {

    public boolean verify(String urlHostname, SSLSession session) {
        return true;
    }
}

// Returns true whatever validateErr reports, so WebLogic's chain validation errors are ignored.
class MyTrustManager implements TrustManager {

    public boolean certificateCallback(java.security.cert.X509Certificate[] chain, int validateErr) {
        return true;
    }
}
 

If you are using plain Java you normally open the connection with url.openConnection(). But in order to use the WebLogic overloaded connection it is better to use HTTPSUrlConnection.open(url). This is only valid when you use the overloaded connection from WebLogic.
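The post says the lenient verifier and trust manager are only wanted in test regions, with production forcing validation. The following is an added example (not the author's code) of one way to build that switch into the same WebLogic classes: a hypothetical system property app.ssl.allowDemoCerts selects the lenient behaviour, and when it is absent the hostname is matched against the server certificate and any nonzero WebLogic validation status rejects the connection. It assumes that a validateErr of 0 means "no error" (check the TrustManager constants of your WebLogic release) and that the subject DN contains no escaped commas.

```java
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLSession;
import weblogic.net.http.HttpsURLConnection;
import weblogic.security.SSL.HostnameVerifier;
import weblogic.security.SSL.SSLContext;
import weblogic.security.SSL.TrustManager;

public class EnvironmentGatedSsl {

    // Hypothetical switch: test regions start with -Dapp.ssl.allowDemoCerts=true,
    // production leaves it unset, so a missing flag fails closed.
    static boolean allowDemoCerts() {
        return Boolean.getBoolean("app.ssl.allowDemoCerts");
    }

    // Builds a WebLogic HttpsURLConnection whose SSL checks depend on the switch.
    public static HttpsURLConnection open(String target) throws Exception {
        HttpsURLConnection conn = new HttpsURLConnection(new URL(target));
        SSLContext context = SSLContext.getInstance("https");
        context.setHostnameVerifier(new GatedHostnameVerifier());
        context.setTrustManager(new GatedTrustManager());
        conn.setSSLSocketFactory(context.getSocketFactory());
        return conn;
    }

    // Test regions: accept any host. Production: the URL host must equal a DNS
    // subject alternative name or the CN of the server certificate.
    static class GatedHostnameVerifier implements HostnameVerifier {
        public boolean verify(String urlHostname, SSLSession session) {
            if (allowDemoCerts()) {
                return true;
            }
            try {
                Certificate[] chain = session.getPeerCertificates();
                if (chain == null || chain.length == 0) {
                    return false;
                }
                return hostMatches(urlHostname, (X509Certificate) chain[0]);
            } catch (Exception e) {
                return false; // no peer certificate, or it could not be parsed
            }
        }
    }

    // Test regions: ignore WebLogic's validation status. Production: allow the
    // connection only when validateErr reports no error (assumed to be 0).
    static class GatedTrustManager implements TrustManager {
        public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
            if (allowDemoCerts()) {
                return true;
            }
            return validateErr == 0;
        }
    }

    // Exact, case-insensitive comparison of host against SAN dNSName entries
    // (GeneralName type 2) and, failing that, the CN of the subject DN.
    // Wildcard names are deliberately not accepted.
    static boolean hostMatches(String host, X509Certificate cert) throws Exception {
        String wanted = host.toLowerCase(Locale.ROOT);
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))
                        && wanted.equals(String.valueOf(san.get(1)).toLowerCase(Locale.ROOT))) {
                    return true;
                }
            }
        }
        // RFC 2253 form, e.g. "CN=vendor.example,O=Vendor"; naive split, see the lead-in
        for (String rdn : cert.getSubjectX500Principal().getName().split(",")) {
            String part = rdn.trim();
            if (part.startsWith("CN=")) {
                return wanted.equals(part.substring(3).toLowerCase(Locale.ROOT));
            }
        }
        return false;
    }
}
```

The connection returned by open() is then used exactly like the one in the post (set the request properties, write the body, read the response). Keeping the lenient path behind a property that must be set explicitly means a server deployed without it gets full validation by default, and the SSL debug output will still show WebLogic's validation status when a production connection is refused.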

Friday, November 13, 2009

BEA-090477 weblogic user specified trustmanager validation status 16

I got an application that connects to a vendor using an HTTPS URL connection. This app was working fine in WLS 8.1. I recently had to change this for Oracle 10.3. The app got recompiled with the new JDK and all of a sudden I was getting this error.

Searching through Oracle and Google did not result in any solution. After trying several ways to redo the connection and debugging with SSL debug turned on, I ran into an illegal key size issue. The server certificate is from VeriSign. I remember we had a similar issue with certificates earlier and searched Google for this specific information. Luckily someone had a document about this here on this web site:
http://www.java-answers.com/index.php?topic=22.0

I downloaded the policy files from Sun, and voila, everything worked fine after that. The readme of the policy files explains that this policy is unrestricted, while the default one is restricted.

Link to the JDK1.6 policy file:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=jce_policy-6-oth-JPR@CDS-CDS_Developer

I am not sure why this is not properly documented or published. The irony is that it worked fine in WebLogic 8.1 and I did not even suspect the new JDK policy files as a problem. I have other clients using the same version that are working fine (the only difference here is that those certificates are from Entrust).

Another side note: the development servers that I was connecting from only have a demo certificate configured for incoming connections. (Mine is outgoing, so I didn't think it mattered, but I thought of mentioning it as so many factors are involved in creating this error.)

Hope this helps someone if they run into the same issue.

(Update: I found that the security policy files need to be in both the JRockit and JDK folders even though I only use JRockit to run my server. Also, the production servers where my 8.1 version of the code worked had the right policy to begin with. I synced up the policy files from production to test to keep them consistent. But the error is related to the unlimited encryption policy files.)
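Because the "illegal key size" failure depends on which JRE actually runs the server and whether its policy files are the restricted or unlimited ones, a small check run inside the server helps confirm the fix before retrying the vendor connection. The following is an added example, not code from the post: it reports the java.home in use and whether 256-bit AES is permitted, which is what the restricted policy refuses. The all-zero key and IV are constructed test values used only to probe the policy, not secrets.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck {

    // Under the default (restricted) policy the AES cap is 128 bits; the
    // unlimited policy files raise it to Integer.MAX_VALUE.
    public static boolean unlimitedPolicyInstalled() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    // Tries to initialise a 256-bit AES cipher. With the restricted policy
    // init() throws InvalidKeyException("Illegal key size"), the same error
    // the TLS handshake runs into when the server's cipher suite needs it.
    public static boolean canUse256BitAes() {
        try {
            byte[] key = new byte[32]; // constructed all-zero probe key, not a real secret
            byte[] iv = new byte[16];  // constructed all-zero probe IV
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            return true;
        } catch (InvalidKeyException e) {
            return false;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("AES/CBC/PKCS5Padding unavailable", e);
        }
    }

    // One line summarising which JRE is running and what its policy allows;
    // java.home is the directory whose lib/security holds the policy jars.
    public static String describe() throws NoSuchAlgorithmException {
        return "java.home=" + System.getProperty("java.home")
                + " max AES key bits=" + Cipher.getMaxAllowedKeyLength("AES")
                + " 256-bit AES usable=" + canUse256BitAes()
                + (unlimitedPolicyInstalled() ? " (unlimited policy)" : " (restricted policy)");
    }

    public static void main(String[] args) throws Exception {
        System.out.println(describe());
    }
}
```

Running describe() from a servlet or startup class in each region shows at once whether the policy jars landed in the JRE that WebLogic actually launches with (the JRockit folder, in the update above) rather than only in the JDK used for compilation, and gives a quick way to verify that test and production have been synced.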