0

I have a Java application which is hosted on a WebLogic 12c managed server. It is calling an external API endpoint which is secured. This is an outbound connection from the WebLogic server to the target server, for example, https://www.demosite.com/api/end/point. Initially I got the SSLHandshake error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I imported the certificate of the target server "https://www.demosite.com" into the CustomTrust.jks keystore in my WebLogic managed server. I also imported the same cert into the Java default keystore cacerts.

With this I started seeing successful API calls. But this was not consistent. Seeing intermittent failures very often. So I decided to add the below Java arguments to my managed server startup settings.

-Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2

Managed server restarts are done by deleting the Managed_Server tmp & cache folders. This action item did not help to fix the problem. Then I made some changes to the SSL configuration in the WebLogic managed server settings, like the ones below:

Hostname Verification: Custom Hostname verifier
Custom Hostname Verifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
Use Server Certs: Checked
Two Way Client Cert Behavior: Client Certs Requested But Not Enforced

None of the settings I tried helped to fix the issue completely.

From the JDeveloper integrated WebLogic server on my local machine the API call never fails. Only the WebLogic managed server running on the Linux server is giving this problem. On my local machine I did not import the target server certs explicitly. What am I missing here? The target allows only TLSv1.2/SSLv3 connections.

7
  • 2
    "Seeing intermittent failures very often. So I decided ...." - this information does not help. You don't provide the actual error you get, only "intermittent failures". And then you fiddle around with settings which likely have nothing to do with the error. Unfortunately we cannot help here since it is unclear what error you actually have. Commented Sep 29, 2023 at 18:12
  • 1
    Also it is extremely unlikely any server today allows SSLv3, which has been broken and prohibited by practically everybody since 2015. It is fairly common, and good practice, to allow only (aka require) TLS 1.2 or 1.3 -- or equivalently TLS >= 1.2. However the protocol version makes no difference to the certificate validity, nor vice versa. Commented Sep 30, 2023 at 2:13
  • @SteffenUllrich Apologies for not providing the error stack. I mean I'm getting SSLHandshake errors sometimes after importing the certificate. Before importing the cert it was 100% failure. <Sep 30, 2023 3:41:07,303 PM EDT> <Error> <com.demo.application.microservice.testing.rest.resource.v1.TestResource> <BEA-000000> < javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Commented Sep 30, 2023 at 19:47
  • @Subbu: if the same client (your WebLogic server) with the same configuration (i.e. trust store) and in the same network setup is sometimes able to verify the target server with this trust store and sometimes not, then there is likely something unexpected with the target server, i.e. it is sometimes sending the certificate + chain you expect and sometimes not. This might for example happen if there are multiple servers for the same domain with different IP addresses and configuration. Commented Sep 30, 2023 at 19:52
  • 1
    What does it matter what pass rate the local weblogic setup has if this is about communicating with some remote server? It is not even clear what is even tested. And there is nothing "blocking". If there would be something blocking, then you would get a connection error not a certificate problem. Commented Sep 30, 2023 at 21:27

1 Answer

-1

This is resolved. Found that I was supposed to install only the root and intermediate certificates in the JKS keystore or Java default cacerts; I was missing the intermediate cert in my keystore. It did not require the target server certificate.
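
An added example, not part of the original answer: it reproduces the missing-intermediate condition offline with a constructed lab PKI and the `openssl` CLI, showing why a trust store holding only the root validates the leaf when the server sends the intermediate and fails when it does not. Assumptions: `openssl` is installed, the CA names are made up, `-CAfile` stands in for the JKS trust store and `-untrusted` stands in for the certificates the server presents in the handshake.

```shell
#!/usr/bin/env bash
# Constructed lab PKI (all names made up): Lab Root CA -> Lab Intermediate CA -> leaf.
set -eu

# new_csr NAME CN: fresh RSA key plus a certificate signing request
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

# build_pki DIR: writes root.pem, inter.pem, leaf.pem and root_and_inter.pem into DIR
build_pki() (
  cd "$1"
  echo 'basicConstraints=critical,CA:TRUE' > ca.ext
  new_csr root 'Lab Root CA'
  new_csr inter 'Lab Intermediate CA'
  new_csr leaf 'www.demosite.com'
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ca.ext -out root.pem 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -out leaf.pem 2>/dev/null
  cat root.pem inter.pem > root_and_inter.pem
)

# chain_ok TRUST_STORE LEAF [CERTS_SENT_BY_SERVER]
# Succeeds only if a path from LEAF up to a certificate in TRUST_STORE can be built.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

report() { if chain_ok "$@"; then echo "path built"; else echo "path building FAILED"; fi; }

PKI=$(mktemp -d)
build_pki "$PKI"
echo "root only in store, server sends intermediate: $(report "$PKI/root.pem" "$PKI/leaf.pem" "$PKI/inter.pem")"
echo "root only in store, server omits intermediate: $(report "$PKI/root.pem" "$PKI/leaf.pem")"
echo "root + intermediate in store, server omits it: $(report "$PKI/root_and_inter.pem" "$PKI/leaf.pem")"
```

Against a live endpoint, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which is the input the `-untrusted` argument models here.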
