It's all about Weblogic..!!!

January 11, 2011

SSLHandshakeException while connecting to admin server using WLST over t3s

Filed under: Core Issues — streethawkz @ 5:25 pm

Stack Trace :

javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://localhost:7002: Destination unreachable; nested exception is:
javax.net.ssl.SSLHandshakeException: FATAL Alert:HANDSHAKE_FAILURE – The handshake handler was unable to negotiate an acceptable set of security parameters.; No available router to destination]
at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:40)
at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:787)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:366)
at weblogic.jndi.Environment.getContext(Environment.java:315)
at weblogic.jndi.Environment.getContext(Environment.java:285)
at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:117)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)

—-

D:\weblogic\wls924\user_projects\domains\saml_1.1_source_post>java weblogic.WLST

Initializing WebLogic Scripting Tool (WLST) …
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands
wls:/offline> connect()

Please enter your username [weblogic] :weblogic

Please enter your password [weblogic] :

Please enter your server URL [t3://localhost:7001] :t3s://localhost:7002

Connecting to t3s://localhost:7002 with userid weblogic …

localhost - 127.0.0.1 was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not.If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.

Traceback (innermost last):

File "<console>", line 1, in ?

File "", line 22, in connect

WLSTException: 'Error occured while performing connect :

Error getting the initial context. There is no server running at t3s://localhost:7002 Use dumpStack() to view the full stacktrace'

wls:/offline>

Solution / Workaround :

– Use the following flags while starting WLST :

java -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.CustomTrustKeyStoreType="JKS" -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName="D:/weblogic/wls924/user_projects/domains/saml_1.1_source_post/trust.jks" weblogic.WLST

OR

java -Dweblogic.security.SSL.ignoreHostnameVerification=true weblogic.WLST

OR

Recreate the certificates with the CN set to the host name of the machine so that host name verification succeeds. This is the only one of the three options that leaves host name verification enabled.
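To see ahead of time whether a certificate will pass host name verification for a given connect URL, the CN can be compared with the host in the URL. The following is an added example, not part of the original post: it models the check as a case-insensitive comparison of the subject CN with the URL host (a simplification), and the function names, sample DN and host names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample subject DN of a server identity certificate
# (illustrative values, not taken from the post).
SAMPLE_OWNER = "CN=wlsadmin01.example.test, OU=Middleware, O=Example, C=US"


def subject_cn(dn):
    """Return the first CN value of a comma-separated DN, honouring '\\,' escapes."""
    for rdn in re.split(r"(?<!\\),", dn):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            # Drop the backslash from escaped characters such as '\,'.
            return re.sub(r"\\(.)", r"\1", value.strip())
    return None


def url_host(url):
    """Host part of a WLST connect URL such as t3s://localhost:7002."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no host in URL: %r" % url)
    return host


def cn_matches_url(owner_dn, url):
    """True when the certificate CN equals the URL host (case-insensitive)."""
    cn = subject_cn(owner_dn)
    return cn is not None and cn.lower() == url_host(url).lower()


def triage(owner_dn, url):
    """Report whether host name verification is expected to pass or fail."""
    if cn_matches_url(owner_dn, url):
        return "host name verification should pass: CN equals URL host"
    return "host name verification will fail: CN %r != host %r" % (
        subject_cn(owner_dn), url_host(url))


if __name__ == "__main__":
    # Connecting as 'localhost' fails the check; the CN host name passes it.
    print(triage(SAMPLE_OWNER, "t3s://localhost:7002"))
    print(triage(SAMPLE_OWNER, "t3s://wlsadmin01.example.test:7002"))
```

A matching CN only settles host name verification; the CA that signed the certificate must still be present in the trust keystore WLST is started with.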


1 Comment »

  1. What happens if the weblogic instance is configured with 2-way SSL? i.e., the weblogic server requires a client certificate from wlst before allowing connection. How do I define a client certificate (identity keystore) for WLST? In my test, the WLST console shows that it receives the certificate from the weblogic server and accepts it (based on the correct CustomTrustKeyStore configuration as per your example), but the weblogic server rejects the connection because it does not receive a certificate from WLST. I also tried to set up “Use Server Certificate” in the Weblogic server console’s SSL config but the WLST connect () command still fails.

    Comment by Philip N — October 25, 2011 @ 6:55 am

