33426 - WebLogic Server 8.1 SP3 is not compatible by default with U.S. government standard Windows configuration

Problem Note 33426: WebLogic Server 8.1 SP3 is not compatible by default with U.S. government standard Windows configuration

WebLogic Server 8.1 SP3 has a documented issue with negotiating Secure Socket Layer (SSL) communication — SSL error: ... SSLCipherUtility.getCompatabilityKeySize()—when the browser presents AES encryption.

Internet Explorer 7, when configured to be compliant with the Federal Desktop Core Configuration (FDCC), presents AES as the first choice for SSL encryption.

Therefore, all SSL URLs hosted on WebLogic 8.1 SP3 and accessed by IE7 with the FDCC configuration will result in a failed browser session, often with a blank browser window and no timeout response.

See the Output tab for exception stack traces that appear in the WebLogic managed server log.

Under FDCC encryption requirements, there are two acceptable encryption cipher suites: AES and Triple DES (3DES). A workaround for this issue is to modify the WebLogic server configuration for SSL to only use the 3DES cipher suite. This is done in the SSL configuration, described in the WebLogic Server Configuration Reference

The CIPHERSUITES parameter is set to limit encryption at the server to 3DES, using the cipher suite identifier "TLS_RSA_WITH_3DES_EDE_CBC_SHA". In the SSL tag for each managed server defined in the WebLogic config.xml file, specify the CIPHERSUITES= parameter as shown below:

    <Server Machine="MyMachine" Name="myserver" ServerVersion="8.1.3.07quot; 
    …
    >
    …
     <SSL Ciphersuites="TLS_RSA_WITH_3DES_EDE_CBC_SHA" Enabled="true"
            IdentityAndTrustLocations="KeyStores" Name="myserver"
            ServerPrivateKeyAlias="t2252" ServerPrivateKeyPassPhrase="{3DES}sguM2SSMEDY="/>
    …
    </Server>

Prior to editing the config.xml file, all BEA server processes must be stopped, including the Administration Server and the Node Manager.

The limitation of cipher suite can be confirmed through the use of server logging and SSL debug logging. Use these JVM options

-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

and these server XML options in the config.xml file:

    <Server Machine="MyMachine" Name="myserver"
      …    
    StdoutDebugEnabled="true" StdoutSeverityLevel="64"
    …
    >
          <ServerDebug DebugSSL="true" Name="myserver"/>
    </Server>

With these options and parameters set, the server log will display this message at startup:

<May 15, 2008 10:26:36 AM EDT> <Debug> <TLS> <000000> <Cipher suites enabled:> 
<May 15, 2008 10:26:36 AM EDT> <Debug> <TLS> <000000> < TLS_RSA_WITH_3DES_EDE_CBC_SHA>

The logging and debug options should be removed after successful testing.

Another option to remedy this issue, as described in "SSL error: ... SSLCipherUtility.getCompatabilityKeySize()", is to move to SP5 or higher for WebLogic 8.1, and follow instructions for AES cipher suite support. The SAS^® Enterprise BI Server 9.1.3 SP4 Web applications and most SAS^® solutions are supported on WebLogic 8.1 SP6.

Operating System and Release Information

Product Family	Product	System	Product Release		SAS Release
Product Family	Product	System	Reported	Fixed*	Reported	Fixed*
WEBLOGIC	BEA WebLogic Server	64-bit Enabled AIX	8.1.3	8.1.6	9.1 TS1M3 SP4	9.1 TS1M3 SP4
		64-bit Enabled Solaris	8.1.3	8.1.6	9.1 TS1M3 SP4	9.1 TS1M3 SP4
		HP-UX IPF	8.1.3	8.1.6	9.1 TS1M3 SP4	9.1 TS1M3 SP4

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

When WebLogic Server is configured to use Java Cryptography Extension (JCE) cipher suites, this exception appears in the server log:

####<May 8, 2008 6:09:58 PM EDT> <Error> <Kernel> <t2252> <myadminserver> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-000802> <ExecuteRequest failed
 java.lang.IllegalStateException: Cipher not initialized.
java.lang.IllegalStateException: Cipher not initialized
at javax.crypto.Cipher.update(DashoA6275)
at com.certicom.tls.provider.Cipher.update(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown Source)
at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:522)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)>

If the JCE cipher suites are not in use, this exception will appear in the server log:

####<May 8, 2008 6:51:13 PM EDT> <Error> <HTTP> <t2252> <myadminserver> <ExecuteThread: '0' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <BEA-101083> <Connection failure.
java.lang.NullPointerException
at weblogic.security.utils.SSLCipherUtility.getCompatabilityKeySize(SSLCipherUtility.java:80)
at weblogic.servlet.internal.MuxableSocketHTTP.dispatch(MuxableSocketHTTP.java:608)
at weblogic.socket.SSLFilter.dispatch(SSLFilter.java:281)
at weblogic.socket.MuxableSocketDiscriminator.dispatch(MuxableSocketDiscriminator.java:284)
at weblogic.socket.SSLFilter.dispatch(SSLFilter.java:281)
at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:105)
at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)>

Date Modified:	2008-09-30 09:28:16
Date Created:	2008-09-26 11:11:51

Type:	Problem Note
Priority:	high

Support

Problem Note 33426: WebLogic Server 8.1 SP3 is not compatible by default with U.S. government standard Windows configuration

Operating System and Release Information