WebLogic Server 8.1 SP3 has a documented issue with negotiating Secure Socket Layer (SSL) communication — SSL error: ... SSLCipherUtility.getCompatabilityKeySize()—when the browser presents AES encryption.
Internet Explorer 7, when configured to be compliant with the Federal Desktop Core Configuration (FDCC), presents AES as the first choice for SSL encryption.
Therefore, all SSL URLs hosted on WebLogic 8.1 SP3 and accessed by IE7 with the FDCC configuration will result in a failed browser session, often with a blank browser window and no timeout response.
See the Output tab for exception stack traces that appear in the WebLogic managed server log.
Under FDCC encryption requirements, there are two acceptable encryption cipher suites: AES and Triple DES (3DES). A workaround for this issue is to modify the WebLogic SSL configuration so that the server uses only the 3DES cipher suite. This setting is made in the SSL configuration, which is described in the WebLogic Server Configuration Reference.
The CIPHERSUITES parameter is set to limit encryption at the server to 3DES, using the cipher suite identifier "TLS_RSA_WITH_3DES_EDE_CBC_SHA". In the SSL tag for each managed server defined in the WebLogic config.xml file, specify the CIPHERSUITES= parameter as shown below:
<Server Machine="MyMachine" Name="myserver" ServerVersion="8.1.3.0" … >
   …
   <SSL Ciphersuites="TLS_RSA_WITH_3DES_EDE_CBC_SHA" Enabled="true"
        IdentityAndTrustLocations="KeyStores" Name="myserver"
        ServerPrivateKeyAlias="t2252" ServerPrivateKeyPassPhrase="{3DES}sguM2SSMEDY="/>
   …
</Server>
Prior to editing the config.xml file, all BEA server processes must be stopped, including the Administration Server and the Node Manager.
The cipher suite limitation can be confirmed through server logging and SSL debug logging. Use these JVM options:
-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true
and these server XML options in the config.xml file:
<Server Machine="MyMachine" Name="myserver" … StdoutDebugEnabled="true" StdoutSeverityLevel="64" … >
   <ServerDebug DebugSSL="true" Name="myserver"/>
</Server>
With these options and parameters set, the server log will display this message at startup:
<May 15, 2008 10:26:36 AM EDT> <Debug> <TLS> <000000> <Cipher suites enabled:>
<May 15, 2008 10:26:36 AM EDT> <Debug> <TLS> <000000> < TLS_RSA_WITH_3DES_EDE_CBC_SHA>
The logging and debug options should be removed after successful testing.
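The following script is an added example (not from this note or from BEA) of how to check the workaround offline rather than by eye: it reads the <SSL> tag of every <Server> in a WebLogic 8.1 config.xml and reports any SSL-enabled server whose Ciphersuites attribute still allows something other than TLS_RSA_WITH_3DES_EDE_CBC_SHA, then parses the TLS debug log for the "Cipher suites enabled:" message to confirm what the server actually loaded. The config fragment and log excerpt are constructed (the key alias and passphrase are placeholders), and the log layout is assumed to follow the sample lines quoted above.

```python
"""Offline checker for the 3DES-only SSL workaround (added example).

Reads the <SSL> tag of each <Server> in a WebLogic 8.1 config.xml and the
"Cipher suites enabled:" TLS debug message from the server log.  Sample
config and log below are constructed; the log layout is assumed to match
the note's sample debug lines.
"""
import re
import xml.etree.ElementTree as ET

# The only suite the workaround leaves enabled on WebLogic 8.1 SP3.
WORKAROUND_SUITE = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"

# Constructed config.xml: one server with the workaround applied, one without.
# Alias and passphrase are placeholders, not real values.
SAMPLE_CONFIG = """<Domain Name="mydomain">
  <Server Machine="MyMachine" Name="myserver" ServerVersion="8.1.3.0">
    <SSL Ciphersuites="TLS_RSA_WITH_3DES_EDE_CBC_SHA" Enabled="true"
         IdentityAndTrustLocations="KeyStores" Name="myserver"
         ServerPrivateKeyAlias="PLACEHOLDER_ALIAS"
         ServerPrivateKeyPassPhrase="{3DES}PLACEHOLDER="/>
  </Server>
  <Server Machine="MyMachine" Name="otherserver" ServerVersion="8.1.3.0">
    <SSL Enabled="true" Name="otherserver"/>
  </Server>
</Domain>"""

# Constructed log excerpt in the layout of the note's debug output.
SAMPLE_LOG = """<May 15, 2008 10:26:36 AM EDT> <Debug> <TLS> <000000> <Cipher suites enabled:>
<May 15, 2008 10:26:36 AM EDT> <Debug> <TLS> <000000> < TLS_RSA_WITH_3DES_EDE_CBC_SHA>
<May 15, 2008 10:26:37 AM EDT> <Info> <WebLogicServer> <000000> <Server started in RUNNING mode>"""

FIELD_RE = re.compile(r"<([^<>]*)>")  # one WebLogic log field per <...> group


def audit_config(config_xml):
    """Map each SSL-enabled <Server> name to a list of findings (empty = OK)."""
    report = {}
    for server in ET.fromstring(config_xml).iter("Server"):
        ssl = server.find("SSL")
        if ssl is None or ssl.get("Enabled", "false").lower() != "true":
            continue  # no SSL listener here, nothing to restrict
        name = server.get("Name", "?")
        suites = [s.strip() for s in ssl.get("Ciphersuites", "").split(",") if s.strip()]
        findings = []
        if not suites:
            # No attribute means the server's default suite list, which includes AES.
            findings.append("Ciphersuites not set; default suite list (including AES) is in effect")
        else:
            extra = [s for s in suites if s != WORKAROUND_SUITE]
            if extra:
                findings.append("suites other than 3DES still enabled: " + ", ".join(extra))
            if WORKAROUND_SUITE not in suites:
                findings.append(WORKAROUND_SUITE + " is not enabled")
        report[name] = findings
    return report


def enabled_suites_from_log(log_text):
    """Return the suite names the TLS debug log lists under 'Cipher suites enabled:'."""
    suites, collecting = [], False
    for line in log_text.splitlines():
        fields = FIELD_RE.findall(line)
        if not fields:
            continue
        body = fields[-1].strip()
        if body == "Cipher suites enabled:":
            collecting = True
        elif collecting and "TLS" in fields and re.fullmatch(r"[A-Z0-9_]+", body):
            suites.append(body)  # one suite per follow-on <TLS> debug line
        else:
            collecting = False  # any other line ends the list
    return suites


def workaround_confirmed(config_xml, log_text):
    """True only when every SSL server is 3DES-only and the log agrees."""
    clean = all(not findings for findings in audit_config(config_xml).values())
    return clean and enabled_suites_from_log(log_text) == [WORKAROUND_SUITE]


if __name__ == "__main__":
    for server, findings in audit_config(SAMPLE_CONFIG).items():
        print(server, "->", findings or "3DES-only, OK")
    print("log lists:", enabled_suites_from_log(SAMPLE_LOG))
    print("confirmed:", workaround_confirmed(SAMPLE_CONFIG, SAMPLE_LOG))
```

Run it against the real config.xml and managed server log (with the debug options above enabled) in place of the constructed samples; a server that still reports findings, or a log that lists more than the 3DES suite, means the edit did not take effect on that listener.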
Another option to remedy this issue, as described in "SSL error: ... SSLCipherUtility.getCompatabilityKeySize()", is to move to SP5 or higher for WebLogic 8.1 and follow the instructions for AES cipher suite support. The SAS® Enterprise BI Server 9.1.3 SP4 Web applications and most SAS® solutions are supported on WebLogic 8.1 SP6.
Product Family | Product | System | Product Release Reported | Product Release Fixed* | SAS Release Reported | SAS Release Fixed*
WEBLOGIC | BEA WebLogic Server | 64-bit Enabled AIX | 8.1.3 | 8.1.6 | 9.1 TS1M3 SP4 | 9.1 TS1M3 SP4
WEBLOGIC | BEA WebLogic Server | 64-bit Enabled Solaris | 8.1.3 | 8.1.6 | 9.1 TS1M3 SP4 | 9.1 TS1M3 SP4
WEBLOGIC | BEA WebLogic Server | HP-UX IPF | 8.1.3 | 8.1.6 | 9.1 TS1M3 SP4 | 9.1 TS1M3 SP4
####<May 8, 2008 6:09:58 PM EDT> <Error> <Kernel> <t2252> <myadminserver> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-000802> <ExecuteRequest failed
java.lang.IllegalStateException: Cipher not initialized.
java.lang.IllegalStateException: Cipher not initialized
        at javax.crypto.Cipher.update(DashoA6275)
        at com.certicom.tls.provider.Cipher.update(Unknown Source)
        at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
        at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
        at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
        at com.certicom.net.ssl.CerticomContextWrapper.forceHandshakeOnAcceptedSocket(Unknown Source)
        at weblogic.t3.srvr.SSLListenThread$1.execute(SSLListenThread.java:522)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)>
If the JCE cipher suites are not in use, this exception will appear in the server log:
####<May 8, 2008 6:51:13 PM EDT> <Error> <HTTP> <t2252> <myadminserver> <ExecuteThread: '0' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <BEA-101083> <Connection failure.
java.lang.NullPointerException
        at weblogic.security.utils.SSLCipherUtility.getCompatabilityKeySize(SSLCipherUtility.java:80)
        at weblogic.servlet.internal.MuxableSocketHTTP.dispatch(MuxableSocketHTTP.java:608)
        at weblogic.socket.SSLFilter.dispatch(SSLFilter.java:281)
        at weblogic.socket.MuxableSocketDiscriminator.dispatch(MuxableSocketDiscriminator.java:284)
        at weblogic.socket.SSLFilter.dispatch(SSLFilter.java:281)
        at weblogic.socket.NTSocketMuxer.processSockets(NTSocketMuxer.java:105)
        at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:32)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)>
Type: | Problem Note |
Priority: | high |
Date Modified: | 2008-09-30 09:28:16 |
Date Created: | 2008-09-26 11:11:51 |