4

I have done the t3s setting and configured it. Now when I try to make a call, I get the exception below. Please help, guys.

I have tried the steps mentioned at this URL: Enterprise Software Development with Java: WebLogic Server SSL (https/t3s) and Java Web Start

I have also included the code below, as per Configuring Transport-Level Security:

System.setProperty("weblogic.security.SSL.ignoreHostnameVerification","true");  
System.setProperty("java.protocol.handler.pkgs", "weblogic.net");  
System.setProperty("weblogic.security.TrustKeyStore","CustomTrust");  
System.setProperty("weblogic.security.CustomTrustKeyStoreFileName","TRUST_STORE_LOCATION");
System.setProperty("weblogic.security.CustomTrustKeyStorePassPhrase","TRUST_STORE_PASSWORD");
System.setProperty("weblogic.security.CustomTrustKeyStoreType","JKS");

Exception:

[java] <Feb 25, 2014 1:14:22 AM EST> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>   
[java] <Feb 25, 2014 1:14:22 AM EST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.>   
[java] <Feb 25, 2014 1:14:22 AM EST> <Info> <Security> <BEA-090908> <Using the default WebLogic SSL Hostname Verifier implementation.>   
[java]   
[java] TYPE_PARAM = ERROR  
[java] CODE_PARAM = null  
[java] MESSAGE_PARAM = null  
[java]   
[java]  
[java] at junit.extensions.jfunc.SALQATestCase.runBare(SALQATestCase.java:111)  
[java] at junit.extensions.jfunc.SALQATestCase$1.protect(SALQATestCase.java:96)  
[java] at junit.framework.TestResult.runProtected(TestResult.java:124)  
[java] at junit.extensions.jfunc.SALQATestCase.run(SALQATestCase.java:99)  
[java] at junit.framework.TestSuite.runTest(TestSuite.java:208)  
[java] at junit.framework.TestSuite.run(TestSuite.java:203)  
[java] at junit.extensions.jfunc.textui.SALQARunner.doRun(SALQARunner.java:69)  
[java] at junit.extensions.jfunc.textui.SALQARunner.run(SALQARunner.java:314)  
[java]  Caused by: javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3s://xxxxxxxxxx.com:7002: Destination xx.xx.xx.xx, 7002 unreachable; nested exception is:   
[java] javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination]  
[java] at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:40)  
[java] at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:808)  
[java] at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:363)  
[java] at weblogic.jndi.Environment.getContext(Environment.java:319)  
[java] at weblogic.jndi.Environment.getContext(Environment.java:288)  
[java] at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:117)  
[java] at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)  
[java] at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)  
[java] at javax.naming.InitialContext.init(InitialContext.java:223)  
[java] at javax.naming.InitialContext.<init>(InitialContext.java:197)  
[java]  
[java] Caused by: java.net.ConnectException: t3s://xxxxxxxxxx.com:7002: Destination xx.xx.xx.xx, 7002 unreachable; nested exception is:   
[java] javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination  
[java] at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:216)  
[java] at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java:169)  
[java] at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java:165)  
[java] at weblogic.jndi.WLInitialContextFactoryDelegate$1.run(WLInitialContextFactoryDelegate.java:342)  
[java] at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)  
[java] at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)  
[java] at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:337)  
[java] ... 21 more  
[java] Caused by: java.rmi.ConnectException: Destination xx.xx.xx.xx, 7002 unreachable; nested exception is:   
[java] javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination  
[java] at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:490)  
[java] at weblogic.rjvm.ConnectionManager.bootstrap(ConnectionManager.java:328)  
[java] at weblogic.rjvm.RJVMManager.findOrCreateRemoteInternal(RJVMManager.java:267)  
[java] at weblogic.rjvm.RJVMManager.findOrCreate(RJVMManager.java:204)  
[java] at weblogic.rjvm.RJVMFinder.findOrCreateRemoteServer(RJVMFinder.java:238)  
[java] at weblogic.rjvm.RJVMFinder.findOrCreateInternal(RJVMFinder.java:200)

netstat gives the list below. I see 7002 in LISTEN mode. Isn't that correct?

$ netstat -tulpn | grep :7002
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp        0      0 xxxxxxxxxxxxxxxxxxxxxx:7002 :::*                        LISTEN      25657/java
tcp        0      0 ::xxxx:127.0.0.1:7002       :::*                        LISTEN      25657/java
tcp        0      0 xxxx::xxxxxxxxxxxxxxxx:7002 :::*                        LISTEN      25657/java
tcp        0      0 ::xxxx:xx.xxx.xx.xx:7002  :::*                        LISTEN      25657/java
Brad Larson
Prateek Agarwal
  • It looks like Weblogic is throwing a completely inappropriate SSLHandshakeException when it should be throwing a ConnectException, but what part of 'destination unreachable' don't you understand? – user207421 Feb 26 '14 at 08:56

2 Answers

8

SSL errors are often misleading. An SSLHandshakeException is usually a certificate issue (that the SSL connection cannot be validated as trusted).

Your server is likely signed with a self-signed certificate, which will usually need to be added to your cacerts keystore to allow SSL to trust it, i.e., you need to add the SSL certificate from the WebLogic server to your JDK/JRE keystore. See the answer(s) to this question:

How to properly import a selfsigned certificate into Java keystore that is available to all Java applications by default

If you are on UNIX, the commands at the link above work as-is. If you are on Windows, all of the UNIX utilities you need (openssl, sed) are secretly included in the installation of Git, or you can use Cygwin. All I had to do was use openssl to grab the certificate and then use keytool (part of the JDK) to add it to my JDK's cacerts file (%JAVA_HOME%\jre\lib\security\cacerts).

Note: If you import the certificate to your ~/.keystore file (on Windows: %userprofile%\.keystore), it will still fail, but you will likely get a different exception:

javax.net.ssl.SSLHandshakeException: General SSLEngine problem; No available router to destination

Once you are successfully connected, it will look like this:

Connecting to t3s://*********:7001 with userid ********...
<Jul 23, 2014 4:00:25 PM EDT> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify -Dweblogic.security.allowCryptoJDefaultJCEVerification=true.>
<Jul 23, 2014 4:00:25 PM EDT> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG to FIPS186PRNG. To disable this change, specify -Dweblogic.security.allowCryptoJDefaultPRNG=true.>
<Jul 23, 2014 4:00:25 PM EDT> <Info> <Security> <BEA-090908> <Using the default WebLogic SSL Hostname Verifier implementation.>
Successfully connected to Admin Server "AdminServer" that belongs to domain "******".

Another related post on retrieving and adding an SSL key (through java): Java keytool easy way to add server cert from url/port

Community
Jason Alexander
-1

The error you are getting is not an SSLHandshake error, it says

"java.net.ConnectException: t3s://xxxxxxxxxx.com:7002: Destination xx.xx.xx.xx, 7002 unreachable"

1) Check the url you are providing.

2) Do a telnet on that DNS port

3) Make sure there's no firewall blocking the request.

4) If 7002 is the port of your admin server (I am assuming you have only 1 server in domain) then try accessing https://DNS:7002/console and see if that loads fine first.

SridharS
  • netstat -tulpn | grep :7002 is listing as LISTEN. Isn't it correct? – Prateek Agarwal Feb 26 '14 at 16:03
  • SSLHandshake error comes after a successful TCP connection. The error message is misleading. Despite the error, the port isn't unreachable - the port is reachable but then the SSL connection cannot be securely made. – Ben Aveling Jan 12 '22 at 05:23
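
The two readings of this exception (unreachable port versus a certificate that fails validation) can be told apart from the client machine by testing the TCP layer and the TLS layer separately. The following is an added example, not code from the posts above or from WebLogic: it uses the standard JSSE API rather than WebLogic's own client classes, and the class name T3sTrustCheck and its four command-line arguments are assumptions.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example. Usage: java T3sTrustCheck <host> <port> <truststore.jks> <password>
public class T3sTrustCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // Step 1: plain TCP. A failure here is a routing or firewall problem, not TLS.
        Socket tcp = new Socket();
        try {
            tcp.connect(new InetSocketAddress(host, port), 5000);
        } catch (IOException e) {
            System.out.println("TCP connect failed (network issue): " + e);
            return;
        }
        System.out.println("TCP connect OK, port is reachable");

        // Step 2: TLS handshake that trusts only the certificates in the given JKS file.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[2])) {
            trust.load(in, args[3].toCharArray());
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket tls = (SSLSocket) factory.createSocket(tcp, host, port, true)) {
            SSLParameters params = tls.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // keep hostname checking on
            tls.setSSLParameters(params);
            tls.startHandshake();
            X509Certificate leaf = (X509Certificate) tls.getSession().getPeerCertificates()[0];
            System.out.println("Handshake OK, subject: " + leaf.getSubjectX500Principal());
            System.out.println("Issuer: " + leaf.getIssuerX500Principal());
        } catch (SSLException e) {
            // The port answered, but the certificate chain or hostname did not validate.
            System.out.println("TLS handshake failed (trust issue): " + e);
        }
    }
}
```

Run it with the same JKS file the client passes as weblogic.security.CustomTrustKeyStoreFileName: if step 1 succeeds and step 2 fails, the server certificate or its issuer is not trusted by that store, or the certificate does not match the host name used.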