Thursday, May 29, 2014

SSL on Weblogic Made Simple – PART4 (Unix utilities)

Here are some of the Unix utilities I put together to test SSL connectivity from a Unix system.

We see a lot of SSL-related issues on the client side; running a synthetic SSL test with these tools before we hand over to the stakeholders catches most of them early.


1)      Wget

# wget http://www.google.com
The above command tests plain HTTP connectivity and downloads the home page.

# wget -vSd --no-check-certificate --ca-certificate=cacert.pem https://<url>
This command makes an SSL connection using the trust store cacert.pem and verifies the SSL handshake (-S prints the server headers, -d the debug output). Note that --no-check-certificate makes wget only warn when the certificate does not validate against cacert.pem; leave it out when you want the command to fail on an untrusted certificate.

# wget -vSd --no-check-certificate --ca-certificate=cacert.pem https://<url> --http-user=pavanuser --http-password=pavanpassword
If the URL is protected, pass the username and password as above to test the connectivity.

2)      Openssl

Testing HTTPS services using the "openssl s_client -connect" command:

# openssl s_client -connect <HOST>:<PORT>
This opens an SSL connection to <HOST>:<PORT> and prints the SSL certificate used by the service. After connecting you can manually send HTTP requests, much like using telnet to connect to an HTTP service and typing a GET request by hand.

If openssl fails to connect it will wait until a timeout occurs and print an error similar to the following:
connect: Operation timed out

# openssl s_client -connect <hostname>:<port> -showcerts
Adding the -showcerts parameter prints every certificate in the chain the server sends, not only the server certificate.

# openssl s_client -showcerts -msg -debug -host <host> -port <PORT>
# openssl s_client -showcerts -msg -debug -host <URL> -port 443
(URL with SSL port)
Adding -msg and -debug prints the handshake messages and a hex dump of the raw traffic, for additional debugging information.
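To turn the s_client output above into a pass/fail answer for a ticket, here is an added Python example (not part of the original post) that parses a constructed sample of `openssl s_client` output and of `openssl x509 -noout -dates` output. The host and CA names in the samples are made up; the verify return code meanings (0, 10, 18, 19, 20, 21) are OpenSSL's standard X509 verification error codes. The expiry check also covers the "check the certificate validity first" step from the troubleshooting post.

```python
"""Interpret `openssl s_client` and `openssl x509 -noout -dates` output.

Added example, not part of the original post: the tool outputs below are
constructed samples (made-up host and CA names); nothing connects anywhere.
"""
import re
from datetime import datetime

# Constructed sample of `openssl s_client -connect app.example.com:443` when the
# server's issuing CA is missing from the trust store (verify code 20).
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = US, O = Example Corp, CN = Example Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=app.example.com
   i:/C=US/O=Example Corp/CN=Example Intermediate CA
 1 s:/C=US/O=Example Corp/CN=Example Intermediate CA
   i:/C=US/O=Example Corp/CN=Example Root CA
---
Server certificate
subject=/C=US/O=Example Corp/CN=app.example.com
issuer=/C=US/O=Example Corp/CN=Example Intermediate CA
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
---
"""

# OpenSSL's standard X509 verify error codes that show up most in client-side
# SSL tickets, with the trust-store action each one usually points to.
VERIFY_CODE_HINTS = {
    0: "chain verified against the trust store",
    10: "server certificate has expired; renew it",
    18: "server presents a self-signed certificate; import it into the trust store or replace it",
    19: "root of the chain is not in the trust store; import the root CA",
    20: "issuer not found: the intermediate/root CA is missing from the trust store, or the server does not send its intermediate",
    21: "only the leaf was sent and its issuer is unknown; the server should send the intermediate",
}

def parse_s_client(output):
    """Pull the facts an SSL ticket needs out of s_client output."""
    result = {"connected": "CONNECTED(" in output, "chain": [],
              "protocol": None, "cipher": None, "verify_code": None,
              "verify_reason": None, "chain_verified": False, "hint": None}
    # one " N s:<subject>" line per certificate the server sent
    result["chain"] = [m.group(1).strip()
                       for m in re.finditer(r"^\s*\d+ s:(.+)$", output, re.M)]
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    if m:
        result["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if m:
        result["cipher"] = m.group(1)
    m = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", output)
    if m:
        code = int(m.group(1))
        result["verify_code"] = code
        result["verify_reason"] = m.group(2)
        result["chain_verified"] = code == 0
        result["hint"] = VERIFY_CODE_HINTS.get(
            code, "see the openssl verify documentation for this code")
    return result

# Constructed sample of `openssl x509 -noout -dates -in server.pem`.
SAMPLE_X509_DATES = """\
notBefore=May  1 00:00:00 2014 GMT
notAfter=May 31 23:59:59 2014 GMT
"""

def cert_validity(dates_output, now):
    """Return (valid_now, days_until_expiry) from `openssl x509 -dates` output.

    days_until_expiry is negative once the certificate has expired.
    """
    fields = dict(line.split("=", 1) for line in dates_output.strip().splitlines())
    fmt = "%b %d %H:%M:%S %Y %Z"           # e.g. "May  1 00:00:00 2014 GMT"
    not_before = datetime.strptime(" ".join(fields["notBefore"].split()), fmt)
    not_after = datetime.strptime(" ".join(fields["notAfter"].split()), fmt)
    return not_before <= now <= not_after, (not_after - now).days

if __name__ == "__main__":
    info = parse_s_client(SAMPLE_S_CLIENT_OUTPUT)
    print("chain depth %d, %s %s, verify %s -> %s" % (
        len(info["chain"]), info["protocol"], info["cipher"],
        info["verify_code"], info["hint"]))
    print("valid now / days left: %s %d" % cert_validity(SAMPLE_X509_DATES, datetime(2014, 5, 29)))
```

Feed it the real output with something like `openssl s_client -connect host:443 </dev/null 2>&1 | python3 -c 'import sys, ssl_check; print(ssl_check.parse_s_client(sys.stdin.read()))'` (module name assumed). The `chain_verified` flag is what a handover test should gate on; a chain of length 1 together with code 20 or 21 almost always means the server is not sending its intermediate certificate.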

3)      Curl

# gives a brief description of the parameters
curl --help

# curl manual page
man curl

# Make a GET request without any data:
curl -k "https://www.xignite.com/xcurrencies.asmx?WSDL"

# To print headers and content
curl -k "https://www.xignite.com/xcurrencies.asmx?WSDL" --include

# To test the SSL connectivity (fails if we don't pass the CA cert and the server's CA is not already trusted)
curl -q -Iv https://<URL>:<PORT>

## To test the SSL connectivity passing the trusted CAs
curl -q --cacert myCAcert.pem -Iv https://<host>:<PORT>

Do not add -k/--insecure to these last two commands: it makes curl ignore certificate verification errors, so the test would pass even when the CA is missing from myCAcert.pem.

 

Tuesday, May 27, 2014

SSL on Weblogic Made Simple – PART3 (TroubleShooting)



We come across a lot of SSL-related issues in our day-to-day middleware activities; here I will walk through different ways of troubleshooting them.

      1)      The first and foremost thing to check as soon as you start looking into an SSL issue is the validity (expiry dates) of the SSL certificate.

      2)      Enable debugging on the WebLogic servers to see the SSL traces and dumps.

         To see the debug messages you need to set the server log severity level to Debug.
     3)      You can also enable debugging in the setDomainEnv.sh file (command line parameters).
This will write all SSL debug information to the server logs.

-Dweblogic.log.RedirectStdoutToServerLogEnabled=true
-Dweblogic.StdoutDebugEnabled=TRUE
-Djavax.net.debug=ssl,handshake,verbose
-Dssl.debug=true

Run the following command to find which debug flags are enabled or disabled:

java weblogic.Admin -username weblogic -password weblogic -url localhost:7001 GET -type ServerDebug -pretty

or, with weblogic.jar on the classpath explicitly:

java -cp .:$WL_HOME/wlserver_10.3/server/lib/weblogic.jar weblogic.Admin -username weblogic -password weblogic -url localhost:7001 GET -type ServerDebug -pretty



     4)      Testing with a Java client to test the SSL connectivity.

   Here is the Java code; save it as SSL_Test.java


 
import java.io.*;
import java.net.*;
import javax.net.ssl.*;
import java.util.*;
import java.security.Permission;
import java.security.cert.Certificate;

public class SSL_Test {

    //Usage ::
    // java_home/bin/java -Djavax.net.debug=ssl,handshake,verbose -XX:+PrintCommandLineFlags -Djavax.net.ssl.trustStore=TrustStore.jks SSL_Test
    public static void main(String[] args) throws Exception {

        // Disabling the host name verification of the certificate.
        // For handshake testing only: skipping the CN/SAN check keeps a host
        // name mismatch from masking the trust-store problem we are after.
        HostnameVerifier allHostsValid = new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        };
        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);

        // Replace WS URL with the actual URL
        URL url =
            new URL("https:///context");
        System.out.println("Opening URL: " + url.toString());

        // openConnection() only builds the connection object; connect() does
        // the TCP connect and the SSL handshake. A missing CA in the trust
        // store throws SSLHandshakeException here, before the messages below.
        HttpsURLConnection con = (HttpsURLConnection)url.openConnection();
        con.connect();
        System.out.println("===================================== HandShake Successful !!!");
        System.out.println("===================================== SSL Connection Successful !!!");
        System.out.println("got the connection Object.....!");
        System.out.println("TRUST STORE :::::::::javax.net.ssl.trustStore::" +
                           System.getProperty("javax.net.ssl.trustStore"));

        System.out.println("%%%%%%%%%% P R I N T I N G    C O N N E C T I O N    I N F O R M A T I O N %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%");
        print_https_cert(con);
        System.out.println(" %%%%%%%%%%            E     N   D   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%           ");

        System.out.println("################## P R I N T I N G    J  A V A    E N V I R O N M E N T  ################## ");
        print_java_classpath();
        System.out.println(" ##################            E     N   D   ##################  ");

        System.out.println("===================================== PRINTING THE CONTENT OF THE URL  ======================================================");

        // Read the response over the connection opened above rather than
        // url.openStream(), which would start a second connection and handshake.
        BufferedReader in =
            new BufferedReader(new InputStreamReader(con.getInputStream()));

        String inputLine;
        while ((inputLine = in.readLine()) != null)
            System.out.println(inputLine);
        in.close();
        con.disconnect();
    }

    // Prints the negotiated cipher suite, response status and headers of an
    // already connected HTTPS connection.
    private static void print_https_cert(HttpsURLConnection con) {

        if (con != null) {
            try {
                //System.out.println("PeerPrincipal : " + con.getPeerPrincipal());
                //System.out.println("LocalPrincipal : " + con.getLocalPrincipal());
                System.out.println("HostnameVerifier : " +
                                   con.getHostnameVerifier());
                System.out.println("DefaultVerifier : " +
                                   HttpsURLConnection.getDefaultHostnameVerifier());
                System.out.println("Response Code : " + con.getResponseCode());
                System.out.println("Cipher Suite : " + con.getCipherSuite());
                System.out.println("ErrorStream : " + con.getErrorStream());
                System.out.println("ResponseMessage : " +
                                   con.getResponseMessage());
                System.out.println("RequestMethod : " +
                                   con.getRequestMethod());
                Permission sp = con.getPermission();
                System.out.println("Permission : " + sp.toString());
                System.out.println("Permission : " + sp.getName());
                System.out.println("Permission : " + sp.getActions());
                // Header map: the status line is stored under the null key.
                Map<String, List<String>> lst = con.getHeaderFields();

                for (Map.Entry<String, List<String>> me : lst.entrySet()) {
                    String key = me.getKey();
                    List<String> valueList = me.getValue();
                    System.out.println("Key: " + key);
                    System.out.print("Values: ");
                    for (String s : valueList) {
                        System.out.print(s + " ");
                    }
                }
                System.out.println("\n");
            } catch (SSLPeerUnverifiedException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }

        }

    }

    // Prints the classpath entries and all system properties, so the run log
    // shows which weblogic.jar and which javax.net.ssl.* settings were used.
    // The URLClassLoader cast works on JDK 6 to 8 (the JDK this post targets).
    private static void print_java_classpath() {
        ClassLoader cl = ClassLoader.getSystemClassLoader();

        URL[] urls = ((URLClassLoader)cl).getURLs();

        for (URL url1 : urls) {
            System.out.println(url1.getFile());
        }
        Properties p = System.getProperties();
        Enumeration<Object> keys = p.keys();
        while (keys.hasMoreElements()) {
            String key = (String)keys.nextElement();
            String value = (String)p.get(key);
            System.out.println(key + ": " + value);
        }
    }

}
You need to update the URL in the code with the required string.

Compile the code:
<JAVA_HOME>/jdk160_31/bin/javac SSL_Test.java

Execute the code:
<JAVA_HOME>/jdk160_31/bin/java -Djavax.net.debug=ssl,handshake,verbose -XX:+PrintCommandLineFlags -Djavax.net.ssl.trustStore=/tmp/truststore.jks SSL_Test

Note: This code is used to test the SSL handshake and also to verify that you are passing the right trust store, i.e. one that contains the appropriate CAs. We need to make sure /tmp/truststore.jks has all the trusted and root CAs of the calling system.

If you don't pass -Djavax.net.ssl.trustStore=/tmp/truststore.jks, the JVM falls back to its default cacerts file and the SSL handshake will fail unless the server's CA happens to be in there.
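To make the `-Djavax.net.debug=ssl,handshake,verbose` output from an SSL_Test run easier to read, here is an added Python example (not from the original post) that triages a JSSE debug log: it extracts the trust store path and the CAs loaded from it, the cipher suite, the issuer of the server's leaf certificate, the fatal alert and the exception, and maps them to a likely cause. The two log samples are constructed to mirror the Java 6/7 JSSE format, with made-up host and CA names; the diagnosis rules encode the failure discussed above (CA missing from the trust store) plus its usual neighbours (host name mismatch, expired certificate, no common cipher suite).

```python
"""Triage a JSSE debug log produced with -Djavax.net.debug=ssl,handshake.

Added example, not part of the original post. Both logs below are constructed
to look like Java 6/7 JSSE output; host and certificate names are made up.
"""
import re

# Constructed sample: the handshake failed because the trust store passed with
# -Djavax.net.ssl.trustStore did not contain the server's issuing CA.
SAMPLE_FAILED_LOG = """\
trustStore is: /tmp/truststore.jks
trustStore type is : jks
init truststore
adding as trusted cert:
  Subject: CN=Corporate Root CA, O=Example Corp, C=US
  Issuer:  CN=Corporate Root CA, O=Example Corp, C=US
%% No cached client session
*** ClientHello, TLSv1
*** ServerHello, TLSv1
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Subject: CN=app.example.com, O=Example Corp, C=US
  Issuer: CN=Vendor Issuing CA, O=Vendor Inc, C=US
]
***
main, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""

# Constructed sample: same server, trust store now contains the issuing CA.
SAMPLE_OK_LOG = """\
trustStore is: /tmp/truststore.jks
adding as trusted cert:
  Subject: CN=Vendor Issuing CA, O=Vendor Inc, C=US
*** ClientHello, TLSv1
*** ServerHello, TLSv1
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
  Subject: CN=app.example.com, O=Example Corp, C=US
  Issuer: CN=Vendor Issuing CA, O=Vendor Inc, C=US
]
***
*** ServerHelloDone
*** Finished
*** Finished
"""

# Ordered rules matched against the exception text and the alert description.
CAUSE_RULES = [
    (r"unable to find valid certification path|PKIX path building failed",
     "server CA not in the trust store"),
    (r"No subject alternative names|No name matching",
     "host name in URL does not match the certificate"),
    (r"NotAfter|certificate_expired|CertificateExpiredException",
     "server certificate expired"),
    (r"handshake_failure",
     "no cipher suite or protocol version in common with the server"),
]

def diagnose_jsse_debug(log):
    """Summarise what the JSSE debug output says about the handshake."""
    r = {"trust_store": None, "trusted_certs": [], "cipher_suite": None,
         "server_cert_issuer": None, "issuer_trusted": False, "alert": None,
         "exception": None, "handshake_finished": log.count("*** Finished") >= 2,
         "likely_cause": None}
    m = re.search(r"^trustStore is:\s*(\S+)", log, re.M)
    if m:
        r["trust_store"] = m.group(1)
    # every "adding as trusted cert:" block is one CA loaded from the trust store
    r["trusted_certs"] = [m.group(1).strip() for m in
                          re.finditer(r"adding as trusted cert:\s+Subject:\s*(.+)", log)]
    m = re.search(r"^Cipher Suite:\s*(\S+)", log, re.M)
    if m:
        r["cipher_suite"] = m.group(1)
    # chain [0] is the server's leaf certificate; its issuer must chain to a trusted CA
    m = re.search(r"chain \[0\] = \[.*?Issuer:\s*(.+?)\n", log, re.S)
    if m:
        r["server_cert_issuer"] = m.group(1).strip()
        r["issuer_trusted"] = r["server_cert_issuer"] in r["trusted_certs"]
    m = re.search(r"ALERT:\s*fatal,\s*description\s*=\s*(\w+)", log)
    if m:
        r["alert"] = m.group(1)
    m = re.search(r"handling exception:\s*(.+)", log)
    if m:
        r["exception"] = m.group(1).strip()

    if r["handshake_finished"] and not r["exception"]:
        r["likely_cause"] = "handshake completed"
    else:
        text = (r["exception"] or "") + " " + (r["alert"] or "")
        for pattern, cause in CAUSE_RULES:
            if re.search(pattern, text):
                r["likely_cause"] = cause
                break
        else:
            r["likely_cause"] = "handshake failed; see exception text"
    if r["likely_cause"] == "server CA not in the trust store" and r["server_cert_issuer"]:
        r["likely_cause"] += " (%s must be added to %s)" % (
            r["server_cert_issuer"], r["trust_store"] or "the default cacerts")
    return r

if __name__ == "__main__":
    for name, log in (("failed", SAMPLE_FAILED_LOG), ("ok", SAMPLE_OK_LOG)):
        print(name, "->", diagnose_jsse_debug(log)["likely_cause"])
```

Run it over a captured log with `python3 jsse_triage.py < ssl_test.log` after changing the `__main__` block to read stdin (file name assumed). `issuer_trusted` is a first-pass check only: it compares the issuer of chain [0] with the subjects loaded from the trust store, so when the server sends intermediates the trust anchor may sit higher in the chain and the flag can be False on a run that still completes.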