Thursday, June 11, 2015

SSL Hostname verification in Weblogic Server

If you see the error below in the logs while accessing a web service over SSL:

<Notice> <StdErr> <BEA-000000> <javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://<Host-Name>:<Port>/<Webservice Endpoint>?wsdl. It failed with: [Security:090504]Certificate chain received from <Host-Name>.<Domain-Name> failed hostname verification check. Certificate contained *.<Domain Name> but check expected  <Host-Name>.<Domain-Name>


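The message says the certificate presented a wildcard name (*.<Domain Name>) and the host name verifier did not accept it for <Host-Name>.<Domain-Name>. To resolve this, follow the steps below to disable host name verification in WLS: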

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane of the Console, expand Environment and select Servers.
  3. Click the name of the server for which you want to disable host name verification.
  4. Select Configuration > SSL, and click Advanced at the bottom of the page.
  5. Set the Hostname Verification field to None.
  6. Click Save.
  7. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
    Not all changes take effect immediately—some require a restart (see Use the Change Center).
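Note: This is not recommended for production environments. With host name verification set to None, the server no longer checks that the name in the certificate matches the host it connected to.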
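
The error above shows a wildcard certificate name failing a name check, and the steps above turn the check off. The Python sketch below is an added example, not WebLogic code and not code from this post: it compares a literal name check, a conservative wildcard-aware check (in the spirit of RFC 6125) and no check at all. All function names and host names are hypothetical and constructed for illustration.

```python
# Added illustration. Function names and host names are constructed;
# this is not WebLogic's verifier implementation.

def _labels(name):
    return name.lower().rstrip(".").split(".")

def literal_match(cert_name, host):
    """Literal comparison: '*.example.com' never equals a real host name."""
    return _labels(cert_name) == _labels(host)

def wildcard_match(cert_name, host):
    """Conservative wildcard rule: '*' only as the entire left-most label."""
    cert, target = _labels(cert_name), _labels(host)
    if "" in cert or "" in target or "*" in host:
        return False                  # malformed name or wildcard in host
    if "*" not in cert_name:
        return cert == target
    if cert[0] != "*" or any("*" in label for label in cert[1:]):
        return False                  # 'f*o.example.com', 'a.*.example.com'
    if len(cert) < 3:
        return False                  # policy choice: refuse '*.com'
    # '*' covers exactly one label, so depth and parent domain must match.
    return len(target) == len(cert) and target[1:] == cert[1:]

def no_verification(cert_name, host):
    """Hostname Verification = None: the names are never compared."""
    return True

VERIFIERS = {"literal": literal_match,
             "wildcard": wildcard_match,
             "none": no_verification}

def compare(cert_name, host):
    """Return each verifier's decision for one certificate name and host."""
    return {name: check(cert_name, host) for name, check in VERIFIERS.items()}

if __name__ == "__main__":
    # Constructed cases: (name in certificate, host the client connected to)
    cases = [("*.example.com", "app1.example.com"),
             ("*.example.com", "a.b.example.com"),
             ("*.example.com", "example.com"),
             ("*.example.com", "app1.other.test")]
    for cert_name, host in cases:
        print(f"{cert_name:15} {host:18} {compare(cert_name, host)}")
```

Only the "none" column accepts app1.other.test, which is what setting the field to None trades away.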

Saturday, February 28, 2015

Passed Oracle Mobile Security Suite 11g Essentials Exam

I am glad to share that I passed the Oracle Mobile Security Suite (OMSS) 11g Essentials Exam. OMSS leverages the technology acquired from the acquisition of Bitzer Mobile. It's a new Mobile Application Management (MAM) solution that comes with many cool features like App Containerization and simplifies enterprise mobility. This is going to address the BYOD (Bring Your Own Device) initiative that many corporations have started following, with many more to join.



When I started preparing for the exam, I didn't find much documentation other than the Oracle documents. To pass the exam, just going through the Oracle documentation is enough. Most of the questions are straightforward and come directly from the documents. Unlike other Oracle exams, none of the questions were based on real implementation experience.

Some Useful Links -

OMSS Documentation - http://docs.oracle.com/cd/E52357_01/index.htm
Oracle Webcast - http://medianetwork.oracle.com/video/player/3442504861001
Blogs - http://ptotech.blogspot.com/2014/05/oracle-mobile-and-security-suite-omss.html

Sunday, February 8, 2015

Weblogic Security Exception : Invalid Subject Principals

If you see the error "Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals" in the WebLogic Server logs on an RMI invocation of an EJB deployed on a different WebLogic domain, the issue is in the domain trust security settings.

Stack trace


Caused by: java.lang.SecurityException: [Security:090398]Invalid Subject: principals
at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:833)
at weblogic.security.service.SecurityServiceManager.getSealedSubjectFromWire(SecurityServiceManager.java:522)
at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:352)
at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:953)
at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:351)

To solve this, enable trust between the WebLogic Server domains and specify the same credential in both domains. This can be done by:

  • Enabling Cross Domain Security between Weblogic Server Domains
  • Enabling Global Trust

I fixed it by enabling global trust between the WebLogic Server domains. By default, domain credentials are randomly generated, so no two domains have the same domain credential. Replace the generated credential and specify the same domain credential in each of the domains. Identity is then passed between WLS domains over an RMI connection without requiring authentication in the second domain. Because the second domain accepts these identities without authenticating them, treat the shared credential as a secret and use a strong value.

Note: Don't confuse the domain credential with the credential used to log in to the WLS console.


Configuration Steps

1. Log in to WLS console and click on Lock and Edit (top left pane)
2. In the left pane click on Domain name.
3. Select Security > General on the center pane. Click Advanced link.
4. Enter password in Credential and Confirm Credential fields.
5. Click on Activate Changes in the top left pane.