I had an interesting case at a customer where the Single Sign On (using SAML2) on a WebLogic Server stopped working after the renewal of the WebLogic SSL Certificate. The WebLogic Server itself and its applications were still accessible (by bypassing the SSO) and working fine but not the SSO itself. That’s definitively a strange behavior and not something I would expect to see broken after just changing a certificate that has, apparently, no link to it at all but that’s what happened.<\/p>\n
<\/p>\n
What I mean by the SSO stopped working is that WebLogic returned its usual 403 Forbidden (e.g.:\u00a0WebLogic \u2013 SSO\/Atn\/Atz \u2013 403 Forbidden, a first issue<\/a> or WebLogic \u2013 SSO\/Atn\/Atz \u2013 403 Forbidden, another issue<\/a>). As always, the first step to try to debug what is really happening is to enable the SAML2\/Atn\/Atz logging (WebLogic \u2013 SSO\/Atn\/Atz \u2013 How to enable debug logs<\/a>) since it usually gives good insight into the real issue and it was again the case:<\/p>\n <\/p>\n As you can see above, the SSO itself starts properly, the SAML2 exchange is done successfully but then WebLogic tries to check if the SAML2 user is valid by trying to check the user details inside the LDAP but that fails with “Fatal Alert received: Certificate Unknown<\/em>“. Because WebLogic isn’t able to contact the LDAP, it checks the local users but, in this case, all users are on the LDAP so the SSO is rejected, and the 403 Forbidden page is displayed.<\/p>\n <\/p>\n As part of the update process for the WebLogic SSL Certificate, the following is done:<\/p>\n <\/p>\n All these steps were verified and there were no big differences before and after the SSL Certificate renewal. The only small one I could see was regarding the SSL Certificate itself and more specifically regarding the “ExtendedKeyUsages<\/strong><\/em>” of it. On the old\/previous SSL Certificate, this property\u00a0contained two options: serverAuth<\/strong> and clientAuth<\/strong>. However, the new SSL Certificate only contained the serverAuth<\/strong> and not the clientAuth<\/strong>:<\/p>\n <\/p>\n After some digging, it appeared that the process of generating the SSL Certificate, which is managed by another team at this customer, changed for security reasons. Therefore, newly generated SSL Certificates do not have the clientAuth<\/strong> anymore, which means that this SSL Certificate cannot be used as a “client<\/em>” certificate. It is understandable that they would want to remove that by default since it could be used by malicious people, but it also means that it would break any 2-way-SSL or similar behavior where SSL Certificates of a “client<\/em>” and “server<\/em>” are exchanged.<\/p>\n <\/p>\n In this case, the WebLogic Server is acting as the “client<\/em>” of the LDAP Server (which must be requesting the client certificate I assume) and the communication isn’t proceeding because the SSL Certificate of the WebLogic Server doesn’t contain the clientAuth<\/strong>. Therefore, the only solution is to re-generate an SSL Certificate with the clientAuth<\/strong> this time. After doing so, the communication with the LDAPS was back and the SSO as well. If you ever face a similar situation, try to compare the previous JKS with the new one using the keytool utility for example and make sure there are no differences between them!<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" I had an interesting case at a customer where the Single Sign On (using SAML2) on a WebLogic Server stopped working after the renewal of the WebLogic SSL Certificate. The WebLogic Server itself and its applications were still accessible (by bypassing the SSO) and working fine but not the SSO itself. That’s definitively a strange […]<\/p>\n","protected":false},"author":20,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197],"tags":[1719,1149,1229,382,445,647],"type_dbi":[],"class_list":["post-17122","post","type-post","status-publish","format-standard","hentry","category-application-integration-middleware","tag-2-way-ssl","tag-certificate","tag-saml2","tag-ssl","tag-sso","tag-weblogic"],"acf":[],"yoast_head":"\n####<Jan 24, 2022 7:04:57> <SecuritySAML2Service> <BEA-000000> <SAML2Filter: Processing request on URI '\/D2\/X3_Portal.jsp'>\n####<Jan 24, 2022 7:04:57> <SecuritySAML2Service> <BEA-000000> <getServiceTypeFromURI(): request URI is '\/D2\/X3_Portal.jsp'>\n####<Jan 24, 2022 7:04:57> <SecuritySAML2Service> <BEA-000000> <getServiceTypeFromURI(): request URI is not a service URI>\n####<Jan 24, 2022 7:04:57> <SecuritySAML2Service> <BEA-000000> <getServiceTypeFromURI(): returning service type 'SPinitiator'>\n####<Jan 24, 2022 7:04:57> <SecuritySAML2Service> <BEA-000000> <SP initiating authn request: processing>\n####<Jan 24, 2022 7:04:57> <SecuritySAML2Service> <BEA-000000> <SP initiating authn request: partner id is null>\n####<Jan 24, 2022 7:04:57> <SecuritySAML2Service> <BEA-000000> <SP initiating authn request: use partner binding HTTP\/Redirect>\n####<Jan 24, 2022 7:04:57> <SecuritySAML2Service> <BEA-000000> <signature algorithm of saml object: null>\n####<Jan 24, 2022 7:04:57> <SecuritySAML2Service> <BEA-000000> <URL encoded saml message:fZBRa4MwF...Rd%2F%2FgU%3D>\n####<Jan 24, 2022 7:04:57> <SecuritySAML2Service> <BEA-000000> <URL encoded relay state:null>\n####<Jan 24, 2022 7:04:57> <SecuritySAML2Service> <BEA-000000> <QueryString without signature_SAMLRequest=fZBRa4MwF...Rd%2F%2FgU%3D>\n####<Jan 24, 2022 7:04:57> <SecuritySAML2Service> <BEA-000000> <URL:https:\/\/sso.domain.net\/oamfed\/idp\/samlv20?SAMLRequest=fZBRa4MwF...Rd%2F%2FgU%3D>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Service> <BEA-000000> <SAML2Servlet: Initialized logger service>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Service> <BEA-000000> <SAML2Servlet: Initialized SAML2 service>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Service> <BEA-000000> <SAML2Servlet: setConfigKey called with key 'default'>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Service> <BEA-000000> <SAML2Servlet: Processing request on URI '\/saml2\/sp\/acs\/post'>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Service> <BEA-000000> <getServiceTypeFromURI(): request URI is '\/saml2\/sp\/acs\/post'>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Service> <BEA-000000> <getServiceTypeFromURI(): service URI is '\/sp\/acs\/post'>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Service> <BEA-000000> <getServiceTypeFromURI(): returning service type 'ACS'>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Service> <BEA-000000> <Assertion consumer service: processing>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Service> <BEA-000000> <get SAMLResponse from http request:PHNhbWxwO...\n...\n...\n...bnNlPg==\n>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Service> <BEA-000000> <BASE64 decoded saml message:<samlp:Response xmlns_samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ...\n...\n...\n...<\/saml:Assertion><\/samlp:Response>>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Service> <BEA-000000> <<samlp:Response> is signed.>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionServiceImpl.assertIdentity(SAML2.Assertion.DOM)>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity(SAML2.Assertion.DOM)>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Atn> <BEA-000000> <SAML2IdentityAsserterProvider: start assert SAML2 token>\n...\n...\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@5dec31be>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <LDAP ATN LoginModule initialized>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <LDAP Atn Login>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>\n####<Jan 24, 2022 7:04:58> <SecuritySAML2Atn> <BEA-000000> <SAMLIACallbackHandler: callback[0]: NameCallback: setName(PatouMorgan01)>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=PatouMorgan01>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <LDAP Atn Login username: PatouMorgan01>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <getUserDNName? user:PatouMorgan01>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <getDNForUser search(\"ou=people,ou=intranet,dc=company,dc=com\", \"(&(uid=PatouMorgan01)(objectclass=companyperson))\", base DN & below)>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <new LDAP connection to host ldaps.domain.net port 636 use local connection is false>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:\"\"}>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <Connecting to host=ldaps.domain.net, ssl port=636>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <Successfully connected to host=ldaps.domain.net, ssl port=636>\n####<Jan 24, 2022 7:04:58> <Security> <BEA-099117> <The LDAP authentication provider named \"LDAPSAuthenticator\" failed to make connection to ldap server at ldaps:\/\/ldaps.domain.net:636, the error cause is: Fatal Alert received: Certificate Unknown.>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <connection failed netscape.ldap.LDAPException: Fatal Alert received: Certificate Unknown (91); Cannot connect to the LDAP server>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LoginServerUnavailableException: Fatal Alert received: Certificate Unknown\n at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.handleLDAPAtnDelegateException(LDAPAtnLoginModuleImpl.java:679)\n at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:219)\n at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)\n at java.security.AccessController.doPrivileged(Native Method)\n at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)\n at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\n at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n at java.lang.reflect.Method.invoke(Method.java:498)\n at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)\n at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)\n at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)\n at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)\n at java.security.AccessController.doPrivileged(Native Method)\n ...\n at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1632)\n at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:256)\n at weblogic.work.ExecuteThread.execute(ExecuteThread.java:311)\n at weblogic.work.ExecuteThread.run(ExecuteThread.java:263)\n>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>\n####<Jan 24, 2022 7:04:58> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@5dec31be>\n...<\/pre>\n\n
[weblogic@wls01 certs]$ keytool -v -list -keystore new\/identity.jks\nEnter keystore password:\nKeystore type: jks\nKeystore provider: SUN\n\nYour keystore contains 1 entry\n\nAlias name: wlscert\nCreation date: Jan 24, 2022\nEntry type: PrivateKeyEntry\nCertificate chain length: 3\nCertificate[1]:\nOwner: CN=wls01.domain.net, OU=it, O=company, L=city, ST=state, C=CH\nIssuer: CN=Int CA\nSerial number: ...9773\nValid from: Mon Jan 24 06:30:09 UTC 2022 until: Tue Jan 24 06:30:09 UTC 2023\nCertificate fingerprints:\n MD5: ...\n SHA1: ...\n SHA256: ...\nSignature algorithm name: SHA256withRSA\nSubject Public Key Algorithm: 2048-bit RSA key\nVersion: 3\n\nExtensions:\n...\n#7: ObjectId: 2.5.29.37 Criticality=false\nExtendedKeyUsages [\n serverAuth\n]\n\n#8: ObjectId: 2.5.29.15 Criticality=true\nKeyUsage [\n DigitalSignature\n Key_Encipherment\n]\n...\n\nCertificate[2]:\nOwner: CN=Int CA\nIssuer: CN=Root CA\n...\n\nCertificate[3]:\nOwner: CN=Root CA\nIssuer: CN=Root CA\n...\n\n\n*******************************************\n*******************************************\n\n\n[weblogic@wls01 certs]$\n[weblogic@wls01 certs]$\n[weblogic@wls01 certs]$ keytool -v -list -keystore old\/identity.jks\nEnter keystore password:\nKeystore type: jks\nKeystore provider: SUN\n\nYour keystore contains 1 entry\n\nAlias name: wlscert\nCreation date: Jan 29, 2020\nEntry type: PrivateKeyEntry\nCertificate chain length: 3\nCertificate[1]:\nOwner: CN=wls01.domain.net, OU=it, O=company, L=city, ST=state, C=CH\nIssuer: CN=Int CA\nSerial number: ...3e41\nValid from: Wed Jan 29 08:27:25 UTC 2020 until: Fri Jan 28 08:27:25 UTC 2022\nCertificate fingerprints:\n MD5: ...\n SHA1: ...\n SHA256: ...\nSignature algorithm name: SHA256withRSA\nSubject Public Key Algorithm: 2048-bit RSA key\nVersion: 3\n\nExtensions:\n...\n#7: ObjectId: 2.5.29.37 Criticality=false\nExtendedKeyUsages [\n clientAuth\n serverAuth\n]\n\n#8: ObjectId: 2.5.29.15 Criticality=true\nKeyUsage [\n DigitalSignature\n Key_Encipherment\n]\n...\n\nCertificate[2]:\nOwner: CN=Int CA\nIssuer: CN=Root CA\n...\n\nCertificate[3]:\nOwner: CN=Root CA\nIssuer: CN=Root CA\n...\n\n\n*******************************************\n*******************************************\n\n\n[weblogic@wls01 certs]$<\/pre>\n