1
votes

I am getting an "org.apache.axis2.AxisFault: HTTP ( 403 )" error while calling a secured web service from WebSphere Application Server 7 (JRE 1.6). The service is just HTTPS and doesn't require any authentication. I imported the certificate into the WebSphere server truststore through "Signer Certificates".

I can call the same service through the same WebSphere JRE 1.6 as a standalone Java program by adding the certificate to cacerts using the keytool command.

Any help is appreciated!

SSL DEBUG failure log:

    O Using SSLEngineImpl.
     O SSLv3 protocol was requested but was not enabled
     O SSLv3 protocol was requested but was not enabled
     O Is initial handshake: true
     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
     O %% Client cached [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA]
     O %% Try resuming [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA] from port -1
     O *** ClientHello, TLSv1
     O RandomCookie:  GMT: 1474467386 bytes = { 207 }
     O Session ID:  {16}
     O Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_RENEGO_PROTECTION_REQUEST]
     O Compression Methods:  { 0 }
     O ***
     O [write] MD5 and SHA1 hashes:  len = 97
     O 0000: ......X.........

    O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 97
    O [Raw write]: length = 102
    O 0000: ....a......X....

     O [Raw read]: length = 5
     O 0000: 16 03 01 00 51                                     ....Q

     O [Raw read]: length = 81
     O 0000: 02 00 00 4d 03 01 58 e3  96 0b 5b d1 87 59 13 41  ...M..X......Y.A

     O ListenerContainer-1, READ: TLSv1 Handshake, length = 81
     O *** ServerHello, TLSv1
     O RandomCookie:  GMT: 1474467339 bytes = { 91 }
     O Session ID:  {16,128}
     O Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
     O Compression Method: 0
     O Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
     O ***
     O JsseJCE:  Using MessageDigest MD5 from provider IBMJCE version 1.2
     O JsseJCE:  Using MessageDigest SHA from provider IBMJCE version 1.2
     O JsseJCE:  Using KeyGenerator IbmTlsKeyMaterial from provider TBD via init 
     O CONNECTION KEYGEN:
     O Client Nonce:

    O Server Nonce:

    O Master Secret:
    O 0000: ..0..x.Q.....3..

    O Client MAC write Secret:
    O 0000: ..y..3..........
             ..M.

    O Server MAC write Secret:
    O 0000: 39 33 d2 cf a0 1c 20 fa  e2 4f 02 a1 86 ff b5 c9  93.......O......
             w..L

    O Client write key:
    O 0000: c7 3f fa 9b 84 98 44 bc  4d bb 69 5d 9d d2 71 db  ......D.M.i...q.

    O Server write key:
    O 0000: dc df 01 38 e5 07 32 9e  d4 1a b1 8a 5a e8 6f d4  ...8..2.....Z.o.

    O Client write IV:
    O 0000: a2 15 75 d4 8e d1 1b 4f  31 7b b1 e3 36 01 01 34  ..u....O1...6..4

    O Server write IV:
    O 0000: e6 46 38 f7 aa 03 f2 7e  f4 fb 6b 9f cb 88 df 48  .F8.......k....H

    O %% Server resumed [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA]
    O [read] MD5 and SHA1 hashes:  len = 81
    O 0000: 02 00 00 4d 03 01 58 e3  96 0b 5b d1 87 59 13 41  ...M..X......Y.A

     O [Raw read]: length = 5
     O 0000: 14 03 01 00 01                                     .....

     O [Raw read]: length = 1
     O 0000: 01                                                 .

     O ListenerContainer-1, READ: TLSv1 Change Cipher Spec, length = 1
     O JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init 
     O CipherBox:  Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
     O JsseJCE:  Using MAC HmacSHA1 from provider TBD via init 
     O MAC:  Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
     O [Raw read]: length = 5
     O 0000: 16 03 01 00 30                                     ....0

     O [Raw read]: length = 48
     O 0000: 32 d4 5a 8e 54 a3 bc d6  e4 38 f4 fb 3a 85 fa e1  2.Z.T....8......

     O ListenerContainer-1, READ: TLSv1 Handshake, length = 48
     O 0000: 14 00 00 0c 13 9c d6 b0  ca a6 cd e1 81 dd 8b c1  ................

     O *** Finished
     O verify_data:  { 19, 156, 214, 176, 202, 166, 205, 225, 129, 221, 139, 193 }
     O ***
     O JsseJCE:  Using KeyGenerator IbmTlsPrf from provider TBD via init 
     O HandshakeMessage:  TLS Keygenerator IbmTlsPrf  from provider from init IBMJCE version 1.2
     O [read] MD5 and SHA1 hashes:  len = 16
     O 0000: 14 00 00 0c 13 9c d6 b0  ca a6 cd e1 81 dd 8b c1  ................

     O JsseJCE:  Using KeyGenerator IbmTlsPrf from provider TBD via init 
     O HandshakeMessage:  TLS Keygenerator IbmTlsPrf  from provider from init IBMJCE version 1.2
     O ListenerContainer-1, WRITE: TLSv1 Change Cipher Spec, length = 1
     O JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init 
     O CipherBox:  Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
     O JsseJCE:  Using MAC HmacSHA1 from provider TBD via init 
     O MAC:  Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
     O *** Finished
     O verify_data:  { 56, 215, 170, 111, 66, 74, 59, 26, 94, 46, 231, 190 }
     O ***
     O [write] MD5 and SHA1 hashes:  len = 16
     O 0000: 14 00 00 0c 38 d7 aa 6f  42 4a 3b 1a 5e 2e e7 be  ....8..oBJ......

     O Padded plaintext before ENCRYPTION:  len = 48
     O 0000: 14 00 00 0c 38 d7 aa 6f  42 4a 3b 1a 5e 2e e7 be  ....8..oBJ......

     O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 48
     O [Raw write]: length = 6
     O 0000: 14 03 01 00 01 01                                  ......

     O [Raw write]: length = 53
     O 0000: 16 03 01 00 30 aa a8 a4  54 00 fd ba 45 1b d8 e2  ....0...T...E...

    O Padded plaintext before ENCRYPTION:  len = 496
    O 0000: 50 4f 53 54 20 2f 49 6c  61 6e 69 53 65 72 76 69  POST..IlaniServi
    ce.svc.HTTP.1.1.
    .Host..otlsap
    p1..enterpri
    se.sun.co
    m.8090..Accept..
    application.soap
    .xml.multipart.r
    elated.text....U
    ser.Agent..IBM.W
    ebServices.1.0..
    Cache.Control..n
    o.cache..Pragma.
    .no.cache..SOAPA
    ction...http...t
    empuri.org.IIlan
    iService.P


     O ListenerContainer-1, WRITE: TLSv1 Application Data, length = 472
     O [Raw write (bb)]: length = 501
     O 0000: 17 03 01 01 f0 be c2 0c  b6 1a 50 47 bc 99 d5 c3  ..........PG....
    0010: a9 01 b0 05 0e f2 0b a8  32 a0 19 6f 48 35 3f a4  ........2..oH5..

     O Padded plaintext before ENCRYPTION:  len = 32
     O 0000: 3c a3 cc cf c4 13 b4 7e  35 a6 26 d7 0e 78 9e 66  ........5....x.f
    0010: 9f a9 2e 22 2f 0a 0a 0a  0a 0a 0a 0a 0a 0a 0a 0a  ................

     O ListenerContainer-1, WRITE: TLSv1 Application Data, length = 1
     O Padded plaintext before ENCRYPTION:  len = 480
     O 0000: 73 6f 61 70 65 6e 76 3a  45 6e 76 65 6c 6f 70 65  soapenv.Envelope
  .xmlns.soapenv..
  http...schemas.x
  mlsoap.org.soap.
  envelope....soap
  env.Body..ns2.Ad
  justBalanc
  e.xmlns..http...
  schemas.datacont
  ract.org.2004.07


     O ListenerContainer-1, WRITE: TLSv1 Application Data, length = 456
     O [Raw write (bb)]: length = 522
     O 0000: 17 03 01 00 20 8b 55 88  99 5b b5 b6 2d 04 a0 b2  ......U.........
    0010: 62 88 01 77 f9 d7 7d 58  8c 13 3e 61 0d 55 ab d2  b..w...X...a.U..

     O [Raw read]: length = 5
     O 0000: 16 03 01 00 20                                     .....

     O [Raw read]: length = 32
     O 0000: 9d 7f 17 1a 16 ca 52 b8  8c f6 6e e9 81 a1 e9 47  ......R...n....G
    0010: 03 6c ac d4 25 e9 5f 90  a2 48 f7 a2 7c fe 5e 6e  .l.......H.....n

     O ListenerContainer-1, READ: TLSv1 Handshake, length = 32
     O 0000: 00 00 00 00 f6 20 dc f4  08 0c 1a 51 c3 79 9f 04  ...........Q.y..
    0010: 73 a2 e1 ea 8a ca dd d4  07 07 07 07 07 07 07 07  s...............

     O ListenerContainer-1, RENEGOTIATE 
     O Is initial handshake: false
     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
     O Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
     O *** HelloRequest (empty)
     O %% Client cached [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA]
     O %% Try resuming [Session-7, SSL_RSA_WITH_AES_128_CBC_SHA] from port -1
     O *** ClientHello, TLSv1
     O RandomCookie:  GMT: 1474467386 bytes = { 47, 48, 108, 24, 0, 145, 59, 124, 205, 83, 175, 151, 62, 250, 72, 23, 83, 219, 54, 35, 246, 240, 218, 216, 8, 185, 240, 129 }
     O Session ID:  {16, 48, 0, 0, 26, 118, 255, 9, 42, 147, 147, 244, 73, 27, 74, 188, 230, 10, 207, 45, 40, 144, 227, 82, 57, 194, 148, 119, 92, 41, 25, 128}
     O Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA]
     O Compression Methods:  { 0 }
     O Extension renegotiation_info, ri_length: 12, ri_connection_data: { 56, 215, 170, 111, 66, 74, 59, 26, 94, 46, 231, 190 }
     O ***
     O [write] MD5 and SHA1 hashes:  len = 114
     O 0000: 01 00 00 6e 03 01 58 e3  96 3a 2f 30 6c 18 00 91  ...n..X....0l...

     O Padded plaintext before ENCRYPTION:  len = 144
     O 0000: 01 00 00 6e 03 01 58 e3  96 3a 2f 30 6c 18 00 91  ...n..X....0l...


     O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 144
     O [Raw write]: length = 149
     O 0000: 16 03 01 00 90 39 0c d3  85 c2 c7 a6 db 1b 19 c9  .....9..........


     O [Raw read]: length = 5
     O 0000: 16 03 01 03 c0                                     .....

     O [Raw read]: length = 960
     O 0000: 52 a5 c4 98 5e 3a ba 29  0c 5d 33 ba e7 a6 f6 9d  R.........3.....

     O ListenerContainer-1, READ: TLSv1 Handshake, length = 960
     O 0000: 02 00 00 65 03 01 58 e3  96 0b d1 0f ec fc 78 bd  ...e..X.......x.

     O *** ServerHello, TLSv1
     O RandomCookie:  GMT: 1474467339 bytes = { 209, 15, 236, 252, 120, 189, 229, 92, 195, 178, 12, 253, 84, 35, 32, 141, 135, 199, 74, 135, 129, 147, 179, 39, 140, 238, 136, 245 }
     O Session ID:  {227, 16, 0, 0, 137, 23, 115, 18, 172, 166, 216, 5, 39, 117, 98, 130, 126, 247, 92, 123, 95, 173, 213, 94, 76, 116, 115, 203, 213, 63, 223, 177}
     O Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
     O Compression Method: 0
     O Extension renegotiation_info, ri_length: 24, ri_connection_data: { 56, 215, 170, 111, 66, 74, 59, 26, 94, 46, 231, 190, 19, 156, 214, 176, 202, 166, 205, 225, 129, 221, 139, 193 }
     O ***
     O JsseJCE:  Using MessageDigest MD5 from provider IBMJCE version 1.2
     O JsseJCE:  Using MessageDigest SHA from provider IBMJCE version 1.2
     O RI_Extension verification complete
     O %% Initialized:  [Session-8, SSL_RSA_WITH_AES_128_CBC_SHA]
     O ** SSL_RSA_WITH_AES_128_CBC_SHA
     O [read] MD5 and SHA1 hashes:  len = 105
     O 0000: 02 00 00 65 03 01 58 e3  96 0b d1 0f ec fc 78 bd  ...e..X.......x.

     O *** Certificate chain
     O chain [0] = [
    [
      Version: V3
      Subject: CN=OTLS..enterprise.sun.com
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

      Key:  IBMJCE RSA Public Key:
    modulus:
    23553703497639596335070510257137281846668772458655810320677790628829221930261149412925591183146781723536526781277172608739916146526544854651533994944277413821681774452388324836206810729946188205549925379818388956830834110706891819099617718057830110501768074462851693346833893969477290813937343022841978362903738008267590984351543136396192926768606970581686949544516090193350198903123024609160656153681262348428606470586055201848713219772934786602559592543952662556702629365940208481126300406324501533729138789679650468030591267044786502786266360792591465166026083070678688183035912219682765397505679240220734169611841
    public exponent:
    65537

      Validity: [From: Mon Feb 27 07:21:04 EST 2017,
                   To: Mon Feb 26 19:00:00 EST 2018]
      Issuer: CN=OTLS..enterprise.sun.com
      SerialNumber: [157540854616312716013046194484672082663]

    Certificate Extensions: 2
    [1]: ObjectId: 2.5.29.37 Criticality=false
    ExtKeyUsage [
        1.3.6.1.5.5.7.3.1]

    [2]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      Key_Encipherment
      Data_Encipherment
    ]

    ]
      Algorithm: [SHA1withRSA]
      Signature:
    0000: 95 2e 1f 6b bf f4 08 1b  05 bc af 0b 83 2b d5 9e  ...k............

    ]
     O ***
     O Found trusted certificate:
     O [
    [
      Version: V3
      Subject: CN=OTLS..enterprise.sun.com
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

      Key:  IBMJCE RSA Public Key:
    modulus:
    23553703497639596335070510257137281846668772458655810320677790628829221930261149412925591183146781723536526781277172608739916146526544854651533994944277413821681774452388324836206810729946188205549925379818388956830834110706891819099617718057830110501768074462851693346833893969477290813937343022841978362903738008267590984351543136396192926768606970581686949544516090193350198903123024609160656153681262348428606470586055201848713219772934786602559592543952662556702629365940208481126300406324501533729138789679650468030591267044786502786266360792591465166026083070678688183035912219682765397505679240220734169611841
    public exponent:
    65537

      Validity: [From: Mon Feb 27 07:21:04 EST 2017,
                   To: Mon Feb 26 19:00:00 EST 2018]
      Issuer: CN=OTLS..enterprise.sun.com
      SerialNumber: [157540854616312716013046194484672082663]

    Certificate Extensions: 2
    [1]: ObjectId: 2.5.29.37 Criticality=false
    ExtKeyUsage [
        1.3.6.1.5.5.7.3.1]

    [2]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      Key_Encipherment
      Data_Encipherment
    ]

    ]
      Algorithm: [SHA1withRSA]
      Signature:
    0000: 95 2e 1f 6b bf f4 08 1b  05 bc af 0b 83 2b d5 9e  ...k............

    ]
     O [read] MD5 and SHA1 hashes:  len = 806
     O 0000: 0b 00 03 22 00 03 1f 00  03 1c 30 82 03 18 30 82  ..........0...0.
0010: 02 00 a0 03 02 01 02 02  10 76 85 43 d2 e9 21 07  .........v.C....

     O *** CertificateRequest
     O Cert Types: RSA, DSS, ECDSA
     O Cert Authorities:
     O <Empty>
     O [read] MD5 and SHA1 hashes:  len = 10
     O 0000: 0d 00 00 06 03 01 02 40  00 00                    ..........

     O *** ServerHelloDone
     O [read] MD5 and SHA1 hashes:  len = 4
     O 0000: 0e 00 00 00                                        ....

     O ClientHandshaker: KeyManager com.ibm.ws.ssl.core.WSX509KeyManager
     O matching alias: default
     O *** Certificate chain
     O chain [0] = [
    [
      Version: V3
      Subject: CN=XQ1..enterprise.sun.com, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

      Key:  IBMJCE RSA Public Key:
    modulus:
    110843921622147780318384621158214764705470317393194727986877851877285223474158936772266058764800503835209829711284711944290493529045508433479261112669514928128534895563063819307253434406155487303648611935061998559156762974027014248792380105199377095915876433187824227059900869413289818622830165728007892211197
    public exponent:
    65537

      Validity: [From: Sun Mar 05 17:32:19 EST 2017,
                   To: Mon Mar 05 17:32:19 EST 2018]
      Issuer: CN=XQ1..enterprise.sun.com, OU=Root Certificate, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
      SerialNumber: [32229148073970]

    Certificate Extensions: 2
    [1]: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
    [RFC822Name: ProfileUUID:was70profile1-BASE-8665f1be-6c91-4f3f-9737-7ea56a84c9a7]]

    [2]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 4c 25 62 5f 59 c0 a9 87                           L.b.Y...
    ]
    ]

    ]
      Algorithm: [SHA1withRSA]
      Signature:
    0000: 64 3c 9d e8 00 ca f0 f9  9a 33 10 a1 16 39 3a 6d  d........3...9.m

    ]
     O chain [1] = [
    [
      Version: V3
      Subject: CN=XQ1..enterprise.sun.com, OU=Root Certificate, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

      Key:  IBMJCE RSA Public Key:
    modulus:
    133709287124393792230601765881699139284227312626945278928615499964607234524332116007234980646619761347476316748109684673947697597508730909561799232875111817433344405710867175697607140981134928059514395419168832779709507872705080489476741742323610788920900244447196181703106638720154734901400895308937603956483
    public exponent:
    65537

      Validity: [From: Thu Dec 15 12:44:52 EST 2011,
                   To: Fri Dec 11 12:44:52 EST 2026]
      Issuer: CN=XQ1..enterprise.sun.com, OU=Root Certificate, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
      SerialNumber: [14851033508608]

    Certificate Extensions: 3
    [1]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    [2]: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
    [RFC822Name: ProfileUUID:was70profile1-BASE-8665f1be-6c91-4f3f-9737-7ea56a84c9a7]]

    [3]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 4b be 7e 6a 81 18 dc 91                           K..j....
    ]
    ]

    ]
      Algorithm: [SHA1withRSA]
      Signature:
    0000: 7f 18 a5 d0 88 a1 95 d4  2c 8e b9 51 13 21 b5 df  ...........Q....

    ]
     O ***
     O JsseJCE: Choose KeyGenerator for IbmTlsRsaPremasterSecret.
     O JsseJCE:  Using KeyGenerator IbmTlsRsaPremasterSecret from provider TBD via init 
     O JsseJCE:  Using cipher RSA/SSL/PKCS1Padding from provider TBD via init 
     O PreMasterSecret:  Using cipher for wrap RSA/SSL/PKCS1Padding from provider from init IBMJCE version 1.2
     O *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
     O [write] MD5 and SHA1 hashes:  len = 1857
     O 0000: ...7..4...0...0.

     O Padded plaintext before ENCRYPTION:  len = 1888
     O 0000:  ...7..4...0...0.

     O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 1888
     O SESSION KEYGEN:
     O PreMaster Secret:
     O 0000: ........Q.J...K.

     O javax.crypto.spec.SecretKeySpec@13e5009
     O JsseJCE:  Using KeyGenerator IbmTlsMasterSecret from provider TBD via init 
     O JsseJCE:  Using KeyGenerator IbmTlsKeyMaterial from provider TBD via init 
     O CONNECTION KEYGEN:
     O Client Nonce:
     O 0000: 58 e3 96 3a 2f 30 6c 18  00 91 3b 7c cd 53 af 97  X....0l......S..

     O Server Nonce:
     O 0000: 58 e3 96 0b d1 0f ec fc  78 bd e5 5c c3 b2 0c fd  X.......x.......

     O Master Secret:
     O 0000: 31 f7 d1 f5 85 14 c3 3f  b4 86 26 04 e9 5d 4a 80  1.............J.

     O Client MAC write Secret:
     O 0000: 3d f9 24 a2 e8 6b a3 3a  1d cb 1d 89 c4 92 14 dd  .....k..........

     O Server MAC write Secret:
     O 0000:  ...W......m.Z..2

     O Client write key:
     O 0000:  p..9....U..f....

     O Server write key:
     O 0000: 12 69 bf 32 56 85 16 a8  ef f4 56 f7 2e 59 99 62  .i.2V.....V..Y.b

     O Client write IV:
     O 0000: fe 71 85 da 9e c1 4c 9b  2d 78 47 6d 6b 0b 14 47  .q....L..xGmk..G

     O Server write IV:
     O 0000: b6 00 6c c6 06 89 77 96  73 54 97 77 2b 92 91 6c  ..l...w.sT.w...l

     O JsseJCE:  Using signature RSAforSSL from provider TBD via init 
     O JsseJCE:  Using MessageDigest MD5 from provider IBMJCE version 1.2
     O JsseJCE:  Using MessageDigest SHA from provider IBMJCE version 1.2
     O Signatures:  Using signature RSA from provider from initSignIBMJCE version 1.2
     O *** CertificateVerify
     O [write] MD5 and SHA1 hashes:  len = 134
     O 0000: 0f 00 00 82 00 80 8f 81  da ae ea d9 b0 80 7d f3  ................

     O JsseJCE:  Using KeyGenerator IbmTlsPrf from provider TBD via init 
     O HandshakeMessage:  TLS Keygenerator IbmTlsPrf  from provider from init IBMJCE version 1.2
     O Padded plaintext before ENCRYPTION:  len = 160
     O 0000: 0f 00 00 82 00 80 8f 81  da ae ea d9 b0 80 7d f3  ................

     O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 160
     O Padded plaintext before ENCRYPTION:  len = 32
     O 0000:  ....R..u.iAt7.q.

     O ListenerContainer-1, WRITE: TLSv1 Change Cipher Spec, length = 32
     O JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init 
     O CipherBox:  Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
     O JsseJCE:  Using MAC HmacSHA1 from provider TBD via init 
     O MAC:  Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
     O *** Finished
     O verify_data:  {  100 }
     O ***
     O [write] MD5 and SHA1 hashes:  len = 16
     O 0000:  .....g........jd

     O Padded plaintext before ENCRYPTION:  len = 48
     O 0000:  .....g........jd

     O ListenerContainer-1, WRITE: TLSv1 Handshake, length = 48
     O [Raw write]: length = 1893
     O 0000: 16 03 01 07 60 30 e0 6b  5b 53 27 32 30 1a b2 be  .....0.k.S.20...

     O [Raw write]: length = 165
     O 0000: 16 03 01 00 a0 42 1b 86  be 1e ac 1d 81 23 74 44  .....B........tD


     O [Raw write]: length = 37
     O 0000: 14 03 01 00 20 24 21 46  20 90 77 7a 1d 02 81 b2  .......F..wz....

     O [Raw write]: length = 53
     O 0000:   ....0.3.a...x...

     O [Raw read]: length = 5
     O 0000: 14 03 01 00 20                                     .....

     O [Raw read]: length = 32
     O 0000:   ...m.....x..0...

     O ListenerContainer-1, READ: TLSv1 Change Cipher Spec, length = 32
     O 0000:   .O.......nJ...g.


     O JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init 
     O CipherBox:  Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
     O JsseJCE:  Using MAC HmacSHA1 from provider TBD via init 
     O MAC:  Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
     O [Raw read]: length = 5
     O 0000: 16 03 01 00 30                                     ....0

     O [Raw read]: length = 48
     O 0000: 04 93 78 76 db 42 1d af  85 e9 bd 2b b8 7a d6 e6  ..xv.B.......z..

     O ListenerContainer-1, READ: TLSv1 Handshake, length = 48
     O 0000: 14 00 00 0c 77 2e ab 89  d0 91 9c 47 12 35 00 40  ....w......G.5..

     O *** Finished
     O verify_data:  { 119, 46, 171, 137, 208, 145, 156, 71, 18, 53, 0, 64 }
     O ***
     O JsseJCE:  Using KeyGenerator IbmTlsPrf from provider TBD via init 
     O HandshakeMessage:  TLS Keygenerator IbmTlsPrf  from provider from init IBMJCE version 1.2
     O cached session [Session-8, SSL_RSA_WITH_AES_128_CBC_SHA]
     O %% Cached client session: [Session-8, SSL_RSA_WITH_AES_128_CBC_SHA]
     O [read] MD5 and SHA1 hashes:  len = 16
     O 0000:   ....w......G.5..

     O [Raw read (bb)]: length = 37
     O 0000: 17 03 01 00 20 c4 23 30  6c 3e 32 03 92 8a a8 b8  .......0l.2.....

     O Padded plaintext after DECRYPTION:  len = 32
     O 0000: 48 de e8 a9 44 bf cf 82  73 c1 a2 4c b7 01 8c 12  H...D...s..L....

     O [Raw read (bb)]: length = 1429
     O 0000: 17 03 01 05 90 ed 7b 79  7c b6 e2 b4 2e 17 54 68  .......y......Th

     O Padded plaintext after DECRYPTION:  len = 1424
     O 0000:   TTP.1.1.403.Forb
    idden..Content.T
    ype..text.html..
    Server.http.eq
    uiv..Content.Typ
    e..content..text
    .html..charset.i
    so.8859.1......t
    itle.403...Forbi
    dden..Access.is.
    denied...title..

Update: successful (truncated) SSL log from the standalone IBM JRE Java client.

    IBMJSSE2 to send SCSV Cipher Suite on initial ClientHello
    JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2

    *** ServerHello, TLSv1
    Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA

    *** ServerHelloDone
    [read] MD5 and SHA1 hashes:  len = 4

    JsseJCE: Choose KeyGenerator for IbmTlsRsaPremasterSecret.
    JsseJCE:  Using KeyGenerator IbmTlsRsaPremasterSecret from provider TBD via init 
    JsseJCE:  Using cipher RSA/SSL/PKCS1Padding from provider TBD via init 
    PreMasterSecret:  Using cipher for wrap RSA/SSL/PKCS1Padding from provider from init IBMJCE version 1.2

    JsseJCE:  Using KeyGenerator IbmTlsPrf from provider TBD via init 
    HandshakeMessage:  TLS Keygenerator IbmTlsPrf  from provider from init IBMJCE version 1.2
    main, WRITE: TLSv1 Change Cipher Spec, length = 1

    JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init 
    CipherBox:  Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
    JsseJCE:  Using MAC HmacSHA1 from provider TBD via init 

    main, READ: TLSv1 Change Cipher Spec, length = 1
    JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init 
    CipherBox:  Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2

    *** ServerHello, TLSv1
    Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA

    *** ServerHelloDone
    [read] MD5 and SHA1 hashes:  len = 4
    0000: 0e 00 00 00                                        ....

    ClientHandshaker: KeyManager com.ibm.jsse2.aJ
    JsseJCE:  Using KeyAgreement ECDH from provider IBMJCE version 1.2
    JsseJCE:  Using signature SHA1withECDSA from provider TBD via init 
    JsseJCE:  Using signature NONEwithECDSA from provider TBD via init 
    JsseJCE:  Using KeyFactory EC from provider IBMJCE version 1.2
    JsseJCE:  Using KeyPairGenerator EC from provider TBD via init 
    JsseJce:  EC is available
    *** Certificate chain
    ***
    JsseJCE: Choose KeyGenerator for IbmTlsRsaPremasterSecret.
    JsseJCE:  Using KeyGenerator IbmTlsRsaPremasterSecret from provider TBD via init 
    JsseJCE:  Using cipher RSA/SSL/PKCS1Padding from provider TBD via init 
    PreMasterSecret:  Using cipher for wrap RSA/SSL/PKCS1Padding from provider from init IBMJCE version 1.2
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1

    JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init 
    CipherBox:  Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
    JsseJCE:  Using MAC HmacSHA1 from provider TBD via init 
    MAC:  Using MessageDigest HmacSHA1 from provider IBMJCE version 1.2
    *** Finished
    verify_data:  { 216, 231, 207, 130, 172, 141, 204, 125, 55, 250, 84, 30 }
    ***
    JsseJCE:  Using KeyGenerator IbmTlsPrf from provider TBD via init 
    HandshakeMessage:  TLS Keygenerator IbmTlsPrf  from provider from init IBMJCE version 1.2
    cached session [Session-2, SSL_RSA_WITH_AES_128_CBC_SHA]
    %% Cached client session: [Session-2, SSL_RSA_WITH_AES_128_CBC_SHA]

    main, READ: TLSv1 Application Data, length = 720
      TTP.1.1.200.OK..
      Cache.Control..p
      rivate..Content.
2
What cipher is negotiated when you test a command-line Java client? The 403 clearly comes from the backend server. - covener
@covener Please see the updates. - Kgan
No luck there, unfortunately. This really needs to be debugged on the origin server side since it returns the 403. - covener
@covener Thanks for looking into this issue, we fixed it finally. - Kgan

2 Answers

0
votes

We fixed this issue by turning off the "Client Certificate" requirement on the IIS server, which was set to Optional before. We wanted one-way SSL, but the server was set up for two-way SSL client authentication.

It worked with the standalone Java client because the Java client was not sending a client certificate, and as the "Client Certificate" setting was Optional in IIS, it worked well.

However, WebSphere Application Server was sending its default "Client Certificate" to IIS, and IIS obviously didn't have any clue about this certificate, hence it was failing.

This can be verified from the failure log in the question. Right after the "*** CertificateRequest", the WAS client was sending the default cert.
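A small triage script for traces like the two in the question, added here as an example (not code from the question, the answers, or IBM): it walks an IBM JSSE2 debug trace in order, records whether the server sent a CertificateRequest, which key-manager alias and certificate subject the client answered with, and what HTTP status followed the completed handshake. The embedded traces are constructed excerpts modelled on the page's logs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpts modelled on the two IBM JSSE2 traces in the question: the
# WAS trace (with its "O " prefix) where a client cert is sent, and the standalone run.
WAS_TRACE = """\
     O ListenerContainer-1, RENEGOTIATE
     O *** ServerHello, TLSv1
     O Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
     O *** Certificate chain
  Subject: CN=OTLS..enterprise.sun.com
     O *** CertificateRequest
     O *** ServerHelloDone
     O ClientHandshaker: KeyManager com.ibm.ws.ssl.core.WSX509KeyManager
     O matching alias: default
     O *** Certificate chain
  Subject: CN=XQ1..enterprise.sun.com, OU=XQ1Node01Cell, OU=XQ1Node01, O=IBM, C=US
     O *** CertificateVerify
     O Padded plaintext after DECRYPTION:  len = 1424
     O 0000:   TTP.1.1.403.Forb
"""
STANDALONE_TRACE = """\
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
  Subject: CN=OTLS..enterprise.sun.com
*** ServerHelloDone
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, READ: TLSv1 Application Data, length = 720
  TTP.1.1.200.OK..
"""

@dataclass
class HandshakeSummary:
    cipher_suite: Optional[str] = None
    renegotiated: bool = False
    certificate_requested: bool = False
    client_alias: Optional[str] = None          # key-manager alias the client picked
    client_cert_subjects: List[str] = field(default_factory=list)
    client_cert_verify: bool = False            # CertificateVerify = client proved key possession
    http_status: Optional[int] = None           # first status seen in decrypted app data

    @property
    def client_cert_sent(self) -> bool:
        return bool(self.client_cert_subjects) or self.client_cert_verify

def summarize(log_text: str) -> HandshakeSummary:
    """Walk the trace in order; ServerHelloDone separates server and client flights."""
    s = HandshakeSummary()
    side = "server"
    for raw in log_text.splitlines():
        ln = re.sub(r"^\s*O(?:\s|$)", "", raw).strip()   # drop the WAS "O " trace prefix
        if ln.endswith("RENEGOTIATE"):
            s.renegotiated = True                          # a second handshake on the connection
        elif ln.startswith("*** ServerHello,"):
            side = "server"
        elif ln.startswith("Cipher Suite:"):
            s.cipher_suite = ln.split(":", 1)[1].strip()
        elif ln == "*** CertificateRequest":
            s.certificate_requested = True
        elif ln == "*** ServerHelloDone":
            side = "client"                                # everything after this is the client's
        elif ln.startswith("matching alias:"):
            s.client_alias = ln.split(":", 1)[1].strip()
        elif ln.startswith("Subject:") and side == "client":
            s.client_cert_subjects.append(ln.split(":", 1)[1].strip())
        elif ln == "*** CertificateVerify":
            s.client_cert_verify = True
        elif s.http_status is None:
            m = re.search(r"TTP.1.1.(\d{3})", ln)          # "HTTP/1.1 403" with bytes dotted out
            if m:
                s.http_status = int(m.group(1))
    return s

def diagnose(s: HandshakeSummary) -> str:
    """Explain what the handshake shows, in the terms the accepted answer uses."""
    if not s.certificate_requested:
        return "one-way TLS: the server never sent a CertificateRequest"
    if not s.client_cert_sent:
        return "server requested a client certificate; the client sent none (optional mTLS, one-way result)"
    msg = f"mutual TLS attempted: client answered CertificateRequest with alias {s.client_alias!r}"
    if s.http_status == 403:
        msg += "; the handshake completed but HTTP 403 followed, so the server rejected the cert at the application layer"
    return msg
```

Run it against a full `javax.net.debug=ssl` capture rather than the excerpts to see which flight carried the client certificate.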

0
votes

Browsium ION will allow you to set the highest Java security globally, whilst reducing security for chosen specific applications. We advise always keeping the version of the JRE on machines at the very latest version.

  1. Download the latest (x86) version of the JRE: https://java.com/en/download/

  2. Download Browsium ION - Browsium Ion Evaluation Kit

  3. Create a profile and a rule to swap from the latest version to the JRE 1.6 version. See the demo video "Keep Java Up to Date" on our website for simple instructions on how to do this.

  4. Using a Browsium ION custom file, the deployment.properties file can be amended to change the SSL and TLS security attributes.

Let me know if you need any help.