SOLVED WL-OPC Connection with WLSDM Over https

General Support & Troubleshooting
wlsdm wl-opc
  • wlcommunityusers
    wlcommunityusers last edited by Sep 28, 2021, 8:39 AM

    Hi,

    I’m trying to configure WL-OPC with my WLSDMs domains over https (I checked connection through telnet and it works ok) but it seems OPC doesn’t reach targets over https, just over http.

    Could you please help me with this?

    Regards.

    Community Users Case Notes (Diary)

    wlsdmsupport 1 Reply Last reply Sep 28, 2021, 8:40 AM Reply Quote 0
      • wlsdmsupport
        WLSDM Support @wlcommunityusers last edited by Sep 28, 2021, 8:40 AM

        @wlcommunityusers

        Hi,

        When you enabled SSL on WL-OPC, are you facing WL-OPC to WLSDM connection issues?

        Could you send “OPC_HOME\bin\WLOPC\logs\wl-opc.log”?

        Regards

        WLSDM Community Support Team

        wlsdmsupport 1 Reply Last reply Sep 28, 2021, 8:42 AM Reply Quote 0
        • wlsdmsupport
          WLSDM Support @wlsdmsupport last edited by can.sahin-wlsdmteam Sep 28, 2021, 2:40 PM Sep 28, 2021, 8:42 AM

          @can-sahin-wlsdmteam

          Hi,

          There is a missing certificate configuration. You need to add a certificate for SSL WL-OPC.

          Could you check the attached configuration for the error below, please?

          "Caused by: java.io.FileNotFoundException: /u01/opc/bin/keystore.p12 (No such file or directory)"
          

          b9bc4ad3-effd-44d9-862b-11245cfe3444-image.png

          WLSDM Community Support Team

          wlcommunityusers 1 Reply Last reply Sep 28, 2021, 8:42 AM Reply Quote 0
          • wlcommunityusers
            wlcommunityusers @wlsdmsupport last edited by Sep 28, 2021, 8:42 AM

            @can-sahin-wlsdmteam

            I added certificates to WL-OPC and WLSDM is still not reachable.

            Community Users Case Notes (Diary)

            wlsdmsupport 1 Reply Last reply Sep 28, 2021, 8:44 AM Reply Quote 0
            • wlsdmsupport
              WLSDM Support @wlcommunityusers last edited by Sep 28, 2021, 8:44 AM

              @wlcommunityusers

              Hi,

              Can you explain with screenshots what you want to do and what the issue is?

              Regards.

              WLSDM Community Support Team

              wlcommunityusers 1 Reply Last reply Sep 28, 2021, 9:14 AM Reply Quote 0
              • wlcommunityusers
                wlcommunityusers @wlsdmsupport last edited by can.sahin-wlsdmteam Sep 28, 2021, 2:39 PM Sep 28, 2021, 9:14 AM

                @can-sahin-wlsdmteam

                This is what happens when I try to register a new domain from WL-OPC (http or https) to the WLSDM/WebLogic console (over https):

                0071a865-edfd-47ec-920a-8d469cd6c7c6-image.png

                b7d10bdc-2159-4b2a-b737-a6006706d99d-image.png


                This is what I have in log files

                90d9f741-afa3-435e-bdf7-63f5f6af31fc-image.png

                Telnet test:
                a0f62519-4b43-460c-9c6d-e5505802cca3-image.png

                From WLSDM side
                URL: https://…:9002/console/WLSDM/config/system

                59c8ca6b-e336-46d2-9b9e-a106a5fd8f5f-image.png

                This is a strange thing I see from tcpdump in WLSDM server
                d127e292-e6ca-4ba9-a09d-2197397935a7-image.png

                OPC is trying to connect to WLSDM through http instead of https.
                This is the configuration from WLSDM to OPC

                39d96555-274c-429d-b405-3cdb5e56f1ed-image.png

                Community Users Case Notes (Diary)

                wlsdmsupport 1 Reply Last reply Sep 28, 2021, 9:17 AM Reply Quote 0
                • wlsdmsupport
                  WLSDM Support @wlcommunityusers last edited by Sep 28, 2021, 9:17 AM

                  @wlcommunityusers

                  Hi,

                  I understand your case and you want HTTPS communication. Why are you not considering adding the WebLogic admin’s HTTP port? When you add it as an https port, you also need to take care of adding trust certificates on both sides.

                  Thank you for your communication.

                  Kind Regards.

                  WLSDM Community Support Team

                  wlcommunityusers 1 Reply Last reply Sep 28, 2021, 9:20 AM Reply Quote 0
                  • wlcommunityusers
                    wlcommunityusers @wlsdmsupport last edited by Sep 28, 2021, 9:20 AM

                    @can-sahin-wlsdmteam

                    Hi,

                    Thanks for your feedback.

                    I understand we will need to create certificates for https communication between OPC and WLS AdminServers but it’s our default procedure for any WebLogic managed server or AdminServer.

                    Thank you very much for your update.

                    Regards,

                    Community Users Case Notes (Diary)

                    wlsdmsupport 1 Reply Last reply Sep 28, 2021, 9:22 AM Reply Quote 0
                    • wlsdmsupport
                      WLSDM Support @wlcommunityusers last edited by Sep 28, 2021, 9:22 AM

                      @wlcommunityusers

                      Hi,

                      In WL-OPC, https and http traffic can both be enabled at the same time. The WLSDM & WL-OPC traffic is based on a token, and without a registered token WLSDM cannot publish to WL-OPC. Currently we are supporting both https and http.

                      As a result, we fixed the problem and you are going to be able to add your https and t3s domains. On the other hand, do you prefer https traffic from WLSDM to WL-OPC, too? Our default setting is http from WLSDM to WL-OPC, but you can disable HTTP in the WL-OPC settings. Take the screen capture below as a reference.

                      We are waiting for your reply.

                      Regards.

                      WLSDM Community Support Team

                      wlsdmsupport 1 Reply Last reply Sep 28, 2021, 9:23 AM Reply Quote 0
                      • wlsdmsupport
                        WLSDM Support @wlsdmsupport last edited by Sep 28, 2021, 9:23 AM

                        @can-sahin-wlsdmteam

                        8e0d95ad-6408-40c9-8593-27a1b595dd5d-image.png

                        WLSDM Community Support Team

                        wlcommunityusers 1 Reply Last reply Sep 28, 2021, 9:24 AM Reply Quote 0
                        • wlcommunityusers
                          wlcommunityusers @wlsdmsupport last edited by Sep 28, 2021, 9:24 AM

                          @can-sahin-wlsdmteam
                          Hi,

                          For now, it’s ok having http traffic from WLSDM to WL-OPC, by the way, it would be great to have both options in future releases.

                          Regards.

                          Community Users Case Notes (Diary)

                          wlsdmsupport 1 Reply Last reply Sep 28, 2021, 9:26 AM Reply Quote 0
                          • wlsdmsupport
                            WLSDM Support @wlcommunityusers last edited by can.sahin-wlsdmteam Sep 28, 2021, 2:38 PM Sep 28, 2021, 9:26 AM

                            @wlcommunityusers

                            Hi,

                            You can follow the steps below to set up your HTTPS traffic. If any help is needed, please let us know.

                            1. Generate keystore wlopc.p12

                            keytool -genkeypair -alias wlopc -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore wlopc.p12 -validity 3650

                            2. Update WL-OPC settings as in the screen capture below.

                            3. Export & download WL-OPC’s certificate from the browser (use Firefox; the output is volthread-technology.pem).

                            4. Convert pem format to der format.

                            openssl x509 -outform der -in volthread-technology.pem -out volthread-technology.der

                            5. Then import it into the WebLogic AdminServer’s JKS file, set the WebLogic AdminServer’s HostName Verification to NONE, and finally restart the admin server.

                            keytool -import -alias volthread -keystore DemoTrust.jks -file volthread-technology.der

                            From now on, WLSDM and WL-OPC work over HTTPS.

                            c8561c3d-ca31-498c-9e53-48799ed7b6a1-image.png

                            WLSDM Community Support Team

                            wlcommunityusers 1 Reply Last reply Sep 28, 2021, 9:29 AM Reply Quote 0
                            • wlcommunityusers
                              wlcommunityusers @wlsdmsupport last edited by fevzi.korkutata-wlsdmteam Sep 28, 2021, 2:33 PM Sep 28, 2021, 9:29 AM

                              @can-sahin-wlsdmteam

                              Hi,

                              By the way, when I try to add the domain from WL-OPC I get this.

                              Handshake failed: TLSv1.3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                              
                              Handshake failed: TLSv1.2, error = The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
                              
                              Handshake failed: TLSv1.1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                              
                              Handshake failed: TLSv1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                              
                              Handshake failed: TLSv1.3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                              
                              Handshake failed: TLSv1.2, error = The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
                              
                              Handshake failed: TLSv1.1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                              
                              Handshake failed: TLSv1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                              

                              It looks like TLS version is not supported.

                              Regards.

                              Community Users Case Notes (Diary)

                              wlsdmsupport 1 Reply Last reply Sep 28, 2021, 9:30 AM Reply Quote 0
                              • wlsdmsupport
                                WLSDM Support @wlcommunityusers last edited by Sep 28, 2021, 9:30 AM

                                @wlcommunityusers

                                Hi,

                                Please increase the timeout and retry. This time, remember to select the “Overwrite” option on WL-OPC.

                                Then let me know the result.

                                a458423b-1d1f-4ef0-ac05-2b8206469853-image.png

                                WLSDM Community Support Team

                                wlcommunityusers 1 Reply Last reply Sep 28, 2021, 9:31 AM Reply Quote 0
                                • wlcommunityusers
                                  wlcommunityusers @wlsdmsupport last edited by Sep 28, 2021, 9:31 AM

                                  @can-sahin-wlsdmteam

                                  Hi,

                                  I did the changes:

                                  55ddbddf-8515-4174-ace7-86071b8676a2-image.png

                                  Community Users Case Notes (Diary)

                                  wlcommunityusers 1 Reply Last reply Sep 28, 2021, 9:32 AM Reply Quote 0
                                  • wlcommunityusers
                                    wlcommunityusers @wlcommunityusers last edited by Sep 28, 2021, 9:32 AM

                                    @wlcommunityusers
                                    Hi,

                                    Some additional information:

                                    From the domains side, I can see http post in tcpdump

                                    7c97268c-e51b-4e8a-9c95-608721efa551-image.png

                                    Regards.

                                    Community Users Case Notes (Diary)

                                    wlsdmsupport 1 Reply Last reply Sep 28, 2021, 9:37 AM Reply Quote 0
                                    • wlsdmsupport
                                      WLSDM Support @wlcommunityusers last edited by can.sahin-wlsdmteam Sep 28, 2021, 2:41 PM Sep 28, 2021, 9:37 AM

                                      @wlcommunityusers

                                      Hi,

                                      This problem may be something specific to your environment. Please follow the steps below; if they do not solve your problem, let’s have a Teams support meeting.

                                      1. Add this JVM argument to WL-OPC.
                                        Open $WLOPC_HOME/bin/setenv.properties and append the value to the JAVA_OPTIONS parameter.

                                      -Dweblogic.security.SSL.minimumProtocolVersion=ALL

                                      2. Increase the timeout as below.
                                        b1cde56d-7c49-4394-bf97-1e41fee38497-image.png

                                      3. Hard restart the OPC instance.

                                      $WLOPC_HOME/bin/opc stop
                                      $WLOPC_HOME/bin/opc start

                                      4. Then retry adding the domain as I explained before.

                                      Kind Regards.

                                      WLSDM Community Support Team

                                      wlcommunityusers 1 Reply Last reply Sep 28, 2021, 9:46 AM Reply Quote 0
                                      • wlcommunityusers
                                        wlcommunityusers @wlsdmsupport last edited by fevzi.korkutata-wlsdmteam Sep 28, 2021, 2:32 PM Sep 28, 2021, 9:46 AM

                                        @can-sahin-wlsdmteam

                                        Hi,

                                        I’m still facing the same issue

                                        c9c5787f-3c2f-4195-ba9d-c7b89e7a4161-image.png

                                         Handshake failed: TLSv1.3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                                        
                                        Handshake failed: TLSv1.2, error = The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
                                        
                                        Handshake failed: TLSv1.1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                                        
                                        Handshake failed: TLSv1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                                        
                                        Handshake failed: SSLv3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                                        
                                        Handshake failed: SSLv2Hello, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                                        
                                        Handshake failed: TLSv1.3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                                        
                                        Handshake failed: TLSv1.2, error = The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
                                        
                                        Handshake failed: TLSv1.1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                                        
                                        Handshake failed: TLSv1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                                        
                                        Handshake failed: SSLv3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                                        
                                        Handshake failed: SSLv2Hello, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
                                        

                                        Thank you very much.

                                        Regards,

                                        Community Users Case Notes (Diary)

                                        wlsdmsupport 1 Reply Last reply Sep 28, 2021, 9:47 AM Reply Quote 0
                                        • wlsdmsupport
                                          WLSDM Support @wlcommunityusers last edited by Sep 28, 2021, 9:47 AM

                                          @wlcommunityusers

                                          Hi,

                                          Could you send us your WebLogic version, AdminServer and Managed Server JVM startup parameters, Java version and Java vendor, please?

                                          Regards.

                                          WLSDM Community Support Team

                                          wlsdmsupport 1 Reply Last reply Sep 28, 2021, 9:48 AM Reply Quote 0
                                          • wlsdmsupport
                                            WLSDM Support @wlsdmsupport last edited by fevzi.korkutata-wlsdmteam Sep 28, 2021, 2:34 PM Sep 28, 2021, 9:48 AM

                                            @can-sahin-wlsdmteam

                                            Hi,

                                            By the way, maybe your WebLogic TLS version is legacy. Could you please let me know the WL-OPC’s JDK version with the output of the command below?

                                            cat $JAVA_HOME/jre/lib/security/java.security | grep "jdk.tls.disabledAlgorithms"

                                            Send us the value of “jdk.tls.disabledAlgorithms”.

                                            f885a9f3-c838-4f54-b53a-786f2fa257a5-image.png

                                            WLSDM Community Support Team

                                            wlsdmsupport 1 Reply Last reply Sep 28, 2021, 9:49 AM Reply Quote 0
                                            • wlsdmsupport
                                              WLSDM Support @wlsdmsupport last edited by can.sahin-wlsdmteam Sep 28, 2021, 2:35 PM Sep 28, 2021, 9:49 AM

                                              @can-sahin-wlsdmteam

                                              Hi,

                                              After you sent the environment details of your WebLogic and Java versions, we realized that the client is legacy, and we are compatible with the legacy TLS Java version. We detected the problem by reproducing it in our lab environments.

                                              Please add the JVM argument below to the WL-OPC setenv.properties file, then bounce the OPC instance using the opc command executable.

                                              -Djdk.tls.client.protocols=TLSv1,TLSv1.1

                                              After restarting OPC, please retry adding the client, then let us know the result.

                                              Kind Regards.

                                              WLSDM Community Support Team

                                              wlcommunityusers 1 Reply Last reply Sep 28, 2021, 9:50 AM Reply Quote 0
                                              • wlcommunityusers
                                                wlcommunityusers @wlsdmsupport last edited by Sep 28, 2021, 9:50 AM

                                                @can-sahin-wlsdmteam

                                                Hi,

                                                I added the argument to setenv; I am sending you the errors I have in the log files.

                                                Regards.

                                                Community Users Case Notes (Diary)

                                                wlcommunityusers 1 Reply Last reply Sep 28, 2021, 9:51 AM Reply Quote 0
                                                • wlcommunityusers
                                                  wlcommunityusers @wlcommunityusers last edited by Sep 28, 2021, 9:51 AM

                                                  @wlcommunityusers

                                                  Hi,

                                                  Finally, I found the solution.
                                                  I changed java.security in WL-OPC disabling jdk.tls.disabledAlgorithms like this:

                                                  b0d4cae9-48f2-4ce0-9bf1-0afdaf93dcde-image.png

                                                  And then I removed all the arguments in JAVA_OPTIONS to default OPC installation.

                                                  I restarted OPC and I could add the domains without any problem.

                                                  Regards.

                                                  Community Users Case Notes (Diary)

                                                  1 Reply Last reply Reply Quote 0
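
An added example, not part of any post in this thread and not WLSDM code: it reads the `jdk.tls.disabledAlgorithms` value from a java.security file and the handshake lines quoted in the thread, then reports which protocol the server selected, whether the JDK policy blocks it, and which legacy protocols the file leaves enabled. The java.security fragment is a constructed sample, and the mapping from JSSE version names (`TLS10`, `TLS12`) to protocol names is an assumption; the log lines are copied from the thread.

```python
import re

# Constructed sample of a java.security fragment (not taken from the thread).
SAMPLE_JAVA_SECURITY = """\
# TLS policy
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

# Handshake lines as quoted in the thread.
SAMPLE_LOG = """\
Handshake failed: TLSv1.3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: TLSv1.2, error = The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
Handshake failed: TLSv1.1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: TLSv1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
"""

# Assumed mapping from JSSE internal version names to protocol names.
JSSE_NAMES = {"SSL30": "SSLv3", "TLS10": "TLSv1", "TLS11": "TLSv1.1",
              "TLS12": "TLSv1.2", "TLS13": "TLSv1.3"}
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")


def logical_lines(text):
    """Yield properties-file logical lines: comments dropped, continuations joined."""
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf is None:
            if not line or line[0] in "#!":
                continue  # blank or comment line; comments cannot be continued
            buf = ""
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd count of trailing backslashes continues the line
            buf += line[:-1]
            continue
        yield buf + line
        buf = None
    if buf is not None:
        yield buf


def disabled_algorithms(java_security_text):
    """Return the entries of jdk.tls.disabledAlgorithms (empty list if unset)."""
    value = ""
    for line in logical_lines(java_security_text):
        key, sep, val = line.partition("=")
        if sep and key.strip() == "jdk.tls.disabledAlgorithms":
            value = val  # a later definition overrides an earlier one
    return [item.strip() for item in value.split(",") if item.strip()]


def server_selected(log_text):
    """Protocols the server chose, taken from 'server selected protocol version' lines."""
    found = re.findall(r"server selected protocol version (\w+)", log_text)
    return sorted({JSSE_NAMES.get(name, name) for name in found})


def diagnose(java_security_text, log_text):
    disabled = disabled_algorithms(java_security_text)
    selected = server_selected(log_text)
    return {
        "server_selected": selected,
        "blocked_by_policy": [p for p in selected if p in disabled],
        "legacy_protocols_allowed": [p for p in LEGACY if p not in disabled],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_JAVA_SECURITY, SAMPLE_LOG))
```

With the property emptied, `legacy_protocols_allowed` lists SSLv3, TLSv1 and TLSv1.1 for every TLS connection that JVM makes; removing only the entry named in `blocked_by_policy` is the narrower change.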