SOLVED WL-OPC Connection with WLSDM Over https
-
Hi,
I’m trying to configure WL-OPC with my WLSDM domains over https (I checked the connection through telnet and it works OK), but it seems OPC doesn’t reach targets over https, just over http.
Could you please help me with this?
Regards.
-
Hi,
When you enabled SSL on WL-OPC, did you start facing WL-OPC to WLSDM connection issues?
Could you send “OPC_HOME\bin\WLOPC\logs\wl-opc.log”?
Regards
-
Hi,
There is a missing certificate configuration. You need to add a certificate for SSL on WL-OPC.
Could you check the attached configuration for the error below, please?
"Caused by: java.io.FileNotFoundException: /u01/opc/bin/keystore.p12 (No such file or directory)"
-
I added certificates to WL-OPC and WLSDM is still not reachable.
-
Hi,
Can you explain with screenshots what you want to do and what the issue is?
Regards.
-
This is what happens when I try to register a new domain from WL-OPC (http or https) to WLSDM/WebLogic console (over https)
This is what I have in log files
From WLSDM side
URL: https://…:9002/console/WLSDM/config/system
This is a strange thing I see from tcpdump in WLSDM server
OPC is trying to connect to WLSDM through http instead of https
This is the configuration from WLSDM to OPC
-
Hi,
I understand your case and you want HTTPS communication. Why are you not considering adding the WebLogic admin’s HTTP port? When you add it as an https port, you also need to take care of adding trust certificates on both sides.
Thank you for your communication.
Kind Regards.
-
Hi,
Thanks for your feedback.
I understand we will need to create certificates for https communication between OPC and WLS AdminServers but it’s our default procedure for any WebLogic managed server or AdminServer.
Thank you very much for your update.
Regards,
-
Hi,
In WL-OPC, https and http traffic can both be enabled at the same time. The WLSDM & WL-OPC traffic is based on a token, and without a registered token WLSDM cannot publish to WL-OPC. Currently we are supporting both https and http.
As a result, we fixed the problem and you are going to be able to add your https and t3s domains. On the other hand, do you prefer https traffic from WLSDM to WL-OPC, too? Our default setting is http from WLSDM to WL-OPC, but you can disable HTTP in the WL-OPC settings. Take the screen capture below as a reference.
We are waiting for your reply.
Regards.
-
-
For now, it’s OK to have http traffic from WLSDM to WL-OPC. By the way, it would be great to have both options in future releases.
Regards.
-
Hi,
You can follow the path below to set up your HTTPS traffic. If any help is needed, please let us know.
- Generate keystore wlopc.p12
keytool -genkeypair -alias wlopc -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore wlopc.p12 -validity 3650
- Update WL-OPC settings as in the screen capture below.
- Export & download WL-OPC’s certificate from the browser (use Firefox; the output is volthread-technology.pem).
- Convert pem format to der format.
openssl x509 -outform der -in volthread-technology.pem -out volthread-technology.der
- Then import it into WebLogic AdminServer’s JKS file, set WebLogic AdminServer’s HostName Verification to NONE and finally restart the admin server.
keytool -import -alias volthread -keystore DemoTrust.jks -file volthread-technology.der
From now on, WLSDM and WL-OPC work over HTTPS.
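A check that fits between the conversion and import steps of the post above, added here as an example and not part of the thread or of WL-OPC: it confirms that the DER file about to be trusted carries the same certificate as the WL-OPC keystore. The sample keystore is built with openssl as a constructed stand-in for the keytool-generated wlopc.p12; the CN, the password `changeit` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): before importing a certificate into the
# AdminServer trust store, confirm it is the one held in the WL-OPC keystore.

# SHA-256 fingerprint of the certificate inside PKCS12 keystore $1 (password $2).
keystore_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the DER-encoded certificate file $1.
der_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2
}

# Exit 0 only if DER file $1 is the certificate in keystore $2 (password $3).
matches_keystore() {
    want=$(keystore_fingerprint "$2" "$3")
    [ -n "$want" ] && [ "$want" = "$(der_fingerprint "$1")" ]
}

# Constructed sample: self-signed certificate plus PKCS12 keystore at $1.*,
# standing in for the keytool-generated wlopc.p12 (CN and password are made up).
make_sample_keystore() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1.key" -in "$1.pem" -name wlopc \
        -out "$1.p12" -passout pass:changeit
}

work=$(mktemp -d)
make_sample_keystore "$work/wlopc" wlopc.example.test
# Same conversion as in the post, applied to the sample certificate.
openssl x509 -outform der -in "$work/wlopc.pem" -out "$work/wlopc.der"
if matches_keystore "$work/wlopc.der" "$work/wlopc.p12" changeit; then
    echo "OK to import: $(der_fingerprint "$work/wlopc.der")"
else
    echo "fingerprint mismatch: do not import" >&2
fi
rm -rf "$work"
```

With HostName Verification set to NONE, the imported certificate is the only thing the AdminServer checks, so the fingerprint comparison is the step that ties the trust entry to the intended WL-OPC instance.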
-
Hi,
By the way, when I try to add the domain from WL-OPC I get this.
Handshake failed: TLSv1.3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: TLSv1.2, error = The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
Handshake failed: TLSv1.1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: TLSv1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: TLSv1.3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: TLSv1.2, error = The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
Handshake failed: TLSv1.1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: TLSv1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
It looks like the TLS version is not supported.
Regards.
-
Hi,
Please increase the timeout and retry. This time remember to select the “Overwrite” option on WL-OPC.
Then let me know the result.
-
-
Some additional information:
From the domains side, I can see http post in tcpdump
Regards.
-
Hi,
This problem may be specific to your environment. Please follow the steps below; if they do not solve your problem, let’s have a Teams support meeting.
- Add this JVM argument to WL-OPC.
Open $WLOPC_HOME/bin/setenv.properties and append the value to the JAVA_OPTIONS parameter.
-Dweblogic.security.SSL.minimumProtocolVersion=ALL
$WLOPC_HOME/bin/opc stop
$WLOPC_HOME/bin/opc start
- Then retry adding the domain as I explained before.
Kind Regards.
-
Hi,
I’m still facing the same issue
Handshake failed: TLSv1.3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: TLSv1.2, error = The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
Handshake failed: TLSv1.1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: TLSv1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: SSLv3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: SSLv2Hello, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: TLSv1.3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: TLSv1.2, error = The server selected protocol version TLS10 is not accepted by client preferences [TLS12]
Handshake failed: TLSv1.1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: TLSv1, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: SSLv3, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Handshake failed: SSLv2Hello, error = No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Thank you very much.
Regards,
-
Hi,
Could you send us your WebLogic version, AdminServer and Managed Server JVM startup parameters, Java version and Java vendor, please?
Regards.
-
Hi,
By the way, maybe your WebLogic TLS version is legacy. Could you please let me know the WL-OPC’s JDK version with the output of the command below?
grep "jdk.tls.disabledAlgorithms" $JAVA_HOME/jre/lib/security/java.security
Send us the value of “jdk.tls.disabledAlgorithms”
-
Hi,
After you sent the environment details of your WebLogic and Java versions, we realized that the client is legacy, and we are compatible with legacy TLS Java versions. We detected the problem by reproducing it in our lab environments.
Please add the JVM argument below to the WL-OPC setenv.properties file, then bounce the OPC instance using the opc command executable.
-Djdk.tls.client.protocols=TLSv1,TLSv1.1
After restarting OPC, please retry adding the client, then let us know the result.
Kind Regards.
-
Hi,
I added the argument to setenv; I am sending you the errors I have in the log files.
Regards.
-
Hi,
Finally, I found the solution.
I changed java.security in WL-OPC disabling jdk.tls.disabledAlgorithms like this:
And then I removed all the arguments in JAVA_OPTIONS to default OPC installation.
I restarted OPC and I could add the domains without any problem.
Regards.
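The java.security check that the support request for "jdk.tls.disabledAlgorithms" and the final solution both turn on, as an added example (not from the thread or from WL-OPC): the property usually spans several backslash-continued lines, so a one-line grep shows only part of it. The file content below is a constructed sample and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list which protocol versions a
# java.security file disables through jdk.tls.disabledAlgorithms.

# Print the whole property value, joining backslash-continued lines.
disabled_algorithms() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ { grab = 1; sub(/^[^=]*=/, "") }
        grab {
            cont = ($0 ~ /\\[ \t]*$/)
            sub(/\\[ \t]*$/, "")
            val = val $0
            if (!cont) exit
        }
        END { if (grab) print val }
    ' "$1"
}

# Exit 0 when entry $2 (for example TLSv1) is listed as disabled in file $1.
protocol_disabled() {
    disabled_algorithms "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fqx "$2"
}

# One line per protocol version: "<protocol> disabled" or "<protocol> allowed".
protocol_report() {
    for p in SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
        if protocol_disabled "$1" "$p"; then echo "$p disabled"; else echo "$p allowed"; fi
    done
}

# Constructed sample input, written to file $1.
write_sample() {
    cat > "$1" <<'EOF'
# Constructed excerpt in the style of a JDK 8 java.security file.
#jdk.tls.disabledAlgorithms=SSLv3
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
}

sample=$(mktemp)
write_sample "$sample"
protocol_report "$sample"
rm -f "$sample"
```

Running `protocol_report` on the real file before and after an edit records exactly which legacy versions the change re-enabled for every TLS connection that JVM makes.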