Friday, August 18, 2017

GPG key administration for Middle-ware Administrators

GnuPG is a tool for secure communication. Using this tool, administrators can create a public/private key pair that can be used to encrypt and decrypt critical information. GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate.



In this article I intend to provide some basic steps to create and use such key pairs. I will also try to provide some informative and useful links on this topic. Often you may receive requests to generate the key pairs required for PGP encryption. How do you do that?

OK, first things first. To create the required key pairs you need to install GnuPG on the system on which you intend to encrypt the message. You can also install GnuPG on your local machine, but then you will need to import the key to the source system where you will be encrypting the message. Installing GnuPG creates a key ring, which stores the following files:


  • pubring.gpg     # stores the public keys
  • secring.gpg     # has your secret keys
  • trustdb.gpg     # the levels of trust for signed keys


On Windows the key ring was stored at C:\Users\<>\AppData\Roaming\gnupg. On Linux-based systems the default location is .gnupg (a hidden directory) under the OS user's home directory. Use ls -la to see this directory on Linux/Solaris systems.

To install the GnuPG tool, I highly recommend you follow this blog. I feel the blog is very detailed, and it takes you through the following topics:


  • Downloading the software
  • Installing the software
  • Generating the key pair
  • Exporting Public/Private keys
  • Obtaining private keys
  • Importing private/public keys
  • Encrypting/Decrypting message


The blog shows how to do the above using Kleopatra, a GUI tool for certificate management. I personally like the tool since it is very intuitive and easy to use. It is installed along with GnuPG (as mentioned in the blog above). If you want to use the command line instead (for example on UNIX-based systems), you can easily do so by using the commands mentioned here.

The GNU Privacy Handbook covers all these steps and more. I highly recommend you go through it to understand more about this subject. The documentation is available here
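The command-line route mentioned above, as an added example that is not taken from the linked blog or the handbook: the function below walks the generate, export, import, encrypt and decrypt steps with two throwaway key rings standing in for the key owner's machine and the source system. It assumes GnuPG 2.1 or later; the identity `demo@example.invalid`, the file names and the message are constructed for the demo. Calling `gpg_roundtrip` prints the decrypted message.

```shell
#!/bin/sh
# Added example: two throwaway GnuPG home directories stand in for the two
# machines. Identity, file names and message are constructed for the demo.
set -eu

gpg_roundtrip() {
  work=$(mktemp -d)
  owner="$work/owner"     # machine that generates and keeps the private key
  sender="$work/sender"   # source system that only encrypts
  mkdir -m 700 "$owner" "$sender"

  # 1. Generate the key pair unattended. %no-protection skips the passphrase
  #    so the demo is non-interactive; real keys should carry one.
  gpg --homedir "$owner" --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 3072
Subkey-Usage: encrypt
Name-Real: Demo Integration Key
Name-Email: demo@example.invalid
Expire-Date: 1y
%commit
EOF

  # 2. Export the public key only; this is the file that gets handed over.
  gpg --homedir "$owner" --armor --export demo@example.invalid > "$work/demo.pub.asc"

  # 3. Import it on the source system and encrypt to that recipient.
  #    --trust-model always is a demo shortcut; in practice verify the key
  #    fingerprint out of band before trusting an imported key.
  gpg --homedir "$sender" --batch --quiet --import "$work/demo.pub.asc"
  printf 'sample payload for partner\n' > "$work/message.txt"
  gpg --homedir "$sender" --batch --quiet --trust-model always --armor \
      --recipient demo@example.invalid \
      --output "$work/message.txt.asc" --encrypt "$work/message.txt"

  # 4. The sender holds no secret key, so it cannot read its own ciphertext.
  if gpg --homedir "$sender" --batch --decrypt "$work/message.txt.asc" >/dev/null 2>&1; then
    echo "unexpected: sender could decrypt" >&2; return 1
  fi

  # 5. Only the key owner can decrypt; plaintext goes to stdout.
  gpg --homedir "$owner" --batch --quiet --decrypt "$work/message.txt.asc"

  # Stop the per-directory agents and remove the throwaway keyrings.
  for h in "$owner" "$sender"; do GNUPGHOME="$h" gpgconf --kill gpg-agent || true; done
  rm -rf "$work"
}
```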

I hope this post was helpful. Please let me know in the comment section!

Happy Learning
Soumya Mishra

Tuesday, August 8, 2017

Received fatal alert: handshake_failure error while making outbound connection with TLS version v1.2 [TLSv1.2] using Java 1.7.x

The issue described below affects the following versions of SOA/WebLogic installs:

  • Oracle SOA Suite - Version 11.1.1.6.0 to 11.1.1.9.0 [Release 11gR1 to 11g]
  • Oracle WebLogic Server - Version 10.3.6 and later


While trying to make an outbound connection using TLS 1.2 from SOA 11.1.1.7 running on WLS 10.3.6/JDK 1.7U80, as per my article here, one gets the error below.

"javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure"

As per the article and Oracle notes, the startup argument below should enable the TLS 1.2 protocol for outbound connections. It enables TLS 1.0 through TLS 1.2 for outbound connections made from the server.

-Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2"

However, there is a bug that the system may in most cases run into: bug 22612527 may cause the JVM to ignore the above flag.

How do we solve this?

Option A:

Install Patch 22612527 (please note: Patch 13866584 is required before installing 22612527).

After installing the patch, add -Dhttps.protocols="TLSv1.2" to the SOA JVM startup arguments and test whether the issue is gone. This approach is recommended in case you do not want to upgrade the JDK and retest the code.

Option B:

Upgrade Java to version 1.8 or 1.7 131 b12 (or greater); both of these versions use TLSv1.2 by default.

Voila, you just solved a critical issue and turned your integration server into a more secure system! Please let me know in the comment section if this article helped you in any way.

Happy Learning ...

Soumya Mishra