
Using Secure Sockets Layer

WebLogic Server can be configured to work with the Secure Sockets Layer (SSL) protocol. SSL is the Internet standard for secure communication and provides end-to-end encryption of transmitted data.

There are two pages in the administrator console that configure SSL support. To get to these pages, expand the Servers node in the left panel and click on one of the servers running in your domain. In the right panel, click on the Configuration tab. The two SSL pages are reached by clicking on the General tab or the Keystores & SSL tab. The General page allows SSL to be enabled and the SSL port to be set, as shown in Figure 28.19. Enabling SSL requires an SSL port to be chosen, and enabling or disabling SSL requires WebLogic Server to be restarted. Simply enabling SSL encrypts client connections, which provides data integrity and keeps communications confidential. However, on its own it does not allow the server or the client to authenticate itself.

Figure 28.19. The General page allows us to enable and disable SSL and to select the SSL port.


For the server to be able to authenticate itself to clients, it must have a private key and a digital certificate.

Generating Digital Certificates

To use SSL within WebLogic Server, you need a digital certificate. The sample certificates that come with WebLogic Server can be used in a development environment, but for production purposes, you must create your own. There are several ways of doing this, as the following sections describe.

CertGen Tool

The CertGen tool can be used to generate certificates and private keys to be used for testing, not for production. The CertGen tool is found in weblogic.jar and is started with the following syntax:


java utils.CertGen password certfile keyfile

This command generates certificate files named certfile and private key files named keyfile; the private key is protected with the password you entered. Before executing this tool, copy the files CertGenCA.der and CertGenCAKey.der from the WL_HOME/server/lib directory to the directory you are running the tool in.

Certificate Request Generator Servlet

To use SSL in a production environment, you must request and obtain a certificate and private key from a trusted certificate authority (CA). Examples of CAs are Entrust (www.entrust.com) and VeriSign (www.verisign.com). CAs expect requests to come in a format called a certificate signature request (CSR). WebLogic Server 7.x came with a servlet that collects information from you and generates a private key file (.der extension) and a CSR in binary format (.dem file) and in ASCII format (.pem file). WebLogic 8.1 still comes with the Web application certificate.war that contains the certificate signature request servlet. However, this Web application has been deprecated as of 8.1, and BEA recommends using the keytool utility described in the next section.

keytool Utility

Another option for generating private keys and certificates is the keytool utility that comes with the JDK. This utility stores private keys and certificates in a keystore. By default, this file is named .keystore and its location is determined by the value of the user.home Java system property. To generate keys and certificates, use the following syntax:


keytool -genkey -alias myalias -keypass mypassword

This will generate a key pair (a public and a private key) and wrap the public key into an X.509 v1 self-signed certificate. The alias myalias will be used to refer to this key pair when using keytool in the future. The password mypassword will be used to protect the private key.

keytool has many options for generating, importing, and managing private keys and digital certificates. For more information, please go to the following URL: http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html.
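The following script is an added example, not code from the book or from BEA, that carries the keytool procedure above through to a CSR for a commercial CA (the task the deprecated certificate.war servlet used to perform). All names are constructed placeholders: the keystore file wlserver.jks, the alias myalias, the two passwords and the distinguished name. It uses -genkeypair, the current name of the -genkey command shown above, and passes -dname and the passwords on the command line so that it runs without prompts.

```shell
#!/bin/sh
# Added example (not from the book or from BEA): a non-interactive keytool
# workflow for a WebLogic server keystore. Keystore path, alias, passwords
# and DN below are constructed placeholders; replace them for real use.
set -eu

KEYSTORE="${KEYSTORE:-wlserver.jks}"
ALIAS="${ALIAS:-myalias}"
STOREPASS="${STOREPASS:-changeit-store}"   # placeholder, not a real secret
KEYPASS="${KEYPASS:-$STOREPASS}"           # PKCS12 stores need both equal
DNAME="${DNAME:-CN=wls.example.test, OU=Dev, O=Example, L=City, ST=State, C=US}"

# 1. Generate the key pair and wrap the public key in a self-signed
#    certificate. -dname/-storepass/-keypass make the call scriptable;
#    RSA 2048 with a one-year validity is enough for a development box.
gen_keypair() {
    rm -f "$KEYSTORE"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity 365 -dname "$DNAME" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# 2. Confirm the alias exists before typing it into the console's Server
#    Private Key Alias field. Returns 0 if present, non-zero otherwise.
alias_present() {
    keytool -list -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" >/dev/null 2>&1
}

# 3. Produce the CSR to send to the CA (argument: output file).
make_csr() {
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$KEYPASS" -file "$1"
}

# 4. Export the self-signed certificate in PEM (-rfc) form so clients can
#    trust it while the CA-signed certificate is pending (argument: file).
export_cert_pem() {
    keytool -exportcert -alias "$ALIAS" -rfc -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$1"
}

# 5. A PEM file carries BEGIN/END markers; a DER file is raw binary and
#    would fail this check. Returns 0 when the file looks like PEM.
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && \
    grep -q -- '-----END CERTIFICATE-----' "$1"
}
```

Call gen_keypair, then make_csr server.csr and submit that file to the CA; when the signed certificate comes back, import it under the same alias with keytool -importcert so the keystore entry the console refers to is updated in place.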

SSL for Server Authentication

To have WebLogic Server authenticate itself to clients, WebLogic Server must be able to find its private key and digital certificate. You refer to them either by their filenames or by their alias in a keystore. This information is entered on the SSL page in the administrator console. To get to this page, expand the Servers node in the left panel and click on the name of the server to configure. Click on the Configuration tab in the right panel and then click on the Keystores & SSL tab. You'll see the SSL form shown in Figure 28.20.

Figure 28.20. The SSL page contains information specific to certificates and private keys used by the server.


When using a keystore:

  1. Make sure that the WebLogic keystore provider has been configured properly as explained earlier.

  2. Enter the same alias into the Server Private Key Alias field that you used when you configured the keystore.

  3. Enter the same password into the Server Private Key Passphrase field that you used when you configured the keystore.

When using filenames:

  1. Enter the name and location of the certificate file into the Server Certificate File Name field.

  2. Enter the name and location of the key file into the Server Key File Name field.

In either case, click the Apply button and reboot WebLogic Server.

SSL for Mutual Authentication

To request digital certificates from clients, you must have SSL enabled and also set the Two Way Client Cert Behavior drop-down in the advanced options of the Keystores & SSL page in the administrator console.

If set, the Client Certificate Enforced attribute requires a client to present a certificate. If the client cannot present a certificate, WebLogic Server ends the SSL connection.

If set, the Client Certificate Requested But Not Enforced attribute requests a client to present a certificate. If the client cannot present a certificate, WebLogic Server continues the SSL connection. In this case, the connection is encrypted, but the client is not authenticated.
