Using Secure Sockets Layer
WebLogic Server can be configured to use the Secure Sockets Layer (SSL) protocol. SSL is the Internet standard for secure communication and encrypts data in transit between the two ends of a connection.
Two pages in the administrator console configure SSL support. To reach them, expand the Servers node in the left panel and click on one of the servers in your domain. In the right panel, click on the Configuration tab; the two SSL pages are the General tab and the Keystores & SSL tab. The General page is where SSL is enabled and the SSL listen port is set, as shown in Figure 28.19. Enabling SSL requires an SSL port to be chosen, and enabling or disabling SSL requires WebLogic Server to be restarted. Simply enabling SSL encrypts client connections, which gives the transmitted data confidentiality and integrity. It does not, by itself, let the server or the client prove its identity, and encryption without authentication protects only against passive eavesdropping: an attacker who can interpose between client and server can still read the traffic by terminating the connection itself.
For the server to be able to authenticate itself to clients, it must have a private key and a digital certificate.
Generating Digital Certificates
To use SSL within WebLogic Server, you need a digital certificate. The sample certificates that come with WebLogic Server can be used in a development environment, but for production you must create your own: the demonstration private keys ship with every copy of the product and are therefore public. There are several ways of doing this, as the following sections describe.
The CertGen tool generates certificates and private keys for testing, not for production. CertGen lives in weblogic.jar, which must be on the classpath, and is started with the following syntax:
java utils.CertGen password certfile keyfile
This command generates certificate files named certfile and private key files named keyfile (each in both DER and PEM encodings); the private key is protected by the password given. Before running the tool, copy CertGenCA.der and CertGenCAKey.der from the WL_HOME/server/lib directory into the directory you run the tool from. CertGen signs the generated certificate with that demonstration CA, which is why the result must never be trusted in production.
Certificate Request Generator Servlet
To use SSL in a production environment, you must request and obtain a certificate from a trusted certificate authority (CA) for a private key that you generate and keep. Examples of CAs are Entrust (www.entrust.com) and VeriSign (www.verisign.com). CAs expect requests in a format called a certificate signing request (CSR). WebLogic Server 7.x came with a servlet that collects information from you and generates a private key file (.der extension) and a CSR in binary format (.dem file) and in ASCII format (.pem file). WebLogic 8.1 still ships the Web application certificate.war that contains the Certificate Request Generator servlet. However, this Web application is deprecated as of 8.1, and BEA recommends using the keytool utility described in the next section.
keytool
Another option for generating private keys and certificates is the keytool utility that comes with the JDK. keytool stores private keys and certificates in a keystore. By default this file is named .keystore and lives in the directory given by the user.home Java system property; the -keystore option names the file explicitly. To generate a key pair and certificate, use the following syntax:
keytool -genkey -alias myalias -keyalg RSA -keypass mypassword
This generates a key pair (a public and a private key) and wraps the public key in an X.509 v1 self-signed certificate. Give -keyalg RSA explicitly: keytool's historical default key algorithm is DSA, which WebLogic Server's SSL implementation does not support. keytool prompts for the keystore password and for the distinguished name; the common name (CN) should be the host name clients use to reach the server, because SSL clients compare it with the certificate they receive. The alias myalias refers to this key pair in later keytool commands, and the password mypassword protects the private key. For production, the self-signed certificate is only a placeholder: generate a CSR from the key pair with keytool -certreq, have a CA sign it, and import the CA's reply with keytool -import under the same alias.
keytool has many options for generating, importing, and managing private keys and digital certificates. For more information, see http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html.
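The keytool steps above, together with the CSR and CA-reply steps that the console pages assume have already been done, can be run non-interactively as a script. The script below is an added example, not code from the book or from BEA. It assumes a JDK keytool on PATH; the keystore name, alias, passwords and distinguished name are placeholders you must replace.

```shell
#!/bin/sh
# Added example (not from the book or from BEA): keytool workflow for a production server identity.
# Assumptions: keytool is on PATH; keystore path, alias, passwords and DN below are placeholders.
set -eu

KEYSTORE="${KEYSTORE:-server_identity.jks}"
ALIAS="${ALIAS:-wlsserver}"
STOREPASS="${STOREPASS:-changeit}"
KEYPASS="${KEYPASS:-changeit}"
# CN must be the host name clients use to reach the server; SSL clients compare it with the certificate.
DNAME="${DNAME:-CN=www.example.com, OU=IT, O=Example Corp, L=Anytown, ST=CA, C=US}"

# 1. Generate an RSA key pair plus a self-signed placeholder certificate in a JKS keystore.
#    -keyalg RSA matters: keytool's historical default is DSA, which WebLogic SSL does not support.
gen_identity() {
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$DNAME" -keystore "$KEYSTORE" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# 2. Write a PEM-encoded CSR for the CA; $1 is the output file.
gen_csr() {
    keytool -certreq -alias "$ALIAS" -file "$1" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# 3. Import the CA's root certificate as a trusted entry under its own alias, then import the
#    CA-signed reply ($2, a single certificate or a PKCS#7 chain) under the server alias,
#    which replaces the self-signed placeholder with a certificate clients can validate.
import_ca_reply() {
    keytool -import -noprompt -trustcacerts -alias rootca -file "$1" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
    keytool -import -trustcacerts -alias "$ALIAS" -file "$2" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$KEYPASS"
}

# Pre-flight check before pointing WebLogic at the keystore: the alias must exist and its
# key must be RSA (keytool prints an RSA signature algorithm only for RSA keys).
check_identity() {
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        | grep -q "RSA"
}
```

Run gen_identity, send the file written by gen_csr to the CA, then call import_ca_reply with the CA's root certificate and the signed certificate it returns; check_identity confirms that the alias you will enter on the Keystores & SSL page holds an RSA key. The keystore path, alias and passwords are exactly the values the console asks for.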
SSL for Server Authentication
To have WebLogic Server authenticate itself to clients, it must be able to locate its private key and digital certificate. You refer to them either by filename or by alias within a keystore, and you enter this information on the SSL page of the administrator console. To get to this page, expand the Servers node in the left panel and click on the name of the server to configure. Click on the Configuration tab in the right panel and then on the Keystores & SSL tab. You'll see the SSL form shown in Figure 28.20.
Figure 28.20. The SSL page contains information specific to certificates and private keys used by the server.
When using a keystore:
When using filenames:
In either case, click the Apply button and restart WebLogic Server for the change to take effect.
SSL for Mutual Authentication
To have WebLogic Server ask clients for digital certificates, you must have SSL enabled and must also set the Two Way Client Cert Behavior drop-down under the advanced options of the Keystores & SSL page in the administrator console. Whatever the setting, a certificate a client presents is accepted only if it chains to a CA the server trusts, so the CA that issues your client certificates must be among the server's trusted CAs.
If set, the Client Certificate Enforced attribute requires a client to present a certificate. If the client cannot present one, WebLogic Server ends the SSL connection.
If set, the Client Certificate Requested But Not Enforced attribute asks a client to present a certificate but continues the SSL connection if the client cannot. In this case the connection is encrypted, but the client is not authenticated, so an application that relies on the client certificate must check that one was actually presented before trusting the request.
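Once the server has been restarted, whether it really asks for a client certificate can be checked from outside with openssl s_client, which reports the CA names the server lists in its CertificateRequest. The script below is an added example, not from the book or from BEA; it assumes openssl on PATH, and the host:port and client PEM file names are placeholders. The sample transcript at the end is constructed for the demonstration, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the book or from BEA): verify the Two Way Client Cert Behavior
# setting from outside the server. Assumptions: openssl is on PATH; host:port and the
# client PEM files are placeholders.
set -eu

# Classify an "openssl s_client" transcript read from stdin. Prints one of:
#   requested      - the server sent a CertificateRequest (it listed acceptable CA names,
#                    or, with newer OpenSSL, the accepted client certificate types)
#   not-requested  - the handshake ran without the server asking for a certificate
#   no-server-cert - no server certificate was received, so SSL is not really in place
#   unknown        - none of the expected lines were found (for example, connection refused)
classify_probe() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q '^no peer certificate available'; then
        echo no-server-cert
    elif printf '%s\n' "$transcript" | grep -Eq '^(Acceptable client certificate CA names|Client Certificate Types:)'; then
        echo requested
    elif printf '%s\n' "$transcript" | grep -q '^No client certificate CA names sent'; then
        echo not-requested
    else
        echo unknown
    fi
}

# Probe without offering a client certificate. With "Enforced" the server ends the connection
# after its request (the rest of the transcript shows the handshake alert); with
# "Requested But Not Enforced" the handshake completes.
probe_no_cert() {      # $1 = host:port, e.g. www.example.com:7002
    openssl s_client -connect "$1" </dev/null 2>&1 | classify_probe
}

# Probe with a client key pair in PEM form; the certificate must chain to a CA the server trusts.
probe_with_cert() {    # $1 = host:port, $2 = client-cert.pem, $3 = client-key.pem
    openssl s_client -connect "$1" -cert "$2" -key "$3" </dev/null 2>&1 | classify_probe
}

# Constructed sample transcript (not captured from a real server) in s_client's layout,
# so the classifier can be exercised offline.
sample_requested='CONNECTED(00000003)
---
Server certificate
---
Acceptable client certificate CA names
CN=Example Root CA, O=Example Corp, C=US
---'
printf '%s\n' "$sample_requested" | classify_probe   # prints: requested
```

Only the "requested" versus "not-requested" distinction is decided from the CA-names lines; whether a missing certificate is enforced is visible in the remainder of probe_no_cert's transcript, where an enforced server aborts the handshake. The check relies on the server including its trusted CA names in the request, which is what the SSL 3.0 and TLS 1.0 handshakes WebLogic 8.1 speaks always do.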