Authorization

The SSL layer authenticates the peers during the connect handshake. After the handshake, you can be assured that the peer is authenticated to be who they said they are. In addition, since the server has specified, within an Oracle wallet, its trustpoints, the SSL adapter on the server will authorize the client. However, the client has the option of how much authorization is done against the server.

• The client can direct the SSL layer to authorize the server by setting up trustpoints.

• The client can authorize the server itself by extracting the server's certificate chain and parsing through the chain.

Setting up Trust Points

The server automatically has trustpoints established through the installed Oracle Wallet. The trustpoints in the wallet are used to verify the client's certificates. However, if the client wants to verify the server's certificates against certain trustpoints, it can set up its these trustpoints, as follows:

• If server-side authentication is requested, the client does not have any certificates set. Thus, to verify the server's certificates, the client can set a single trustpoint through JNDI, or if it is a pure CORBA application--that does not use JNDI--can add trustpoints through the AuroraCertificateManager.addTrustedCertificate method. See Example 6-4 on how to set a single trustpoint through JNDI.

• If client-side authentication is requested, the client has set up certificates. Thus, the client can add trustpoints to the file that contains its certificates, can add a single trustpoint through JNDI, or if it is a pure CORBA application--that does not use JNDI--can add trustpoints through the AuroraCertificateManager.addTrustedCertificate method.

If the client does not set up trust points, it does not hinder the authorization. That is, JServer assumes that the client trusts the server.

Example 6-4 Verifying Trustpoints

The following example shows how the client sets up its trustpoints through JNDI. The JNDI SECURITY_TRUSTED_CERT property can take only a single certificate.

// setup the trust point
env.put(ServiceCtx.SECURITY_TRUSTED_CERT, trustedCert);

Parsing through the Server's Certificate Chain

The client retrieves the certificates to perform any authorization checks. In the past, you could retrieve the single issuer certificate. Now, you receive the entire issuer certificate chain. You must parse the certificate chain for the information that you need. You can parse the chain through the AuroraCurrent object.

Note: You must configure the database and listener to be SSL-enabled, as described in Chapter 3, "Configuring IIOP Applications".

Note: JDK 1.1 certificate classes were contained within javax.security.cert. In JDK 1.2, these classes moved to java.security.cert.

AuroraCurrent contains three methods for retrieving and managing the certificate chain. For creating and parsing the certificate chain, you can use the X509Cert class methods. For information on this class, see Sun Microsystems's JDK documentation. Note that the X509Cert class manipulates the certificate chain differently in JDK 1.1 than in Java 2.

The AuroraCurrent class methods are as follows:

• getPeerDERCertChain--obtain the peer's certificate chain, which enables you to verify that the peer is authorized to access your application methods.

• getNegotiatedProtocolVersion--obtain the SSL protocol version being used by the connection, to verify the versioning.

• getNegotiatedCipherSuite--obtain the cipher suite used to encrypt messages passed over the connection, to verify that the encryption is strong enough for your purposes.

When the handshake occurs, the protocol version and the type of encryption used is negotiated. The type of encryption can be full or limited encryption, which complies with the United States legal restrictions. After the handshake completes, the AuroraCurrent can retrieve what was resolved in the negotiation.

AuroraCurrent Class

The following describes the methods contained within AuroraCurrent. See Example 6-5 for a code example of these methods.

getNegotiatedCipherSuite

This method obtains the type of encryption negotiated in the handshake with the peer.

Syntax

String getNegotiatedCipherSuite(org.omg.CORBA.Object peer);

Parameter	Description
peer	The peer from which you obtain the negotiated cipher.

Returns

A string one of the following values:

Export ciphers:

• SSL_RSA_EXPORT_WITH_RC4_40_MD5

• SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

• SSL_DH_anon_EXPORT_WITH_RC4_40_MD5

• SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA

• SSL_RSA_WITH_NULL_SHA

• SSL_RSA_WITH_NULL_MD5

Domestic ciphers

• SSL_RSA_WITH_3DES_EDE_CBC_SHA

• SSL_RSA_WITH_RC4_128_SHA

• SSL_RSA_WITH_RC4_128_MD5

• SSL_RSA_WITH_DES_CBC_SHA

• SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

• SSL_DH_anon_WITH_RC4_128_MD5

• SSL_DH_anon_WITH_DES_CBC_SH

getPeerDERCertificateChain

This method obtains the peer's certificate chain. After retrieving the chain, you can parse through the certificates within the chain, to authorize the peer to your application.

Syntax

byte [] [] getPeerDERCertificateChain(org.omg.CORBA.Object peer);

Parameter	Description
peer	The peer from which you obtain its certificate chain.

Returns

A byte array containing an array of certificates.

getNegotiatedProtocolVersion

This method obtains the negotiated SSL protocol version of a peer.

Syntax

String getNegoriatedProtocolVersion(org.omg.CORBA.Object peer);

Parameter	Description
peer	The peer from which you obtain the negotiated protocol version.

Returns

A string with one of the following values:

• SSL_Version_Undetermined

• SSL_Version_3_0

Example 6-5 Retrieving a Peer's SSL information for Authorization

This example shows how to authorize a peer by retrieving the certificate information using the AuroraCurrent object.

1. To retrieve an AuroraCurrent object, invoke the ORB.resolve_initial_references method with AuroraSSLCurrent as the argument.

2. Retrieve the SSL information from the peer through AuroraCurrent methods: getNegotiatedCipherSuite, getNegotiatedProtocolVersion, and getPeerDERCertChain.

3. Authorize the peer. You can authorize the peer based on its certificate chain.

   Note: This example uses the x509Certificate class methods for parsing the certificate chain and is specific to Java 2. If you are using Java 1.1, you must use the x509Certificate class methods specific to Java 1.1.

   static boolean verifyPeerCert(org.omg.CORBA.Object obj) throws Exception
    {
      org.omg.CORBA.ORB orb = oracle.aurora.jndi.orb_dep.Orb.init();
   
      // Get the SSL current
      AuroraCurrent current = AuroraCurrentHelper.narrow
          (orb.resolve_initial_references("AuroraSSLCurrent"));
   
      // Check the cipher
      System.out.println("Negotiated Cipher:  " +
                         current.getNegotiatedCipherSuite(obj));
      // Check the protocol version
      System.out.println("Protocol Version:   " +
                         current.getNegotiatedProtocolVersion(obj));
      // Check the peer's certificate
      System.out.println("Peer's certificate chain : ");
      byte [] [] certChain = current.getPeerDERCertChain(obj);
   
      //Parse through the certificate chain using the X509Certificate methods
      System.out.println("length : " + certChain.length);
      System.out.println("Certificates: ");
      CertificateFactory cf = CertificateFactory.getInstance("X.509");
   
      //For each certificate in the chain
      for(int i = 0; i < certChain.length; i++) {
        ByteArrayInputStream bais = new ByteArrayInputStream(certChain[i]);
        Certificate  xcert = cf.generateCertificate(bais);
        System.out.println(xcert);
        if(xcert instanceof X509Certificate)
        {
          X509Certificate x509Cert = (X509Certificate)xcert;
          String globalUser = x509Cert.getSubjectDN().getName();
          System.out.println("DN out of the cert : " + globalUser);
        }
      }
   
      return true;
    }
   

   Note: The x509Certificate class is a Java 2 class. See Sun Microsystems's documentation for more information. In addition, you can find information in the javadoc for javax.net.ssl.

---