Administration Console Online Help


Servers: Configuration: SSL


This page lets you view and define various Secure Sockets Layer (SSL) settings for this server instance. These settings help you to manage the security of message transmissions.

For purposes of backward compatibility, WebLogic Server lets you store private keys and trusted certificate authorities in files or in the WebLogic Keystore provider. If you use either of these mechanisms for identity and trust, choose the Files or Keystore Providers (Deprecated) option.

Note: When you use the WebLogic Keystore provider, you store the digital certificates in files.

Configuration Options

Identity and Trust Locations

Indicates where SSL should find the server's identity (certificate and private key) as well as the server's trust (trusted CAs).

  • If set to KEYSTORES, then SSL retrieves the identity and trust from the server's keystores (that are configured on the Server).

  • If set to FILES_OR_KEYSTORE_PROVIDERS, then SSL first looks in the deprecated KeyStore providers for the identity and trust. If not found, then it looks in the flat files indicated by the SSL Trusted CA File Name, Server Certificate File Name, and Server Key File Name attributes.

Domains created in WebLogic Server version 8.1 or later default to KEYSTORES. Domains created before WebLogic Server version 8.1 default to FILES_OR_KEYSTORE_PROVIDERS.

MBean Attribute:
SSLMBean.IdentityAndTrustLocations

Private Key Location

The keystore attribute that defines the location of the private key file.

Private Key File Name

The full directory location of the private key file (.der or .pem) for the server.

The pathname should either be absolute or relative to the directory from which the server is booted. This field provides backward compatibility for security configurations that store private keys in files. For a more secure deployment, BEA recommends saving private keys in keystores.

The file extension (.der or .pem) indicates the method that should be used to read the file.

MBean Attribute:
SSLMBean.ServerKeyFileName

Private Key Alias

The keystore attribute that defines the string alias used to store and retrieve the server's private key.

MBean Attribute:
SSLMBean.ServerPrivateKeyAlias

Private Key Passphrase

The keystore attribute that defines the passphrase used to retrieve the server's private key.

MBean Attribute:
SSLMBean.ServerPrivateKeyPassPhrase

Changes take effect after you redeploy the module or restart the server.

Confirm Private Key Passphrase

Re-enter the private key passphrase.

Certificate Location

The keystore attribute that defines the location of the trusted certificate.

Server Certificate File Name

The full directory location of the digital certificate file (.der or .pem) for the server.

The pathname should either be absolute or relative to the directory from which the server is booted. This field provides backward compatibility for security configurations that stored digital certificates in files.

The file extension (.der or .pem) tells WebLogic Server how to read the contents of the file.

MBean Attribute:
SSLMBean.ServerCertificateFileName

Trusted Certificate Authorities

The keystore attribute that defines the location of the certificate authorities.

MBean Attribute:
ServerMBean.CustomTrustKeyStoreFileName

Trusted CA File Name

The full directory location of the file that specifies the certificate authorities trusted by the server.

The pathname should either be absolute or relative to the directory from which the server is booted. This field provides backward compatibility for security configurations that store trusted certificate authorities in files.

The file specified in this attribute can contain a single digital certificate or multiple digital certificates. The file extension (.der or .pem) tells WebLogic Server how to read the contents of the file.

MBean Attribute:
SSLMBean.TrustedCAFileName

Advanced Configuration Options

Hostname Verification

Specifies whether to ignore the installed implementation of the weblogic.security.SSL.HostnameVerifier interface (when this server is acting as a client to another application server).

MBean Attribute:
SSLMBean.HostnameVerificationIgnored

Changes take effect after you redeploy the module or restart the server.

Custom Hostname Verifier

The name of the class that implements the weblogic.security.SSL.HostnameVerifier interface.

This class verifies whether the connection to the host with the hostname taken from the URL should be allowed. The class is used to prevent man-in-the-middle attacks. The weblogic.security.SSL.HostnameVerifier interface has a verify() method that WebLogic Server calls on the client during the SSL handshake.

MBean Attribute:
SSLMBean.HostnameVerifier

Secure value: weblogic.security.SSL.HostnameVerifier

Changes take effect after you redeploy the module or restart the server.
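The following is an added example of a custom hostname verifier, not code from this help page or from Oracle/BEA. It assumes the weblogic.security.SSL.HostnameVerifier interface declares boolean verify(String urlHostname, javax.net.ssl.SSLSession session) and that weblogic.jar is on the compile classpath; the package name com.example.ssl and the class name StrictHostnameVerifier are placeholders. The verifier fails closed: it accepts the connection only when the peer's leaf certificate carries a SAN dNSName (or, when no SAN dNSName exists, a subject CN) that matches the hostname from the URL, allowing a single left-most wildcard label.

```java
// Added example: a fail-closed weblogic.security.SSL.HostnameVerifier implementation.
// Assumed interface signature: boolean verify(String urlHostname, javax.net.ssl.SSLSession session).
package com.example.ssl; // placeholder package name

import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

public final class StrictHostnameVerifier implements weblogic.security.SSL.HostnameVerifier {

    private static final int SAN_DNS_NAME = 2; // GeneralName tag number for dNSName

    // Called by WebLogic Server on the client side during the SSL handshake.
    @Override
    public boolean verify(String urlHostname, SSLSession session) {
        if (urlHostname == null || session == null) {
            return false; // nothing to compare against: fail closed
        }
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            return matches(urlHostname, dnsNames((X509Certificate) chain[0]));
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // peer not authenticated or unparsable extension: reject
        }
    }

    // DNS names from the SAN extension; falls back to the subject CN only when no SAN dNSName exists
    // (the RFC 6125 rule: a CN is not consulted once the certificate carries SAN dNSName entries).
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == SAN_DNS_NAME) {
                    names.add((String) san.get(1));
                }
            }
        }
        if (names.isEmpty()) {
            String cn = commonName(cert.getSubjectX500Principal());
            if (cn != null) names.add(cn);
        }
        return names;
    }

    static String commonName(X500Principal principal) {
        try {
            for (Rdn rdn : new LdapName(principal.getName(X500Principal.RFC2253)).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException ignored) {
            // malformed DN: treat as having no CN
        }
        return null;
    }

    // Case-insensitive exact match, or a wildcard "*.example.com" covering exactly one label.
    // A wildcard never matches a bare public suffix such as "*.com" and never spans two labels.
    static boolean matches(String host, List<String> names) {
        String h = host.toLowerCase(Locale.ROOT);
        if (h.endsWith(".")) h = h.substring(0, h.length() - 1); // drop trailing dot of an FQDN
        for (String n : names) {
            String name = n.toLowerCase(Locale.ROOT);
            if (name.equals(h)) return true;
            if (name.startsWith("*.") && !name.substring(2).contains("*")) {
                String suffix = name.substring(1); // ".example.com"
                int dot = h.indexOf('.');
                boolean oneLabelBeforeSuffix = dot > 0 && h.substring(dot).equals(suffix);
                boolean suffixHasTwoLabels = suffix.indexOf('.', 1) > 0;
                if (oneLabelBeforeSuffix && suffixHasTwoLabels) return true;
            }
        }
        return false;
    }

    // Stand-alone demonstration of the matching rules with constructed names (no SSL session needed).
    public static void main(String[] args) {
        List<String> certNames = Arrays.asList("*.example.com", "api.example.net"); // constructed
        System.out.println(matches("www.example.com", certNames));   // true  (one wildcard label)
        System.out.println(matches("a.b.example.com", certNames));   // false (wildcard spans two labels)
        System.out.println(matches("API.EXAMPLE.NET.", certNames));  // true  (case-insensitive, trailing dot)
        System.out.println(matches("example.com", certNames));       // false (wildcard needs a label)
        System.out.println(matches("www.evil.com", Arrays.asList("*.com"))); // false (public suffix)
    }
}
```

To use it, compile the class against weblogic.jar, place it on the server's classpath, and enter its fully qualified name (com.example.ssl.StrictHostnameVerifier in this example) in the Custom Hostname Verifier field (SSLMBean.HostnameVerifier). The class is consulted only when Hostname Verification is not set to ignore the verifier, so both settings need to be checked when auditing whether a server validates the hosts it connects to.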

Export Key Lifespan

Indicates the number of times WebLogic Server can use an exportable key between a domestic server and an exportable client before generating a new key. The more secure you want WebLogic Server to be, the fewer times the key should be used before generating a new key.

MBean Attribute:
SSLMBean.ExportKeyLifespan

Minimum value: 1

Maximum value: 2147483647

Use Server Certs

Sets whether the client should use the server certificates/key as the client identity when initiating a connection over https.

MBean Attribute:
SSLMBean.UseServerCerts

Changes take effect after you redeploy the module or restart the server.

Two Way Client Cert Behavior

The form of SSL that should be used.

By default, WebLogic Server is configured to use one-way SSL (implied by the Client Certs Not Requested value). Selecting Client Certs Requested But Not Enforced enables two-way SSL. With this option, the server requests a certificate from the client, but the connection continues if the client does not present a certificate. Selecting Client Certs Requested And Enforced also enables two-way SSL and requires a client to present a certificate. However, if a certificate is not presented, the SSL connection is terminated.

MBean Attribute:
SSLMBean.TwoWaySSLEnabled

Secure value: true

Cert Authenticator

The name of the Java class that implements the weblogic.security.acl.CertAuthenticator class, which is deprecated in this release of WebLogic Server. This field is for Compatibility security only, and is only used when the Realm Adapter Authentication provider is configured.

The weblogic.security.acl.CertAuthenticator class maps the digital certificate of a client to a WebLogic Server user. The class has an authenticate() method that WebLogic Server calls after validating the digital certificate presented by the client.

MBean Attribute:
SSLMBean.CertAuthenticator

Secure value: weblogic.security.acl.CertAuthenticator

Changes take effect after you redeploy the module or restart the server.

SSL Rejection Logging Enabled

Indicates whether warning messages are logged in the server log when SSL connections are rejected.

MBean Attribute:
SSLMBean.SSLRejectionLoggingEnabled

Inbound Certificate Validation

Indicates the client certificate validation rules for inbound SSL.

This attribute only applies to ports and network channels using 2-way SSL.

MBean Attribute:
SSLMBean.InboundCertificateValidation

Outbound Certificate Validation

Indicates the server certificate validation rules for outbound SSL.

This attribute always applies to outbound SSL that is part of WebLogic Server (that is, an Administration Server talking to the Node Manager). It does not apply to application code in the server that is using outbound SSL unless the application code uses a weblogic.security.SSL.ServerTrustManager that is configured to use outbound SSL validation.

MBean Attribute:
SSLMBean.OutboundCertificateValidation
