To use a client certificate for specifying an outbound two-way SSL connection, complete the steps described in the following sections:
Note:
Switching WebLogic Server's identity to a client certificate is supported only when making an outbound two-way SSL connection. For inbound SSL connections, where WebLogic Server is acting as an SSL server, the server certificate is always used for identity.
Add a client certificate to WebLogic Server's identity keystore and define the name of the alias under which the private key and public certificate are stored. This task only needs to be done once. After completing the configuration steps, the ability to use a client identity for making an outbound two-way SSL connection is always available for the current WebLogic Server instance.
To add a client certificate to the identity keystore, complete the following steps:
Learn how to write a WLST script to initiate an outbound two-way SSL connection using the client certificate.
To initiate an outbound two-way SSL connection using the client certificate, create a WLST script that does the following:
- Sets the SSLMBean.UseServerCerts attribute to true, which establishes the server identity for the outbound connection.
- Sets the SSLMBean.UseClientCertForOutbound attribute to true.
- Specifies the private key pass phrase, using the SSLMBean.ClientCertPrivateKeyPassPhrase attribute, and the client certificate keystore alias, using the SSLMBean.ClientCertAlias attribute.
Example 33-1 Sample WLST Script that Initiates an Outbound Two-Way SSL Connection Using a Client Identity
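# Sample connection values; connect and open an edit session.
url="t3://localhost:7001"
adminUsername="weblogic"
adminPassword="password"
connect(adminUsername, adminPassword, url)
edit()
server=cmo.lookupServer('myserver')
cd('Servers')
cd('myserver')
startEdit()
cd('SSL')
cd('myserver')
ssl = server.getSSL()
# Establish the server identity, then switch outbound connections to the client certificate.
ssl.setUseServerCerts(true)
ssl.setUseClientCertForOutbound(true)
# Keystore alias and private key pass phrase of the client certificate.
ssl.setClientCertAlias("myClientCert")
ssl.setClientCertPrivateKeyPassPhrase("myClientCertPrivateKeyPassPhrase")
# Save and activate the change, then leave WLST.
save()
activate()
disconnect()
exit()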
Example 33-1 shows a WLST script that initiates an outbound two-way SSL connection using a client certificate from the identity keystore configured with WebLogic Server.
To restore use of the server identity certificate for outbound SSL connections, specify a WLST command that sets the SSLMBean.UseClientCertForOutbound attribute to false.
Note the following:
Note that the values of the SSLMBean.ClientCertPrivateKeyPassPhrase and SSLMBean.ClientCertAlias attributes are persisted and are used the next time an outbound two-way SSL connection using a client identity is made (that is, the next time the SSLMBean.UseClientCertForOutbound attribute is set to true).
The SSLMBean attributes used for specifying a client certificate for outbound SSL connections are not available from the WebLogic Server Administration Console.
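The restore step and the persistence note above, as an added WLST example that is not part of the original documentation: it sets SSLMBean.UseClientCertForOutbound back to false and then reads the stored alias back to show that it is still configured. The URL and server name are the sample values from Example 33-1; reaching the SSL MBean through the absolute path /Servers/myserver/SSL/myserver and connecting without credentials in the script are assumptions of this example.

```jython
# Added example (WLST runs on Jython). Sample values reused from Example 33-1.
url = "t3://localhost:7001"
serverName = "myserver"

# Assumption: no credentials are kept in the script. With only a URL, WLST
# uses a stored user configuration file if one exists, otherwise it prompts.
connect(url=url)
edit()
startEdit()
try:
    # Same location that Example 33-1 reaches with its separate cd() calls.
    cd('/Servers/' + serverName + '/SSL/' + serverName)
    # Outbound two-way SSL goes back to the server identity certificate.
    cmo.setUseClientCertForOutbound(false)
    save()
    activate()
except:
    # Do not leave a half-made change or an edit lock behind.
    dumpStack()
    cancelEdit('y')
    disconnect()
    raise

# Read back the state. The alias is still stored even though the flag is
# false, so it is what the server uses the next time the flag is set to true.
# The pass phrase is persisted in the same way and is deliberately not printed.
print 'UseClientCertForOutbound:', get('UseClientCertForOutbound')
print 'ClientCertAlias still stored:', get('ClientCertAlias')

disconnect()
exit()
```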