Oracle8i Enterprise JavaBeans Developer's Guide and Reference
Release 3 (8.1.7)

Part Number A83725-01

Library

Solution Area

Contents

Index

Go to previous page Go to beginning of chapter Go to next page

Authorization

The SSL layer authenticates the peers during the connect handshake. After the handshake, you can be assured that the peer is authenticated to be who they said they are. In addition, since the server has specified, within an Oracle wallet, its trustpoints, the SSL adapter on the server will authorize the client. However, the client has the option of how much authorization is done against the server.

Setting up Trust Points

The server automatically has trustpoints established through the installed Oracle Wallet. The trustpoints in the wallet are used to verify the client's certificates. However, if the client wants to verify the server's certificates against certain trustpoints, it can set up its these trustpoints, as follows:

If the client does not set up trust points, it does not hinder the authorization. That is, JServer assumes that the client trusts the server.

Example 6-4 Verifying Trustpoints

The following example shows how the client sets up its trustpoints through JNDI. The JNDI SECURITY_TRUSTED_CERT property can take only a single certificate.

// setup the trust point
env.put(ServiceCtx.SECURITY_TRUSTED_CERT, trustedCert);

Parsing through the Server's Certificate Chain

The client retrieves the certificates to perform any authorization checks. In the past, you could retrieve the single issuer certificate. Now, you receive the entire issuer certificate chain. You must parse the certificate chain for the information that you need. You can parse the chain through the AuroraCurrent object.


Note:

You must configure the database and listener to be SSL-enabled, as described in Chapter 3, "Configuring IIOP Applications".  



Note:

JDK 1.1 certificate classes were contained within javax.security.cert. In JDK 1.2, these classes moved to java.security.cert.  


AuroraCurrent contains three methods for retrieving and managing the certificate chain. For creating and parsing the certificate chain, you can use the X509Cert class methods. For information on this class, see Sun Microsystems's JDK documentation. Note that the X509Cert class manipulates the certificate chain differently in JDK 1.1 than in Java 2.

The AuroraCurrent class methods are as follows:

When the handshake occurs, the protocol version and the type of encryption used is negotiated. The type of encryption can be full or limited encryption, which complies with the United States legal restrictions. After the handshake completes, the AuroraCurrent can retrieve what was resolved in the negotiation.

AuroraCurrent Class

The following describes the methods contained within AuroraCurrent. See Example 6-5 for a code example of these methods.

getNegotiatedCipherSuite

This method obtains the type of encryption negotiated in the handshake with the peer.

Syntax

String getNegotiatedCipherSuite(org.omg.CORBA.Object peer);

Parameter   Description  

peer  

The peer from which you obtain the negotiated cipher.  

Returns

A string one of the following values:

Export ciphers:

Domestic ciphers

getPeerDERCertificateChain

This method obtains the peer's certificate chain. After retrieving the chain, you can parse through the certificates within the chain, to authorize the peer to your application.

Syntax

byte [] [] getPeerDERCertificateChain(org.omg.CORBA.Object peer);

Parameter   Description  

peer  

The peer from which you obtain its certificate chain.  

Returns

A byte array containing an array of certificates.

getNegotiatedProtocolVersion

This method obtains the negotiated SSL protocol version of a peer.

Syntax

String getNegoriatedProtocolVersion(org.omg.CORBA.Object peer);

Parameter   Description  

peer  

The peer from which you obtain the negotiated protocol version.  

Returns

A string with one of the following values:

This example shows how to authorize a peer by retrieving the certificate information using the AuroraCurrent object.

  1. To retrieve an AuroraCurrent object, invoke the ORB.resolve_initial_references method with AuroraSSLCurrent as the argument.

  2. Retrieve the SSL information from the peer through AuroraCurrent methods: getNegotiatedCipherSuite, getNegotiatedProtocolVersion, and getPeerDERCertChain.

  3. Authorize the peer. You can authorize the peer based on its certificate chain.


    Note:

    This example uses the x509Certificate class methods for parsing the certificate chain and is specific to Java 2. If you are using Java 1.1, you must use the x509Certificate class methods specific to Java 1.1.  


    static boolean verifyPeerCert(org.omg.CORBA.Object obj) throws Exception
     {
       org.omg.CORBA.ORB orb = oracle.aurora.jndi.orb_dep.Orb.init();
    
       // Get the SSL current
       AuroraCurrent current = AuroraCurrentHelper.narrow
           (orb.resolve_initial_references("AuroraSSLCurrent"));
    
       // Check the cipher
       System.out.println("Negotiated Cipher:  " +
                          current.getNegotiatedCipherSuite(obj));
       // Check the protocol version
       System.out.println("Protocol Version:   " +
                          current.getNegotiatedProtocolVersion(obj));
       // Check the peer's certificate
       System.out.println("Peer's certificate chain : ");
       byte [] [] certChain = current.getPeerDERCertChain(obj);
    
       //Parse through the certificate chain using the X509Certificate methods
       System.out.println("length : " + certChain.length);
       System.out.println("Certificates: ");
       CertificateFactory cf = CertificateFactory.getInstance("X.509");
    
       //For each certificate in the chain
       for(int i = 0; i < certChain.length; i++) {
         ByteArrayInputStream bais = new ByteArrayInputStream(certChain[i]);
         Certificate  xcert = cf.generateCertificate(bais);
         System.out.println(xcert);
         if(xcert instanceof X509Certificate)
         {
           X509Certificate x509Cert = (X509Certificate)xcert;
           String globalUser = x509Cert.getSubjectDN().getName();
           System.out.println("DN out of the cert : " + globalUser);
         }
       }
    
       return true;
     }
    


    Note:

    The x509Certificate class is a Java 2 class. See Sun Microsystems's documentation for more information. In addition, you can find information in the javadoc for javax.net.ssl.  




Go to previous page
Go to beginning of chapter
Go to next page
Oracle
Copyright © 1996-2000, Oracle Corporation.

All Rights Reserved.

Library

Solution Area

Contents

Index