Oracle8i Enterprise JavaBeans Developer's Guide and Reference Release 3 (8.1.7) Part Number A83725-01 |
|
The SSL layer authenticates the peers during the connect handshake. After the handshake, you can be assured that the peer is authenticated to be who they said they are. In addition, since the server has specified, within an Oracle wallet, its trustpoints, the SSL adapter on the server will authorize the client. However, the client has the option of how much authorization is done against the server.
The server automatically has trustpoints established through the installed Oracle Wallet. The trustpoints in the wallet are used to verify the client's certificates. However, if the client wants to verify the server's certificates against certain trustpoints, it can set up its these trustpoints, as follows:
AuroraCertificateManager.addTrustedCertificate
method. See Example 6-4 on how to set a single trustpoint through JNDI.
AuroraCertificateManager.addTrustedCertificate
method.
If the client does not set up trust points, it does not hinder the authorization. That is, JServer assumes that the client trusts the server.
The following example shows how the client sets up its trustpoints through JNDI. The JNDI SECURITY_TRUSTED_CERT
property can take only a single certificate.
// setup the trust point
env.put(ServiceCtx.SECURITY_TRUSTED_CERT
, trustedCert);
The client retrieves the certificates to perform any authorization checks. In the past, you could retrieve the single issuer certificate. Now, you receive the entire issuer certificate chain. You must parse the certificate chain for the information that you need. You can parse the chain through the AuroraCurrent
object.
AuroraCurrent
contains three methods for retrieving and managing the certificate chain. For creating and parsing the certificate chain, you can use the X509Cert
class methods. For information on this class, see Sun Microsystems's JDK documentation. Note that the X509Cert
class manipulates the certificate chain differently in JDK 1.1 than in Java 2.
The AuroraCurrent
class methods are as follows:
getPeerDERCertChain
--obtain the peer's certificate chain, which enables you to verify that the peer is authorized to access your application methods.
getNegotiatedProtocolVersion
--obtain the SSL protocol version being used by the connection, to verify the versioning.
getNegotiatedCipherSuite
--obtain the cipher suite used to encrypt messages passed over the connection, to verify that the encryption is strong enough for your purposes.
When the handshake occurs, the protocol version and the type of encryption used is negotiated. The type of encryption can be full or limited encryption, which complies with the United States legal restrictions. After the handshake completes, the AuroraCurrent can retrieve what was resolved in the negotiation.
The following describes the methods contained within AuroraCurrent
. See Example 6-5 for a code example of these methods.
This method obtains the type of encryption negotiated in the handshake with the peer.
Syntax
String getNegotiatedCipherSuite(org.omg.CORBA.Object peer);
Parameter | Description |
---|---|
peer |
The peer from which you obtain the negotiated cipher. |
Returns
A string one of the following values:
Export ciphers:
Domestic ciphers
This method obtains the peer's certificate chain. After retrieving the chain, you can parse through the certificates within the chain, to authorize the peer to your application.
Syntax
byte [] [] getPeerDERCertificateChain(org.omg.CORBA.Object peer);
Parameter | Description |
---|---|
peer |
The peer from which you obtain its certificate chain. |
Returns
A byte array containing an array of certificates.
This method obtains the negotiated SSL protocol version of a peer.
Syntax
String getNegoriatedProtocolVersion(org.omg.CORBA.Object peer);
Parameter | Description |
---|---|
peer |
The peer from which you obtain the negotiated protocol version. |
Returns
A string with one of the following values:
This example shows how to authorize a peer by retrieving the certificate information using the AuroraCurrent
object.
AuroraCurrent
object, invoke the ORB.resolve_initial_references
method with AuroraSSLCurrent
as the argument.
AuroraCurrent
methods: getNegotiatedCipherSuite
, getNegotiatedProtocolVersion
, and getPeerDERCertChain
.
static boolean verifyPeerCert(org.omg.CORBA.Object obj) throws Exception { org.omg.CORBA.ORB orb = oracle.aurora.jndi.orb_dep.Orb.init(); // Get the SSL currentAuroraCurrent
current = AuroraCurrentHelper.narrow (orb.resolve_initial_references("AuroraSSLCurrent
")); // Check the cipher System.out.println("Negotiated Cipher: " + current.getNegotiatedCipherSuite
(obj)); // Check the protocol version System.out.println("Protocol Version: " + current.getNegotiatedProtocolVersion
(obj)); // Check the peer's certificate System.out.println("Peer's certificate chain : "); byte [] [] certChain = current.getPeerDERCertChain
(obj); //Parse through the certificate chain using the X509Certificate methods System.out.println("length : " + certChain.length); System.out.println("Certificates: "); CertificateFactory cf = CertificateFactory.getInstance("X.509"); //For each certificate in the chain for(int i = 0; i < certChain.length; i++) { ByteArrayInputStream bais = new ByteArrayInputStream(certChain[i]); Certificate xcert = cf.generateCertificate(bais); System.out.println(xcert); if(xcert instanceof X509Certificate) { X509Certificate x509Cert = (X509Certificate)xcert; String globalUser = x509Cert.getSubjectDN().getName(); System.out.println("DN out of the cert : " + globalUser); } } return true; }
|
Copyright © 1996-2000, Oracle Corporation. All Rights Reserved. |
|