BEA WebLogic Server Release 1.1


WebLogic Frequently Asked Questions: Security

 

Expired sample security certificates

My sample security certificates have expired. Can they be updated?

You can download an updated set and install them in your myserver/ directory, or wherever in your distribution you had installed them.

The sample certificates let you test SSL with WebLogic Server. The certificates are issued by WebLogic and are not signed by a well-known certificate authority, so they are not useful in a production environment. To purchase your own certificates, you can generate a certificate request using the Certificate Request servlet described in Using WebLogic SSL.

Using RSA encryption

Does WebLogic offer RSA encryption algorithms so that developers can use the javax.crypto.* API to build applications?

No. WebLogic's RSA license does not permit end-users to use RSA classes directly. You must obtain your own license for the encryption libraries from RSA.

SSL and certificates

I am trying to use the certificate capture facility to provide two-way authentication. The servlet, however, only returns 'no certificate'. What's going on?

There could be several causes for this problem. To troubleshoot, please check the following:

  1. Does your browser have a personal certificate?

  2. Have you configured WebLogic SSL to require client authentication by specifying a valid root X509 certificate for the weblogic.security.clientRootCA property?

  3. Have you installed the certificates for WebLogic in the myserver/ directory (or named per-server directory)?

  4. Have you configured a port for SSL connection requests in the properties file?

  5. Are you using HTTPS rather than HTTP?

Using non-RSA style certificates

Does WebLogic support Diffie-Hellman or DSS/DSA public/private key digital certificates?

No. The exportable version of WebLogic supports only 512-bit RSA with 40-bit RC4. Additionally, browsers do not support these types of certificates, and there are no commercial issuers for DSA certificates.

Is it possible to have two certificates on the server, one RSA-based, and one non-RSA based?

No.

We have some client code that currently uses Diffie-Hellman or DSS/DSA. We need to move HTTP-based to HTTPS-based, but we do not want to pay additional RSA licensing costs. Can you help?

WebLogic has licensed RSA for SSL between WebLogic Servers and clients. With WebLogic, no extra licensing for RSA is necessary, although different rules apply to VARs.

Can access to servlets be restricted?

Regarding ACLs on JSPs, is it possible to force HTTPS access? I know there is a way to subclass JSPs from a Servlet that checks the protocol. Is there a way to do this through configuration?

The Java Servlet API Specification v2.2 allows you to declaratively restrict access to specific Servlets and JSPs using the Web Application Deployment descriptor. Section 13.3.2 of the specification has an example deployment descriptor that uses declarative security. For more information, see Setting Up Security Restraints in Writing a Web Application.