WebLogic Frequently Asked Questions: Security
My sample security certificates have expired. Can they be updated?
You can download an updated set and install them in your myserver/ directory,
or wherever in your distribution you had installed them.
The sample certificates let you test SSL with WebLogic Server. The certificates are issued by WebLogic and are not signed by a well-known certificate authority, so they are not useful in a production environment. To purchase your own certificates, you can generate a certificate request using the Certificate Request servlet described in Using WebLogic SSL.
Does WebLogic offer RSA encryption algorithms so that developers can use the
javax.crypto.* API to build applications?
No. WebLogic's RSA license does not permit end-users to use RSA classes
directly. You must obtain your own license for the encryption libraries from RSA.
I am trying to use the certificate capture facility to provide two-way authentication.
The servlet, however, only returns 'no certificate'. What's going on?
There could be several causes for this problem. To troubleshoot, please check the
following:
Using non-RSA style certificates
Does WebLogic support Diffie-Hellman or DSS/DSA public/private key digital
certificates?
No. The exportable version of WebLogic supports only 512-bit RSA with 40-bit
RC4. Additionally, browsers do not support these types of certificates, and there are no
commercial issuers for DSA certificates.
Is it possible to have two certificates on the server, one RSA-based, and one
non-RSA based?
We have some client code that currently uses Diffie-Hellman or DSS/DSA. We
need to move from HTTP to HTTPS, but we do not want to pay additional RSA
licensing costs. Can you help?
WebLogic has licensed RSA for SSL between WebLogic Servers and clients. With
WebLogic, no extra licensing for RSA is necessary, although different rules apply to
VARs.
Can access to servlets be restricted?
Regarding ACLs on JSPs, is it possible to force HTTPS access? I know there is a
way to subclass JSPs from a Servlet that checks the protocol. Is there a way to do this
through configuration?
The Java Servlet API Specification v2.2 allows you to declaratively restrict access
to specific Servlets and JSPs using the Web Application Deployment descriptor.
Section 13.3.2 of the specification has an example deployment descriptor that uses
declarative security. For more information, see Setting Up Security Restraints in
Writing a Web Application.
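An added example, not taken from the WebLogic documentation or from the specification: a Servlet 2.2 web.xml that restricts a group of servlets and JSPs to one role and also requires a confidential transport (in practice SSL) for them, with no protocol check in the JSP code. The URL patterns, role name and realm name are hypothetical.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <!-- Hypothetical paths and names, chosen for illustration only. -->

  <!-- Role-restricted AND HTTPS-only: servlets and JSPs under /account/ -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <!-- No http-method elements, so the constraint covers every method.
           Listing only GET and POST would leave other methods unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Only authenticated users in this role may reach the resources. -->
      <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL: the container must not serve these resources over
           a transport that lets third parties observe the content. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- HTTPS-only without a login requirement: no auth-constraint element. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public page served over SSL only</web-resource-name>
      <url-pattern>/register.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How users authenticate for the role-restricted collection. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example-realm</realm-name>
  </login-config>

  <!-- Every role named in an auth-constraint is declared here. -->
  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
```

Element order matters because the descriptor is validated against the 2.2 DTD: security-constraint entries come before login-config, which comes before security-role.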
Copyright © 2000 BEA Systems, Inc. All rights reserved.