edocs Home > BEA WebLogic Server 9.2 Documentation > Administration Console Online Help > Use X.509 certificates to establish identity

Administration Console Online Help

    Previous Next  Open TOC in new window 
Content starts here

Use X.509 certificates to establish identity

Before you begin

You must first create the Web Service security configuration that is associated with a Web Service before you can configure specific features.

See Create a Web Service security configuration for details about creating a security configuration.


The Default Identity Asserter of WebLogic Server is configured, by default, to use username/password tokens for authentication, and is not configured to accept X.509 certificates. Client applications that invoke a Web Service use the Default Identity Asserter for authentication, by default.

However, a programmer can specify (using security assertions in the WS-Policy file associated with a Web Service) that a client application invoking the service should use X.509 certificates as tokens to establish identity. To enable this functionality, you must configure the Web Service security configuration associated with the service, as well as configure the Default Identity Asserter.

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane of the Administration Console, select the name of your domain. This is the top-level node of the navigation tree.
  3. In the right pane, select Web Service Security.
  4. In the table, click the name of the Web Service security configuration you want to update.

    Web Services programmers associate a Web Service security configuration using the @WssConfiguration JWS annotation; the value attribute specifies the associated configuration name. If the programmer does not specify the value attribute, the Web Service is associated with the default security configuration: default_wss.

  5. Select Token Handler.
  6. Click New.
  7. Enter the following values in the required fields:
    • Name: A name for your token handler. This can be anything you want.
    • Class Name: Enter the following exact value: weblogic.xml.crypto.wss.BinarySecurityTokenHandler.
    • Token Type: Enter the following exact value: x509.
    • Handling Order: Enter an integer to specify the order in which this token handler is handled.
  8. Click Finish.
  9. In the Token Handlers table, click on the name of the token handler you just created.
  10. At the bottom of the page in the Token Handler Properties table, click New.
  11. Enter the following values in the fields:
    • Name: Enter the following exact value: UseX509ForIdentity.
    • Value: Enter the following exact value: true.
  12. Click OK.
  13. Click Save.
  14. In the left pane of the Administration Console, select Security Realms.
  15. In the right pane, click on the myrealm security realm, displayed in the Realms table.
  16. Select Providers > Authentication.
  17. Click DefaultIdentityAsserter in the Authentication Providers table.
  18. Select Configuration > Provider Specific.
  19. Ensure that the Default User Name Mapper Attribute Type drop-down list is set to the name of the attribute from the subject DN to use when mapping from the X.509 certificate name token to the WebLogic user name.
  20. In the Active Types section, move X.509 from the Available to the Chosen box.
  21. Ensure that the Use Default User Name Mapper check box is checked.
  22. Click Save.
  23. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
    Not all changes take effect immediately—some require a restart (see Use the Change Center).

After you finish

You must redeploy any Web Service which is associated with this security configuration for the security changes to take effect.


  Back to Top