OTN Home > Oracle WebLogic Server 10.3.5.0 Documentation > Administration Console Online Help > Configure two-way SSL

Administration Console Online Help

Previous Next Open TOC in new window
Content starts here

Configure two-way SSL

Before you begin

Before configuring two-way SSL, ensure that the trust keystore for the server includes the certificate for the trusted certificate authority that signed the certificate for the client. See Configure identity and trust.


By default, WebLogic Server is configured to use one-way SSL (the server passes its identity to the client). When the server needs to authenticate the client, you use two-way SSL. In a two-way SSL connection, the client verifies the identity of the server and then passes its identity certificate to the server. The server then validates the identity certificate of the client before completing the SSL handshake. The server determines whether or not two-way SSL is used.

To configure two-way SSL:

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane of the Console, expand Environment and select Servers.
  3. Click the name of the server for which you want to configure SSL.
  4. Select Configuration > SSL, and click Advanced at the bottom of the page.
  5. Set the Two Way Client Cert Behavior attribute. The following options are available:
    • Client Certs Not Requested: The default (meaning one-way SSL).
    • Client Certs Requested But Not Enforced: Requires a client to present a certificate. If a certificate is not presented, the SSL connection continues.
    • Client Certs Requested And Enforced: Requires a client to present a certificate. If a certificate is not presented, the SSL connection is terminated.
  6. Click Save.
  7. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
    Not all changes take effect immediately—some require a restart (see Use the Change Center).

After you finish

All the server SSL attributes are dynamic; when modified via the Console, they cause the corresponding SSL server or channel SSL server to restart and use the new settings for new connections. Old connections will continue to run with the old configuration. To ensure that all the SSL connections exist according to the specified configuration, you must reboot WebLogic Server.


Back to Top