OTN Home > Oracle WebLogic Server 12.2.1.0 Documentation > Administration Console Online Help > Channel: Configuration: Security

Administration Console Online Help

Previous Next Open TOC in new window
Content starts here

Channel: Configuration: Security

Configuration Options     Advanced Configuration Options     Related Tasks     Related Topics

This page allows you to define the security configuration of this network channel.

A network channel is a configurable resource that defines the attributes of a network connection to WebLogic Server. You can use network channels to manage quality of service, meet varying connection requirements, and improve utilization of your systems and network resources.

Configuration Options

Name Description
Two Way SSL Enabled

Specifies whether this network channel uses two way SSL.

MBean Attribute:
NetworkAccessPointMBean.TwoWaySSLEnabled

Secure value: true

Client Certificate Enforced

Specifies whether clients must present digital certificates from a trusted certificate authority to WebLogic Server on this channel.

MBean Attribute:
NetworkAccessPointMBean.ClientCertificateEnforced

Secure value: true

Channel Identity

Specifies the SSL identity for this channel.

MBean Attribute:
NetworkAccessPointMBean.ChannelIdentityCustomized

Server Private Key Alias

The string alias used to store and retrieve the server's private key in the keystore. This private key is associated with the server's digital certificate.

MBean Attribute:
SSLMBean.ServerPrivateKeyAlias

Changes take effect after you redeploy the module or restart the server.

Custom Channel Private Key Alias

The string alias used to store and retrieve the channel's private key in the keystore. This private key is associated with the server's digital certificate. A value of null indicates that the network channel uses the alias specified in the server's SSL configuration.

MBean Attribute:
NetworkAccessPointMBean.CustomPrivateKeyAlias

Custom Channel Private Key Pass Phrase

The passphrase used to retrieve the server's private key from the keystore. This passphrase is assigned to the private key when it is generated. A value of null indicates that the network channel uses the pass phrase specified in the server's SSL configuration.

MBean Attribute:
NetworkAccessPointMBean.CustomPrivateKeyPassPhrase

Advanced Configuration Options

Name Description
Custom Identity Keystore Type

The type of the keystore. Generally, this is JKS. If using the Oracle Key Store Service, this would be KSS

If empty or null, then the JDK's default keystore type (specified in java.security) is used. The custom identity key store type is only used if ServerMBean.KeyStores is CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST, CUSTOM_IDENTITY_AND_CUSTOM_TRUST or CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.

MBean Attribute:
NetworkAccessPointMBean.CustomIdentityKeyStoreType

Custom Identity Keystore

The source of the identity keystore. For a JKS keystore, the source is the path and file name. For an Oracle Key Store Service (KSS) keystore, the source is the KSS URI.

If using a JKS keystore, the keystore path name must either be absolute or relative to where the server was booted.

If using a KSS keystore, the keystore URI must be of the form:

kss://system/keystorename

where keystorename is the name of the keystore registered in KSS.

The value in this attribute is only used if ServerMBean.KeyStores is CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST, CUSTOM_IDENTITY_AND_CUSTOM_TRUST or CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.

MBean Attribute:
NetworkAccessPointMBean.CustomIdentityKeyStoreFileName

Custom Identity Keystore Pass Phrase

The encrypted custom identity keystore's passphrase. If empty or null, then the keystore will be opened without a passphrase.

This attribute is only used if ServerMBean.KeyStores is CUSTOM_IDENTITY_AND_JAVA_STANDARD_TRUST, CUSTOM_IDENTITY_AND_CUSTOM_TRUST or CUSTOM_IDENTITY_AND_COMMAND_LINE_TRUST.

When you get the value of this attribute, WebLogic Server does the following:

  1. Retrieves the value of the CustomIdentityKeyStorePassPhraseEncrypted attribute.

  2. Decrypts the value and returns the unencrypted password as a String.

When you set the value of this attribute, WebLogic Server does the following:

  1. Encrypts the value.

  2. Sets the value of the CustomIdentityKeyStorePassPhraseEncrypted attribute to the encrypted value.

Using this attribute (CustomIdentityKeyStorePassPhrase) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

Instead of using this attribute, use CustomIdentityKeyStorePassPhraseEncrypted.

MBean Attribute:
NetworkAccessPointMBean.CustomIdentityKeyStorePassPhrase

Hostname Verification

Specifies whether to ignore the installed implementation of the weblogic.security.SSL.HostnameVerifier interface (when this server is acting as a client to another application server).

MBean Attribute:
NetworkAccessPointMBean.HostnameVerificationIgnored

Custom Hostname Verifier

The name of the class that implements the weblogic.security.SSL.HostnameVerifier interface.

This class verifies whether the connection to the host with the hostname from URL should be allowed. The class is used to prevent man-in-the-middle attacks. The weblogic.security.SSL.HostnameVerifier has a verify() method that WebLogic Server calls on the client during the SSL handshake.

MBean Attribute:
NetworkAccessPointMBean.HostnameVerifier

Ciphersuites

Indicates the cipher suites being used on a particular WebLogic Server channel.

The strongest negotiated cipher suite is chosen during the SSL handshake. The set of cipher suites used by default by JSEE depends on the specific JDK version with which WebLogic Server is configured.

For a list of possible values, see Cipher Suites.

MBean Attribute:
NetworkAccessPointMBean.Ciphersuites

Unencrypted Null Ciphers

Test if the AllowUnEncryptedNullCipher is enabled

see setAllowUnencryptedNullCipher(boolean enable) for the NullCipher feature.

MBean Attribute:
NetworkAccessPointMBean.AllowUnencryptedNullCipher

Inbound Certificate Validation

Indicates the client certificate validation rules for inbound SSL.

This attribute only applies to ports and network channels using 2-way SSL.

MBean Attribute:
NetworkAccessPointMBean.InboundCertificateValidation

Outbound Certificate Validation

Indicates the server certificate validation rules for outbound SSL.

This attribute always applies to outbound SSL that is part of WebLogic Server (that is, an Administration Server talking to the Node Manager). It does not apply to application code in the server that is using outbound SSL unless the application code uses a weblogic.security.SSL.ServerTrustManager that is configured to use outbound SSL validation.

MBean Attribute:
NetworkAccessPointMBean.OutboundCertificateValidation

Related Tasks

Related Topics


Back to Top