Package weblogic.management.configuration

Interface SSLMBean

All Superinterfaces:

ConfigurationMBean, DescriptorBean, javax.management.DynamicMBean, javax.management.MBeanRegistration, javax.management.NotificationBroadcaster, SettableBean, WebLogicMBean

public interface SSLMBean
extends ConfigurationMBean

This MBean represents the configuration of the SSL protocol.

Field Summary

Fields

Modifier and Type	Field	Description
static java.lang.String	BUILTIN_SSL_VALIDATION_AND_CERT_PATH_VALIDATORS	Indicates that the built-in SSL certificate validation should be used to complete and validate the peer's certificate chain then the configured CertPathValidator security providers should be used to perform extra validation on the chain.
static java.lang.String	BUILTIN_SSL_VALIDATION_ONLY	Indicates that only the built-in SSL certificate validation should be used to complete and validate the peer's certificate chain.
static java.lang.String	IDENTITY_AND_TRUST_LOCATIONS_FILES_OR_KEYSTORE_PROVIDERS
static java.lang.String	IDENTITY_AND_TRUST_LOCATIONS_KEYSTORES

Fields inherited from interface weblogic.management.configuration.ConfigurationMBean

DEFAULT_EMPTY_BYTE_ARRAY

Method Summary

Modifier and Type	Method	Description
java.lang.String[]	getCiphersuites()	Indicates the cipher suites being used on a particular WebLogic Server.
java.lang.String	getClientCertAlias()	Determines the alias of the client SSL certificate to be used as identity for outbound SSL connections.
java.lang.String	getClientCertPrivateKeyPassPhrase()	The passphrase used to retrieve the private key for the client SSL certificate specified in getClientCertAlias() from the server configured keystore.
byte[]	getClientCertPrivateKeyPassPhraseEncrypted()	The encrypted passphrase used to retrieve the private key for the client SSL certificate specified in getClientCertAlias() from the server configured keystore.
int	getExportKeyLifespan()	Indicates the number of times WebLogic Server can use an exportable key between a domestic server and an exportable client before generating a new key.
java.lang.String	getHostnameVerifier()	The name of the class that implements the weblogic.security.SSL.HostnameVerifier interface.
java.lang.String	getIdentityAndTrustLocations()	Indicates where SSL should find the server's identity (certificate and private key) as well as the server's trust (trusted CAs).
java.lang.String	getInboundCertificateValidation()	Indicates the client certificate validation rules for inbound SSL.
int	getListenPort()	The TCP/IP port at which this server listens for SSL connection requests.
int	getLoginTimeoutMillis()	Specifies the number of milliseconds that WebLogic Server waits for an SSL connection before timing out.
java.lang.String	getMinimumTLSProtocolVersion()	Get the minimum SSL/TLS protocol version currently configured.
java.lang.String	getOutboundCertificateValidation()	Indicates the server certificate validation rules for outbound SSL.
java.lang.String	getOutboundPrivateKeyAlias()	The string alias used to store and retrieve the outbound private key in the keystore.
java.lang.String	getOutboundPrivateKeyPassPhrase()	The passphrase used to retrieve the outbound private key from the keystore.
byte[]	getOutboundPrivateKeyPassPhraseEncrypted()	The passphrase used to retrieve the encrypted outbound private key from the keystore.
java.lang.String	getServerCertificateChainFileName()	Deprecated. 7.0.0.0 server certificates (and chains) should be stored in keystores.
java.lang.String	getServerCertificateFileName()	Deprecated. 8.1.0.0 server certificates (and chains) should be stored in keystores.
java.lang.String	getServerKeyFileName()	Deprecated. 8.1.0.0 private keys should be stored in keystores.
java.lang.String	getServerPrivateKeyAlias()	The string alias used to store and retrieve the server's private key in the keystore.
java.lang.String	getServerPrivateKeyPassPhrase()	The passphrase used to retrieve the server's private key from the keystore.
byte[]	getServerPrivateKeyPassPhraseEncrypted()	The encrypted passphrase used to retrieve the server's private key from the keystore.
java.lang.String	getTrustedCAFileName()	Deprecated. 8.1.0.0 trusted CAs should be stored in keystores.
boolean	isAcceptKSSDemoCertsEnabled()
boolean	isAllowUnencryptedNullCipher()	Test if the AllowUnEncryptedNullCipher is enabled
boolean	isClientCertificateEnforced()	Indicates whether or not clients must present digital certificates from a trusted certificate authority to WebLogic Server.
boolean	isClientInitSecureRenegotiationAccepted()	Indicate whether TLS client initiated secure renegotiation is accepted.
boolean	isEnabled()	Indicates whether the server can be reached through the default SSL listen port.
boolean	isHostnameVerificationIgnored()	Specifies whether to ignore the installed implementation of the weblogic.security.SSL.HostnameVerifier interface (when this server is acting as a client to another application server).
boolean	isJSSEEnabled()	Determines whether the SSL implementation in Weblogic Server is JSSE based.
boolean	isSSLRejectionLoggingEnabled()	Indicates whether warning messages are logged in the server log when SSL connections are rejected.
boolean	isSSLv2HelloEnabled()	Indicate whether SSLv2Hello is enabled
boolean	isTwoWaySSLEnabled()	The form of SSL that should be used.
boolean	isUseClientCertForOutbound()	Determines whether to use the configured client SSL certificate as identity for outbound SSL connections.
boolean	isUseServerCerts()	Sets whether the client should use the server certificates/key as the client identity when initiating an outbound connection over https.
void	setAcceptKSSDemoCertsEnabled(boolean acceptKSSDemoCertsEnabled)	Sets whether the default Hostname Verifier accept KSS Demo SSL Certificates
void	setAllowUnencryptedNullCipher(boolean enable)	When a SSL server and a SSL client try to negotiate a commonly supported Cipher, there is a chance that they may end up with nothing in common.
void	setCertAuthenticator(java.lang.String classname)	Sets the value of the CertAuthenticator attribute.
void	setCiphersuites(java.lang.String[] ciphers)	Sets the value of the Ciphersuites attribute.
void	setClientCertAlias(java.lang.String alias)	Specifies the alias of the client SSL certificate to be used as identity for outbound SSL connections.
void	setClientCertificateEnforced(boolean enforce)	Sets the value of the ClientCertificateEnforced attribute.
void	setClientCertPrivateKeyPassPhrase(java.lang.String phrase)	Specifies the passphrase used to retrieve the private key for the client SSL certificate specified in getClientCertAlias() from the server configured keystore.
void	setClientCertPrivateKeyPassPhraseEncrypted(byte[] phraseEncrypted)	Specifies the encrypted passphrase used to retrieve the private key for the client SSL certificate specified in getClientCertAlias() from the server configured keystore.
void	setEnabled(boolean enable)
void	setExportKeyLifespan(int lifespan)	Sets the value of the ExportKeyLifespan attribute.
void	setHostnameVerificationIgnored(boolean ignoreFlag)	Sets the value of the HostnameVerificationIgnored attribute.
void	setHostnameVerifier(java.lang.String classname)	Sets the value of the HostnameVerifier attribute.
void	setIdentityAndTrustLocations(java.lang.String locations)	Sets the value of the IdentityAndTrustLocations attribute.
void	setInboundCertificateValidation(java.lang.String validationStyle)	Sets the value of the InboundCertificateValidation attribute.
void	setJSSEEnabled(boolean enabled)	Specifies whether the SSL implementation in Weblogic Server is JSSE based.
void	setListenPort(int port)	Set the value of the ListenPort attribute.
void	setLoginTimeoutMillis(int millis)	Sets the value of the LoginTimeoutMillis attribute.
void	setMinimumTLSProtocolVersion(java.lang.String minimumTLSProtocolVersion)	Set the minimum SSL/TLS protocol version
void	setOutboundCertificateValidation(java.lang.String validationStyle)	Sets the value of the OutboundCertificateValidation attribute.
void	setServerCertificateChainFileName(java.lang.String fileName)	Deprecated. 7.0.0.0 Server certificates (and chains) should be stored in keystores.
void	setServerCertificateFileName(java.lang.String fileName)	Deprecated. 8.1.0.0 server certificates (and chains) should be stored in keystores.
void	setServerKeyFileName(java.lang.String fileName)	Deprecated. 8.1.0.0 private keys should be stored in keystores.
void	setServerPrivateKeyAlias(java.lang.String alias)	Sets the value of the ServerPrivateKeyAlias attribute.
void	setServerPrivateKeyPassPhrase(java.lang.String phrase)	Sets the value of the ServerPrivateKeyPassPhrase attribute.
void	setServerPrivateKeyPassPhraseEncrypted(byte[] phraseEncrypted)	Sets the value of the ServerPrivateKeyPassPhrase attribute.
void	setSSLRejectionLoggingEnabled(boolean enabled)	Sets the value of the SSLRejectionLoggingEnabled attribute.
void	setTrustedCAFileName(java.lang.String fileName)	Deprecated. 8.1.0.0 trusted CAs should be stored in keystores.
void	setTwoWaySSLEnabled(boolean enabled)	Sets the value of the TwoWaySSLEnabled attribute.
void	setUseClientCertForOutbound(boolean enabled)	Specifies whether to use the configured client SSL certificate as identity for outbound SSL connections.
void	setUseServerCerts(boolean enabled)	Indicates that an https client running within WebLogic server should use the server's certificate and key as the client identity.

Methods inherited from interface weblogic.management.configuration.ConfigurationMBean

freezeCurrentValue, getId, getInheritedProperties, getName, getNotes, isDynamicallyCreated, isInherited, isSet, restoreDefaultValue, setComments, setDefaultedMBean, setName, setNotes, setPersistenceEnabled, unSet

Methods inherited from interface weblogic.descriptor.DescriptorBean

addPropertyChangeListener, createChildCopyIncludingObsolete, getParentBean, isEditable, removePropertyChangeListener

Methods inherited from interface javax.management.DynamicMBean

getAttribute, getAttributes, invoke, setAttribute, setAttributes

Methods inherited from interface javax.management.MBeanRegistration

postDeregister, postRegister, preDeregister, preRegister

Methods inherited from interface javax.management.NotificationBroadcaster

addNotificationListener, getNotificationInfo, removeNotificationListener

Methods inherited from interface weblogic.management.WebLogicMBean

getMBeanInfo, getObjectName, getParent, getType, isCachingDisabled, isRegistered, setParent

Field Detail

IDENTITY_AND_TRUST_LOCATIONS_KEYSTORES

static final java.lang.String IDENTITY_AND_TRUST_LOCATIONS_KEYSTORES

See Also:

Constant Field Values

IDENTITY_AND_TRUST_LOCATIONS_FILES_OR_KEYSTORE_PROVIDERS

static final java.lang.String IDENTITY_AND_TRUST_LOCATIONS_FILES_OR_KEYSTORE_PROVIDERS

See Also:

Constant Field Values

BUILTIN_SSL_VALIDATION_ONLY

static final java.lang.String BUILTIN_SSL_VALIDATION_ONLY

Indicates that only the built-in SSL certificate validation should be used to complete and validate the peer's certificate chain.

See Also:

Constant Field Values

BUILTIN_SSL_VALIDATION_AND_CERT_PATH_VALIDATORS

static final java.lang.String BUILTIN_SSL_VALIDATION_AND_CERT_PATH_VALIDATORS

Indicates that the built-in SSL certificate validation should be used to complete and validate the peer's certificate chain then the configured CertPathValidator security providers should be used to perform extra validation on the chain.

See Also:

Constant Field Values

Method Detail

isEnabled

boolean isEnabled()

Indicates whether the server can be reached through the default SSL listen port.

If the administration port is enabled for the WebLogic Server domain, then administrative traffic travels over the administration port and application traffic travels over the Listen Port and SSL Listen Port. If the administration port is disabled, then all traffic travels over the Listen Port and SSL Listen Port.

Returns:

The enabled value

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setEnabled

void setEnabled(boolean enable)
         throws javax.management.InvalidAttributeValueException

Parameters:

enable - The new enabled value

Throws:

javax.management.InvalidAttributeValueException

See Also:

isEnabled()

getCiphersuites

java.lang.String[] getCiphersuites()

Indicates the cipher suites being used on a particular WebLogic Server.

The strongest negotiated cipher suite is chosen during the SSL handshake. The set of cipher suites used by default by JSEE depends on the specific JDK version with which WebLogic Server is configured.

For a list of possible values, see Cipher Suites .

Returns:

The ciphersuites value

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setCiphersuites

void setCiphersuites(java.lang.String[] ciphers)
              throws javax.management.InvalidAttributeValueException

Sets the value of the Ciphersuites attribute.

Parameters:

ciphers - The new ciphersuites value

Throws:

javax.management.InvalidAttributeValueException - if the array is null or contains null elements.

See Also:

getCiphersuites()

setCertAuthenticator

void setCertAuthenticator(java.lang.String classname)
                   throws javax.management.InvalidAttributeValueException

Sets the value of the CertAuthenticator attribute.

Parameters:

classname - The new certAuthenticator value

Throws:

javax.management.InvalidAttributeValueException

See Also:

getCertAuthenticator()

getHostnameVerifier

java.lang.String getHostnameVerifier()

The name of the class that implements the weblogic.security.SSL.HostnameVerifier interface.

This class verifies whether the connection to the host with the hostname from URL should be allowed. The class is used to prevent man-in-the-middle attacks. The weblogic.security.SSL.HostnameVerifier has a verify() method that WebLogic Server calls on the client during the SSL handshake.

Returns:

The hostnameVerifier value

Default Value:

null

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setHostnameVerifier

void setHostnameVerifier(java.lang.String classname)
                  throws javax.management.InvalidAttributeValueException

Sets the value of the HostnameVerifier attribute.

Parameters:

classname - The new hostnameVerifier value

Throws:

javax.management.InvalidAttributeValueException

See Also:

getHostnameVerifier()

isHostnameVerificationIgnored

boolean isHostnameVerificationIgnored()

Specifies whether to ignore the installed implementation of the weblogic.security.SSL.HostnameVerifier interface (when this server is acting as a client to another application server).

Returns:

The hostnameVerificationIgnored value

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setHostnameVerificationIgnored

void setHostnameVerificationIgnored(boolean ignoreFlag)
                             throws javax.management.InvalidAttributeValueException

Sets the value of the HostnameVerificationIgnored attribute.

Parameters:

ignoreFlag - The new hostnameVerificationIgnored value

Throws:

javax.management.InvalidAttributeValueException

See Also:

isHostnameVerificationIgnored()

getTrustedCAFileName

@Deprecated
java.lang.String getTrustedCAFileName()

Deprecated.

8.1.0.0 trusted CAs should be stored in keystores.

The full directory location of the file that specifies the certificate authorities trusted by the server.

The pathname should either be absolute or relative to the directory from which the server is booted. This field provides backward compatibility for security configurations that store trusted certificate authorities in files.

The file specified in this attribute can contain a single digital certificate or multiple digital certificates. The file extension ( .der or .pem) tells WebLogic Server how to read the contents of the file.

Returns:

The trustedCAFileName value

Default Value:

"trusted-ca.pem"

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setTrustedCAFileName

@Deprecated
void setTrustedCAFileName(java.lang.String fileName)
                   throws javax.management.InvalidAttributeValueException

Deprecated.

8.1.0.0 trusted CAs should be stored in keystores.

Sets the value of the TrustedCAFileName attribute.

Parameters:

fileName - The new trustedCAFileName value

Throws:

javax.management.InvalidAttributeValueException

See Also:

getTrustedCAFileName()

isAcceptKSSDemoCertsEnabled

boolean isAcceptKSSDemoCertsEnabled()

Returns:

true if the default Hostname Verifier accepts KSS Demo SSL Certificates, false otherwise.

Default Value:

true

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setAcceptKSSDemoCertsEnabled

void setAcceptKSSDemoCertsEnabled(boolean acceptKSSDemoCertsEnabled)

Sets whether the default Hostname Verifier accept KSS Demo SSL Certificates

Parameters:

acceptKSSDemoCertsEnabled - whether to accept KSS Demo SSL certificates

getExportKeyLifespan

int getExportKeyLifespan()

Indicates the number of times WebLogic Server can use an exportable key between a domestic server and an exportable client before generating a new key. The more secure you want WebLogic Server to be, the fewer times the key should be used before generating a new key.

Returns:

The exportKeyLifespan value

Default Value:

500

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

Maximum Value:

java.lang.Integer.MAX_VALUE

Minimum Value:

1

setExportKeyLifespan

void setExportKeyLifespan(int lifespan)
                   throws javax.management.InvalidAttributeValueException

Sets the value of the ExportKeyLifespan attribute.

Parameters:

lifespan - The new exportKeyLifespan value

Throws:

javax.management.InvalidAttributeValueException

See Also:

getExportKeyLifespan()

isClientCertificateEnforced

boolean isClientCertificateEnforced()

Indicates whether or not clients must present digital certificates from a trusted certificate authority to WebLogic Server.

Returns:

The clientCertificateEnforced value

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setClientCertificateEnforced

void setClientCertificateEnforced(boolean enforce)

Sets the value of the ClientCertificateEnforced attribute.

Parameters:

enforce - The new clientCertificateEnforced value

See Also:

isClientCertificateEnforced()

getServerCertificateFileName

@Deprecated
java.lang.String getServerCertificateFileName()

Deprecated.

8.1.0.0 server certificates (and chains) should be stored in keystores.

The full directory location of the digital certificate file (.der or .pem) for the server.

The pathname should either be absolute or relative to the directory from which the server is booted. This field provides backward compatibility for security configurations that stored digital certificates in files.

The file extension ( .der or .pem) tells WebLogic Server how to read the contents of the file.

Returns:

The serverCertificateFileName value

Default Value:

"server-cert.der"

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setServerCertificateFileName

@Deprecated
void setServerCertificateFileName(java.lang.String fileName)

Deprecated.

8.1.0.0 server certificates (and chains) should be stored in keystores.

Sets the value of the ServerCertificateFileName attribute.

Parameters:

fileName - The new serverCertificateFileName value

See Also:

getServerCertificateFileName()

getListenPort

int getListenPort()

The TCP/IP port at which this server listens for SSL connection requests.

Returns:

The listenPort value

See Also:

isEnabled(), ServerTemplateMBean.getListenPort(), ServerTemplateMBean.getAdministrationPort(), NetworkAccessPointMBean.getListenPort()

Default Value:

7002

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

Maximum Value:

65535

Minimum Value:

1

setListenPort

void setListenPort(int port)

Set the value of the ListenPort attribute.

Parameters:

port - The new listenPort value

See Also:

getListenPort()

getServerCertificateChainFileName

@Deprecated
java.lang.String getServerCertificateChainFileName()

Deprecated.

7.0.0.0 server certificates (and chains) should be stored in keystores.

The full directory location and name of the file containing an ordered list of certificate authorities trusted by WebLogic Server.

The .pem file extension indicates that method that should be used to read the file. Note that as of WebLogic Server version 7.0, the digital certificate for WebLogic Server should not be stored in a file.

Returns:

The serverCertificateChainFileName value

Default Value:

"server-certchain.pem"

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setServerCertificateChainFileName

@Deprecated
void setServerCertificateChainFileName(java.lang.String fileName)

Deprecated.

7.0.0.0 Server certificates (and chains) should be stored in keystores.

Sets the value of the ServerCertificateChainFileName attribute.

Parameters:

fileName - The new serverCertificateChainFileName value

See Also:

getServerCertificateChainFileName()

getLoginTimeoutMillis

int getLoginTimeoutMillis()

Specifies the number of milliseconds that WebLogic Server waits for an SSL connection before timing out. SSL connections take longer to negotiate than regular connections.

If clients are connecting over the Internet, raise the default number to accommodate additional network latency.

Returns:

The loginTimeoutMillis value

See Also:

ServerTemplateMBean.getLoginTimeoutMillis(), NetworkChannelMBean.getLoginTimeoutMillisSSL()

Default Value:

25000

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

Maximum Value:

java.lang.Integer.MAX_VALUE

Minimum Value:

1

setLoginTimeoutMillis

void setLoginTimeoutMillis(int millis)

Sets the value of the LoginTimeoutMillis attribute.

Parameters:

millis - The new loginTimeoutMillis value

See Also:

getLoginTimeoutMillis()

getServerKeyFileName

@Deprecated
java.lang.String getServerKeyFileName()

Deprecated.

8.1.0.0 private keys should be stored in keystores.

The full directory location of the private key file (.der or .pem) for the server.

The pathname should either be absolute or relative to the directory from which the server is booted. This field provides backward compatibility for security configurations that store private keys in files. For a more secure deployment, Oracle recommends saving private keys in keystores.

The file extension (.der or .pem) indicates the method that should be used to read the file.

Returns:

The serverKeyFileName value

Default Value:

"server-key.der"

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setServerKeyFileName

@Deprecated
void setServerKeyFileName(java.lang.String fileName)

Deprecated.

8.1.0.0 private keys should be stored in keystores.

Sets the value of the ServerKeyFileName attribute.

Parameters:

fileName - The new serverKeyFileName value

See Also:

getServerKeyFileName()

isTwoWaySSLEnabled

boolean isTwoWaySSLEnabled()

The form of SSL that should be used.

By default, WebLogic Server is configured to use one-way SSL (implied by the Client Certs Not Requested value). Selecting Client Certs Requested But Not Enforced enables two-way SSL. With this option, the server requests a certificate from the client, but the connection continues if the client does not present a certificate. Selecting Client Certs Requested And Enforced also enables two-way SSL and requires a client to present a certificate. However, if a certificate is not presented, the SSL connection is terminated.

Returns:

The twoWaySSLEnabled value

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setTwoWaySSLEnabled

void setTwoWaySSLEnabled(boolean enabled)

Sets the value of the TwoWaySSLEnabled attribute.

Parameters:

enabled - The new twoWaySSLEnabled value

See Also:

isTwoWaySSLEnabled()

getServerPrivateKeyAlias

java.lang.String getServerPrivateKeyAlias()

The string alias used to store and retrieve the server's private key in the keystore. This private key is associated with the server's digital certificate.

Returns:

The serverPrivateKeyAlias value

Default Value:

null

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setServerPrivateKeyAlias

void setServerPrivateKeyAlias(java.lang.String alias)

Sets the value of the ServerPrivateKeyAlias attribute.

Parameters:

alias - The new serverPrivateKeyAlias value

See Also:

getServerPrivateKeyAlias()

getServerPrivateKeyPassPhrase

java.lang.String getServerPrivateKeyPassPhrase()

The passphrase used to retrieve the server's private key from the keystore. This passphrase is assigned to the private key when it is generated.

Returns:

The serverPrivateKeyPassPhrase value

setServerPrivateKeyPassPhrase

void setServerPrivateKeyPassPhrase(java.lang.String phrase)

Sets the value of the ServerPrivateKeyPassPhrase attribute.

As of 8.1 sp4, when you get the value of this attribute, WebLogic Server does the following:

1. Retrieves the value of the ServerPrivateKeyPassPhraseEncrypted attribute.
2. Decrypts the value and returns the unencrypted passphrase as a String.

When you set the value of this attribute, WebLogic Server does the following:

1. Encrypts the value.
2. Sets the value of the ServerPrivateKeyPassPhraseEncrypted attribute to the encrypted value.

Using this attribute (ServerPrivateKeyPassPhrase) is a potential security risk because the String object (which contains the unencrypted passphrase) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

Instead of using this attribute, use getServerPrivateKeyPassPhraseEncrypted.

Parameters:

phrase - The new serverPrivateKeyPassPhrase value

See Also:

getServerPrivateKeyPassPhrase(), setServerPrivateKeyPassPhraseEncrypted(byte[])

getServerPrivateKeyPassPhraseEncrypted

byte[] getServerPrivateKeyPassPhraseEncrypted()

The encrypted passphrase used to retrieve the server's private key from the keystore. This passphrase is assigned to the private key when it is generated.

To set this attribute, use weblogic.management.EncryptionHelper.encrypt() to encrypt the value. Then set this attribute to the output of the encrypt() method.

To compare a password that a user enters with the encrypted value of this attribute, go to the same WebLogic Server instance that you used to set and encrypt this attribute and use weblogic.management.EncryptionHelper.encrypt() to encrypt the user-supplied password. Then compare the encrypted values.

Returns:

The encrypted serverPrivateKeyPassPhrase value

Default Value:

null

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setServerPrivateKeyPassPhraseEncrypted

void setServerPrivateKeyPassPhraseEncrypted(byte[] phraseEncrypted)

Sets the value of the ServerPrivateKeyPassPhrase attribute.

Parameters:

phraseEncrypted - The new encrypted serverPrivateKeyPassPhrase value

See Also:

getServerPrivateKeyPassPhraseEncrypted()

isSSLRejectionLoggingEnabled

boolean isSSLRejectionLoggingEnabled()

Indicates whether warning messages are logged in the server log when SSL connections are rejected.

Returns:

The sSLRejectionLoggingEnabled value

Default Value:

true

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setSSLRejectionLoggingEnabled

void setSSLRejectionLoggingEnabled(boolean enabled)

Sets the value of the SSLRejectionLoggingEnabled attribute.

Parameters:

enabled - The new sSLRejectionLoggingEnabled value

See Also:

isSSLRejectionLoggingEnabled()

getIdentityAndTrustLocations

java.lang.String getIdentityAndTrustLocations()

Indicates where SSL should find the server's identity (certificate and private key) as well as the server's trust (trusted CAs).

• If set to KEYSTORES, then SSL retrieves the identity and trust from the server's keystores (that are configured on the Server).

• If set to FILES_OR_KEYSTORE_PROVIDERS, then SSL first looks in the deprecated KeyStore providers for the identity and trust. If not found, then it looks in the flat files indicated by the SSL Trusted CA File Name, Server Certificate File Name, and Server Key File Name attributes.

Domains created in WebLogic Server version 8.1 or later, default to KEYSTORES. Domains created before WebLogic Server version 8.1, default to FILES_OR_KEYSTORE_PROVIDERS.

Returns:

The identityAndTrustLocations value

Default Value:

SSLMBean.IDENTITY_AND_TRUST_LOCATIONS_KEYSTORES

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

Valid Values:

SSLMBean.IDENTITY_AND_TRUST_LOCATIONS_KEYSTORES, SSLMBean.IDENTITY_AND_TRUST_LOCATIONS_FILES_OR_KEYSTORE_PROVIDERS

setIdentityAndTrustLocations

void setIdentityAndTrustLocations(java.lang.String locations)

Sets the value of the IdentityAndTrustLocations attribute.

Parameters:

locations - The new identityAndTrustLocations value

See Also:

getIdentityAndTrustLocations()

getInboundCertificateValidation

java.lang.String getInboundCertificateValidation()

Indicates the client certificate validation rules for inbound SSL.

This attribute only applies to ports and network channels using 2-way SSL.

Returns:

a String containing the validation style.

Default Value:

SSLMBean.BUILTIN_SSL_VALIDATION_ONLY

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

Valid Values:

SSLMBean.BUILTIN_SSL_VALIDATION_ONLY, SSLMBean.BUILTIN_SSL_VALIDATION_AND_CERT_PATH_VALIDATORS

setInboundCertificateValidation

void setInboundCertificateValidation(java.lang.String validationStyle)

Sets the value of the InboundCertificateValidation attribute.

Parameters:

validationStyle - the new validation style

See Also:

getInboundCertificateValidation()

getOutboundCertificateValidation

java.lang.String getOutboundCertificateValidation()

Indicates the server certificate validation rules for outbound SSL.

This attribute always applies to outbound SSL that is part of WebLogic Server (that is, an Administration Server talking to the Node Manager). It does not apply to application code in the server that is using outbound SSL unless the application code uses a weblogic.security.SSL.ServerTrustManager that is configured to use outbound SSL validation.

Returns:

a String containing the validation style.

Default Value:

SSLMBean.BUILTIN_SSL_VALIDATION_ONLY

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

Valid Values:

SSLMBean.BUILTIN_SSL_VALIDATION_ONLY, SSLMBean.BUILTIN_SSL_VALIDATION_AND_CERT_PATH_VALIDATORS

setOutboundCertificateValidation

void setOutboundCertificateValidation(java.lang.String validationStyle)

Sets the value of the OutboundCertificateValidation attribute.

Parameters:

validationStyle - the new validation style

See Also:

getOutboundCertificateValidation()

setAllowUnencryptedNullCipher

void setAllowUnencryptedNullCipher(boolean enable)

When a SSL server and a SSL client try to negotiate a commonly supported Cipher, there is a chance that they may end up with nothing in common. A NullCipher is a cipher providing no encryption for the SSL message between the client and server, and it may temporarily be used in the development environment if the SSL server and client share no common cipher for some reason. This is not a standard SSL feature, some SSL provider supports this feature

The AllowUnEncryptedNullCipher flag is used to control whether the NullCipher feature is enabled or not, if true, the SSL message may be unencrypted when SSL server and client shares no common cipher.

This AllowUnEncryptedNullCipher flag is only effective to SSL providers which support the NullCipher feature.

Warning: this NullCipher feature should NOT be enabled for a production environment, it may leads to unencrypted SSL message

By default, the AllowUnEncryptedNullCipher is false

Parameters:

enable - true to allow NullCipher feature

isAllowUnencryptedNullCipher

boolean isAllowUnencryptedNullCipher()

Test if the AllowUnEncryptedNullCipher is enabled

see setAllowUnencryptedNullCipher(boolean enable) for the NullCipher feature.

Returns:

true if NullCipher feature is allowed. If the SSL provider does not support NullCipher feature, it always return false.

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

isUseServerCerts

boolean isUseServerCerts()

Sets whether the client should use the server certificates/key as the client identity when initiating an outbound connection over https.

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setUseServerCerts

void setUseServerCerts(boolean enabled)

Indicates that an https client running within WebLogic server should use the server's certificate and key as the client identity.

Parameters:

enabled - Uses the server identity for the client

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setJSSEEnabled

void setJSSEEnabled(boolean enabled)

Specifies whether the SSL implementation in Weblogic Server is JSSE based.

Parameters:

enabled - true to select the JSSE-based SSL implementation

isJSSEEnabled

boolean isJSSEEnabled()

Determines whether the SSL implementation in Weblogic Server is JSSE based.

Returns:

true if the selected Weblogic Server SSL implementation is JSSE based, otherwise false.

Default Value:

true

Changes to this property take effect after you redeploy the module or restart the server. If the resource is in a partition, restart the partition.

setUseClientCertForOutbound

void setUseClientCertForOutbound(boolean enabled)

Specifies whether to use the configured client SSL certificate as identity for outbound SSL connections.

Note that to use a client SSL certificate, one must be specified in setClientCertAlias(java.lang.String).

Parameters:

enabled - true to enable use of the configured client SSL certificate for outbound connections, otherwise false.

See Also:

isUseClientCertForOutbound(), setClientCertAlias(java.lang.String)

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

isUseClientCertForOutbound

boolean isUseClientCertForOutbound()

Determines whether to use the configured client SSL certificate as identity for outbound SSL connections.

Note that to use a client SSL certificate, one must be specified in setClientCertAlias(java.lang.String).

Returns:

true if use of the configured client SSL certificate for outbound SSL connections is enabled.

See Also:

setUseClientCertForOutbound(boolean), getClientCertAlias()

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setClientCertAlias

void setClientCertAlias(java.lang.String alias)

Specifies the alias of the client SSL certificate to be used as identity for outbound SSL connections. The certificate is assumed to be stored in the server configured keystore.

Note that to use the client SSL certificate, setUseClientCertForOutbound(boolean) must be enabled.

Parameters:

alias - Alias of the client SSL certificate in the server configured keystore

See Also:

getClientCertAlias(), setUseClientCertForOutbound(boolean)

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

getClientCertAlias

java.lang.String getClientCertAlias()

Determines the alias of the client SSL certificate to be used as identity for outbound SSL connections. The certificate is assumed to be stored in the server configured keystore.

Note that to use the client SSL certificate, setUseClientCertForOutbound(boolean) must be enabled.

Returns:

Alias of the client SSL certificate in the server configured keystore for use in outbound SSL connections, null if none.

See Also:

setClientCertAlias(java.lang.String), isUseClientCertForOutbound()

Default Value:

null

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

getClientCertPrivateKeyPassPhrase

java.lang.String getClientCertPrivateKeyPassPhrase()

The passphrase used to retrieve the private key for the client SSL certificate specified in getClientCertAlias() from the server configured keystore. This passphrase is assigned to the private key when the private key is generated.

Note that this attribute is usually used when outbound SSL connections specify a client SSL certificate identity.

Note that when you get the value of this attribute, WebLogic Server does the following:

1. Retrieves the value of the ClientCertPrivateKeyPassPhraseEncrypted attribute.
2. Decrypts the value and returns the unencrypted passphrase.

Returns:

The client SSL certificate private key pass phrase.

See Also:

setClientCertPrivateKeyPassPhrase(java.lang.String), isUseClientCertForOutbound(), getClientCertAlias()

Default Value:

null

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setClientCertPrivateKeyPassPhrase

void setClientCertPrivateKeyPassPhrase(java.lang.String phrase)

Specifies the passphrase used to retrieve the private key for the client SSL certificate specified in getClientCertAlias() from the server configured keystore. This passphrase is assigned to the private key when the private key is generated.

Note that this attribute is usually used when outbound SSL connections specify a client SSL certificate identity.

Note that when you set the value of this attribute, WebLogic Server does the following:

1. Encrypts the value.
2. Sets the value of the ClientCertPrivateKeyPassPhraseEncrypted attribute to the encrypted value.

Parameters:

phrase - The client SSL certificate private key pass phrase.

See Also:

getClientCertPrivateKeyPassPhrase(), setUseClientCertForOutbound(boolean), setClientCertAlias(java.lang.String)

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

getClientCertPrivateKeyPassPhraseEncrypted

byte[] getClientCertPrivateKeyPassPhraseEncrypted()

The encrypted passphrase used to retrieve the private key for the client SSL certificate specified in getClientCertAlias() from the server configured keystore. This passphrase is assigned to the private key when the private key is generated.

To compare a password that a user enters with the encrypted value of this attribute, go to the same WebLogic Server instance that you used to set and encrypt this attribute, and use weblogic.management.EncryptionHelper.encrypt() to encrypt the user-supplied password. Then compare the encrypted values.

Note that this attribute is usually used when outbound SSL connections specify a client SSL certificate identity.

Returns:

The encrypted ClientCertPrivateKeyPassPhrase value

See Also:

setClientCertPrivateKeyPassPhraseEncrypted(byte[]), isUseClientCertForOutbound(), getClientCertAlias(), getClientCertPrivateKeyPassPhrase()

Default Value:

null

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setClientCertPrivateKeyPassPhraseEncrypted

void setClientCertPrivateKeyPassPhraseEncrypted(byte[] phraseEncrypted)

Specifies the encrypted passphrase used to retrieve the private key for the client SSL certificate specified in getClientCertAlias() from the server configured keystore. This passphrase is assigned to the private key when the private key is generated.

Note that to set this attribute, use weblogic.management.EncryptionHelper.encrypt() to encrypt the value. Then set this attribute to the output of the encrypt() method.

Note that this attribute is usually used when outbound SSL connections specify a client SSL certificate identity.

Parameters:

phraseEncrypted - The encrypted ClientCertPrivateKeyPassPhrase value

See Also:

getClientCertPrivateKeyPassPhraseEncrypted(), setUseClientCertForOutbound(boolean), setClientCertAlias(java.lang.String), setClientCertPrivateKeyPassPhrase(java.lang.String)

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

getOutboundPrivateKeyAlias

java.lang.String getOutboundPrivateKeyAlias()

The string alias used to store and retrieve the outbound private key in the keystore. This private key is associated with either a server or a client digital certificate. This attribute value is derived from other settings and cannot be physically set.

The returned value is determined as follows:

• If the isUseClientCertForOutbound() returns true, the value from getClientCertAlias() is returned.
• Otherwise, the value from getServerPrivateKeyAlias() is returned.

Returns:

The OutboundPrivateKeyAlias value

See Also:

isUseClientCertForOutbound(), getClientCertAlias(), getServerPrivateKeyAlias()

Default Value:

null

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

getOutboundPrivateKeyPassPhrase

java.lang.String getOutboundPrivateKeyPassPhrase()

The passphrase used to retrieve the outbound private key from the keystore. This passphrase is assigned to the private key when it is generated. This attribute value is derived from other settings and cannot be physically set.

The returned value is determined as follows:

• If the isUseClientCertForOutbound() returns true, the value from getClientCertPrivateKeyPassPhrase() is returned.
• Otherwise, the value from getServerPrivateKeyPassPhrase() is returned.

Returns:

The OutboundPrivateKeyPassPhrase value

See Also:

isUseClientCertForOutbound(), getClientCertPrivateKeyPassPhrase(), getServerPrivateKeyPassPhrase()

Default Value:

null

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

getOutboundPrivateKeyPassPhraseEncrypted

byte[] getOutboundPrivateKeyPassPhraseEncrypted()

The passphrase used to retrieve the encrypted outbound private key from the keystore. This passphrase is assigned to the private key when it is generated. This attribute value is derived from other settings and cannot be physically set.

The returned value is determined as follows:

• If the isUseClientCertForOutbound() returns true, the value from getClientCertPrivateKeyPassPhraseEncrypted() is returned.
• Otherwise, the value from getServerPrivateKeyPassPhraseEncrypted() is returned.

Returns:

The OutboundPrivateKeyPassPhrase value

See Also:

getClientCertPrivateKeyPassPhraseEncrypted(), isUseClientCertForOutbound(), getClientCertPrivateKeyPassPhrase(), getServerPrivateKeyPassPhraseEncrypted(), getServerPrivateKeyPassPhrase()

Default Value:

null

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

getMinimumTLSProtocolVersion

java.lang.String getMinimumTLSProtocolVersion()

Get the minimum SSL/TLS protocol version currently configured.

Returns:

the minimum TLS protocol version. The return value should always be passed to the internal APIs to correctly get back a set of enabled protocol versions.

See Also:

setMinimumTLSProtocolVersion(String)

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

setMinimumTLSProtocolVersion

void setMinimumTLSProtocolVersion(java.lang.String minimumTLSProtocolVersion)
                           throws javax.management.InvalidAttributeValueException

Set the minimum SSL/TLS protocol version

Parameters:

minimumTLSProtocolVersion - the new minimum SSL/TLS protocol version

Throws:

javax.management.InvalidAttributeValueException

isSSLv2HelloEnabled

boolean isSSLv2HelloEnabled()

Indicate whether SSLv2Hello is enabled

Returns:

whether SSLv2Hello is enabled(only applicable if the configured JSSE provider supports SSLv2Hello).

Default Value:

true

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.

isClientInitSecureRenegotiationAccepted

boolean isClientInitSecureRenegotiationAccepted()

Indicate whether TLS client initiated secure renegotiation is accepted.

Returns:

whether TLS client initiated secure renegotiation is accepted by the TLS server. This setting is ignored if the system property -Djdk.tls.rejectClientInitiatedRenegotiation is configured.

Default Value:

false

Changes to this property are dynamic and thus take effect immediately without restarting the server or partition.