4 SSL in WebLogic

WebLogic Server supports Secured Sockets Layer (SSL) on a dedicated listen port which defaults to 7002. To establish an SSL connection over HTTP, a Web browser connects to WebLogic Server by supplying the SSL listen port and the HTTPs protocol in the connection URL, for example, https://myserver:7002.

SSL can be configured one-way or two-way. With one-way SSL, the server must present a certificate to the client, but the client is not required to present a certificate to the server. The client must authenticate the server, but the server accepts a connection from any client. With two-way SSL (SSL with client authentication), the server presents a certificate to the client and the client presents a certificate to the server. WebLogic Server can be configured to require clients to submit valid and trusted certificates before completing the SSL connection.

A host name verifier ensures the host name in the URL to which the client connects matches the host name in the digital certificate that the server sends back as part of the SSL connection. A host name verifier is useful when an SSL client (for example, WebLogic Server acting as an SSL client) connects to an application server on a remote host. It helps to prevent man-in-the-middle attacks. WebLogic Server includes two host name verifiers - Default WebLogic Server Host Name Verifier and Wildcarded Host Name Verifier.

As an alternative to the host name verifiers available from WebLogic Server, you can also use a custom host name verifier. The default WebLogic Server Host Name Verifier is enabled by default. If you are using the default WebLogic Server host name verifier, host name verification passes if both of the following conditions exist:
  • The host name in the certificate matches the local machine's host name.
  • The URL specifies localhost, 127.0.0.1, or the default IP address of the local machine.
WebLogic Server ensures that each certificate in a certificate chain was issued by a certificate authority. All X509 V3 CA certificates used with WebLogic Server must have the Basic Constraint extension defined as CA, thus ensuring that all certificates in a certificate chain were issued by a certificate authority. By default, any certificates for certificate authorities not meeting this criterion are rejected. WebLogic Server SSL has built-in certificate validation. Given a set of trusted CAs, this validation:
  • Verifies that the last certificate in the chain is either a trusted CA or is issued by a trusted CA.
  • Completes the certificate chain with trusted CAs.
  • Verifies the signatures in the chain.
  • Ensures that the chain has not expired.

It is important to protect passwords that are used to access resources in a WebLogic domain. In the past, usernames and passwords were stored in clear text in a WebLogic security realm. Now all the passwords in a WebLogic domain are hashed. If the file containing the hashes for passwords is destroyed or is corrupted, you must reconfigure the WebLogic domain. Therefore it is essential that the file is backed up in a safe location and appropriate permissions are set on the file such that the system administrator of a WebLogic Server deployment has write and read privileges and no other users have any privileges.

WebLogic Server defines a set of configuration options to protect user accounts from intruders. In the default security configuration, these options are set for maximum protection. Documaker Enterprise Edition uses web application server security frameworks for authentication and authorization of users. The web application servers typically utilize frameworks that include support for external user and group repositories that can be accessed via industry-standard protocols, such as LDAP. The ODEE installation process includes the deployment of a user and group data store that works with the demonstration library.

To configure WebLogic for external user/group data stores, you will need access to the Documaker domain within the WebLogic web console. Note that it is possible to complete this configuration using WebLogic Scripting Tool (WLST) – see online documentation to do this.

WebLogic Server includes the following Authentication providers:
  • Oracle Internet Directory Authentication provider
  • Oracle Virtual Directory Authentication provider
  • iPlanet Authentication provider
  • Active Directory Authentication provider
  • Open LDAP Authentication provider
  • Novell Authentication provider
  • Generic LDAP Authentication provider
Each LDAP Authentication provider stores user and group information in an external LDAP server. WebLogic Server does not support or certify any particular LDAP server. Any LDAP v2 or v3 compliant LDAP server should work with WebLogic Server. The following LDAP directory servers have been tested:
  • Oracle Internet Directory
  • Oracle Virtual Directory
  • Sun iPlanet version 4.1.3
  • Open LDAP version 2.0.7
  • Novell NDS version 8.5.1

Note:

The term "SSL" is used generically in this document to denote secure transport mechanisms including Transport Layer Security (TLS).

If your configuration has only one configured Authentication provider for the security realm used by Documaker, then the user that is configured for starting WebLogic Server (the “boot user”) must meet the following requirements:
  • Exist in the LDAP directory.
  • Be a member of a group that has the Admin role

By default, the Admin role is granted to the Administrators group so you may create this group in the LDAP directory if it does not exist. If you wish to use a different group, include the WebLogic Server boot user in the group and grant the Admin role to the group.