This chapter includes the following sections:
Developing Clients that use JAAS
JAAS enforces access controls based on user identity and is the preferred method of authentication for most WebLogic Server clients. A typical use case is providing authentication to read or write to a file.
For more information about how to implement JAAS authentication, see Using JAAS Authentication in Java Clients in Developing Applications with the WebLogic Security Service.
The WLS-IIOP client does not support JAAS. See Developing Clients that use JNDI Authentication.
Developing Clients that use JNDI Authentication
Learn how to develop certificate authentication (also referred to as two-way SSL authentication) using JNDI authentication.
See Using JNDI Authentication in Developing Applications with the WebLogic Security Service.
Developing Clients that use SSL
WebLogic Server provides Secure Sockets Layer (SSL) support for encrypting data transmitted between WebLogic Server clients and servers, Java clients, Web browsers, and other servers. All SSL clients need to specify trust. Trust is the set of CA certificates that specifies which certificate authorities the client trusts.
In order to establish an SSL connection, an RMI client needs to trust the certificate authority that issued the server's digital certificate. The location of the trust keystore holding that CA certificate is specified when starting the RMI client.
WebLogic Server's integration with Java Secure Socket Extension (JSSE) does not use the default javax.net.ssl.SSLContext instance or the javax.net.ssl.* JVM system properties that define keystore settings (such as javax.net.ssl.keyStore and javax.net.ssl.trustStore). Trust for a WebLogic RMI client is configured with the WebLogic-specific command-line arguments described below; the thin-client sample in Example 14-1 is the exception, because it configures its keystores through the javax.net.ssl.* properties.
By default, all trusted certificate authorities available from the JDK (...\jre\lib\security\cacerts) are trusted by RMI clients. However, if the server's trusted CA certificate is stored in one of the following trust keystores, you need to specify certain command line arguments in order to use the keystore:
Demo Trust—The trusted CA certificates in the demonstration Trust keystore (DemoTrust.jks) are located in the \server\lib directory. In addition, the trusted CAs in the JDK cacerts keystore are trusted. Because the demonstration trust keystore and the demonstration CA it trusts ship with every WebLogic Server installation, Demo Trust is suitable only for development and must not be used in production. To use the Demo Trust, specify the following command-line argument:
Optionally, use the following command-line argument to specify a password for the JDK cacerts trust keystore:
password is the password for the Java Standard Trust keystore. This password is defined when the keystore is created.
Custom Trust—A trust keystore you create. To use Custom Trust, specify the following command-line arguments.
Specify the fully qualified path to the trust keystore:
Specify the type of the keystore:
Optionally, specify the password defined when creating the keystore:
Oracle's keytool utility can also be used to generate a private key, a self-signed digital certificate for WebLogic Server, and a Certificate Signing Request (CSR). For more information about Oracle's keytool utility, see the keytool-Key and Certificate Management Tool description at
For a tutorial on using keytool to create a client certificate, see section "Creating a Client Certificate for Mutual Authentication" in The Java EE Tutorial, at
When using the keytool utility, the default key pair generation algorithm is DSA. WebLogic Server does not support the use of the Digital Signature Algorithm (DSA). Specify another key pair generation algorithm (for example, RSA) and a matching signature algorithm explicitly when generating keys for use with WebLogic Server.
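The following script is an added example and is not code from the WebLogic Server documentation. It covers the two procedures described above: generating a non-DSA key pair, self-signed certificate and CSR with keytool, and building the command-line arguments that point an RMI client at a Custom Trust keystore (or at Demo Trust) after checking that the keystore is usable. The weblogic.security.* property names are the ones WebLogic Server documents for these settings; they are not shown on this page, so verify them against the documentation for your release. The aliases, file names and pass phrases are placeholders.

```shell
#!/bin/sh
# Added example; not from the WebLogic Server documentation page.
# Assumption: the weblogic.security.* property names below are the documented
# Custom Trust / Demo Trust settings for your WebLogic Server release.

# check_keyalg ALG: refuse DSA, which keytool may pick by default and which
# WebLogic Server does not support.
check_keyalg() {
  case "$1" in
    [Dd][Ss][Aa]) echo "DSA keys are not supported by WebLogic Server; use RSA or EC" >&2; return 1 ;;
    *) return 0 ;;
  esac
}

# gen_identity KEYSTORE STOREPASS CN: RSA-2048 key pair, self-signed
# certificate and a CSR (wls-server.csr) to send to the CA. Needs keytool.
gen_identity() {
  alg=RSA
  check_keyalg "$alg" || return 1
  keytool -genkeypair -alias wls-server -keyalg "$alg" -keysize 2048 \
    -sigalg SHA256withRSA -validity 365 -dname "CN=$3" \
    -keystore "$1" -storetype JKS -storepass "$2" -keypass "$2"
  keytool -certreq -alias wls-server -keystore "$1" -storepass "$2" \
    -file wls-server.csr
}

# import_ca CA_PEM KEYSTORE STOREPASS: put the CA certificate that issued the
# server's certificate into the custom trust keystore. Needs keytool.
import_ca() {
  keytool -importcert -noprompt -alias wls-server-ca -file "$1" \
    -keystore "$2" -storetype JKS -storepass "$3"
}

# custom_trust_args KEYSTORE TYPE [PASSPHRASE]: print the -D arguments for
# Custom Trust on one line, after checking the keystore is readable and of a
# type the client can open.
custom_trust_args() {
  [ -r "$1" ] || { echo "trust keystore not readable: $1" >&2; return 1; }
  case "$2" in
    JKS|jks|PKCS12|pkcs12) ;;
    *) echo "unexpected keystore type: $2" >&2; return 1 ;;
  esac
  args="-Dweblogic.security.TrustKeyStore=CustomTrust"
  args="$args -Dweblogic.security.CustomTrustKeyStoreFileName=$1"
  args="$args -Dweblogic.security.CustomTrustKeyStoreType=$2"
  if [ -n "${3:-}" ]; then
    args="$args -Dweblogic.security.CustomTrustKeyStorePassPhrase=$3"
  fi
  printf '%s\n' "$args"
}

# demo_trust_args [CACERTS_PASSPHRASE]: the Demo Trust arguments (development only).
demo_trust_args() {
  args="-Dweblogic.security.TrustKeyStore=DemoTrust"
  if [ -n "${1:-}" ]; then
    args="$args -Dweblogic.security.JavaStandardTrustKeyStorePassPhrase=$1"
  fi
  printf '%s\n' "$args"
}

# Manual usage (nothing runs when the file is sourced without arguments):
#   sh wls-trust.sh setup server-ca.pem          -> builds custom-trust.jks
#   java $(sh wls-trust.sh args) -cp ... examples.security.MyRmiClient
case "${1:-}" in
  setup) import_ca "$2" custom-trust.jks changeit ;;
  args)  custom_trust_args custom-trust.jks JKS changeit ;;
esac
```

Pass phrases given as -D arguments are visible to every local user through the process list, so on shared hosts prefer a trust keystore whose integrity check you can accept without a pass phrase, or supply the pass phrase from a file readable only by the client's account.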
Although JSSE supports Server Name Indication (SNI) in its SSL implementation, WebLogic Server does not support SNI.
Thin-Client Restrictions for JAAS and SSL
WebLogic thin-clients only support two-way SSL by requiring the SSLContext to be provided by the
WebLogic thin-client applications only support JAAS authentication through the following methods:
To understand how thin-clients support two-way SSL using SSLContext, see the sample client code below:
Example 14-1 Client Code with SSLContext
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Thin-client sample: two-way SSL over IIOP, with the client's identity
 * keystore and trust keystore handed to JSSE through system properties.
 * Arguments: host port keyStorePath keyStorePassPhrase trustStorePath trustStorePassPhrase
 */
public class SslContextClient {

    public static void main(String[] args) throws NamingException {
        if (args.length != 6) {
            System.err.println("usage: SslContextClient host port keyStore keyStorePass trustStore trustStorePass");
            System.exit(1);
        }
        String host = args[0];
        String port = args[1];

        System.out.println("Getting initial context");
        Hashtable<String, String> props = new Hashtable<>();
        props.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        // iiops: IIOP over SSL; port is the server's SSL listen port
        props.put(Context.PROVIDER_URL, "corbaloc:iiops:" + host + ":" + port + "/NameService");
        // Sample credentials from the original example; do not hard-code real ones
        props.put(Context.SECURITY_PRINCIPAL, "weblogic");
        props.put(Context.SECURITY_CREDENTIALS, "password");

        // Set the SSL properties through system properties.
        // Identity keystore (one key inside the store) and its pass phrase
        System.setProperty("javax.net.ssl.keyStore", args[2]);
        System.setProperty("javax.net.ssl.keyStorePassword", args[3]);
        // Trust keystore holding the CA that issued the server's certificate, and its pass phrase
        System.setProperty("javax.net.ssl.trustStore", args[4]);
        System.setProperty("javax.net.ssl.trustStorePassword", args[5]);

        Context ctx = new InitialContext(props);
        System.out.println("Initial context obtained over two-way SSL");
        ctx.close();
    }
}
Security Code Examples
Security samples are optionally provided with the WebLogic Server product. A description of each sample and instructions on how to build, configure, and run a sample, are provided in the
The samples are located in the \wlserver\samples\server\examples\src\examples\security directory. You can modify these code examples and reuse them. See Sample Applications and Code Examples in Understanding Oracle WebLogic Server.