31 Specifying a Client Certificate for an Outbound Two-Way SSL Connection
To specify a client certificate for an outbound two-way SSL connection, complete the steps described in the following sections:
Note:
Switching WebLogic Server's identity to a client certificate is supported only when making an outbound two-way SSL connection. For inbound SSL connections, where WebLogic Server is acting as an SSL server, the server certificate is always used for identity.
Add a Client Certificate to the Identity Keystore
Add a client certificate to WebLogic Server's identity keystore and define the name of the alias under which the private key and public certificate are stored. This task only needs to be done once. After completing the configuration steps, the ability to use a client identity for making an outbound two-way SSL connection is always available for the current WebLogic Server instance.
To add a client certificate to the identity keystore, complete the following steps:
- Create a client key pair (a public key and associated private key) and an alias for the private key, and store it in the WebLogic Server identity keystore. You can do this using the keytool utility.
- Generate a Certificate Signing Request (CSR) and submit it to a certificate authority (CA), who returns the CA-signed client certificate. Oracle recommends using the same CA as for the server certificate so that both certificates have the same trusted root CA.
- Store the CA-signed client certificate in the identity keystore. (If the client certificate is signed by the same CA as the server certificate, you can skip the step of storing the root CA certificate in the trust keystore because it is already there.)
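The three steps above, as an added example that is not part of the Oracle documentation: a POSIX shell script that drives keytool end to end. So that it runs offline, a throwaway local CA created with keytool stands in for the real CA and keytool's -gencert command plays the CA's signing step; the aliases, passwords, distinguished names and file names are constructed for the demo and are not values from the page.

```shell
# Added example (not from the Oracle documentation): the three keystore steps
# driven by keytool against a throwaway CA so the script works offline.
# Aliases, file names, passwords and distinguished names below are constructed.

WORKDIR=$(mktemp -d)
STOREPASS="changeit"                  # constructed demo password, never hard-code one in production
IDENTITY_KS="$WORKDIR/identity.jks"   # WebLogic identity keystore (private keys + certificates)
TRUST_KS="$WORKDIR/trust.jks"         # WebLogic trust keystore (trusted CA certificates)
CA_KS="$WORKDIR/ca.jks"               # stand-in for the CA that signs both certificates
CLIENT_ALIAS="myClientCert"           # the alias later passed to setClientCertAlias()

# Stand-in CA: in a real deployment this is the CA that also signed the server certificate.
create_demo_ca() {
  keytool -genkeypair -alias rootca -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=Demo Root CA, O=Example" -ext bc:c \
    -keystore "$CA_KS" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS" \
  && keytool -exportcert -alias rootca -rfc -file "$WORKDIR/ca.pem" \
    -keystore "$CA_KS" -storepass "$STOREPASS"
}

# Step 1: client key pair stored in the identity keystore under the chosen alias.
create_client_keypair() {
  keytool -genkeypair -alias "$CLIENT_ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=wls-outbound-client, O=Example" \
    -keystore "$IDENTITY_KS" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: CSR generated from the identity keystore, then signed by the CA.
sign_client_csr() {
  keytool -certreq -alias "$CLIENT_ALIAS" -file "$WORKDIR/client.csr" \
    -keystore "$IDENTITY_KS" -storepass "$STOREPASS" \
  && keytool -gencert -alias rootca -infile "$WORKDIR/client.csr" \
    -outfile "$WORKDIR/client.pem" -rfc -validity 365 \
    -keystore "$CA_KS" -storepass "$STOREPASS"
}

# Step 3: root CA into the trust keystore (the step you can skip when it is already
# there), root CA into the identity keystore so keytool can validate the chain of the
# signed reply, then the CA-signed client certificate replaces the self-signed one.
import_signed_client_cert() {
  keytool -importcert -alias rootca -file "$WORKDIR/ca.pem" -noprompt \
    -keystore "$TRUST_KS" -storetype JKS -storepass "$STOREPASS" \
  && keytool -importcert -alias rootca -file "$WORKDIR/ca.pem" -noprompt \
    -keystore "$IDENTITY_KS" -storepass "$STOREPASS" \
  && keytool -importcert -alias "$CLIENT_ALIAS" -file "$WORKDIR/client.pem" -noprompt \
    -keystore "$IDENTITY_KS" -storepass "$STOREPASS"
}

# Check: the alias must now hold a private key whose chain is 2 deep
# (client certificate + root CA), which proves the CA-signed reply was accepted.
client_chain_length() {
  keytool -list -v -alias "$CLIENT_ALIAS" -keystore "$IDENTITY_KS" -storepass "$STOREPASS" \
    | sed -n 's/^Certificate chain length: //p'
}

run_demo() {
  create_demo_ca && create_client_keypair && sign_client_csr && import_signed_client_cert
}

if command -v keytool >/dev/null 2>&1; then
  run_demo
  echo "identity keystore: $IDENTITY_KS (chain length $(client_chain_length))"
else
  echo "keytool not found; install a JDK to run this example" >&2
fi
```

In a real deployment the CSR produced by sign_client_csr goes to the same CA that issued the server certificate, and the reply it returns is what import_signed_client_cert loads under the alias; the alias and the private-key passphrase are the values the WLST script later sets through SSLMBean.ClientCertAlias and SSLMBean.ClientCertPrivateKeyPassPhrase.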
Initiate the Outbound Two-Way SSL Connection
Learn how to write a WLST script to initiate an outbound two-way SSL connection using the client certificate.
To initiate an outbound two-way SSL connection using the client certificate, create a WLST script that does the following:
- Connects to the WebLogic Server instance.
- Sets the SSLMBean.UseServerCerts attribute to true, which establishes the server identity for the outbound connection.
- Switches to the identity of the client certificate by setting the SSLMBean.UseClientCertForOutbound attribute to true.
- Specifies the client certificate private key passphrase, using the SSLMBean.ClientCertPrivateKeyPassPhrase attribute, and the client certificate keystore alias, using the SSLMBean.ClientCertAlias attribute.
Example 31-1 shows a WLST script that initiates an outbound two-way SSL connection using a client certificate from the identity keystore configured with WebLogic Server.
Example 31-1 Sample WLST Script that Initiates an Outbound Two-Way SSL Connection Using a Client Identity
# Connect to the Administration Server and open an edit session
url="t3://localhost:7001"
adminUsername="weblogic"
adminPassword="password"
connect(adminUsername, adminPassword, url)
edit()
server=cmo.lookupServer('myserver')
cd('Servers')
cd('myserver')
startEdit()
# Navigate to the SSL MBean of the server
cd('SSL')
cd('myserver')
ssl = server.getSSL()
# Use the server identity for the outbound connection, then switch to the client certificate
ssl.setUseServerCerts(true)
ssl.setUseClientCertForOutbound(true)
# Alias of the client certificate in the identity keystore and its private key passphrase
ssl.setClientCertAlias("myClientCert")
ssl.setClientCertPrivateKeyPassPhrase("myClientCertPrivateKeyPassPhrase")
# Save and activate the changes, then end the session
save()
activate()
disconnect()
exit()
Note:
For clarity, this WLST example script shows the username and password in clear text. However, you should avoid entering clear-text passwords in WLST commands in general, and you should especially avoid saving on disk WLST scripts that include clear-text passwords. In these instances you should use a mechanism for passing encrypted passwords instead. See Security for WLST in Understanding the WebLogic Scripting Tool.
Restore the Use of the Server Identity Certificate
To restore use of the server identity certificate for outbound SSL connections, specify a WLST command that sets the SSLMBean.UseClientCertForOutbound attribute to false.
Note the following:
- The values of the SSLMBean.ClientCertPrivateKeyPassPhrase and SSLMBean.ClientCertAlias attributes are persisted and are used the next time an outbound two-way SSL connection using a client identity is made (that is, the next time the SSLMBean.UseClientCertForOutbound attribute is set to true).
- The SSLMBean attributes used for specifying a client certificate for outbound SSL connections are not available from the WebLogic Server Administration Console.