Administration Console Online Help

Previous Next Open TOC in new window
Content starts here

Configure two-way SSL

Before you begin

  • Before configuring two-way SSL, ensure that the trust keystore for the server includes the certificate for the trusted certificate authority that signed the certificate for the client. See Configure identity and trust.
  • If automatic realm restart is enabled in the default realm, you do not need to restart WebLogic Server after activating non-dynamic changes to the SSL configuration. See Enable automatic realm restart and Using Automatic Realm Restart.

By default, WebLogic Server is configured to use one-way SSL (the server passes its identity to the client). When the server needs to authenticate the client, you use two-way SSL. In a two-way SSL connection, the client verifies the identity of the server and then passes its identity certificate to the server. The server then validates the identity certificate of the client before completing the SSL handshake. The server determines whether or not two-way SSL is used.

To configure two-way SSL:

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane of the Console, expand Environment and select Servers.
  3. Click the name of the server for which you want to configure SSL.
  4. Select Configuration > SSL, and click Advanced at the bottom of the page.
  5. Set the Two Way Client Cert Behavior attribute. The following options are available:
    • Client Certs Not Requested: The default (meaning one-way SSL).
    • Client Certs Requested But Not Enforced: Requires a client to present a certificate. If a certificate is not presented, the SSL connection continues.
    • Client Certs Requested And Enforced: Requires a client to present a certificate. If a certificate is not presented, the SSL connection is terminated.
  6. Click Save.
  7. In the Change Center, click Activate Changes.

After you finish

All the server SSL attributes are dynamic; when modified via the Console, they cause the corresponding SSL server or channel SSL server to restart and use the new settings for new connections. Old connections will continue to run with the old configuration. If automatic realm restart is not enabled in the default realm, you must reboot WebLogic Server to ensure that all the SSL connections exist according to the specified configuration.

Back to Top