Server: Administration: SSL
This page lets you view and define various Secure Sockets Layer (SSL) settings for this server instance. These settings help you to manage the security of message transmissions.
For purposes of backward compatibility, WebLogic Server lets you store private keys and trusted certificate authorities in files or in the WebLogic Keystore provider. If you use either of these mechanisms for identity and trust, choose the Files or Keystore Providers (Deprecated) option.
Note: When you use the WebLogic Keystore provider, you store the digital certificates in files.
Name Description
Identity and Trust Locations
Indicates where SSL should find the server's identity (certificate and private key) as well as the server's trust (trusted CAs).
If set to KEYSTORES, then SSL retrieves the identity and trust from the server's keystores (that are configured on the Server).
If set to FILES_OR_KEYSTORE_PROVIDERS, then SSL first looks in the deprecated KeyStore providers for the identity and trust. If not found, then it looks in the flat files indicated by the SSL Trusted CA File Name, Server Certificate File Name, and Server Key File Name attributes.
Domains created in WebLogic Server version 8.1 or later default to KEYSTORES. Domains created before WebLogic Server version 8.1 default to
Name Description
Private Key Location
The keystore attribute that defines the location of the private key file.
Private Key Alias
The keystore attribute that defines the string alias used to store and retrieve the server's private key.
Private Key Passphrase
The keystore attribute that defines the passphrase used to retrieve the server's private key.
The keystore attribute that defines the location of the trusted certificate.
Name Description
Trusted Certificate Authorities
The keystore attribute that defines the location of the certificate authorities.
Advanced Configuration Options
Name Description
Hostname Verification
Specifies whether to ignore the installed implementation of the weblogic.security.SSL.HostnameVerifier interface (when this server is acting as a client to another application server).
Custom Hostname Verifier
The name of the class that implements the
This class verifies whether the connection to the host with the hostname from URL should be allowed. The class is used to prevent man-in-the-middle attacks. The
verify() method that WebLogic Server calls on the client during the SSL handshake.
Export Key Lifespan
Indicates the number of times WebLogic Server can use an exportable key between a domestic server and an exportable client before generating a new key. The more secure you want WebLogic Server to be, the fewer times the key should be used before generating a new key.
Use Server Certs
Sets whether the client should use the server certificates/key as the client identity when initiating an outbound connection over HTTPS.
Two Way Client Cert Behavior
The form of SSL that should be used.
By default, WebLogic Server is configured to use one-way SSL (implied by the Client Certs Not Requested value). Selecting Client Certs Requested But Not Enforced enables two-way SSL. With this option, the server requests a certificate from the client, but the connection continues if the client does not present a certificate. Selecting Client Certs Requested And Enforced also enables two-way SSL and requires a client to present a certificate. However, if a certificate is not presented, the SSL connection is terminated.
The name of the Java class that implements the weblogic.security.acl.CertAuthenticator class, which is deprecated in this release of WebLogic Server. This field is for Compatibility security only, and is only used when the Realm Adapter Authentication provider is configured.
The weblogic.security.acl.CertAuthenticator class maps the digital certificate of a client to a WebLogic Server user. The class has an authenticate() method that WebLogic Server calls after validating the digital certificate presented by the client.
SSL Rejection Logging Enabled
Indicates whether warning messages are logged in the server log when SSL connections are rejected.
Allow Unencrypted Null Cipher
Test if the AllowUnEncryptedNullCipher is enabled
setAllowUnencryptedNullCipher(boolean enable) for the NullCipher feature.
Inbound Certificate Validation
Indicates the client certificate validation rules for inbound SSL.
This attribute only applies to ports and network channels using 2-way SSL.
Outbound Certificate Validation
Indicates the server certificate validation rules for outbound SSL.
This attribute always applies to outbound SSL that is part of WebLogic Server (that is, an Administration Server talking to the Node Manager). It does not apply to application code in the server that is using outbound SSL unless the application code uses a weblogic.security.SSL.ServerTrustManager that is configured to use outbound SSL validation.
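
An added example (not Oracle's code and not part of the original page) of the hostname check that a class named under Custom Hostname Verifier could run from its verify() method during the SSL handshake. The class name StrictHostnameCheck, its helper methods and the sample names are assumptions; it uses only JDK classes, and the one-label wildcard rule goes beyond what the page describes.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

// Hypothetical helper: the decision a custom verifier's verify() would delegate to.
// Wiring assumption: verify() takes the URL hostname it is given and the first
// entry of the SSL session's peer certificates, then returns allowed(...).
public final class StrictHostnameCheck {

    // Collect dNSName entries (GeneralName type 2) from the peer certificate.
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return names;          // no SAN extension: nothing can match
        for (List<?> san : sans) {
            if (Integer.valueOf(2).equals(san.get(0))) names.add((String) san.get(1));
        }
        return names;
    }

    // True only if the hostname from the URL matches a name in the certificate.
    static boolean allowed(String urlHostname, List<String> certNames) {
        if (urlHostname == null || urlHostname.isEmpty()) return false;
        String host = urlHostname.toLowerCase(Locale.ROOT);
        for (String raw : certNames) {
            String name = raw.toLowerCase(Locale.ROOT);
            if (name.equals(host)) return true;
            // Wildcard must be the whole left-most label and stand for one label only.
            if (name.startsWith("*.") && name.indexOf('*', 1) < 0) {
                String suffix = name.substring(1);           // e.g. ".svc.example.test"
                int dot = host.indexOf('.');
                boolean multiLabelSuffix = suffix.indexOf('.', 1) > 0; // refuse "*.test"
                if (dot > 0 && multiLabelSuffix && host.substring(dot).equals(suffix)) return true;
            }
        }
        return false;                             // fail closed: reject the connection
    }

    public static void main(String[] args) {
        // Constructed sample names standing in for a peer certificate's SAN list.
        List<String> names = List.of("app.example.test", "*.svc.example.test");
        for (String h : new String[] {"app.example.test", "a.svc.example.test",
                                      "a.b.svc.example.test", "other.test"}) {
            System.out.println(h + " allowed=" + allowed(h, names));
        }
    }
}
```

Returning false on any mismatch, including a certificate with no matching name at all, is what lets the verifier stop a connection to a host presenting someone else's certificate.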