weblogic.security.SSL.CertificateCallback interface, which you can implement to create a certificate callback handler. When configured with WebLogic Server, this callback handler is invoked automatically whenever a client request is received over a secure RMI connection; for example, one that uses the T3s or IIOPS protocols.To configure a certificate callback handler so that it is in effect for all secure inbound RMI connections, you define it as a WebLogic Server system property that is passed in the server startup command.
This chapter includes the following topics:
When a client makes a secure RMI connection to a WebLogic Server instance that is configured with a certificate callback handler, WebLogic Server invokes the callback handler. The callback evaluates details about the end user that are contained in the connection request, then returns a boolean value indicating whether authentication is successful.
The CertificateCallback interface calls the validate method on an CertificateCallbackInfo instance, which contains methods to obtain the following information from the end user that is contained in the RMI connection request:
Client host name, IP address, and port
Client domain name
Destination host name, IP address, and port
Authenticated Subject
Client certificate
The callback implementation includes the logic that evaluates the client data that is obtained and returns true or false as follows:
If the callback returns true, authentication succeeds and the client connection to WebLogic Server is made.
If the callback returns false, a RemoteException is thrown containing the "Authentication denied" message.
Note:
If you use a certificate callback implementation in WebLogic Server, a callback is generated whenever a request is received over a secure port. As a result, using certificate callbacks may impose a performance overhead that should be taken into consideration.
The weblogic.security.SSL.CertificateCallback interface contains a single invocation on the validate method on a weblogic.security.SSL.CertificateCallbackInfo instance. The CertificateCallbackInfo instance contains methods to obtain details about the end user that are passed over the secure RMI connection.
You implement logic that evaluates the data that is returned and returns a true or false. The logic does not need to evaluate all data that is returned. Typically, only the certificate is evaluated; for example, obtaining the common name (cn) or distinguished name (dn).
For more information, see the following Javadoc in the Java API Reference for Oracle WebLogic Server:
To configure the callback with WebLogic Server, specify the callback implementation as a system property in the WebLogic Server start command. The property should point to the callback implementation class that is on the server's classpath. For example, if the callback implementation class is MyCertificateCallback.java in the package com.mycompany.security, and MyCertificateCallback.class is in the server's classpath, the following command sets the callback implementation property in WebLogic Server:
java weblogic.Server -Dweblogic.security.SSL.CertificateCallback=com.mycompany.security.MyCertificateCallback
Note that if WebLogic Server is configured for one-way SSL, a client certificate is never sent to the server. Oracle recommends using certificate callbacks handlers only when WebLogic Server is configured for two-way SSL. For more information, see Configure two-way SSL in Oracle WebLogic Server Administration Console Online Help.