Oracle8i Enterprise JavaBeans Developer's Guide and Reference
Release 3 (8.1.7)

Part Number A83725-01

Library

Product

Contents

Index

Go to previous page Go to beginning of chapter Go to next page

Server-Side Authentication

The server can require a different type of authentication depending on its role. If you are utilizing the database as a server in a typical client/server environment, you use certificates that are set within a wallet for the database for server-side authentication. However, if you are using the server to callout to another object or callback to an object on the client, the server is now acting as a client and so requires its own identifying certificates. That is, in a callout or callback scenario, the server cannot use the wallet generated for database server-side authentication.

Server activity   Authentication method  

Typical client/server  

Use database wallet generated by Oracle Wallet Manager  

Callout to another object  

Set identifying certificates using either JNDI properties or AuroraCurrentManager class.  

Callback to client object  

Set identifying certificates using AuroraCurrentManager class.  

The following sections describe this in more detail:

Typical Client/Server

Server-side authentication takes place when the server provides certificates for authentication to the client. When requested, the server will authenticate itself to the client, also known as server-side authentication, by providing certificates to the client. The SSL layer authenticates both peers during the connection handshake. The client requests server-side authentication by setting any of the SSL_* values in the JNDI property. See "Using JNDI for Authentication" for more information on these JNDI values.

For server-side authentication, you must set up a database wallet with the appropriate certificates, using the Wallet Manager. See the Oracle Advanced Security Administrator's Guide for information on how to create a wallet.


Note:

If the client wants to verify the server against trustpoints or authorize the server, it is up to the client to set up its trustpoints and parse the server's certificates for authorization. See "Authorization" for more information.  


Callouts using Security

A callout is when a Java object loaded within the database invokes a method within another Java object. If the original call from the client required a certain level of security--certificate-based or username/password security--the server object is also required to provide the same level of security information for itself before invoking the method on the second server object.

Figure 6-2 Server callout requires security


Callbacks using Security

A callback is when the client passes the server object an object reference to an object that exists on the client. As shown in Figure 6-3, the server object receives the object reference and invokes methods. This effectively calls out of the server and back to an object located in the client. See "Debugging Techniques" for more information on callbacks.

Figure 6-3 Server callout requires security


The type of security you can use for callbacks is certificate-based security over SSL. When you add SSL security to callbacks, you can have one of two situations:

  1. Server-side authentication only


    1. The client is not required to authenticate itself with a certificate. However, it must still authenticate itself to the database using a username/password combination.

    2. The server, since server-side authentication is always required with SSL, authenticates itself to the client by providing certificates contained in the database wallet.

    3. When the server calls back to the client, it acts as a client; thus, it is not required to provide certificates for authentication.

    4. The called object, although contained in the client, is the server object in the callback scenario. Thus, since server-side authentication rules hold, the callback object must provide certificates to authenticate itself.

      Example 6-2 Callback code with server-side authentication only

    The following code shows the client code that performs (a) and (d) steps above. The first half of the client code sets up a username and password for authenticating itself to the database. It retrieves the server object. However, before it invokes the server's method, the last half of the code sets up the client callback object by setting certificates, initializing the BOA, and instantiating the callback object. Finally, the server method is invoked.

    public static void main (String[] args) throws Exception {
    String serviceURL = args [0];
    String objectName = args [1];
    String user = args [2];
    String password = args [3];
    
    //set up username/password for authentication to database. Set up
    //security to be SSL_LOGIN - login authentication for client and server-side
    //authentication.
    Hashtable env = new Hashtable ();
    env.put (Context.URL_PKG_PREFIXES, "oracle.aurora.jndi");
    env.put (Context.SECURITY_PRINCIPAL, user);
    env.put (Context.SECURITY_CREDENTIALS, password);
    env.put (Context.SECURITY_AUTHENTICATION, ServiceCtx.SSL_LOGIN);
    Context ic = new InitialContext (env);
    
    // Get the server object before preparing the client object.
    // You have to do it in this order to get the ORB initialized correctly
    Server server = (Server)ic.lookup (serviceURL + objectName);
    
    // Create the client object and export it to the ORB in the client
    // First, set up the ORB properties for the callback object
    java.util.Properties props = new java.util.Properties();
    props.put("ORBservices", "oracle.aurora.ssl");
    
    // Initialize the ORB.
    com.visigenic.vbroker.orb.ORB orb = (com.visigenic.vbroker.orb.ORB)
           oracle.aurora.jndi.orb_dep.Orb.init(args, props);
    
    // Get the certificate manager
    AuroraCertificateManager certificateManager =
    AuroraCertificateManagerHelper.narrow( orb.resolve_initial_references("AuroraSSLCertificateManager")); // Set up client callback certificate chain, ordered from user to CA. byte[] testCert = new byte[testCert_base64.length()]; testCert_base64.getBytes(0, testCert_base64.length(), testCert, 0); byte[] caCert = new byte[caCert_base64.length()]; caCert_base64.getBytes(0, caCert_base64.length(), caCert, 0); // Set my certificate chain, ordered from user to CA. byte[][] certificates = { testCert, caCert }; certificateManager.setCertificateChain(certificates); // Set client callback object's private key. byte[] encryptedPrivateKey = new byte[encryptedPrivateKey_base64.length()]; encryptedPrivateKey_base64.getBytes(0, encryptedPrivateKey_base64.length(), encryptedPrivateKey, 0); certificateManager.setEncryptedPrivateKey(encryptedPrivateKey,"welcome12"); // Initialize the BOA with SSL org.omg.CORBA.BOA boa = orb.BOA_init("AuroraSSLTSession", null); //Instantiate the client callback object ClientImpl client = new ClientImpl (); //register callback object with BOA boa.obj_is_ready (client); // Invoke the server method, passing the client to call us back System.out.println (server.hello (client)); } }
  2. Client-side and Server-side authentication


    1. The client is required to authenticate itself with a certificate.

    2. The server, since server-side authentication is always required with SSL, authenticates itself to the client by providing certificates contained in the database wallet.

    3. When the server calls back to the client, it acts as a client; thus, it is required to provide its own certificates for authentication.

    4. The called object, although contained in the client, is the server object in the callback scenario. Thus, since server-side authentication rules hold, the callback object must provide certificates to authenticate itself.

      The code for the client shown in Example  6-2 is the same for this scenario, except 
      that instead of providing a username and password, the client provides certificates. 
      
      Since client-side authentication is required and because the server is acting as a 
      client, the server code sets up identifying certificates for itself before invoking the 
      callback object. The server must create and send its own certificates, it cannot 
      forward on the client's certificates for authentication. You set up your server object 
      certificates using either the appropriate JNDI properties or the 
      AuroraCertificateManager as discussed in "Using Certificates for Client 
      Authentication". 
      
      
      

      Example 6-3 Server code in callback with client-side authentication

The following server code does the following:

  1. Retrieve the Oracle8i ORB reference by invoking the init method.

  2. Retrieve the AuroraCertificateManager

  3. Set certificates and key through AuroraCertificateManager methods.

  4. Invoke the client callback method, hello.

    public String hello (Client client) {
    BASE64Decoder decoder = new BASE64Decoder();
    com.visigenic.vbroker.orb.ORB orb = (com.visigenic.vbroker.orb.ORB)
                             oracle.aurora.jndi.orb_dep.Orb.init();
    
    try  {
    // Get the certificate manager
         AuroraCertificateManager cm = AuroraCertificateManagerHelper.narrow(
               orb.resolve_initial_references("AuroraSSLCertificateManager"));
    
          byte[] userCert = decoder.decodeBuffer(testCert_base64); 
          byte[] caCert = decoder.decodeBuffer(caCert_base64);
    
        // Set my certificate chain, ordered from CA to user.
          byte[][] certificates = { caCert, userCert };
          cm.setCertificateChain(certificates);
    
          // Set my private key.
          byte[] encryptedPrivateKey =
    decoder.decodeBuffer(encryptedPrivateKey_base64); cm.setEncryptedPrivateKey(encryptedPrivateKey, "welcome12"); } catch (Exception e) { e.printStackTrace(); throw new org.omg.CORBA.INITIALIZE( "Couldn't initialize SSL context"); } return "I Called back and got: " + client.helloBack (); }


Go to previous page
Go to beginning of chapter
Go to next page
Oracle
Copyright © 1996-2000, Oracle Corporation.

All Rights Reserved.

Library

Product

Contents

Index