Developing Security-Aware Clients

You can develop Weblogic clients that use the Java Authentication and Authorization Service (JAAS) and Secure Sockets Layer (SSL). The following sections provide information on security-aware clients:

Developing Clients That Use JAAS

JAAS enforces access controls based on user identity and is the preferred method of authentication for WebLogic Server clients. A typical use case is providing authentication to read or write to a file. Users requiring client certificate authentication (also referred to as two-way SSL authentication) should use JNDI authentication. For more information on how to implement JAAS authentication, see Using JAAS Authentication in Java Clients.

Developing Clients That Use SSL

BEA WebLogic Server provides Secure Sockets Layer (SSL) support for encrypting data transmitted between WebLogic Server clients and servers, Java clients, Web browsers, and other servers.

All SSL clients need to specify trust. Trust is a set of CA certificates that specify which trusted certificate authorities are trusted by the client. In order to establish an SSL connection, RMI clients need to trust the certificate authorities that issued the server's digitial certificates. The location of the server’s trusted CA certificate is specified when starting the RMI client.

By default, all trusted certificate authorities available from the JDK (...\jre\lib\security\cacerts) are trusted by RMI clients. However, if the server’s trusted CA certificate is stored in one of the following types of trust keystores, you need to specify certain command line arguments in order to use the keystore:

Demo Trust—The trusted CA certificates in the demonstration Trust keystore (DemoTrust.jks) are located in the WL_HOME\server\lib directory. In addition, the trusted CAs in the JDK cacerts keystore are trusted. To use the Demo Trust, specify the following command-line argument:

-Dweblogic.security.TrustKeyStore=DemoTrust

Optionally, use the following command-line argument to specify a password for the JDK cacerts trust keystore:

-Dweblogic.security.JavaStandardTrustKeystorePassPhrase=password

where password is the password for the Java Standard Trust keystore. This password is defined when the keystore is created.

Custom Trust—A trust keystore you create. To use Custom Trust, specify the following command-line arguments.

Specify the fully qualified path to the trust keystore:

-Dweblogic.security.CustomTrustKeystoreFileName=filename

Specify the type of the keystore:

-Dweblogic.security.TrustKeystoreType=CustomTrust

Optionally, specify the password defined when creating the keystore:

-Dweblogic.security.CustomTrustKeystorePassPhrase=password

Sun Microsystem's keytool utility can also be used to generate a private key, a self-signed digital certificate for WebLogic Server, and a Certificate Signing Request (CSR). The keytool utility is a product of Sun Microsystems. Therefore, BEA Systems does not provide complete documentation on the utility. For more information about Sun's keytool utility, see the keytool-Key and Certificate Management Tool description at http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html. Sun Microsystems provides a tutorial Installing and Configuring SSL Support which includes a section “Creating a Client Certificate for Mutual Authentication”.

Thin-Client Restrictions for JAAS and SSL

WebLogic thin-client applications only support JAAS authentication through the following classes:

WebLogic thin-clients only support two-way SSL by requiring the SSLContext to be provided by the SECURITY_CREDENTIALS property. For example, see the client code below:

.
.
.
System.out.println("Getting initial context");
Hashtable props = new Hashtable();
props.put(Context.INITIAL_CONTEXT_FACTORY,"weblogic.jndi.WLInitialContextFactory");
props.put(Context.PROVIDER_URL,"corbaloc:iiops:" + host + ":" + port +"/NameService");

props.put(Context.SECURITY_PRINCIPAL,"weblogic");
props.put(Context.SECURITY_CREDENTIALS, "weblogic");


//Set the ssl properties through system property

//set the path to the keystore file (one key inside the store)
System.setProperty("javax.net.ssl.keyStore", YOUR-KEY_STORE_FILE_PATH);

//set the keystore pass phrase
System.setProperty("javax.net.ssl.keyStorePassword",YOUR_KEY_STORE_PASS_PHRASE);

//Set the trust store

//set the path to the trust store file
System.setProperty("javax.net.ssl.trustStore",YOUR-TRUST_STORE_FILE_PATH);
//set the trust store pass phrase
System.setProperty("javax.net.ssl.trustStorePassword",YOUR_TRUST_STORE_PASS_PHRASE);

Context ctx = new InitialContext(props);
.
.
.

Security Code Examples

Security samples are provided with the WebLogic Server product. The samples are located in the SAMPLES_HOME\server\examples\src\examples\security directory. A description of each sample and instructions on how to build, configure, and run a sample, are provided in the package-summary.html file. You can modify these code examples and reuse them.

Programming Stand-alone Clients

Developing Security-Aware Clients

Developing Clients That Use JAAS

Developing Clients That Use SSL

Thin-Client Restrictions for JAAS and SSL

Security Code Examples