5-18 Programming Security for Oracle WebLogic Server

NulledHostnameVerifier class which always returns true for the comparison. The sample allows the WebLogic SSL client to connect to any SSL server, regardless of the result of comparing the server's hostname with the SubjectDN of its digital certificate.

Example 5–6 Hostname Verifier Sample Code Fragment

    public class NulledHostnameVerifier implements weblogic.security.SSL.HostnameVerifier {
      // Always accepts the peer: the hostname in the URL is never compared
      // with the certificate's SubjectDN.
      public boolean verify(String urlHostname, javax.net.ssl.SSLSession session) {
        return true;
      }
    }

5.4.5 Using a Trust Manager

The weblogic.security.SSL.TrustManager interface provides the ability to:

■ Ignore specific certificate validation errors

■ Perform additional validation on the peer certificate chain

When an SSL client connects to an instance of WebLogic Server, the server presents its digital certificate chain to the client for authentication. That chain could contain an invalid digital certificate. The SSL specification says that the client should drop the SSL connection upon discovery of an invalid certificate. You can use a custom implementation of the TrustManager interface to control when to continue or discontinue an SSL handshake. Using a trust manager, you can ignore certain validation errors, optionally perform custom validation checks, and then decide whether or not to continue the handshake.

Use the weblogic.security.SSL.TrustManager interface to create a trust manager. The interface contains a set of error codes for certificate verification. You can also perform additional validation on the peer certificate and interrupt the SSL handshake if need be. After a digital certificate has been verified, the weblogic.security.SSL.TrustManager interface uses a callback function to override the result of verifying the digital certificate. You can associate an instance of a trust manager with an SSL context through the setTrustManager method. You can only set up a trust manager programmatically; its use cannot be defined through the Administration Console or on the command line.

Example 5–7 shows code fragments from the NulledTrustManager example; the complete example is located in the SAMPLES_HOME\server\examples\src\examples\security\sslclient directory in the NulledTrustManager.java file. The SSLSocketClient example uses the custom trust manager. The SSLSocketClient shows how to set up a new SSL connection by using an SSL context with the trust manager.
Note: This interface takes new-style certificates and replaces the weblogic.security.SSL.TrustManagerJSSE interface, which is deprecated.

Note: Depending on the checks performed, use of a trust manager may potentially impact performance.

Using SSL Authentication in Java Clients 5-19

Example 5–7 NulledTrustManager Sample Code Fragments

    package examples.security.sslclient;

    import weblogic.security.SSL.TrustManager;
    import java.security.cert.X509Certificate;
    ...
    public class NulledTrustManager implements TrustManager {
      // Called by WebLogic with the peer chain and the validation error code;
      // returning true overrides the error and lets the handshake continue.
      public boolean certificateCallback(X509Certificate[] o, int validateErr) {
        System.out.println(" --- Do Not Use In Production ---\n" +
                           " By using this NulledTrustManager, the trust in" +
                           " the server's identity is completely lost.\n" +
                           " --------------------------------");
        for (int i = 0; i < o.length; i++)
          System.out.println(" certificate " + i + " -- " + o[i].toString());
        return true;
      }
    }
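As an added illustration (not part of the Oracle sample), the following trust manager does what the text describes as the safe use of the interface: it never overrides a validation error, adds a check of its own (the leaf certificate's SHA-256 fingerprint must match a pinned value), and is wired into a WebLogic SSL context through setTrustManager. The class name PinnedTrustManager, the pin value, and the assumption that a validateErr of 0 means WebLogic reported no error are this example's own; check the interface constants for your release.

```java
package examples.security.sslclient; // hypothetical; mirrors the sample's layout

import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import weblogic.security.SSL.SSLContext;
import weblogic.security.SSL.TrustManager;

/** Trust manager that fails closed and additionally pins the server's leaf certificate. */
public class PinnedTrustManager implements TrustManager {
    private final byte[] expectedLeafSha256;

    /** @param expectedLeafSha256Hex SHA-256 of the server's DER-encoded leaf certificate, hex */
    public PinnedTrustManager(String expectedLeafSha256Hex) {
        this.expectedLeafSha256 = hexToBytes(expectedLeafSha256Hex);
    }

    public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
        // Assumption: 0 means WebLogic found no problem with the chain. Any other
        // code is a validation error, and this manager refuses to override it.
        if (validateErr != 0 || chain == null || chain.length == 0) {
            return false;
        }
        try {
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
            // Constant-time comparison of the computed and pinned fingerprints.
            return MessageDigest.isEqual(actual, expectedLeafSha256);
        } catch (Exception e) {
            return false; // fail closed on any encoding or digest problem
        }
    }

    private static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Associates the trust manager with a WebLogic SSL context, as the text describes. */
    public static SSLContext newPinnedContext(String pinHex) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.setTrustManager(new PinnedTrustManager(pinHex));
        return ctx;
    }
}
```

Rotating the server certificate requires updating the pinned fingerprint, so keep the pin in deployment configuration rather than in source.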

5.4.6 Using the CertPath Trust Manager