12-2 Securing Oracle WebLogic Server
WebLogic Server supports SSL on a dedicated listen port which defaults to 7002. To establish an SSL connection over HTTP, a Web browser connects to WebLogic Server by supplying the SSL listen port and the HTTPS protocol in the connection URL, for example, https://myserver:7002.

Using SSL is compute intensive and adds overhead to a connection. Avoid using SSL in development environments when it is not necessary. However, always use SSL in a production environment.
12.2 One-Way and Two-Way SSL
SSL can be configured one-way or two-way:
■ With one-way SSL, the server must present a certificate to the client, but the client is not required to present a certificate to the server. The client must authenticate the server, but the server accepts a connection from any client. One-way SSL is common on the Internet where customers want to create secure connections before they share personal data. Often, clients will also use SSL to log on in order that the server can authenticate them.
■ With two-way SSL (SSL with client authentication), the server presents a certificate to the client and the client presents a certificate to the server. WebLogic Server can be configured to require clients to submit valid and trusted certificates before completing the SSL connection.
12.3 Java Secure Socket Extension (JSSE) SSL Implementation Supported
This release of WebLogic Server augments the Certicom SSL implementation in WebLogic Server with an SSL implementation based on Java Secure Socket Extension (JSSE). JSSE is the Java standard framework for SSL and TLS and includes both blocking-IO and non-blocking-IO APIs, and a reference implementation including several commonly-trusted CAs.
The JSSE-based SSL implementation interoperates over SSL with instances of WebLogic Server version 8.1 and later using the Certicom SSL implementation. That is, when WebLogic Server with JSSE SSL is used as either an SSL client or as the SSL server, it can communicate via SSL with instances of WebLogic Server version 8.1 and later that use the Certicom SSL implementation.
See Section 12.12, Using the JSSE-Based SSL Implementation, for information about using JSSE.
See the Java Secure Socket Extension (JSSE) Reference Guide (http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html) for complete information on JSSE.
Note: WebLogic Server does not support SSL 2.0.
Note: Support for the Certicom SSL implementation is deprecated and will eventually be removed. Until then, this release of WebLogic Server continues to support the Certicom SSLPlus Java version 4.0 SSL implementation.
12.4 Setting Up SSL: Main Steps
To set up SSL:
1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) for WebLogic Server. Use the digital certificates, private keys, and trusted CA certificates provided by WebLogic Server, the CertGen utility, the keytool utility, or a reputable vendor such as Entrust or VeriSign to perform this step.
2. Store the identity and trust. Private keys and trusted CA certificates (which specify identity and trust) are stored in a keystore.
3. Configure the identity and trust keystores for WebLogic Server in the WebLogic Server Administration Console. See Configure keystores in the Oracle WebLogic Server Administration Console Help.
4. Set SSL configuration options for the private key alias and password in the WebLogic Server Administration Console. Optionally, set configuration options that require the presentation of client certificates (for two-way SSL). See Servers: Configuration: SSL and Configure two-way SSL in the Oracle WebLogic Server Administration Console Help.
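The following shell script is an added example; it is not part of the Oracle documentation or of WebLogic Server itself. It carries out steps 1 and 2 with the JDK keytool utility named in step 1 and, by building trust in both directions, also shows what the one-way and two-way SSL modes of Section 12.2 each require: for one-way SSL only the client's trust keystore must hold the server's certificate; for two-way SSL the server's trust keystore must additionally hold the certificate the client's chain is issued from. The aliases, file names, distinguished names and the password changeit are assumptions made for the example, and the self-signed certificates it creates stand in for CA-issued ones, so, like CertGen output, they are for demonstration only. Steps 3 and 4 remain Administration Console settings and are not scripted here.

```shell
#!/bin/sh
# Added example, not Oracle's code: identity and trust keystores for WebLogic
# Server built with the JDK keytool utility (steps 1 and 2 of Section 12.4).
# Aliases, file names, DNs and the password below are assumptions for the
# example; the self-signed certificates are demo stand-ins for CA-issued ones.
set -eu

STOREPASS="${STOREPASS:-changeit}"   # assumed demo keystore password

# Step 1 (identity): generate a private key and certificate under an alias,
# write a CSR to send to a CA, and export the certificate so the peer can
# trust it. In production the CA's reply is imported under the same alias:
#   keytool -importcert -alias <alias> -file reply.pem -keystore <alias>-identity.jks
make_identity() {
    alias_name="$1"; cn="$2"
    keytool -genkeypair -alias "$alias_name" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$cn,OU=Demo,O=Example,C=US" \
        -keystore "$alias_name-identity.jks" -storetype JKS \
        -storepass "$STOREPASS" -keypass "$STOREPASS" 2>/dev/null
    keytool -certreq -alias "$alias_name" -file "$alias_name.csr" \
        -keystore "$alias_name-identity.jks" -storepass "$STOREPASS" 2>/dev/null
    keytool -exportcert -rfc -alias "$alias_name" -file "$alias_name.pem" \
        -keystore "$alias_name-identity.jks" -storepass "$STOREPASS" 2>/dev/null
}

# Step 2 (trust): import a certificate into a trust keystore, creating the
# keystore if it does not exist yet.
add_trust() {
    store="$1"; alias_name="$2"; cert="$3"
    keytool -importcert -noprompt -trustcacerts -alias "$alias_name" -file "$cert" \
        -keystore "$store" -storepass "$STOREPASS" 2>/dev/null
}

# Returns 0 if keystore $1 contains alias $2 (keytool -list prints "alias, ...").
has_alias() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null | grep -qi "^$2,"
}

# One-way SSL (Section 12.2): the server has an identity; the client only
# needs to trust the server's certificate.
setup_one_way() {
    make_identity server myserver
    add_trust client-trust.jks server-ca server.pem
}

# Two-way SSL: in addition, the client has an identity and the server's
# trust keystore must hold the certificate the client's chain is issued from.
setup_two_way() {
    setup_one_way
    make_identity client appclient
    add_trust server-trust.jks client-ca client.pem
}

# Usage (in an empty directory):  sh ssl-keystores.sh one-way|two-way
case "${1:-}" in
    one-way) setup_one_way ;;
    two-way) setup_two_way ;;
esac
```

Run it in an empty directory as `sh ssl-keystores.sh two-way`. The CSR it writes is the artifact you would submit to a CA in production; the CA's reply then replaces the self-signed certificate under the same alias, and the CA's root certificate, rather than the peer's own certificate, is what goes into the trust keystore.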
For information about configuring identity and trust for WebLogic Server, see the following sections:
■ Section 11.4.1, Obtaining Private Keys, Digital Certificates, and Trusted Certificate Authority Certificates
■ Section 11.4.2, Storing Private Keys, Digital Certificates, and Trusted Certificate Authority Certificates
Note: If you use the CertGen utility to generate certificates, see Section 11.4.1.2.2, Limitation on CertGen Usage, for information about limitations on its use. Certificates generated by CertGen are for demo purposes only and should not be used in a production environment.
Note: This release of WebLogic Server supports private keys and trusted CA certificates stored in files, or in the WebLogic Keystore provider, for the purpose of backward compatibility only.
Note: JSSE in FIPS mode is not supported in this release.
To enable a WebLogic Server instance to use a FIPS-compliant (FIPS 140-2) crypto module in the server's SSL implementation, make sure that the server start script (for example, startWebLogic.cmd/sh) contains the following:
■ cryptojFIPS.jar is added to the PRE_CLASSPATH variable. WebLogic Server includes and supports RSA Crypto-J 4.1.
■ The command line argument -Dweblogic.security.SSL.nojce=true is specified.
FIPS 140-2 is a standard that describes U.S. Federal government requirements for sensitive, but unclassified use.
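As an added check (example code, not from the Oracle documentation or from WebLogic Server), the script below verifies that a server start script satisfies both requirements of the FIPS note above: cryptojFIPS.jar on PRE_CLASSPATH and -Dweblogic.security.SSL.nojce=true among the JVM arguments. It ignores commented-out lines so that a disabled setting is not mistaken for an active one. The start-script fragments it writes are constructed for the example, and /path/to/cryptojFIPS.jar (C:\path\to\cryptojFIPS.jar on Windows) is a placeholder for the jar's actual location.

```shell
#!/bin/sh
# Added example, not Oracle's code: verify that a WebLogic start script
# (startWebLogic.sh/.cmd style) has both FIPS 140-2 settings in place.
# The sample scripts written by write_samples are constructed for this example.

# Lines that are comments in a .sh (#) or .cmd (REM / ::) script are dropped
# so that a commented-out setting does not count as present.
active_lines() {
    grep -Ev '^[[:space:]]*(#|@?[Rr][Ee][Mm][[:space:]]|::)' "$1"
}

# Returns 0 when script $1 puts cryptojFIPS.jar on PRE_CLASSPATH and passes
# -Dweblogic.security.SSL.nojce=true; returns 1 and reports what is missing otherwise.
check_fips_start_script() {
    script="$1"; rc=0
    if ! active_lines "$script" | grep -Eq '^[[:space:]]*((export|set)[[:space:]]+)?PRE_CLASSPATH=.*cryptojFIPS\.jar'; then
        echo "$script: cryptojFIPS.jar is not on PRE_CLASSPATH"; rc=1
    fi
    if ! active_lines "$script" | grep -Fq -- '-Dweblogic.security.SSL.nojce=true'; then
        echo "$script: -Dweblogic.security.SSL.nojce=true is not specified"; rc=1
    fi
    return $rc
}

# Constructed sample start-script fragments; the jar paths are placeholders.
write_samples() {
    cat > fips_ok.sh <<'EOF'
#!/bin/sh
PRE_CLASSPATH="/path/to/cryptojFIPS.jar${PRE_CLASSPATH:+:$PRE_CLASSPATH}"
export PRE_CLASSPATH
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.nojce=true"
export JAVA_OPTIONS
EOF
    cat > fips_missing_flag.sh <<'EOF'
#!/bin/sh
PRE_CLASSPATH="/path/to/cryptojFIPS.jar${PRE_CLASSPATH:+:$PRE_CLASSPATH}"
export PRE_CLASSPATH
# JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.nojce=true"
EOF
    cat > fips_ok.cmd <<'EOF'
@REM constructed Windows fragment
set PRE_CLASSPATH=C:\path\to\cryptojFIPS.jar;%PRE_CLASSPATH%
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.SSL.nojce=true
EOF
}

# Usage:  sh check_fips.sh /path/to/startWebLogic.sh
if [ $# -eq 1 ]; then
    check_fips_start_script "$1"
fi
```

The check is textual: it confirms that the settings are present and not commented out, which is what the note asks for, but it cannot tell whether the jar at that path is the Crypto-J 4.1 build WebLogic ships, so pair it with a look at the server's startup log once the instance is running.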
12.5 Using Host Name Verification