Using SSL Authentication in Java Clients 5-7
Table 5–3 (Cont.) WebLogic Certificate APIs
WebLogic Certificate APIs    Description
weblogic.security.SSL.HostnameVerifier
During an SSL handshake, hostname verification establishes that the hostname in the URL matches the hostname in the server's identification; this verification is necessary to prevent man-in-the-middle attacks.
WebLogic Server provides a certificate-based implementation of HostnameVerifier which is used by default, and which verifies that the URL hostname matches the CN field value of the server certificate.
You can replace this default hostname verifier with a custom hostname verifier by using the Advanced Options pane under the Administration Console SSL tab; this will affect the default for SSL clients running on the server using the WebLogic SSL APIs. In addition, WebLogic SSL APIs such as HttpsURLConnection and SSLContext allow the explicit setting of a custom HostnameVerifier.
weblogic.security.SSL.TrustManager
This interface permits the user to override certain validation errors in the peer's certificate chain and allow the handshake to continue. This interface also permits the user to perform additional validation on the peer certificate chain and interrupt the handshake if need be.
weblogic.security.SSL.CertPathTrustManager
This class makes use of the configured CertPathValidation providers to perform extra validation; for example, revocation checking. By default, CertPathTrustManager is installed but configured not to call the CertPathValidators controlled by the SSLMBean attributes InboundCertificateValidation and OutboundCertificateValidation.
Applications that install a custom TrustManager will replace CertPathTrustManager. An application that wants to use a custom TrustManager, and call the CertPathProviders at the same time, can delegate to a CertPathTrustManager from its custom TrustManager.
weblogic.security.SSL.SSLContext
This class holds all of the state information shared across all sockets created under that context.
weblogic.security.SSL.SSLSocketFactory
This class provides the API for creating SSL sockets.
weblogic.security.SSL.SSLValidationConstants
This class defines context element names. SSL performs some built-in validation before it calls one or more CertPathValidator objects to perform additional validation. A validator can reduce the amount of validation it must do by discovering what validation has already been done.
5.3.2 SSL Client Application Components
At a minimum, an SSL client application includes the following components:
■ Java client: Typically, a Java client performs these functions:
5-8 Programming Security for Oracle WebLogic Server
– Initializes an SSLContext with client identity, trust, a HostnameVerifier, and a TrustManager.
– Loads a keystore and retrieves the private key and certificate chain.
– Uses an SSLSocketFactory.
– Uses HTTPS to connect to a JSP served by an instance of WebLogic Server.
■ HostnameVerifier: The HostnameVerifier implements the weblogic.security.SSL.HostnameVerifier interface.
■ HandshakeCompletedListener: The HandshakeCompletedListener implements the javax.net.ssl.HandshakeCompletedListener interface. It is used by the SSL client to receive notifications about the completion of an SSL handshake on a given SSL connection.
■ TrustManager: The TrustManager implements the weblogic.security.SSL.TrustManager interface.
For a complete working SSL authentication client that implements the components described here, see the SSLClient sample application in the SAMPLES_HOME\server\examples\src\examples\security\sslclient directory provided with WebLogic Server.
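As an added example (not code from the SSLClient sample or from WebLogic itself), the following implements the two WebLogic interfaces named above, a HostnameVerifier that performs the CN check the default verifier is described as doing (and, going beyond it, also accepts a matching dNSName SubjectAltName) and a TrustManager that refuses to override reported validation errors and adds one check of its own; both fail closed. The class names StrictSslClientParts, StrictHostnameVerifier, StrictTrustManager and cnOf are mine, the expected issuer name is a constructed value, and reading validateErr == 0 as "no error reported" is an assumption.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLSession;
import weblogic.security.SSL.HostnameVerifier;
import weblogic.security.SSL.TrustManager;

public final class StrictSslClientParts {
    // Returns the CN attribute of an X.500 name such as "CN=host.example.com,O=Example",
    // or null if the name has none or cannot be parsed.
    static String cnOf(String dn) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
        } catch (Exception e) { /* malformed name: treat as absent */ }
        return null;
    }

    // Hostname verifier: the URL hostname must equal the server certificate's subject CN
    // (what the default verifier checks) or, going beyond that, one of its dNSName SANs.
    public static final class StrictHostnameVerifier implements HostnameVerifier {
        public boolean verify(String urlHostname, SSLSession session) {
            try {
                X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
                if (leaf.getSubjectAlternativeNames() != null)
                    for (List<?> san : leaf.getSubjectAlternativeNames()) // [type, value]; 2 = dNSName
                        if (Integer.valueOf(2).equals(san.get(0))
                                && urlHostname.equalsIgnoreCase(String.valueOf(san.get(1)))) return true;
                return urlHostname.equalsIgnoreCase(cnOf(leaf.getSubjectX500Principal().getName()));
            } catch (Exception e) {
                return false; // unverified peer, empty chain or unreadable SANs: abort the handshake
            }
        }
    }

    // Trust manager: never overrides a validation error reported by WebLogic, and adds one
    // check of its own, that the leaf was issued by the CA we expect (constructed CA name).
    public static final class StrictTrustManager implements TrustManager {
        static final String EXPECTED_ISSUER_CN = "Example Internal CA"; // constructed value
        public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
            if (validateErr != 0 || chain == null || chain.length == 0) return false; // assumed: 0 = no error reported
            return EXPECTED_ISSUER_CN.equals(cnOf(chain[0].getIssuerX500Principal().getName()));
        }
    }
}
```

The client installs both on the weblogic.security.SSL.SSLContext it initializes, as the Java client steps above describe, before obtaining its SSLSocketFactory.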
For more information on JSSE authentication, see Sun's Java Secure Socket Extension (JSSE) Reference Guide, available at http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html.
5.4 Writing Applications that Use SSL