Using SSL Authentication in Java Clients 5-7

5.3.2 SSL Client Application Components

At a minimum, an SSL client application includes the following components: ■ Java client Typically, a Java client performs these functions: weblogic.security.SSL.Hostnam eVerifier During an SSL handshake, hostname verification establishes that the hostname in the URL matches the hostname in the servers identification; this verification is necessary to prevent man-in-the-middle attacks. WebLogic Server provides a certificate-based implementation of HostnameVerifier which is used by default, and which verifies that the URL hostname matches the CN field value of the server certificate. You can replace this default hostname verifier with a custom hostname verifier by using the Advanced Options pane under the Administration Console SSL tab; this will affect the default for SSL clients running on the server using the WebLogic SSL APIs. In addition, WebLogic SSL APIs such as HttpsURLConnection, and SSLContext allow the explicit setting of a custom HostnameVerifier. weblogic.security.SSL.TrustMa nager This interface permits the user to override certain validation errors in the peers certificate chain and allow the handshake to continue. This interface also permits the user to perform additional validation on the peer certificate chain and interrupt the handshake if need be. weblogic.security.SSL.CertPath TrustManager This class makes use of the configured CertPathValidation providers to perform extra validation; for example, revocation checking. By default, CertPathTrustManager is installed but configured not to call the CertPathValidators controlled by the SSLMBean attributes InboundCertificateValidation and OutboundCertificateValidation. Applications that install a custom TrustManager will replace CertPathTrustManager. An application that wants to use a custom TrustManager, and call the CertPathProviders at the same time, can delegate to a CertPathTrustManager from its custom TrustManager. weblogic.security.SSL.SSLCont ext This class holds all of the state information shared across all sockets created under that context. weblogic.security.SSL.SSLSocke tFactory This class provides the API for creating SSL sockets. weblogic.security.SSL.SSLValid ationConstants This class defines context element names. SSL performs some built-in validation before it calls one or more CertPathValidator objects to perform additional validation. A validator can reduce the amount of validation it must do by discovering what validation has already been done. Table 5–3 Cont. WebLogic Certificate APIs WebLogic Certificate APIs Description 5-8 Programming Security for Oracle WebLogic Server – Initializes an SSLContext with client identity, trust, a HostnameVerifier, and a TrustManager. – Loads a keystore and retrieves the private key and certificate chain – Uses an SSLSocketFactory – Uses HTTPS to connect to a JSP served by an instance of WebLogic Server ■ HostnameVerifier The HostnameVerifier implements the weblogic.security.SSL.HostnameVerifier interface. ■ HandshakeCompletedListener The HandshakeCompletedListener implements the javax.net.ssl.HandshakeCompletedListener interface. It is used by the SSL client to receive notifications about the completion of an SSL handshake on a given SSL connection. ■ TrustManager The TrustManager implements the weblogic.security.SSL.TrustManager interface. For a complete working SSL authentication client that implements the components described here, see the SSLClient sample application in the SAMPLES_ HOME\server\examples\src\examples\security\sslclient directory provided with WebLogic Server. For more information on JSSE authentication, see Suns Java Secure Socket Extension JSSE Reference Guide available at http:java.sun.comjavase6docstechnotesguidessecurityjsse JSSERefGuide.html .

5.4 Writing Applications that Use SSL