Configuring Two-Way SSL for a Client Application

Configuring Transport-Level Security 3-11 The reason clientgen cannot generate the stubs from the dynamic WSDL in this case is that when you specify the UserDataConstraint annotation, all client applications are required to specify a truststore, including clientgen. However, there is currently no way for clientgen to specify a truststore, thus the Ant task must generate its client components from a static WSDL that describes the Web service in the same way as the dynamic WSDL. 5. When you run the client application that invokes the Web service, specify certain properties to indicate the SSL implementation that your application should use. In particular: ■ To specify the Certicom SSL implementation, use the following properties -Djava.protocol.handler.pkgs=weblogic.net -Dweblogic.security.SSL.trustedCAKeyStore=trustStore where trustStore specifies the name of the client-side truststore that contains the list of trusted certificates one of which should be the servers certificate.To disable host name verification, also specify the following property: -Dweblogic.security.SSL.ignoreHostnameVerification=true ■ To specify Suns SSL implementation, use the following properties: -Djavax.net.ssl.trustStore=trustStore where trustStore specifies the name of the client-side truststore that contains the list of trusted certificates one of which should be the servers certificate. To disable host name verification, also specify the following property: -Dweblogic.wsee.client.ssl.stricthostchecking=false See Section 3.6, Configuring Two-Way SSL for a Client Application for details about two-way SSL.

3.6 Configuring Two-Way SSL for a Client Application

If you configured two-way SSL for WebLogic Server, the client application must present a certificate to WebLogic Server, in addition to WebLogic Server presenting a certificate to the client application as required by one-way SSL. You must also follow these requirements: ■ Create a client-side keystore that contains the clients private key and X.509 certificate pair. The SSL package of J2SE requires that the password of the clients private key must be the same as the password of the clients keystore. For this reason, the client keystore can include only one private key and X.509 certificate pair. Note: Web services using asynchronous or reliable messaging will automatically use the servers SSL certificate when establishing a new connection back from the receiving service to the sending service for the purposes of sending asynchronous responses, acknowledgments, and so forth. 3-12 Securing WebLogic Web Services for Oracle WebLogic Server ■ Configure the core WebLogic Servers security subsystem, mapping the clients X.509 certificate in the client keystore to a user. See Configuring a User Name Mapper in Securing Oracle WebLogic Server. ■ Create a truststore which contains the certificates that the client trusts; the client application uses this truststore to validate the certificate it receives from WebLogic Server. Because of the J2SE password requirement described in the preceding bullet item, this truststore must be different from the keystore that contains the key pair that the client presents to the server. You can use the Cert Gen utility or Sun Microsystems keytool http:java.sun.comjavase6docstooldocssolariskeytool.h tml utility to perform this step. For development purposes, the keytool utility is the easiest way to get started. See Obtaining Private Keys, Digital Certificates, and Trusted Certificate Authorities in Securing Oracle WebLogic Server. ■ When you run the client application that invokes the Web service, specify the following properties: – -Djavax.net.ssl.trustStore=trustStore – -Djavax.net.ssl.trustStorePassword=trustStorePassword where trustStore specifies the name of the client-side truststore that contains the list of trusted certificates one of which should be the servers certificate and trustStorePassword specifies the truststores password. The preceding properties are in addition to the standard properties you must set to specify the client-side keystore: – -Djavax.net.ssl.keyStore=keyStore – -Djavax.net.ssl.keyStorePassword=keyStorePassword

3.7 Using a Custom SSL Adapter with Reliable Messaging