3-22 Understanding Security for Oracle WebLogic Server
3.7.3 SSL Tunneling
WebLogic Server tunnels the HTTP, T3, and IIOP protocols over SSL. SSL can be used by Web browsers and Java clients as follows:
■ A Web browser makes an SSL connection to a server over HTTPS. The browser then sends HTTP requests and receives HTTP responses over this SSL connection. For example:
https://myserver.com/mypage.html
WebLogic Server supports SSL versioning, which means it can communicate with any client over this protocol, including Web browsers.
■ Java clients using the HTTP/T3 protocols are tunnelled over SSL. For example:
t3s://myserver.com:7002/mypage.html
Java clients running in WebLogic Server can establish either T3S connections to other WebLogic Servers, or HTTPS connections to other servers that support SSL, such as Web servers or secure proxy servers.
3.7.4 One-way/Two-way SSL Authentication
WebLogic Server supports one-way and two-way SSL authentication. With one-way SSL authentication, the target (the server) is required to present a digital certificate to the initiator (the client) to prove its identity. The client performs two checks to validate the digital certificate:
1. The client verifies that the certificate is trusted, meaning it was issued by the client's trusted CA, is valid (not expired), and satisfies the other certificate constraints.
2. The client checks that the certificate Subject's common name (CN) field value matches the host name of the server to which the client is trying to connect.
If both of the above checks return true, the SSL connection is established.

Table 3–2 (Cont.) Certicom Cipher Suites

Cipher Suite                              Symmetric Key Strength (Bits)
TLS_RSA_WITH_RC4_128_MD5                  128
TLS_RSA_WITH_DES_CBC_SHA                  56
TLS_RSA_EXPORT_WITH_RC4_40_MD5            40
TLS_RSA_EXPORT_WITH_DES_40_CBC_SHA (1)    40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA         40
TLS_RSA_WITH_3DES_EDE_CBC_SHA             168
TLS_RSA_WITH_NULL_SHA
TLS_RSA_WITH_NULL_MD5
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA       56
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA        56
TLS_RSA_WITH_AES_128_CBC_SHA              128
TLS_RSA_WITH_AES_256_CBC_SHA              256

(1) This cipher suite is an alias for TLS_RSA_EXPORT_WITH_DES40_CBC_SHA.
With two-way SSL authentication, both the client and the server must present digital certificates before the SSL connection is enabled between the two. Thus, in this case, WebLogic Server not only authenticates itself to the client (which is the minimum requirement for certificate authentication), but it also requires authentication from the requesting client. Two-way SSL authentication is useful when you must restrict access to trusted clients only.
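The two client-side checks described for one-way SSL (first issuer trust, validity period and constraints; then the Subject CN against the host name the client dialed) can be reproduced with the openssl command line against a throwaway CA. The script below is an added example; it is not part of the Oracle documentation and not WebLogic's own code. It assumes openssl 1.1.1 or later on PATH, and the host name myserver.com, the CA names and all file names are constructed for the demonstration. It builds a trusted CA, a server certificate for myserver.com issued by that CA, and a second certificate for the same host issued by an unrelated CA, then reports which of the two checks rejects each combination. In two-way SSL the server applies the same kind of trust check (step 1) to the certificate the client presents.

```shell
#!/bin/sh
# Added example (not from the Oracle WebLogic documentation). Reproduces the two
# checks a one-way SSL client makes on the server certificate, using the openssl
# CLI (1.1.1+ assumed). myserver.com, the CA names and file names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a minimal openssl config: subject CN plus the extension sections used below.
write_cnf() {  # $1 = output file, $2 = subject CN
  cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed CA certificate: $1 = file name prefix, $2 = CN.
make_ca() {
  write_cnf "$WORK/$1.cnf" "$2"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/$1.cnf" -extensions v3_ca \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Server certificate with CN=$3 (no SAN, so the client falls back to the CN,
# which is the check the text describes), issued by CA $2: $1 = file name prefix.
make_server_cert() {
  write_cnf "$WORK/$1.cnf" "$3"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$1.cnf" -extensions v3_server \
    -out "$WORK/$1.pem" 2>/dev/null
}

# The client's decision. $1 = trust store (CA file), $2 = server certificate,
# $3 = host name the client dialed. Prints "accept", "reject:untrusted" (check 1
# failed) or "reject:hostname" (check 2 failed).
client_verdict() {
  # Check 1: chains to a trusted CA, inside its validity period, constraints OK.
  if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "reject:untrusted"
    return 0
  fi
  # Check 2: the certificate's CN must match the host the client connected to.
  if ! openssl x509 -in "$2" -noout -checkhost "$3" 2>/dev/null \
       | grep -q "does match certificate"; then
    echo "reject:hostname"
    return 0
  fi
  echo "accept"
}

make_ca trusted_ca "Trusted Test CA"
make_ca rogue_ca "Unrelated CA"
make_server_cert server trusted_ca myserver.com   # what a correctly configured server presents
make_server_cert rogue rogue_ca myserver.com      # right host name, wrong issuer

echo "trusted issuer, right host:   $(client_verdict "$WORK/trusted_ca.pem" "$WORK/server.pem" myserver.com)"
echo "unrelated issuer, right host: $(client_verdict "$WORK/trusted_ca.pem" "$WORK/rogue.pem" myserver.com)"
echo "trusted issuer, wrong host:   $(client_verdict "$WORK/trusted_ca.pem" "$WORK/server.pem" other.example)"
```

The certificate with the correct CN but an unrelated issuer fails at check 1 even though check 2 would have passed, which is why the trust store the client is configured with matters as much as the name in the certificate. The example deliberately issues certificates without a Subject Alternative Name so that the CN comparison described in the text is the one exercised; current clients check SAN dNSName entries first and only fall back to the CN when none is present.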
Figure 3–3 illustrates WebLogic Server SSL connections and shows which connections support one-way SSL, two-way SSL, or both. The Web browser client, Web Server, Fat client, Web services client, and SSL server connections can be configured for either one-way or two-way SSL. WebLogic Server determines whether an SSL connection is configured for one-way or two-way. Use the Administration Console to configure SSL.
Figure 3–3 How WebLogic Server Supports SSL Connections
3.7.5 Configuring SSL