Security Fundamentals 3-21
■ Confidentiality - All client requests and server responses are encrypted to maintain the confidentiality of data exchanged over the network.
■ Data Integrity - Each SSL message contains a message digest computed from the original data. On the receiving end, a new digest is computed from the decrypted data and then compared with the digest that came with the message. If the data is altered, the digests don't match and tampering is detected.
If you are using a Web browser to communicate with WebLogic Server, you can use the Hypertext Transfer Protocol with SSL (HTTPS) to secure network communications.
3.7.2 Cipher Suites
A cipher suite is a combination of cryptographic parameters that define the security algorithms and key sizes used for authentication, key agreement, encryption, and
integrity protection.
Cipher suites protect the integrity of a communication. For example, the cipher suite called RSA_WITH_RC4_128_MD5 uses RSA for key exchange, RC4 with a 128-bit key
for bulk encryption, and MD5 for message digest.
The set of cipher suites supported by WebLogic Server depends upon the SSL implementation with which WebLogic Server is configured, as follows:
■ The set of cipher suites supported by the JDK default JSSE provider, SunJSSE, is available in the Java™ Secure Socket Extension (JSSE) Reference Guide at the following location:
http://download.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
For information about configuring WebLogic Server to use the JSSE-based SSL implementation, see "Using the JSSE-Based SSL Implementation" in Securing Oracle WebLogic Server.
■ Earlier releases of WebLogic Server used the Certicom SSL implementation, which is still available in WebLogic Server and may be used but is currently deprecated. The cipher suites supported by the Certicom SSL implementation, including their symmetric key strength, are listed in Table 3–2.
Table 3–2 Certicom Cipher Suites

Cipher Suite                              Symmetric Key Strength (Bits)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA         168
TLS_DHE_RSA_WITH_DES_CBC_SHA              56
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA     40
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA         168
TLS_DH_anon_WITH_RC4_128_MD5              128
TLS_DH_anon_WITH_DES_CBC_SHA              56
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5        40
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA     40
TLS_DHE_RSA_EXPORT_WITH_DES_40_CBC_SHA    40
TLS_DH_anon_EXPORT_WITH_DES_40_CBC_SHA    40
TLS_RSA_WITH_RC4_128_SHA                  128
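
The naming scheme described in 3.7.2 and the key strengths in Table 3–2 can be checked mechanically. The following is an added example, not part of the Oracle documentation: it splits a suite name into its components and lists the properties a defender would review before leaving the suite enabled. The function names, the 128-bit threshold and the wording of the findings are assumptions of this example.

```python
import re

# Symmetric key strength in bits for the bulk ciphers named on this page
# (Table 3-2, plus RC4_128 from the RSA_WITH_RC4_128_MD5 example).
KEY_BITS = {"3DES_EDE_CBC": 168, "DES_CBC": 56, "DES40_CBC": 40,
            "DES_40_CBC": 40, "RC4_128": 128, "RC4_40": 40}
MIN_BITS = 128  # assumed policy threshold for this example, not from the page

SUITE_RE = re.compile(r"(?:(?:TLS|SSL)_)?(.+?)_WITH_(.+)_([A-Z0-9]+)")

def parse_suite(name):
    """Split a suite name into key exchange, bulk cipher, key bits, digest."""
    m = SUITE_RE.fullmatch(name)
    if not m or m.group(2) not in KEY_BITS:
        raise ValueError(f"unrecognized cipher suite: {name}")
    kx, cipher, digest = m.groups()
    export = kx.endswith("_EXPORT")
    if export:
        kx = kx[: -len("_EXPORT")]
    return {"key_exchange": kx, "export": export, "cipher": cipher,
            "bits": KEY_BITS[cipher], "digest": digest}

def findings(name):
    """Return the reasons a suite fails this example's policy (empty if none)."""
    s = parse_suite(name)
    out = []
    if "anon" in s["key_exchange"]:
        out.append("anonymous key exchange: peer is not authenticated")
    if s["export"]:
        out.append("export-grade suite")
    if s["bits"] < MIN_BITS:
        out.append(f"{s['bits']}-bit symmetric key")
    if s["cipher"].startswith("RC4"):
        out.append("RC4 stream cipher")
    if "DES" in s["cipher"]:
        out.append("64-bit block cipher (DES/3DES)")
    if s["digest"] == "MD5":
        out.append("MD5 digest")
    return out

if __name__ == "__main__":
    # Names taken from Table 3-2 and the example in the text.
    for suite in ("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
                  "TLS_RSA_WITH_RC4_128_SHA",
                  "RSA_WITH_RC4_128_MD5"):
        print(suite, "->", findings(suite) or "no findings")
```

Names whose bulk cipher is not listed on this page raise ValueError rather than being silently passed.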
3-22 Understanding Security for Oracle WebLogic Server
3.7.3 SSL Tunneling
WebLogic Server tunnels the HTTP, T3, and IIOP protocols over SSL. SSL can be used by Web browsers and Java clients as follows:
■ A Web browser makes an SSL connection to a server over HTTPS. The browser then sends HTTP requests and receives HTTP responses over this SSL connection. For example:
https://myserver.com/mypage.html
WebLogic Server supports SSL versioning, which means it can communicate with any client over this protocol, including Web browsers.
■ Java clients using HTTP/T3 protocols are tunnelled over SSL. For example:
t3s://myserver.com:7002/mypage.html
Java clients running in WebLogic Server can establish either T3S connections to other WebLogic Servers, or HTTPS connections to other servers that support SSL, such as Web servers or secure proxy servers.
3.7.4 One-way/Two-way SSL Authentication