Manage CRLs on the File System

6-38 Oracle Fusion Middleware Administrator's Guide

■ It is recommended that components at least in the Web tier use certificates that have the system hostname or virtual host or site name as the DN. This allows browsers to connect in SSL mode without giving unsettling warning messages.
■ A minimum key size of 1024 bits is recommended for certificates used for SSL. A higher key size provides more security but at the cost of reduced performance. Pick an appropriate key size value depending on your security and performance requirements.
■ Lack of trust is one of the most common reasons for SSL handshake failures. Ensure that the client trusts the server by importing the server CA certificate into the client keystore before starting the SSL handshake. If client authentication is also required, then the reverse should also be true.

6.8.2 Best Practices for Application Developers

The following practices are recommended:
■ Use Java Key Store (JKS) to store certificates for your Java EE applications.
■ Externalize SSL configuration parameters like keystore path, truststore path, and authentication type in a configuration file, rather than embedding these values in the application code. This allows you the flexibility to change SSL configuration without having to change the application itself.
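As an added illustration of the two practices above (JKS keystores and externalized SSL parameters), written for this page and not code from the Oracle guide: a Java helper that builds an SSLContext entirely from a properties file. The property names and the "none"/"required" values for the authentication type are assumptions of this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
public final class ExternalizedSslConfig {
    // Property names are assumptions for this example, not an Oracle convention:
    // truststore.path, truststore.password, client.auth (none|required),
    // keystore.path, keystore.password (read only when client.auth=required).
    public static SSLContext fromProperties(String propsPath) throws Exception {
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(Paths.get(propsPath))) {
            p.load(in);
        }
        // The truststore must already hold the peer's CA certificate; an empty one
        // guarantees the trust failure that causes most SSL handshake errors.
        KeyStore trust = loadJks(require(p, "truststore.path"), require(p, "truststore.password"));
        if (trust.size() == 0) {
            throw new IllegalStateException("truststore contains no trusted certificates");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        // Our own key pair is needed only when the peer requires client authentication.
        KeyManagerFactory kmf = null;
        if ("required".equalsIgnoreCase(p.getProperty("client.auth", "none"))) {
            String ksPass = require(p, "keystore.password");
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadJks(require(p, "keystore.path"), ksPass), ksPass.toCharArray());
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    private static KeyStore loadJks(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }
    private static String require(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null || v.isEmpty()) throw new IllegalArgumentException("missing property: " + key);
        return v;
    }
}
```

Changing the keystore location, the truststore, or whether client authentication is used then means editing the properties file, not rebuilding the application.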

6.9 WLST Reference for SSL

Starting with 11g Release 1 (11.1.1), WLST commands have been added to manage Oracle wallets and JKS keystores and to configure SSL for Oracle Fusion Middleware components. Use the commands listed in Table 6–1, Table 6–2, and Table 6–3 for this task.

You can obtain help for each command by issuing:

help('command_name')

Certain commands require parameters like instance name, ias-component and process type. You can obtain this information with the command:

ORACLE_INSTANCE/bin/opmnctl status

See Also: Section 8.2, "Command-Line Interface for Keystores and Wallets" for important instructions on how to launch the WLST shell to run SSL-related commands. Do not launch the WLST interface from any other location.

Note: All WLST commands for SSL configuration must be run in online mode.

Table 6–1 WLST Commands for SSL Configuration

Use this command...       To...                                                                               Use with WLST...
configureSSL              Set the SSL attributes for a component listener.                                    Online
getSSL                    Display the SSL attributes for a component listener.                                Online

Table 6–2 WLST Commands for Oracle Wallet Management

Use this command...       To...                                                                               Use with WLST...
addCertificateRequest     Generate a certificate signing request in an Oracle wallet.                         Online
addSelfSignedCertificate  Add a self-signed certificate to an Oracle wallet.                                  Online
changeWalletPassword      Change the password to an Oracle wallet.                                            Online
createWallet              Create an Oracle wallet.                                                            Online
deleteWallet              Delete an Oracle wallet.                                                            Online
exportWallet              Export an Oracle wallet to a file.                                                  Online
exportWalletObject        Export an object (for example, a certificate) from an Oracle wallet to a file.      Online
getWalletObject           Display a certificate or other object present in an Oracle wallet.                  Online
importWallet              Import an Oracle wallet from a file.                                                Online
importWalletObject        Import a certificate or other object from a file to an Oracle wallet.               Online
listWalletObjects         List all objects (such as certificates) present in an Oracle wallet.                Online
listWallets               List all Oracle wallets configured for a component instance.                        Online
removeWalletObject        Remove a certificate or other object from a component instance's Oracle wallet.     Online

Table 6–3 WLST Commands for Java Keystore (JKS) Management

Use this command...       To...                                                                               Use with WLST...
changeKeyStorePassword    Change the password to a JKS keystore.                                              Online
createKeyStore            Create a JKS keystore.                                                              Online
deleteKeyStore            Delete a JKS keystore.                                                              Online
exportKeyStore            Export a JKS keystore to a file.                                                    Online
exportKeyStoreObject      Export an object (for example, a certificate) from a JKS keystore to a file.        Online
generateKey               Generate a keypair in a JKS keystore.                                               Online
getKeyStoreObject         Display a certificate or other object present in a JKS keystore.                    Online
importKeyStore            Import a JKS keystore from a file.                                                  Online
importKeyStoreObject      Import a certificate or other object from a file to a JKS keystore.                 Online
listKeyStoreObjects       List all objects (for example, certificates) present in a JKS keystore.             Online
listKeyStores             List all JKS keystores configured for a component instance.                         Online
removeKeyStoreObject      Remove a certificate or other object from a component instance's JKS keystore.      Online