Using a Custom SSL Adapter with Reliable Messaging

3-12 Securing WebLogic Web Services for Oracle WebLogic Server

■ Configure the core WebLogic Server's security subsystem, mapping the client's X.509 certificate in the client keystore to a user. See Configuring a User Name Mapper in Securing Oracle WebLogic Server.

■ Create a truststore which contains the certificates that the client trusts; the client application uses this truststore to validate the certificate it receives from WebLogic Server. Because of the J2SE password requirement described in the preceding bullet item, this truststore must be different from the keystore that contains the key pair that the client presents to the server. You can use the Cert Gen utility or Sun Microsystems' keytool (http://java.sun.com/javase/6/docs/tooldocs/solaris/keytool.html) utility to perform this step. For development purposes, the keytool utility is the easiest way to get started. See Obtaining Private Keys, Digital Certificates, and Trusted Certificate Authorities in Securing Oracle WebLogic Server.

■ When you run the client application that invokes the Web service, specify the following properties:

– -Djavax.net.ssl.trustStore=trustStore
– -Djavax.net.ssl.trustStorePassword=trustStorePassword

where trustStore specifies the name of the client-side truststore that contains the list of trusted certificates (one of which should be the server's certificate) and trustStorePassword specifies the truststore's password.

The preceding properties are in addition to the standard properties you must set to specify the client-side keystore:

– -Djavax.net.ssl.keyStore=keyStore
– -Djavax.net.ssl.keyStorePassword=keyStorePassword

3.7 Using a Custom SSL Adapter with Reliable Messaging

You can use a custom SSLAdapter implementation to provide client certificates and other services needed to establish SSL connections between client and server when using reliable messaging or buffering.

The reliable messaging and buffering subsystems persist the state of a request over an SSL connection. In doing so, they persist the instance of the custom SSLAdapter used to establish the connection. When the request is restored from persistence, the persistence facility must have access to the custom SSLAdapter class in order to properly restore the custom SSLAdapter object saved with the request. To allow for this, you must provide your custom SSLAdapter class via the server's system CLASSPATH and not within an application deployed to the server.

Note: All objects placed into Stub and MessageContext properties must be serializable and externalizable, and must have their implementations available on the server system CLASSPATH. This section describes the specific case of a custom SSLAdapter implementation.

The custom SSLAdapter must extend SSLAdapter, and is installed and enabled via the following procedure:

1. Create an instance of weblogic.wsee.connection.transport.https.HttpsTransportInfo.

2. Set the custom SSL adapter on that transport info by calling HttpsTransportInfo.setSSLAdapter(SSLAdapter adapter).

3. Set the transport info on the web services stub instance (stub of type javax.xml.rpc.Stub) by calling stub._setProperty(weblogic.wsee.connection.soap.SoapClientConnection.TRANSPORT_INFO_PROPERTY, ti); where stub is the Web services stub, and ti is the HttpsTransportInfo you configured.
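The three steps above as an added Java example (not Oracle's code), guarded by a pre-flight check for the persistence requirement: the adapter class must resolve through the system class loader and the adapter must serialize. ReliableSslSetup, assertRestorable and attach are hypothetical names; the sketch assumes it runs in the server JVM that persists the request and that HttpsTransportInfo has a no-argument constructor.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import javax.xml.rpc.Stub;
import weblogic.wsee.connection.soap.SoapClientConnection;
import weblogic.wsee.connection.transport.https.HttpsTransportInfo;
import weblogic.wsee.connection.transport.https.SSLAdapter;

/** Hypothetical helper: wires a custom SSLAdapter into a JAX-RPC stub. */
public final class ReliableSslSetup {

    /** Fails fast if the adapter could not be restored from persistence. */
    static void assertRestorable(SSLAdapter adapter) throws IOException {
        Class<?> type = adapter.getClass();
        String name = type.getName();
        try {
            // The restore path needs the class on the system CLASSPATH, so
            // resolve it through the system class loader only.
            Class<?> fromSystem =
                Class.forName(name, false, ClassLoader.getSystemClassLoader());
            if (fromSystem != type) {
                throw new IllegalStateException(name + " was loaded by "
                    + type.getClassLoader() + ", not from the system CLASSPATH");
            }
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException(
                name + " is not on the system CLASSPATH", e);
        }
        // Serialize once so a non-serializable field surfaces now
        // (NotSerializableException) instead of when the request is persisted.
        ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream());
        out.writeObject(adapter);
        out.close();
    }

    /** Steps 1-3 of the procedure, guarded by the check above. */
    public static void attach(Stub stub, SSLAdapter adapter) throws IOException {
        assertRestorable(adapter);
        // Step 1 (assumption: HttpsTransportInfo has a no-argument constructor).
        HttpsTransportInfo ti = new HttpsTransportInfo();
        // Step 2: set the custom adapter on the transport info.
        ti.setSSLAdapter(adapter);
        // Step 3: hand the transport info to the stub.
        stub._setProperty(SoapClientConnection.TRANSPORT_INFO_PROPERTY, ti);
    }
}
```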
If you do not follow this procedure and provide the custom SSLAdapter class on the system CLASSPATH, a ClassNotFoundException exception is generated:

java.io.IOException: java.lang.ClassNotFoundException: examples.webservices.client.ServiceBaseTestSSLAdapter

4 Configuring Access Control Security JAX-RPC Only

The following sections describe how to configure security for your Web service:

■ Section 4.1, Configuring Access Control Security: Main Steps