Configuring SSL 12-7
12.8 Configuring RMI over IIOP with SSL
Use SSL to protect Internet Inter-ORB Protocol (IIOP) connections to Remote Method Invocation (RMI) remote objects. SSL secures connections through authentication and encrypts the data exchanged between objects.
To use SSL to protect RMI over IIOP connections:
1. Configure WebLogic Server to use SSL.
2. Configure the client Object Request Broker (ORB) to use SSL. Refer to the product documentation for your client ORB for information about configuring SSL.
3. Use the host2ior utility to print the WebLogic Server IOR to the console. The host2ior utility prints two versions of the interoperable object reference (IOR), one for SSL connections and one for non-SSL connections. The header of the IOR specifies whether or not the IOR can be used for SSL connections.
4. Use the SSL IOR when obtaining the initial reference to the CosNaming service that accesses the WebLogic Server JNDI tree.
For more information about using RMI over IIOP, see Programming RMI for Oracle WebLogic Server.
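Step 4 in client code, as an added example that is not from the WebLogic documentation: a plain CORBA client that takes the SSL IOR printed by host2ior, narrows it to the CosNaming context and resolves a name from the JNDI tree. The bound name ejb/MyRemote and the MyRemote interface are assumptions standing in for your own EJB's remote interface; the SSL set-up of the client ORB (step 2) is vendor-specific and is passed through the ORB properties.

```java
import java.util.Properties;
import javax.rmi.PortableRemoteObject;
import org.omg.CORBA.ORB;
import org.omg.CosNaming.NamingContextExt;
import org.omg.CosNaming.NamingContextExtHelper;

public class SslIorClient {
    /** Stand-in for the application's RMI remote interface (assumption, not a WebLogic type). */
    public interface MyRemote extends java.rmi.Remote {
        String ping() throws java.rmi.RemoteException;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1 || !args[0].startsWith("IOR:")) {
            System.err.println("usage: SslIorClient <SSL IOR string printed by host2ior>");
            System.exit(1);
        }
        // Step 2: SSL settings for the client ORB are vendor-specific (see the ORB's own
        // documentation); they go into these properties before ORB.init().
        Properties orbProps = new Properties();
        ORB orb = ORB.init(new String[0], orbProps);

        // Step 4: the initial reference is built from the SSL IOR, not the non-SSL one,
        // so the naming lookup and every reference it returns are carried over SSL.
        org.omg.CORBA.Object initial = orb.string_to_object(args[0]);
        NamingContextExt naming = NamingContextExtHelper.narrow(initial);

        // Resolve a JNDI name from the WebLogic tree through CosNaming (name is an assumption;
        // '/' separates naming-context components in a stringified CosNaming name).
        org.omg.CORBA.Object bound = naming.resolve_str("ejb/MyRemote");
        MyRemote remote = (MyRemote) PortableRemoteObject.narrow(bound, MyRemote.class);
        System.out.println("resolved over SSL: " + remote.ping());
        orb.destroy();
    }
}
```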
12.9 SSL Certificate Validation
WebLogic Server ensures that each certificate in a certificate chain was issued by a certificate authority. All X.509 v3 CA certificates used with WebLogic Server must have the Basic Constraints extension defined as CA, thus ensuring that all certificates in a certificate chain were issued by a certificate authority. By default, any certificates for certificate authorities not meeting this criterion are rejected. This section describes the command-line argument that controls the level of certificate validation.
12.9.1 Controlling the Level of Certificate Validation
By default, WebLogic Server rejects any certificates in a certificate chain that do not have the Basic Constraints extension defined as CA. However, you may be using certificates that do not meet this requirement, or you may want to increase the level of security to conform to the IETF RFC 2459 standard. Use the following command-line argument to control the level of certificate validation performed by WebLogic Server:
-Dweblogic.security.SSL.enforceConstraints=option
Table 12–1 describes the options for the command-line argument.
Notes:
■ WebLogic Server uses RSA Cert-J 3.1 for certain certificate processing.
■ If WebLogic Server is booted with a certificate chain that will not pass the certificate validation, an information message is logged noting that clients could reject it.
12-8 Securing Oracle WebLogic Server
Table 12–1 Options for -Dweblogic.security.SSL.enforceConstraints

Option: strong or true
Description: Use this option to ensure that the Basic Constraints extension on the CA certificate is defined as CA. For example:
-Dweblogic.security.SSL.enforceConstraints=strong
or
-Dweblogic.security.SSL.enforceConstraints=true
By default, WebLogic Server performs this level of certificate validation.

Option: strong_nov1cas
Description: Functions the same as the strong option, described in the preceding row, with the additional constraint that X.509 version 1 CA certificates are rejected. For example:
-Dweblogic.security.SSL.enforceConstraints=strong_nov1cas

Option: strict
Description: Use this option to ensure the Basic Constraints extension on the CA certificate is defined as CA and set to critical. This option enforces the IETF RFC 2459 standard. For example:
-Dweblogic.security.SSL.enforceConstraints=strict
This option is not the default because a number of commercially available CA certificates do not conform to the IETF RFC 2459 standard.

Option: strict_nov1cas
Description: Functions the same as the strict option, described in the preceding row, with the additional constraint that X.509 version 1 CA certificates are rejected. For example:
-Dweblogic.security.SSL.enforceConstraints=strict_nov1cas

Option: off
Description: Use this option to turn off checking for the Basic Constraints extension. The rest of the certificate is still validated. For example:
-Dweblogic.security.SSL.enforceConstraints=off
Oracle does not recommend using this option in a production environment. Instead, purchase new CA certificates that comply with the IETF RFC 2459 standard. CA certificates from most commercial certificate authorities should work with the default strong option.

12.9.2 Accepting Certificate Policies in Certificates
WebLogic Server offers limited support for Certificate Policy extensions in X.509 certificates. Use the weblogic.security.SSL.allowedcertificatepolicyids argument to provide a comma-separated list of Certificate Policy IDs. When WebLogic Server receives a certificate with a critical Certificate Policies extension, it verifies whether any Certificate Policy is on the list of allowed certificate policies and whether there are any unsupported policy qualifiers. This release of WebLogic Server supports Certification Practice Statement (CPS) policy qualifiers and does not support User Notice qualifiers. A certificate is also accepted if it contains the special policy anyPolicy, with the ID 2.5.29.32.0, which indicates that the CA does not wish to limit the set of policies for this certificate.
To enable acceptance of Certificate Policies, start WebLogic Server with the following argument:
-Dweblogic.security.SSL.allowedcertificatepolicyids=identifier1,identifier2,...
This argument should contain a comma-separated list of Certificate Policy identifiers for all the certificates with critical extensions that might be present in the certificate chain, back to the root certificate, in order for WebLogic Server to accept such a certificate chain.
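The Basic Constraints checks that the enforceConstraints levels in Table 12–1 select, written out as an added example (not WebLogic's own validation code, which uses RSA Cert-J) so a chain can be checked before the server is booted with it. It uses only java.security.cert; the class name, the Level enum and the leaf-first chain order are assumptions.

```java
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;

/** Emulates the CA-certificate checks behind -Dweblogic.security.SSL.enforceConstraints (assumed helper). */
public final class ConstraintCheck {
    private static final String BASIC_CONSTRAINTS_OID = "2.5.29.19";

    public enum Level { OFF, STRONG, STRONG_NOV1CAS, STRICT, STRICT_NOV1CAS }

    /** Maps the property value to a level; "true" is an alias for "strong", as in Table 12-1. */
    public static Level parse(String option) {
        switch (option.toLowerCase()) {
            case "off": return Level.OFF;
            case "true": case "strong": return Level.STRONG;
            case "strong_nov1cas": return Level.STRONG_NOV1CAS;
            case "strict": return Level.STRICT;
            case "strict_nov1cas": return Level.STRICT_NOV1CAS;
            default: throw new IllegalArgumentException("unknown enforceConstraints option: " + option);
        }
    }

    /** Returns null if the CA certificate passes at this level, otherwise why it would be rejected. */
    public static String checkCa(X509Certificate ca, Level level) {
        if (level == Level.OFF) return null;   // extension not checked; the rest of the cert is validated elsewhere
        boolean noV1 = level == Level.STRONG_NOV1CAS || level == Level.STRICT_NOV1CAS;
        if (noV1 && ca.getVersion() == 1) return "X.509 version 1 CA certificate";
        // getBasicConstraints() is -1 when the extension is absent or cA is FALSE
        if (ca.getBasicConstraints() < 0) return "Basic Constraints missing or not defined as CA";
        boolean strict = level == Level.STRICT || level == Level.STRICT_NOV1CAS;
        Set<String> critical = ca.getCriticalExtensionOIDs();
        if (strict && (critical == null || !critical.contains(BASIC_CONSTRAINTS_OID)))
            return "Basic Constraints not marked critical (required by RFC 2459)";
        return null;
    }

    /** Checks every issuer in a leaf-first chain; the end-entity certificate at index 0 is not a CA. */
    public static String checkChain(X509Certificate[] chain, Level level) {
        for (int i = 1; i < chain.length; i++) {
            String problem = checkCa(chain[i], level);
            if (problem != null) return "chain[" + i + "] " + chain[i].getSubjectX500Principal() + ": " + problem;
        }
        return null;
    }

    /** Usage: java ConstraintCheck <pem-chain-file> <strong|strong_nov1cas|strict|strict_nov1cas|off> */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (FileInputStream in = new FileInputStream(args[0])) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        String problem = checkChain(chain, parse(args[1]));
        System.out.println(problem == null ? "chain passes at level " + args[1] : "REJECT: " + problem);
    }
}
```

Run it at strict before switching a server to strict: a chain that passes only at strong is one whose CA certificates carry a non-critical Basic Constraints extension.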
12.9.3 Checking Certificate Chains