
5-20 Programming Security for Oracle WebLogic Server

Example 5–8 MyListener HandshakeCompletedListener Sample Code Fragments

    package examples.security.sslclient;

    import java.io.File;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.io.FileInputStream;
    import java.security.cert.Certificate;
    import javax.net.ssl.HandshakeCompletedListener;
    import javax.net.ssl.SSLPeerUnverifiedException;
    import java.util.Hashtable;
    import javax.net.ssl.SSLSession;
    // ... (remaining imports elided in the original)

    public class MyListener implements HandshakeCompletedListener {
      // Called by JSSE once the handshake has finished; reports the peer, the
      // negotiated cipher suite and the peer certificate chain (if one was sent).
      public void handshakeCompleted(javax.net.ssl.HandshakeCompletedEvent event) {
        SSLSession session = event.getSession();
        System.out.println("Handshake Completed with peer " + session.getPeerHost());
        System.out.println("   cipher: " + session.getCipherSuite());
        Certificate[] certs = null;
        try {
          certs = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException puv) {
          // No peer identity was established for this session
          certs = null;
        }
        if (certs != null) {
          System.out.println("   peer certificates:");
          for (int z = 0; z < certs.length; z++)
            System.out.println("      certs[" + z + "]: " + certs[z]);
        } else {
          System.out.println("No peer certificates presented");
        }
      }
    }

5.4.8 Using an SSLContext

The SSLContext class is used to programmatically configure SSL and to retain SSL session information. Each instance can be configured with the keys, certificate chains, and trusted CA certificates that will be used to perform authentication. SSL sockets created with the same SSLContext and used to connect to the same SSL server could potentially reuse SSL session information. Whether the session information is actually reused depends on the SSL server. For more information on session caching, see "SSL Session Behavior" in Securing Oracle WebLogic Server.

To associate an instance of a trust manager class with its SSL context, use the weblogic.security.SSL.SSLContext.setTrustManager method. You can only set up an SSL context programmatically, not by using the Administration Console or the command line.

A Java new expression or the getInstance method of the SSLContext class can create an SSLContext object. The getInstance method is static and it generates a new SSLContext object that implements the specified secure socket protocol. An example of using the SSLContext class is provided in the SSLSocketClient.java sample in the SAMPLES_HOME\server\examples\src\examples\security\sslclient directory. The SSLSocketClient example shows how to create a new SSL socket factory that will create a new SSL socket using SSLContext. Example 5–9 shows a sample instantiation using the getInstance method.

Example 5–9 SSL Context Code Example

    import weblogic.security.SSL.SSLContext;

    SSLContext sslctx = SSLContext.getInstance("https");
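The following is an added example, not one of the WebLogic samples: it wires a trust manager that never overrides a built-in validation error and additionally pins the server's leaf certificate into a weblogic.security.SSL.SSLContext, creates a socket from that context's socket factory, and attaches a HandshakeCompletedListener in the style of MyListener. It assumes the public WebLogic API shapes TrustManager.certificateCallback(X509Certificate[], int), the TrustManager.VALID constant and SSLContext.getSocketFactory(); the host, port and pinned fingerprint are placeholders.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLSocket;
import weblogic.security.SSL.SSLContext;
import weblogic.security.SSL.TrustManager;

public class StrictSslClient {
  // Placeholder: hex SHA-256 fingerprint of the server's leaf certificate.
  static final String PINNED_SHA256 = "PLACEHOLDER-SHA256-HEX";

  // Assumed WebLogic API: returning false terminates the handshake; validateErr
  // is TrustManager.VALID only when the built-in certificate checks passed.
  static class StrictTrustManager implements TrustManager {
    public boolean certificateCallback(X509Certificate[] chain, int validateErr) {
      if (validateErr != TrustManager.VALID || chain == null || chain.length == 0) {
        System.out.println("Rejecting peer: validation error " + validateErr);
        return false;   // never paper over a built-in validation failure
      }
      try {             // extra pin on the leaf certificate, on top of chain validation
        byte[] dig = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : dig) hex.append(String.format("%02X", b));
        if (!hex.toString().equals(PINNED_SHA256)) {
          System.out.println("Rejecting peer: leaf fingerprint " + hex + " is not pinned");
          return false;
        }
        return true;
      } catch (Exception e) {   // encoding or digest failure: fail closed
        return false;
      }
    }
  }

  public static void main(String[] args) throws IOException {
    String host = args.length > 0 ? args[0] : "server.example.com";  // placeholder host
    int port = args.length > 1 ? Integer.parseInt(args[1]) : 7002;   // placeholder port
    SSLContext sslctx = SSLContext.getInstance("https");
    sslctx.setTrustManager(new StrictTrustManager());
    SSLSocket sock = (SSLSocket) sslctx.getSocketFactory().createSocket(host, port);
    // Post-handshake reporting as in MyListener; the trust decision is already made here.
    sock.addHandshakeCompletedListener(new HandshakeCompletedListener() {
      public void handshakeCompleted(HandshakeCompletedEvent ev) {
        System.out.println("Handshake with " + ev.getSession().getPeerHost()
            + " using " + ev.getSession().getCipherSuite());
      }
    });
    sock.startHandshake();
    sock.close();
  }
}
```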

5.4.9 Using URLs to Make Outbound SSL Connections

You can use a URL object to make an outbound SSL connection from a WebLogic Server instance acting as a client to another WebLogic Server instance. WebLogic Server supports both one-way and two-way SSL authentication for outbound SSL connections.

For one-way SSL authentication, you use the java.net.URL, java.net.URLConnection, and java.net.HttpURLConnection classes to make outbound SSL connections using URL objects. Example 5–10 shows a simpleURL class that supports both HTTP and HTTPS URLs and that only uses these Java classes; that is, no WebLogic classes are required. To use the simpleURL class for one-way SSL authentication (HTTPS) on WebLogic Server, all that is required is that weblogic.net be included in the java.protocol.handler.pkgs system property.

Example 5–10 One-Way SSL Authentication URL Outbound SSL Connection Class That Uses Java Classes Only

    import java.net.URL;
    import java.net.URLConnection;
    import java.net.HttpURLConnection;
    import java.io.IOException;

    public class simpleURL
    {
      public static void main (String [] argv)
      {
        if (argv.length != 1)
        {
          System.out.println("Please provide a URL to connect to");
          System.exit(-1);
        }
        setupHandler();
        connectToURL(argv[0]);
      }

      // Registers the WebLogic protocol handler package so that "https" URLs
      // are served by weblogic.net, without dropping handlers already configured.
      private static void setupHandler()
      {
        java.util.Properties p = System.getProperties();
        String s = p.getProperty("java.protocol.handler.pkgs");
        if (s == null)
          s = "weblogic.net";
        else if (s.indexOf("weblogic.net") == -1)
          s += "|weblogic.net";
        p.put("java.protocol.handler.pkgs", s);
        System.setProperties(p);
      }

      private static void connectToURL(String theURLSpec)
      {
        try
        {
          URL theURL = new URL(theURLSpec);
          URLConnection urlConnection = theURL.openConnection();
          HttpURLConnection connection = null;
          if (!(urlConnection instanceof HttpURLConnection))
          {
            System.out.println("The URL is not using HTTP/HTTPS: " + theURLSpec);
            return;
          }
          connection = (HttpURLConnection) urlConnection;
          connection.connect();
          String responseStr = "\t\t" +
            connection.getResponseCode() + " -- " +
            connection.getResponseMessage() + "\n\t\t" +
            connection.getContent().getClass().getName() + "\n";
          connection.disconnect();
          System.out.println(responseStr);
        }
        catch (IOException ioe)
        {
          System.out.println("Failure processing URL: " + theURLSpec);
          ioe.printStackTrace();
        }
      }
    }

Note: Because the simpleURL sample shown in Example 5–10 uses the default trust and hostname checking, this sample requires that you connect to a real Web server that is trusted and that passes hostname checking by default. Otherwise, you must override trust and hostname checking on the command line.

For two-way SSL authentication, the weblogic.net.http.HttpsURLConnection class provides a way to specify the security context information for a client, including the digital certificate and private key of the client. Instances of this class represent an HTTPS connection to a remote object.

The SSLClient sample code demonstrates using the WebLogic URL object to make an outbound SSL connection (see Example 5–11). The code example shown in Example 5–11 is excerpted from the SSLClient.java file in the SAMPLES_HOME\server\examples\src\examples\security\sslclient directory.

Example 5–11 WebLogic Two-Way SSL Authentication URL Outbound SSL Connection Code Example

    wlsUrl = new URL("https", host, Integer.valueOf(sport).intValue(), query);
    weblogic.net.http.HttpsURLConnection sconnection =
        new weblogic.net.http.HttpsURLConnection(wlsUrl);
    // ...
    InputStream[] ins = new InputStream[2];
    ins[0] = new FileInputStream("clientkey.pem");    // client private key (PEM)
    ins[1] = new FileInputStream("client2certs.pem"); // client certificate chain (PEM)
    String pwd = "clientkey";                         // passphrase protecting the key
    sconnection.loadLocalIdentity(ins[0], ins[1], pwd.toCharArray());
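An added example (not the SSLClient sample itself) that builds on Example 5–11: it makes the two-way SSL connection with a hostname verifier that accepts the peer only on a subjectAltName dNSName match, and closes the identity streams that the excerpt leaves open. It assumes weblogic.net.http.HttpsURLConnection.setHostnameVerifier and the weblogic.security.SSL.HostnameVerifier.verify(String, SSLSession) form of the interface; the host and port are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLSession;
import weblogic.net.http.HttpsURLConnection;
import weblogic.security.SSL.HostnameVerifier;

public class TwoWaySslUrlClient {
  // Assumed WebLogic API: HostnameVerifier.verify(String urlHostname, SSLSession session).
  // Accepts the peer only if urlHostname is a dNSName (type 2) entry in the leaf
  // certificate's subjectAltName; there is deliberately no fallback to the subject CN.
  static class SanOnlyVerifier implements HostnameVerifier {
    public boolean verify(String urlHostname, SSLSession session) {
      try {
        X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) {
          for (List<?> san : sans) {
            if (Integer.valueOf(2).equals(san.get(0))
                && urlHostname.equalsIgnoreCase((String) san.get(1))) return true;
          }
        }
      } catch (Exception e) {   // unverified peer or unparsable extension: fail closed
      }
      System.out.println("Hostname " + urlHostname + " not present in peer subjectAltName");
      return false;
    }
  }

  public static void main(String[] args) throws Exception {
    URL wlsUrl = new URL("https", "server.example.com", 7002, "/");   // placeholder host/port
    HttpsURLConnection sconnection = new HttpsURLConnection(wlsUrl);
    sconnection.setHostnameVerifier(new SanOnlyVerifier());
    // Same identity files and password as Example 5-11, but the streams are always closed.
    InputStream key = new FileInputStream("clientkey.pem");
    InputStream certs = new FileInputStream("client2certs.pem");
    try {
      sconnection.loadLocalIdentity(key, certs, "clientkey".toCharArray());
    } finally {
      key.close(); certs.close();
    }
    sconnection.connect();
    int code = sconnection.getResponseCode();
    System.out.println("Response: " + code + " " + sconnection.getResponseMessage());
    sconnection.disconnect();
  }
}
```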

5.5 SSL Client Code Examples

A complete working SSL authentication sample is provided with the WebLogic Server product. The sample is located in the SAMPLES_HOME\server\examples\src\examples\security\sslclient directory. For a description of the sample and instructions on how to build, configure, and run this sample, see the package.html file in the sample directory. You can modify this code example and reuse it.