Configuring SSL 12-15
void setJSSEEnabled(boolean enabled);
boolean isJSSEEnabled();
The change takes effect on the next server restart. See SSLMBean in the Oracle WebLogic Server MBean Reference for complete
information on the SSLMBean.
12.12.1.4 Enable and Disable the JSSE-Based SSL Implementation for a Standalone Client
On standalone clients, use the weblogic.security.SSL.enableJSSE=true|false system property to enable
and disable the JSSE-based SSL implementation. The default is false.
12.12.2 System Property Differences Between the JSSE-Based and Certicom SSL Implementations
Table 12–2 shows the differences in how the JSSE-based SSL implementation handles
the WebLogic system properties.
Table 12–2 System Properties Differences

System Property: weblogic.security.SSL.ignoreHostnameVerification
JSSE Applicability: This property continues to work and is not affected by the JSSE integration.
Description: Does not verify the hostname in the URL against the hostname in the certificate.

System Property: weblogic.ReverseDNSAllowed
JSSE Applicability: This property continues to work and is not affected by the JSSE integration.
Description: If set to true, a reverse DNS lookup is used to determine whether the URL hostname is a loopback address ("localhost" or "127.0.0.1", or the IPv6 equivalent).

System Property: weblogic.security.SSL.trustedCAKeyStore
JSSE Applicability: This property continues to work and is not affected by the JSSE integration.
Description: Loads the trusted CA certificates from that keystore.

System Property: weblogic.security.SSL.verbose
JSSE Applicability: Use this property in combination with javax.net.debug=all to get verbose debug output from the SSL calling code and the JSSE-based implementation. (1)
Description: For additional SSL debugging when -Dssl.debug=true is used.

System Property: ssl.debug=true
JSSE Applicability: Use this property in combination with javax.net.debug=ssl to get debug output from the SSL calling code and the JSSE-based implementation. (1)
Description: Displays SSL debug information to the console or logs. This property is for the calling WebLogic code. The JSSE-based SSL implementation has its own logging system, which is activated by the javax.net.debug property.
Note: You can set JSSE logging (javax.net.debug) independently of WebLogic SSL logging (ssl.debug).
12-16 Securing Oracle WebLogic Server
System Property: weblogic.security.SSL.disableJsseCipherSuiteAliases=true|false
JSSE Applicability: The default is false. Disables the conversion of Certicom cipher suite names to SunJSSE cipher suite names, where applicable.
Description: By default, Certicom cipher suite names are converted to JSSE cipher suite names when JSSE is used for SSL. For a list of Certicom cipher suite names and their SunJSSE equivalents, see Table 12–3.

System Property: weblogic.security.SSL.ignoreHostnameVerify
JSSE Applicability: This property continues to work and is not affected by the JSSE integration.
Description: See weblogic.security.SSL.ignoreHostnameVerification.

System Property: weblogic.security.SSL.HostnameVerifier=classname
JSSE Applicability: This property continues to work and is not affected by the JSSE integration.
Description: Specifies the class name of a custom hostname verification class.

System Property: weblogic.security.SSL.protocolVersion=protocol
JSSE Applicability: This property continues to work and is not affected by the JSSE integration.
Description: The supported protocol values are mapped to the corresponding protocols supported by JSSE. See Section 12.11, Specifying the Version of the SSL Protocol.

System Property: One of the following:
■ weblogic.security.SSL.allowUnencryptedNullCipher
■ SSLMBean.setAllowUnencryptedNullCipher(boolean)
■ weblogic.security.disableNullCipher
JSSE Applicability: SunJSSE supports the following two null ciphers, but they are not enabled by default:
■ SSL_RSA_WITH_NULL_MD5
■ SSL_RSA_WITH_NULL_SHA
If this setting is enabled, these two null ciphers are added to the cipher list.
Description: By default, this control is not set and the use of a null cipher is not allowed on the server. In such a configuration, if an SSL client wants to use the null cipher suite by indicating SSL_RSA_WITH_NULL_MD5 as the only supported cipher suite, the SSL handshake will fail.
If you set this control, the null cipher suite (for example, SSL_RSA_WITH_NULL_MD5) is added to the list of cipher suites supported by the server. The SSL connection may then use the null cipher suite if the client asks for it. If the null cipher suite is used, the message will be unencrypted.
Caution: Do not set this control in a production environment unless you are aware of the implications and consequences of doing so.

System Property: weblogic.security.SSL.enforceConstraints=option
JSSE Applicability: Off is not supported, but other options are supported.
Description: Ensures that the Basic Constraints extension on the CA certificate is defined as CA. See Section 12.9.1, Controlling the Level of Certificate Validation.

System Property: weblogic.security.SSL.allowedcertificatepolicyids
JSSE Applicability: Not supported.
Description: WebLogic Server offers limited support for Certificate Policy Extensions in X.509 certificates. See Section 12.9.2, Accepting Certificate Policies in Certificates.

System Property: weblogic.security.SSL.nojce
JSSE Applicability: Not supported.
Description: See Section 12.4, Setting Up SSL: Main Steps.
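An added example, not from the Oracle documentation or the WebLogic code base: a small Java audit that uses only standard JSSE calls (SSLContext.getDefault() and its SSLParameters) to list the null suites the provider supports versus enables by default, then rejects a constructed suite list to which SSL_RSA_WITH_NULL_MD5 and SSL_RSA_WITH_NULL_SHA have been appended, which is the effect the null-cipher control in the table has on the server's list.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Audits a JSSE cipher-suite list for null (unencrypted) suites. Added example, not Oracle code. */
public class NullCipherAudit {

    /** Returns every suite whose bulk cipher is NULL, i.e. that offers no confidentiality. */
    static List<String> findNullSuites(String[] suites) {
        List<String> hits = new ArrayList<>();
        for (String s : suites) {
            // Both Certicom-style (SSL_...) and JSSE-style (TLS_...) names carry "_WITH_NULL_".
            if (s.contains("_WITH_NULL_")) {
                hits.add(s);
            }
        }
        return hits;
    }

    /** Fails fast if a server-side suite list would permit an unencrypted session. */
    static void requireEncryption(String[] enabledSuites) {
        List<String> nulls = findNullSuites(enabledSuites);
        if (!nulls.isEmpty()) {
            throw new IllegalStateException("Null cipher suites enabled: " + nulls);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();

        // Mirrors the table: SunJSSE may list the null suites as supported, but does not enable them by default.
        System.out.println("Null suites supported by this provider: " + findNullSuites(supported));
        System.out.println("Null suites enabled by default:        " + findNullSuites(enabled));
        requireEncryption(enabled); // passes on a default JSSE configuration

        // Constructed list: what the allowUnencryptedNullCipher control does is append the two null suites.
        List<String> permissive = new ArrayList<>(Arrays.asList(enabled));
        permissive.add("SSL_RSA_WITH_NULL_MD5");
        permissive.add("SSL_RSA_WITH_NULL_SHA");
        try {
            requireEncryption(permissive.toArray(new String[0]));
        } catch (IllegalStateException e) {
            System.out.println("Audit rejected the permissive list: " + e.getMessage());
        }
    }
}
```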
12.12.3 Supported Cipher Suites