WebLogic Server 6.0 Code Examples, BEA Systems, Inc.
Package examples.security.cert
Package examples.security.cert Description
This package demonstrates taking a digital certificate presented by a client during mutual authentication and returning an authenticated WebLogic Server User. The code example is based on the SimpleCertAuthenticator.java class, which implements the weblogic.security.acl.CertAuthenticator interface.
The SimpleCertAuthenticator class maps the e-mail name (the portion preceding the @ symbol) in the client's digital certificate to a User in a WebLogic Server security realm. The SimpleCertAuthenticator class calls the realm.getUser() method to look up the e-mail name in the WebLogic Server security realm. Other implementations of the CertAuthenticator interface could map a digital certificate to a User by looking up the holder of the digital certificate in an LDAP directory or in an RDBMS.
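As an added example (not the BEA sample itself), the following class shows how a CertAuthenticator of the kind described above can implement the e-mail-to-User mapping. The authenticate() signature, Realm.getRealm("weblogic") and the BasicRealm and User types are assumed from the WebLogic 6.0 weblogic.security.acl API and should be checked against its Javadoc; the subject DN parsing uses standard Java (javax.naming.ldap, X500Principal) rather than WebLogic classes, and the example goes slightly beyond the page by refusing to map non-SSL or malformed input instead of guessing.

```java
package examples.security.cert;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import weblogic.security.acl.BasicRealm;
import weblogic.security.acl.CertAuthenticator;
import weblogic.security.acl.Realm;
import weblogic.security.acl.User;

public class EmailCertAuthenticator implements CertAuthenticator {
    // PKCS #9 emailAddress OID, as it appears in a subject DN.
    private static final String EMAIL_OID = "1.2.840.113549.1.9.1";
    // Assumed 6.0 realm lookup; the page only states that realm.getUser() is called.
    private final BasicRealm realm = Realm.getRealm("weblogic");
    // Assumed CertAuthenticator signature. The server verifies the client's chain
    // against the Trusted CA File before calling this, so the only decision left
    // is which User the already-trusted certificate maps to.
    public User authenticate(String userName, Certificate[] certs, boolean ssl) {
        if (!ssl || certs == null || certs.length == 0) return null;
        if (!(certs[0] instanceof X509Certificate)) return null;  // leaf cert only
        String local = localPart(emailOf((X509Certificate) certs[0]));
        return local == null ? null : realm.getUser(local);  // null: auth fails
    }
    // Subject emailAddress of cert, or null if absent or the DN cannot be parsed.
    static String emailOf(X509Certificate cert) {
        // Mapping the OID to a keyword makes RFC 2253 print the value as text, not hex.
        String dn = cert.getSubjectX500Principal().getName(
                X500Principal.RFC2253, Collections.singletonMap(EMAIL_OID, "EMAILADDRESS"));
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("EMAILADDRESS".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            // fall through: never derive a user name from a malformed subject
        }
        return null;
    }
    // "support@example.com" -> "support"; null unless there is exactly one '@'
    // with a non-empty part before it, so an odd address cannot map to a User.
    static String localPart(String email) {
        int at = email == null ? -1 : email.indexOf('@');
        return (at <= 0 || at != email.lastIndexOf('@')) ? null : email.substring(0, at);
    }
}
```

Because getUser() returns null for an unknown name, a certificate whose e-mail name matches no User in the realm is rejected rather than silently granted access.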
Perform the following steps in order to build and run the example:
- Build the example
- Configure the server
- Run the example
Build the Example
- Set up your development shell as described in Setting up your environment.
- Compile the example by executing the following command or by executing the build script in the samples/examples/security/cert directory:
  javac -d %SERVER_CLASSES% SimpleCertAuthenticator.java
- Copy the demonstration digital certificate and private key for WebLogic Server and the digital certificate for the certificate authority from the \weblogic600\config\examples directory to the directory in which you are running the cert code example.
  - The name of the digital certificate is democert.pem.
  - The name of the digital certificate for the certificate authority is ca.pem.
  - The name of the private key file is demokey.pem.
  When using mutual authentication with a Java client, you can use the demonstration digital certificate and private key for both the client and the server. You can also use a digital certificate and private key of your own with the cert code example. Copy the digital certificates and the private key file into the directory in which you are running the cert code example.
Configure the Server
- Bring up the Administration Console in a browser.
- Click to expand the Servers node in the left pane of the Administration Console.
- Select the examplesServer node in the left pane of the Administration Console.
- Verify that the SSL protocol is enabled: on the SSL tab in the Server Configuration window for examplesServer, verify that the Enabled checkbox is checked.
- Enter 7002 in the Listen Port field.
- Define the following information about the digital certificate and private key for examplesServer on the SSL tab in the Server Configuration window:
  - In the Server Key File Name field, enter the full directory location and name of the private key file for examplesServer (for example, ./config/examples/demokey.pem).
  - In the Server Certificate File Name field, enter the full directory location and name of the digital certificate for examplesServer (for example, ./config/examples/democert.pem).
  - If you are using mutual authentication with the AltClient client, check the Client Certificate Enforced checkbox to enable mutual authentication.
  - In the Trusted CA File Name field, enter the full directory location and name of the digital certificate for the certificate authority trusted by examplesServer (for example, ./config/examples/ca.pem).
  - If you are using a PKCS-8 password-protected private key, check the Key Encrypted checkbox. The demonstration private key is not password protected.
  - Enter SimpleCertAuthenticator in the CertAuthenticator field.
- Define support as a User in the WebLogic Server security realm:
  - Click to expand the Security node in the left pane of the Administration Console.
  - Select the Users node.
  - Add the User support with the password anything.
- Create an ACL that grants permission for User support to an existing resource in WebLogic Server:
  - Select the Access Control Lists node in the left pane.
  - Create a new ACL.
  - In the Grant to User field, enter support.
Run the Example
- Restart WebLogic Server. If you are using a PKCS-8 password-protected private key, add the following command line option when starting WebLogic Server:
  -Dweblogic.management.pkpassword=password
  where password is the password used to protect the private key.
- Connect to WebLogic Server using mutual authentication.
  - From a web browser, request an HTTPS connection to the resource you protected with an ACL. When using a web browser, users install their digital certificates in the web browser. If you use the demonstration certificate, you cannot use a web browser to test the CertAuthenticator class. If you use an HTTP port to connect from a web browser to a protected resource in WebLogic Server, the web browser should request a username and password. However, when you connect using the HTTPS port, SimpleCertAuthenticator establishes your identity without your having to log in.
  - From a Java client, specify the following properties on a JNDI environment object:
    - In the Context.INITIAL_CONTEXT_FACTORY property, enter weblogic.jndi.WLInitialContextFactory.
    - In the Context.PROVIDER_URL property, specify the T3S protocol and the host and port of the WebLogic Server to which you want to connect, for example, t3s://localhost:7002.
    - In the Context.SECURITY_AUTHENTICATION property, specify Strong.
    - In the Context.SECURITY_CREDENTIALS property, pass an InputStream array containing the digital certificate file and private key file for the client.
    See AltClient.java in the security.acl package for an example of mutual authentication from a Java client.
There's More...
Read more about mutual authentication and security in Programming WebLogic Security and Managing Security.
Copyright © 2000 BEA Systems, Inc. All Rights Reserved.