Secure Sockets Layer (SSL) provides secure connections by allowing two applications communicating over a network to authenticate each other's identity and by encrypting the data they exchange. Authentication lets the client verify the identity of the server (and, optionally, lets the server verify the identity of the client), while encryption makes data transmitted over the network intelligible only to the intended recipient. (What is negotiated today is a TLS protocol version; WebLogic Server keeps the historical "SSL" name in its configuration.)
SSL can be configured one-way or two-way:
- one-way SSL: the server presents a certificate to the client so that the client can verify the server's identity. To successfully negotiate an SSL connection, the client must authenticate the server, but the server accepts a connection from any client.
- two-way SSL: the server presents a certificate to the client and the client presents a certificate to the server. WebLogic Server can be configured to require clients to submit valid and trusted certificates before completing the SSL connection, so that a client without an acceptable certificate is rejected at the handshake rather than at the application layer.
In order to configure SSL, we will use the Java keytool to generate the certificates and keystores required for both one-way and two-way SSL communication.
A step-by-step guide for creating the certificates using keytool is included in the Appendix of this book. Therefore, in order to proceed, follow these steps:
- Start by creating the required identity keystore (which holds the server's private key and certificate) and trust keystore, as indicated in the Appendix. Note that when the "Custom Identity and Custom Trust" option is used in the steps below, the trust keystore is needed for one-way SSL too; for two-way SSL it must additionally contain the CA certificates that issued the client certificates you intend to accept.
- In order to use the certificates, log into the Admin Console and, for each server that needs to be secured, open its Keystores tab. By default it points to the Demo Certificates, which are shipped with every installation and must never be used outside development.
- Click on the Change button and, in the next screen, select "Custom Identity and Custom Trust" as the Keystores option. Click on Save; this returns you to the Keystores subtab.
- Now enter the details of your identity keystore and of your trust keystore: file path, passphrase and, as Custom KeyStore Type, "JKS", which is the keystore type generated with the JDK's keytool utility.
- Click on Save. Now move on to the Configuration | SSL tab and enter the Private Key Alias (the alias you gave the key pair when generating it with keytool) and its passphrase. For two-way SSL, also expand the Advanced section of this tab and set Two Way Client Cert Behavior to "Client Certs Requested And Enforced"; the default, "Client Certs Not Requested", leaves you with one-way SSL regardless of the trust keystore contents.
- The last step, which also needs to be repeated on every secured server, is enabling SSL and setting a Listen Port for your HTTPS requests. This is done through the Configuration | General subtab (SSL Listen Port Enabled and SSL Listen Port). Activate the changes and watch for a pending-restart notice in the console: keystore and SSL changes on a running server generally take effect only after that server is restarted.
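The same procedure can be scripted with the WebLogic Scripting Tool (WLST) so that it is repeatable across all secured servers and does not depend on clicking through the console. The script below is an added example and not part of the book or of the WebLogic distribution; the admin URL, credentials, server name, keystore paths, alias, passphrases and port are all placeholder assumptions to replace with your own, and the keytool commands in the comments are the generic ones that produce such keystores, not the exact Appendix steps. It sets the same attributes the console tabs expose (Keystores, SSL, General) and, when `TWO_WAY` is set, the two-way client certificate enforcement described above.

```jython
# Added example (WLST / Jython), not code from the book. Run with:
#   $WL_HOME/common/bin/wlst.sh configure_ssl.py
# All values below are placeholder assumptions.
#
# Assumed keystores, produced beforehand with keytool, e.g.:
#   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
#           -keystore identity.jks -storetype JKS -validity 365
#   keytool -importcert -alias myca -file ca.pem \
#           -keystore trust.jks -storetype JKS
import sys

ADMIN_URL     = 't3://localhost:7001'           # assumed Admin Server URL
ADMIN_USER    = 'weblogic'
ADMIN_PASS    = 'changeme-admin'                # load from a secure store in real use
SERVER_NAME   = 'ManagedServer1'                # assumed server to secure
IDENTITY_JKS  = '/opt/keystores/identity.jks'   # assumed identity keystore path
TRUST_JKS     = '/opt/keystores/trust.jks'      # assumed trust keystore path
IDENTITY_PASS = 'changeme-identity'
TRUST_PASS    = 'changeme-trust'
KEY_ALIAS     = 'server'                        # alias of the private key in identity.jks
KEY_PASS      = 'changeme-key'
SSL_PORT      = 7002
TWO_WAY       = True                            # False = one-way SSL (server cert only)

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
edit()
startEdit()
try:
    # Keystores tab: switch from Demo Certificates to Custom Identity and Custom Trust
    cd('/Servers/' + SERVER_NAME)
    cmo.setKeyStores('CustomIdentityAndCustomTrust')
    cmo.setCustomIdentityKeyStoreFileName(IDENTITY_JKS)
    cmo.setCustomIdentityKeyStoreType('JKS')
    cmo.setCustomIdentityKeyStorePassPhrase(IDENTITY_PASS)
    cmo.setCustomTrustKeyStoreFileName(TRUST_JKS)
    cmo.setCustomTrustKeyStoreType('JKS')
    cmo.setCustomTrustKeyStorePassPhrase(TRUST_PASS)

    # Configuration | SSL tab: which key in the identity keystore to present
    cd('/Servers/' + SERVER_NAME + '/SSL/' + SERVER_NAME)
    cmo.setServerPrivateKeyAlias(KEY_ALIAS)
    cmo.setServerPrivateKeyPassPhrase(KEY_PASS)

    if TWO_WAY:
        # Request a client certificate and refuse the handshake if none is
        # presented or it does not chain to a CA in the trust keystore
        # (console: Two Way Client Cert Behavior = Requested And Enforced)
        cmo.setTwoWaySSLEnabled(true)
        cmo.setClientCertificateEnforced(true)
    else:
        cmo.setTwoWaySSLEnabled(false)
        cmo.setClientCertificateEnforced(false)

    # Configuration | General tab: SSL Listen Port Enabled / SSL Listen Port
    cmo.setEnabled(true)
    cmo.setListenPort(SSL_PORT)

    save()
    activate(block='true')
    print 'SSL configured on %s, HTTPS port %d, two-way=%s' % (SERVER_NAME, SSL_PORT, TWO_WAY)
except:
    # Roll back the edit session so a half-applied SSL setup is never activated
    print 'Configuration failed, discarding edit session:', sys.exc_info()[1]
    undo('true', 'y')
    cancelEdit('y')
    raise
finally:
    disconnect()
```

Keep the passphrases out of the script in practice (WLST can read them from a properties file or a prompt), and restart the affected server after activation, as the keystore and SSL attributes are not picked up by a running listener.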