Configuring SSL on BEA WebLogic Server 8.1
If you're planning to build a business web site, security is extremely important, regardless of whether you're creating a corporate intranet or a public site. One of the easiest ways to ensure basic security for users is to configure your web server to use the Secure Sockets Layer (SSL) protocol. SSL ensures that network traffic between the browser and the web server is encrypted, preventing eavesdroppers from snooping network traffic and discovering passwords, credit card numbers, and even usernames. (Of course, SSL alone won't keep your application totally secure. The major concepts and techniques of security are beyond the scope of this article; fortunately, InformIT has a whole section devoted to the topic.)
Configuring BEA WebLogic Server to use SSL is very easy, even if you've never done an SSL configuration. The WebLogic console allows novice users to configure SSL quickly and easily. You'll need the following items before we get started:
- Copy of BEA WebLogic for your environment. You can download a trial version from BEA's web site.
- Keystore containing your private key and public certificate. I'll describe keystores shortly.
- Keystore to act as your trust. Optional; you'll need this only if you don't plan to use the default provided in the Java Development Kit (JDK) for your setup.
In WebLogic 8.1, we frequently talk about two keystores:
- The identity keystore contains the certificates and keys related to the server's identity. This is generally the certificate information that your server will share with clients.
- The trust keystore is used whenever the server will accept or make two-way SSL calls—that is, when both the server and client present certificates. In most cases, web applications use one-way SSL; the server presents a certificate, and the browser chooses to accept or reject the certificate. In two-way SSL, the server presents its certificate and asks the client to present a certificate as well. This is where the trust comes into play. When the server receives the client's certificate, it uses the trust to determine whether to trust the issuer of the client certificate. We'll examine trusts shortly.