Package examples.security.sslclient

These examples demonstrate how to make outbound SSL connections and two-way SSL connections from a WebLogic Server that is acting as a client to another WebLogic Server or application server.


Class Summary

MyListener: MyListener implements the interface javax.net.ssl.HandshakeCompletedListener and shows the user how to receive notifications about the completion of an SSL protocol handshake on a given SSL connection.
NulledHostnameVerifier: HostnameVerifierJSSE provides a callback mechanism so that implementers of this interface can supply a policy for handling the case where the host that's being connected to and the server name from the certificate SubjectDN must match.
NulledTrustManager: Given the partial or complete certificate chain provided by the peer, build a certificate path to a trusted root and return true if it can be validated and is trusted for client SSL authentication.
SSLClient: SSLClient is a short example of how to use the SSL library of WebLogic to make outgoing SSL connections.
SSLClientServlet: SSLClientServlet is a simple servlet wrapper of examples.security.sslclient.SSLClient.
SSLSocketClient: A Java client that demonstrates connecting to a JSP served by WebLogic Server using the secure port and displays the results of the connection.
 

Package examples.security.sslclient Description

These examples demonstrate how to make outbound SSL connections and two-way SSL connections from a WebLogic Server that is acting as a client to another WebLogic Server or application server. In the SSLClient example, the connection is made using the URL specified in a WebLogic Server application programming interface (API) in the client code. In addition, the examples use a host name verifier to validate that the host to which the SSL connection is made is the intended or authorized party, and private keys and certificates to validate that the peer can be trusted for SSL communication.

The following table describes the files used in the sslclient examples.

 

build.xml: The build script for the SSLClient example.
CertGenCA.der: The CertGen Certificate Authority's (CA's) certificate in Distinguished Encoding Rules (DER) format.
CertGenCA.pem: The CertGen CA's certificate in Privacy Enhanced Mail (PEM) format.
CertGenCAKey.der: The private key of the CertGenCA.
 

Description

SSLClient Example

The sslclient example demonstrates connecting to a JSP served by WebLogic Server. This connection is established using the weblogic.net.http.HttpsURLConnection class. The SSLClient makes connections using HTTP and HTTPS and can be run using either ant or from the command line. Use of certificates can be turned on using the Administration Console. The sslclient example also includes a dummy implementation of the weblogic.security.SSL.HostnameVerifierJSSE class to verify that the server the example connects to is running on the desired host.

The files in the sample application should be run in the following combinations:

Client API          Server
WebLogic Server     WebLogic Server     ant run.sslclient

The sslclient code example provides an SSLClient, a Java client that can be run using either ant or from the command line.

The ant run.sslclient command includes target parameters that specify the following information:

  • The WebLogic API used to connect to the server.
  • The server to which to connect.
  • A non-secure port and secure port on the server.
  • A target object to which to connect (SnoopServlet) (optional).

SSLSocketClient Example

The SSLSocketClient example demonstrates initializing an SSLContext with client identity, a HostnameVerifierJSSE, and a NulledTrustManager, using an SSLSocketFactory, and using HTTPS to connect to a JSP served by WebLogic Server. The SSLSocketClient example also includes a dummy implementation of the weblogic.security.SSL.HostnameVerifierJSSE class to verify that the server the example connects to is running on the desired host.

The files in the sample application should be run in the following combinations:

Client API          Server
WebLogic Server     WebLogic Server     ant run.sslsocketclient

The ant run.sslsocketclient command includes target parameters that specify the following information:

  • The server to which to connect.
  • An HTTPS port on the server.

Building and Running the Examples

Perform the following steps to build and run the examples:

  1. Build the SSLClient, SSLSocketClient, and SSLClientServlet examples
  2. Run the SSLClient example
  3. Run the SSLSocketClient example
  4. Run the SSLClientServlet example

Build the SSLClient, SSLSocketClient, and SSLClientServlet examples

  1. Set up your development shell as described in Setting up your environment.

  2. Compile the example by executing an ant build script.

    An ant build script is available in the SAMPLES_HOME\server\examples\src\examples\security\sslclient directory. Enter the following command to execute the build script:

    The ant command builds, creates and deploys the files needed by the SSLClient, SSLSocketClient, and SSLClientServlet examples as follows:

    • Runs Clean to remove from the local directory any keystore and certs that were created in previous builds.
    • Compiles server classes and client classes into the SAMPLES_HOME\server\examples\build\serverclasses and clientclasses directories respectively.
    • Deploys the SnoopServlet.jsp to the SAMPLES_HOME\server\examples\build\examplesWebApp directory.
    • The target mycerts creates certificates in the local directory, which are used by the SSLClient and SSLClientServlet examples.
    • Creates mykeystore in the local directory.
    • Deploys the client2certs.pem and clientkey.pem files to the SAMPLES_HOME\domains\examples directory. The SSLClientServlet example uses them.

Run the SSLClient Example

You can run the SSLClient example in either of two modes, one-way authentication or mutual authentication. In one-way authentication, the server presents a certificate to the client to identify itself. With mutual authentication, both the server and the client present certificates to each other to identify themselves. A separate procedure is provided for each mode.

When the SSLClient runs, it constructs a URL with which to make the connection. First the client will try to connect to the non-secure port (i.e., 7001 on WebLogic Server) on the server and then the client will try to connect using a secure port (i.e., 7002 on WebLogic Server). The response to the connection is displayed on the screen.

The SSLClient displays the following data on the screen or in the browser:

  • The protocol handling package (i.e., the SSL package being used to make the secure connection). The SSL package is dependent upon the API being used. In the SSLClient, wls is specified, so the WebLogic SSL implementation is used.

  • The registered providers (i.e., the security providers registered with the Java Security object).

  • A message stating the HTTP connection attempt to the non-secure port and the result of that attempt. A successful attempt result shows the URL the client connected to, the response status code and messages, and the name of the class which serviced the request.

  • A message stating the HTTPS connection attempt to the secure port and the result of that attempt. A successful attempt result shows the URL the client connected to, the response status code and messages, and the name of the class which serviced the request.

Additionally, when you run the SSLClient example in the mutual authentication mode, it demonstrates how the certificates that were generated using CertGen are presented to the server as the Client's identity.

Run the SSLClient Example with One-way Authentication

To run the SSLClient with one-way authentication on WebLogic Server using the WebLogic Server API, execute the following command:

ant run.sslclient

Here is a sample output.

D:\bea\weblogic81\samples\server\examples\src\examples\security\sslclient>ant run.sslclient
Buildfile: build.xml

run.sslclient:
     [java] ----
     [java]  JDK Protocol Handlers and Security Providers:
     [java]    java.protocol.handler.pkgs - weblogic.net
     [java]    provider[0] - SUN - SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
     [java]    provider[1] - SunJSSE - Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
     [java]    provider[2] - SunRsaSign - SUN's provider for RSA signatures
     [java]    provider[3] - SunJCE - SunJCE Provider (implements DES, Triple DES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
     [java]    provider[4] - SunJGSS - Sun (Kerberos v5)
     [java]
     [java]  Trying a new HTTP connection using WLS client classes -
     [java]     http://www.setgetweb.com:7001/examplesWebApp/SnoopServlet.jsp
     [java]             200 -- OK
     [java]             weblogic.net.http.KeepAliveStream
     [java]  Trying a new HTTPS connection using WLS client classes -
     [java]     https://www.setgetweb.com:7002/examplesWebApp/SnoopServlet.jsp
     [java]             200 -- OK
     [java]             weblogic.net.http.KeepAliveStream
     [java] ----

BUILD SUCCESSFUL

Total time: 14 seconds

Run the SSLClient Example with Mutual Authentication

To run the SSLClient with mutual authentication on WebLogic Server using the WebLogic Server API, proceed as follows:

  1. Bring up the Administration Console in a browser, click on the examples->Servers->examplesServer in the left-hand pane to display the examplesServer control panel in the right-hand pane, select the Keystores & SSL tab, select Advanced Options, scroll down to Server Attributes and in the Two Way Client Cert Behavior field select the Client Certificate Requested and Enforced option and click Apply.
  2. Stop and restart the server so the changes take effect.
  3. Execute the following command:

    ant run.sslclient

  4. The sample output is the same as for one-way authentication.

Run the SSLSocketClient Example

To run the SSLSocketClient, execute the following command:

ant run.sslsocketclient

The SSLSocketClient constructs a URL with which to make the secure connection. The response to the connection is displayed on the screen.

The SSLSocketClient displays the following data on the screen:

  • A description of the SSLSocket creation process, which includes creating the SSLContext, initializing the SSLContext with client identity (certificates and private key), HostnameVerifierJSSE, and NulledTrustManager, creating a new SSLSocketFactory with SSLContext, and creating and opening a new SSLSocket with SSLSocketFactory.

  • The output from the SnoopServlet.jsp.

The output is similar to the following:

D:\bea\weblogic81\samples\server\examples\src\examples\security\sslclient>ant run.sslsocketclient
Buildfile: build.xml

run.sslsocketclient:
     [java]
     [java] https://www.setgetweb.com:7002
     [java]  Creating the SSLContext
     [java]  Initializing the SSLContext with client
     [java]   identity (certificates and private key),
     [java]   HostnameVerifierJSSE, AND NulledTrustManager
     [java]  Creating new SSLSocketFactory with SSLContext
     [java]  Creating and opening new SSLSocket with SSLSocketFactory
     [java]  SSLSocket created
     [java]  --- Do Not Use In Production ---
     [java]  By using this NulledTrustManager, the trust in the server's identity is completely lost.
     [java]  --------------------------------
     [java]  certificate 0 -- [
     [java] [
     [java]   Version: V1
     [java]   Subject: CN=pcwiz, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
     [java]   Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
     [java]
     [java]   Key:  com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffc8c
     [java]   Validity: [From: Mon Jan 27 14:49:05 EST 2003,
     [java]                To: Sun Jan 28 14:49:05 EST 2018]
     [java]   Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
     [java]   SerialNumber: [   -2b2b7c4c 4b13f881 e0b0014d a2865015]
     [java]
     [java] ]
     [java]   Algorithm: [MD5withRSA]
     [java]   Signature:
     [java] 0000: 20 3D D5 59 A8 78 94 B9   10 C0 92 C1 D8 1E F0 69   =.Y.x.........i
     [java] 0010: 61 3B EA 3B 67 4B 14 6E   64 93 76 B4 52 10 1B 37  a;.;gK.nd.v.R..7
     [java] 0020: A4 BC EB 19 4A 8F 0D 3A   40 B6 B7 A0 4A B4 AD 0F  ....J..:@...J...
     [java] 0030: 81 1E FA 49 4C 02 10 1B   8E 56 D9 05 AA 6C 8B AF  ...IL....V...l..
     [java]
     [java] ]
     [java]  certificate 1 -- [
     [java] [
     [java]   Version: V3
     [java]   Subject: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
     [java]   Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
     [java]
     [java]   Key:  com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffefa
     [java]   Validity: [From: Thu Oct 24 11:54:45 EDT 2002,
     [java]                To: Tue Oct 25 11:54:45 EDT 2022]
     [java]   Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
     [java]   SerialNumber: [    234b5559 d1fa0f3f f5c82bdf ed032a87]
     [java]
     [java] Certificate Extensions: 2
     [java] [1]: ObjectId: 2.5.29.15 Criticality=true
     [java] KeyUsage [
     [java]   Key_CertSign
     [java] ]
     [java]
     [java] [2]: ObjectId: 2.5.29.19 Criticality=true
     [java] BasicConstraints:[
     [java] CA:true
     [java] PathLen:1
     [java] ]
     [java]
     [java] ]
     [java]   Algorithm: [MD5withRSA]
     [java]   Signature:
     [java] 0000: 42 38 2B 10 F5 05 AF 1A   F0 22 92 30 41 3A 3A D3  B8+......".0A::.
     [java] 0010: 16 A6 41 34 96 09 B2 FE   7E 99 56 7D D2 95 70 9B  ..A4......V...p.
     ...
     [java]   Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
     [java]
     [java]   Key:  com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffc8c
     [java]   Validity: [From: Mon Jan 27 14:49:05 EST 2003,
     [java]                To: Sun Jan 28 14:49:05 EST 2018]
     [java]   Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
     [java]   SerialNumber: [   -2b2b7c4c 4b13f881 e0b0014d a2865015]
     [java]
     [java] ]
     [java]   Algorithm: [MD5withRSA]
     [java]   Signature:
     [java] 0000: 20 3D D5 59 A8 78 94 B9   10 C0 92 C1 D8 1E F0 69   =.Y.x.........i
     [java] 0010: 61 3B EA 3B 67 4B 14 6E   64 93 76 B4 52 10 1B 37  a;.;gK.nd.v.R..7
     [java] 0020: A4 BC EB 19 4A 8F 0D 3A   40 B6 B7 A0 4A B4 AD 0F  ....J..:@...J...
     [java] 0030: 81 1E FA 49 4C 02 10 1B   8E 56 D9 05 AA 6C 8B AF  ...IL....V...l..
     [java]
     [java] ]
     [java] HTTP/1.1 200 OK
     [java] Date: Thu, 13 Feb 2003 19:33:29 GMT
     [java] Server: WebLogic WebLogic Server 8.1  Tue Jan 28 03:43:10 PST 2003 234551
     [java] Content-Length: 3159
     [java] Content-Type: text/html
     [java] Set-Cookie: JSESSIONID=2LzJg8r5yqlVtOR6wb1jIwp2rxy1BXzJ5WFiGQO0T1pKQ4WVbp8q!654852218; path=/
     [java] Refresh: 5
     [java] Connection: Close
     \\
     \\The output of the SnoopServlet.jsp is shown here. The text is formatted in html for browser display.
     \\See your output for actual text.
     \\
     [java]  SSLSocket closed 
  
BUILD SUCCESSFUL

Total time: 12 seconds

Run the SSLClientServlet Example

To run the SSLClientServlet, point your browser to: http://www.setgetweb.com:7001/examplesWebApp/SSLClientServlet.

Here is a sample of the output displayed in the browser.

ssl client test

wls ssl client classes


java SSLClient wls www.setgetweb.com 7001 7002 /examplesWebApp/SnoopServlet.jsp

 JDK Protocol Handlers and Security Providers:
   java.protocol.handler.pkgs - weblogic.utils|weblogic.utils|weblogic.net
   provider[0] - SUN - SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
   provider[1] - SunJSSE - Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
   provider[2] - SunRsaSign - SUN's provider for RSA signatures
   provider[3] - SunJCE - SunJCE Provider (implements DES, Triple DES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
   provider[4] - SunJGSS - Sun (Kerberos v5)

 Trying a new HTTP connection using WLS client classes - 
        http://www.setgetweb.com:7001/examplesWebApp/SnoopServlet.jsp
                200 -- OK
                weblogic.net.http.KeepAliveStream
 Trying a new HTTPS connection using WLS client classes - 
        https://www.setgetweb.com:7002/examplesWebApp/SnoopServlet.jsp
                200 -- OK
                weblogic.net.http.KeepAliveStream

 
