I am new to WebLogic security configuration and currently in the process of configuring the Internet X509 PKI authentication mechanism. Can someone guide me on how to do that?
Basically I have a question: what is the difference between two-way SSL and iPKI? Is two-way SSL the implementation of iPKI?
I managed to do two-way SSL and verified it with the sample application. During login the client cert is passed and the default identity asserter verified it against the WebLogic user. Does that mean for this we need to have the user in the identity store?
Looking forward to your guidelines.
Edited by: user1022639 on Jul 12, 2011 3:56 AM
Information on SSL can be found here: http://www.evsslcertificate.com/ssl/description-ssl.html and http://www.tech-faq.com/understanding-ssl-secure-sockets-layer.html
The WebLogic security guide can be found here: http://download.oracle.com/docs/cd/E17904_01/web.1111/e13707/toc.htm
A step-by-step example on how to set up SSL/TLS can be found here: http://download.oracle.com/docs/cd/E17904_01/web.1111/e13707/toc.htm
especially the 'Setting up SSL/TLS' section.
Thanks Rane for pointing out the documentation. It helps me a lot.
In the X509 cert case the container takes the user id from the identity asserter and tries to find a mapping inside the WebLogic user store. So my question is: do we need to have all the users in WebLogic (either from an LDAP authenticator or the local LDAP or ...)? I couldn't clearly find the answer in those documents. Maybe I might be beating around the wrong bush. :)
So that means the client certificate is not sufficient; the user should also be present in the system.
In WebLogic you create an LDAP (or other) authenticator in which you keep your users/groups.
When you are using certificates you also need an asserter, which provides a mechanism to extract a username (or something similar).
Now when a user tries to log in, he/she provides some form of authentication, be it by using a certificate or by explicitly entering a username and password.
WebLogic uses (possibly through an asserter) the authenticator to see if the user is 'registered'. So the authenticator provides your 'database' that contains users.
I hope I am a little clear, because it does not sound like it (but forgive me, it is still early).
An example and background information can be found here: http://middlewaremagic.com/weblogic/?p=6479
The example uses single sign on and OID.
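The asserter-then-authenticator flow described in this answer, modelled as an added example that is not from the thread or from WebLogic itself: the identity asserter step maps the certificate subject's CN to a user name, and the login is accepted only if that name exists in the authenticator's store. It assumes a map standing in for the authenticator (sample data) and a self-signed certificate generated in place of the one presented during the two-way SSL handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// userStore stands in for the authenticator's user store (e.g. LDAP); sample data.
var userStore = map[string]bool{"alice": true, "bob": true}

// assertIdentity models the asserter: a user name mapper that takes the subject CN.
func assertIdentity(cert *x509.Certificate) (string, error) {
	if cert.Subject.CommonName == "" {
		return "", fmt.Errorf("client certificate subject has no CN")
	}
	return cert.Subject.CommonName, nil
}

// authenticate is the step the question asks about: the mapped name must exist in
// the authenticator, otherwise login fails even though the TLS handshake succeeded.
func authenticate(cert *x509.Certificate) (string, error) {
	user, err := assertIdentity(cert)
	if err != nil {
		return "", err
	}
	if !userStore[user] {
		return "", fmt.Errorf("user %q not found in authenticator", user)
	}
	return user, nil
}

// selfSignedCert builds a throw-away client cert with the given CN so this runs offline.
func selfSignedCert(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

A certificate whose CN is not in the store (or has no CN at all) is rejected at the authenticator step, which is exactly why the user must exist in WebLogic's user store even with a valid client certificate.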