Oracle8i Enterprise JavaBeans and CORBA Developer's Guide
Release 8.1.5

A64683-01


Using the Secure Socket Layer

The Secure Socket Layer (SSL) is a secure networking protocol, originally defined by Netscape Communications Inc.

Oracle8i JServer supports SSL communications over the IIOP protocol used by the ORB. In the current JServer release only server-side SSL authentication is supported: the client can authenticate the server by its certificate, but there is no means in this release for the server to authenticate a client.

SSL Protocol Version Numbers

The default SSL version number in a VisiBroker client ORB is "Undetermined". Table 4-2 shows the server and client version combinations that are expected to work, and which protocol version the handshake settles on. X indicates cases in which the handshake will fail.

The server-side (dispatcher) default is "Undetermined", so that it will work with all client versions and also with out-of-the-box Visigenic clients. However, you can set a specific server version number in the SQLNET.ORA file, using the SSL_VERSION parameter. For example, SSL_VERSION = 3.0.

To set the SSL client version number in the JNDI ServiceCtx object on the client side, set the environment property as follows:

environment.put("CLIENT_SSL_VERSION", ServiceCtx.SSL_30);

Table 4-2 SSL Version Numbers

Rows are the server (dispatcher) setting; columns are the client setting. A version number is the protocol version the handshake settles on, and X marks a handshake that fails. The client 2.0 column is not supported, so every entry in it is N/A.

Server setting           Client: Undetermined   Client: 3.0 W/2.0 Hello   Client: 3.0   Client: 2.0 (not supported)
-----------------------  ---------------------  ------------------------  ------------  ---------------------------
Undetermined or not set  3.0                    3.0                       X             N/A
3.0 W/2.0 Hello          3.0                    3.0                       X             N/A
3.0                      3.0                    3.0                       3.0           N/A
2.0                      2.0                    X                         X             N/A


Using SSL on the Client Side

When you use an SSL-based connection in client code, you must set the service context to SSL_CREDENTIAL (or SSL_LOGIN, if you are using login authentication rather than credential-based authentication). You do this as follows:

// Tell sess_iiop to use credential authentication
environment.put(InitialContext.SECURITY_AUTHENTICATION,
    ServiceCtx.SECURE_CREDENTIAL);

Then, after initializing the ORB:

org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init();

Determining SSL Certificate Information

It is up to the client to verify that the certificate chain is correct. The following is a client-side code example that shows how to get the information from the server. This example simply prints the information, but client code can use the return values as needed.

First you must look up an object on the server. This example uses the manager object from the bank example (see "bank") as the base server object to get the protocol version and the negotiated cipher.

import java.util.Hashtable;
import javax.naming.*;
import oracle.aurora.jndi.sess_iiop.ServiceCtx;
import oracle.aurora.AuroraServices.*;
import com.visigenic.vbroker.ssl.*;

// Set up the environment for the JNDI initial context. Credential
// authentication over SSL is selected as in "Using SSL on the Client Side";
// add Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS as for
// any sess_iiop lookup.
Hashtable environment = new Hashtable();
environment.put(InitialContext.SECURITY_AUTHENTICATION,
    ServiceCtx.SECURE_CREDENTIAL);
environment.put("CLIENT_SSL_VERSION", ServiceCtx.SSL_30);

Context ic = new InitialContext(environment);
AccountManager manager =
  (AccountManager) ic.lookup("sess_iiop://localhost:2481:ORCL/test/myBank");

// initialize the ORB
org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init();

// get the SSLCertificateManager pseudo-object
CertificateManager certificateManager =
  CertificateManagerHelper.narrow(
     orb.resolve_initial_references("SSLCertificateManager"));

// get the SSL current, which exposes the negotiated session parameters
Current current =
  CurrentHelper.narrow(orb.resolve_initial_references("SSLCurrent"));

// Check the cipher negotiated for the session with the manager object
System.out.println("Negotiated Cipher:  " +
  CipherSuite.toString(current.getNegotiatedCipher(manager)));

// Check the protocol version
System.out.println("Protocol Version:   " +
  current.getProtocolVersion(manager));

// Check the peer's distinguished name
System.out.println("The server's distinguished name: " +
  current.getPeerCertificateChain(manager).distinguishedName());

// Check the peer's certificate
System.out.println("The server's certificate: " +
  current.getPeerCertificateChain(manager));
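The example above only prints what the server presented; since the guide leaves chain verification to the client, a client that actually relies on SSL should refuse to use the session when the server's identity does not match what it expects. The following is an added example, not code from the Oracle8i guide, that turns the printed values into a fail-closed check using only the calls shown above. The expected distinguished name, the user and password, and the rule that the cipher name must not contain "NULL" or "EXPORT" are assumptions you would replace with your own values; the URL_PKG_PREFIXES entry is the one I assume from the rest of the guide.

```java
// Added example (not from the Oracle8i guide): a bank client that checks the
// server's SSL identity before using the AccountManager session.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import oracle.aurora.jndi.sess_iiop.ServiceCtx;
import oracle.aurora.AuroraServices.*;   // AccountManager, as in the guide's bank example
import com.visigenic.vbroker.ssl.*;      // Current, CurrentHelper, CipherSuite

public class VerifiedBankClient {
  // Assumption: the DN carried by the certificate in your server's wallet.
  static final String EXPECTED_SERVER_DN =
      "CN=bankserver,OU=example,O=Example Corp,C=US";   // placeholder value

  public static void main(String[] args) throws Exception {
    Hashtable environment = new Hashtable();
    environment.put(Context.URL_PKG_PREFIXES, "oracle.aurora.jndi"); // assumed, see lead-in
    environment.put(Context.SECURITY_PRINCIPAL, "scott");             // placeholder user
    environment.put(Context.SECURITY_CREDENTIALS, "tiger");           // placeholder password
    environment.put(Context.SECURITY_AUTHENTICATION, ServiceCtx.SECURE_CREDENTIAL);
    environment.put("CLIENT_SSL_VERSION", ServiceCtx.SSL_30); // pin the client to 3.0 (Table 4-2)

    Context ic = new InitialContext(environment);
    AccountManager manager =
        (AccountManager) ic.lookup("sess_iiop://localhost:2481:ORCL/test/myBank");

    org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init();
    Current current =
        CurrentHelper.narrow(orb.resolve_initial_references("SSLCurrent"));

    if (!serverIsTrusted(current, manager)) {
      System.err.println("Refusing to use the session: server identity check failed");
      System.exit(1);
    }
    // From here on, calls on manager go over a session whose peer was checked.
  }

  // Returns true only if the peer DN is the expected one and the negotiated
  // cipher is not a null or export-grade suite. Assumption: CipherSuite.toString
  // yields a suite name in which such suites are marked "NULL" or "EXPORT".
  static boolean serverIsTrusted(Current current, org.omg.CORBA.Object target) {
    String cipher  = CipherSuite.toString(current.getNegotiatedCipher(target));
    String version = String.valueOf(current.getProtocolVersion(target));
    String dn      = current.getPeerCertificateChain(target).distinguishedName();
    System.out.println("Protocol " + version + ", cipher " + cipher + ", peer DN " + dn);

    if (dn == null || !EXPECTED_SERVER_DN.equals(dn)) {
      System.err.println("Peer DN mismatch; expected " + EXPECTED_SERVER_DN);
      return false;
    }
    if (cipher == null || cipher.indexOf("NULL") >= 0 || cipher.indexOf("EXPORT") >= 0) {
      System.err.println("Weak or null cipher negotiated: " + cipher);
      return false;
    }
    return true;
  }
}
```

Comparing the DN to a value you configured is the simplest check the guide's API allows; it does not replace validating the chain against a trusted issuer, which is why the check is placed before any account operation rather than after the output is merely logged.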

Using SSL on the Server Side

The object implementation does not need any special code to use SSL. However, be aware that listeners need to be configured to listen on IIOP SSL ports. Also, the LISTENER.ORA and SQLNET.ORA files must be configured to specify a wallet location. For example, these files must have entries such as:

oss.source.my_wallet=
      (SOURCE=(METHOD=FILE)(METHOD_DATA=
        (DIRECTORY=/private/scott/oss)))

where /private/scott/oss is the directory that holds the SSO wallet. The directory name is arbitrary, but both files must point at the same wallet location.

The following are not supported for SSL in this release of Oracle8i JServer:




Copyright © 1999 Oracle Corporation. All Rights Reserved.