Oracle8i Enterprise JavaBeans and CORBA Developer's Guide Release 8.1.5 A64683-01
The Secure Sockets Layer (SSL) is a secure networking protocol, originally defined by Netscape Communications Inc.
Oracle8i JServer supports SSL communications over the IIOP protocol used for the ORB. In the current JServer release only server-side SSL authentication is supported. There is no means in this release for a server to authenticate a client.
The default SSL version number in a VisiBroker client ORB is "Undetermined". Table 4-2 shows the combinations that are expected to work. X indicates cases in which the handshake will fail.
The server side (dispatcher) default is "Undetermined", so that it will work with all client versions and also with "out of the box" Visigenics clients. However, you can set a specific server version number in the SQLNET.ORA file, using the SSL_VERSION parameter. For example, SSL_VERSION = 3.0.
To set the SSL client version number in the JNDI ServiceCtx object on the client side, set the environment property as follows:

    environment.put("CLIENT_SSL_VERSION", ServiceCtx.SSL_30);
Table 4-2: Client Setting (rows) against Server Setting (columns) [table cells not recoverable in this copy]
When you use an SSL-based connection in client code, you must set the service context to SSL_CREDENTIAL (or SSL_LOGIN, if you are using login authentication rather than credential-based authentication). You do this as follows:
    // Tell sess_iiop to use credential authentication
    environment.put(InitialContext.SECURITY_AUTHENTICATION, ServiceCtx.SECURE_CREDENTIAL);
Then, after initializing the ORB:
    org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init();
It is up to the client to verify that the certificate chain is correct. The following is a client-side code example that shows how to get the information from the server. This example simply prints the information, but client code can use the return values as needed.
First you must look up an object on the server. This example uses the manager object from the bank example (see "bank") as the base server object to get the protocol version and the negotiated cipher.
    import java.util.Hashtable;
    import javax.naming.*;
    import oracle.aurora.jndi.sess_iiop.ServiceCtx;
    import oracle.aurora.AuroraServices.*;
    import com.visigenic.vbroker.ssl.*;

    public class SslInfoClient {
      public static void main(String[] args) throws Exception {
        // Set up the environment for the JNDI initial context, using the
        // SSL properties shown above (the login properties used by the other
        // client examples in this guide must be added as well)
        Hashtable environment = new Hashtable();
        environment.put(InitialContext.SECURITY_AUTHENTICATION,
                        ServiceCtx.SECURE_CREDENTIAL);
        environment.put("CLIENT_SSL_VERSION", ServiceCtx.SSL_30);

        Context ic = new InitialContext(environment);
        AccountManager manager = (AccountManager)
            ic.lookup("sess_iiop://localhost:2481:ORCL/test/myBank");

        // Initialize the ORB
        org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init();

        // Get the SSLCertificateManager pseudo-object
        CertificateManager certificateManager = CertificateManagerHelper.narrow(
            orb.resolve_initial_references("SSLCertificateManager"));

        // Get the SSL Current pseudo-object
        Current current = CurrentHelper.narrow(
            orb.resolve_initial_references("SSLCurrent"));

        // Check the cipher
        System.out.println("Negotiated Cipher: " +
            CipherSuite.toString(current.getNegotiatedCipher(manager)));

        // Check the protocol version
        System.out.println("Protocol Version: " +
            current.getProtocolVersion(manager));

        // Check the peer's distinguished name
        System.out.println("The server's distinguished name: " +
            current.getPeerCertificateChain(manager).distinguishedName());

        // Check the peer's certificate
        System.out.println("The server's certificate: " +
            current.getPeerCertificateChain(manager));
      }
    }
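Because the guide leaves it to the client to verify the server, the following added example (not code from the guide) turns the calls above into a policy check that rejects the session instead of just printing the values. It assumes that the value returned by getProtocolVersion() compares equal to the string "3.0" when converted with String.valueOf, and that the expected server DN and the cipher allowlist are supplied by the deployer.

```java
import java.util.Set;
import com.visigenic.vbroker.ssl.*;

// Client-side verification of a negotiated IIOP/SSL session, built from the
// SSLCurrent calls shown in the guide's example. Call it on the looked-up
// server object before invoking any business method on it.
public class SslServerCheck {

    // Assumed representation of the server version configured via SSL_VERSION = 3.0
    private static final String REQUIRED_VERSION = "3.0";

    public static void verifyServer(Current current,
                                    org.omg.CORBA.Object server,
                                    String expectedDn,        // deployer-supplied
                                    Set allowedCiphers)       // deployer-supplied allowlist
            throws SecurityException {

        // 1. Protocol version must be the one the server is expected to run
        String version = String.valueOf(current.getProtocolVersion(server));
        if (!REQUIRED_VERSION.equals(version)) {
            throw new SecurityException(
                "Unexpected SSL protocol version negotiated: " + version);
        }

        // 2. Negotiated cipher must be on the allowlist
        String cipher = CipherSuite.toString(current.getNegotiatedCipher(server));
        if (!allowedCiphers.contains(cipher)) {
            throw new SecurityException(
                "Negotiated cipher not in allowlist: " + cipher);
        }

        // 3. The peer's distinguished name must match the server we intended to reach
        String dn = current.getPeerCertificateChain(server).distinguishedName();
        if (!expectedDn.equals(dn)) {
            throw new SecurityException(
                "Server distinguished name mismatch, got: " + dn);
        }
        // All checks passed; the caller may now use the server object.
    }
}
```

With the variables from the guide's example, the call is `SslServerCheck.verifyServer(current, manager, expectedDn, allowedCiphers);` placed right after the SSL Current is resolved.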
The object implementation does not need any special code to use SSL. However, be aware that listeners need to be configured to listen on IIOP SSL ports. Also, the LISTENER.ORA and SQLNET.ORA files must be configured to specify a wallet location. For example, these files must have entries such as:

    oss.source.my_wallet= (SOURCE=(METHOD=FILE)(METHOD_DATA= (DIRECTORY=/private/scott/oss)))

where /private/scott/oss is a directory specifying the location of an SSO wallet. The directory name is arbitrary.
The following are not supported for SSL in this release of Oracle8i JServer: