Friday 7 December 2007

Using SSL with WebLogic Server

When using SSL with WebLogic Server, use keystores; storing identity (private keys and certs) and trust (CA) in files is deprecated. Migrating from an earlier version might require you to create keystores from private keys, certs, or trust files.

If the network that connects WebLogic Server in a domain is not trusted, enable SSL on each server in the domain, so that LDAP replication between the admin server and managed servers uses SSL connections. Enabling an administration port in the domain requires that all servers use SSL.

The default WebLogic installation ships with an exportable-strength SSL implementation (the maximum SSL strength is 512-bit keys with 40-bit bulk encryption). Key lengths longer than 512 bits require a domestic-strength SSL license key from BEA. If you use SSL in your production environment, use high-strength SSL. Key lengths of less than 1024 bits are generally considered weak.

SSL hardware accelerators:

Running SSL on the WebLogic servers is a tremendous drain on server resources. By offloading SSL processing, those resources can be applied to WebLogic functions. Web servers, load balancers, firewalls, or switches can handle SSL processing.

Connection filters:

Incoming connections to WebLogic Server can be controlled by filtering them. WebLogic Server provides a default connection filter implementation that you can configure in the admin console.

Tips

1. In production, do not use the sample SSL certificates that are provided with WebLogic.

2. To avoid compromising application security, install and configure server-specific SSL certificates and enable hostname verification on production servers.

3. Use SSL with WebLogic Server only if it is necessary. SSL degrades performance.

4. To control the types of connections accepted by WebLogic Server instances, use connection filters.

5. Use a load balancer with built-in secure sockets layer (SSL) support, or run WebLogic Server on a machine that has SSL hardware, with the Java Cryptography Extension (JCE).
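As an added illustration of tip 4 (not code from this post or from BEA): a custom connection filter that accepts only SSL-based protocols from outside the domain's own network, so that plain-text listeners cannot be reached from untrusted hosts. The `example.security` package, the `10.0.0.` network prefix and the set of protocol names are assumptions; the `weblogic.security.net` interfaces are WebLogic's public connection-filter API, and the class must be on the server classpath before it is registered in the admin console.

```java
package example.security; // assumed package name, not from the post

import java.net.InetAddress;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import weblogic.security.net.ConnectionEvent;
import weblogic.security.net.ConnectionFilter;
import weblogic.security.net.FilterException;

/**
 * Accepts any protocol from the hosts that run the domain's own servers,
 * and only SSL-based protocols from everywhere else. The container
 * instantiates it, so it needs a public no-arg constructor (the default).
 */
public class SslOnlyConnectionFilter implements ConnectionFilter {

    // Assumed to match the protocol names used in connection-filter rules.
    private static final Set<String> SSL_PROTOCOLS =
        new HashSet<String>(Arrays.asList("https", "t3s", "ldaps", "iiops"));

    // Constructed sample value: the network prefix of the domain's servers.
    private static final String DOMAIN_NETWORK_PREFIX = "10.0.0.";

    // Returning normally accepts the connection; throwing rejects it.
    public void accept(ConnectionEvent event) throws FilterException {
        String protocol = event.getProtocol().toLowerCase();
        InetAddress remote = event.getRemoteAddress();
        String remoteIp = remote.getHostAddress();

        if (isAllowed(protocol, remoteIp)) {
            return;
        }
        throw new FilterException("Refusing " + protocol + " from " + remoteIp
            + ":" + event.getRemotePort() + " on local port "
            + event.getLocalPort()
            + " (only SSL protocols are accepted from outside the domain network)");
    }

    /** Decision logic kept separate so it can be tested without a running server. */
    static boolean isAllowed(String protocol, String remoteIp) {
        if (remoteIp.startsWith(DOMAIN_NETWORK_PREFIX)) {
            return true; // domain servers may talk to each other over any protocol
        }
        return SSL_PROTOCOLS.contains(protocol);
    }
}
```

The rejection message is written to the server log, which gives a simple audit trail of plain-text connection attempts from outside the domain network.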
