Friday, April 26, 2013

Host Name Verification

A host name verifier ensures the host name in the URL to which the client connects matches the host name in the digital certificate that the server sends back as part of the SSL connection. A host name verifier is useful when an SSL client (or a WebLogic Server acting as an SSL client) connects to an application server on a remote host. It helps to prevent man-in-the-middle attacks.
By default, WebLogic Server has host name verification enabled. As a function of the SSL handshake, WebLogic Server compares the common name in the SubjectDN in the SSL server’s digital certificate with the host name of the SSL server used to initiate the SSL connection. If these names do not match, the SSL connection is dropped. The SSL client is the actual party that drops the SSL connection if the names do not match.
If anything other than the default behavior is desired, either turn off host name verification or configure a custom host name verifier. Turning off host name verification leaves WebLogic Server vulnerable to man-in-the-middle attacks. Oracle recommends leaving host name verification on in production environments.
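The following is an added example, not code from this post or from WebLogic, showing what a custom host name verifier has to do to implement the check described above: take the server's end-entity certificate from the `SSLSession`, extract the CN from its Subject DN, and compare it with the host name from the URL. It goes beyond the post in also accepting a matching dNSName entry in the Subject Alternative Name extension, which is where the server's DNS name is normally placed today. The class implements the standard `javax.net.ssl.HostnameVerifier`; by the WebLogic documentation (an assumption made here, not confirmed by the post), `weblogic.security.SSL.HostnameVerifier` declares the same `verify(String, SSLSession)` method, so plugging the class in via `-Dweblogic.security.SSL.hostnameVerifier=<classname>` is a matter of changing the `implements` clause. The class name and the DN and SAN values used in `main` are constructed.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical example verifier (not part of WebLogic): fails closed on any doubt. */
public class StrictHostnameVerifier implements HostnameVerifier {

    @Override
    public boolean verify(String urlHostname, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;  // no usable end-entity certificate
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            String subjectDn = leaf.getSubjectX500Principal().getName();  // RFC 2253 form
            return matches(urlHostname, subjectDn, dnsNames(leaf));
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false;  // unverified peer or unreadable extension: drop the connection
        }
    }

    /** Pure decision logic, kept separate so it can be exercised without a live session. */
    static boolean matches(String urlHostname, String subjectDn, Collection<String> dnsSans) {
        if (urlHostname == null || urlHostname.isEmpty()) {
            return false;
        }
        String host = urlHostname.toLowerCase(Locale.ROOT);
        String cn = commonName(subjectDn);          // the Subject CN comparison described above
        if (cn != null && nameMatches(host, cn)) {
            return true;
        }
        for (String san : dnsSans) {                // added: dNSName SAN entries
            if (nameMatches(host, san)) {
                return true;
            }
        }
        return false;
    }

    /** Exact match, or a single-label wildcard such as *.example.com (never the bare domain). */
    static boolean nameMatches(String host, String certName) {
        String name = certName.toLowerCase(Locale.ROOT);
        if (name.equals(host)) {
            return true;
        }
        if (name.startsWith("*.") && name.indexOf('*', 1) < 0) {
            int firstDot = host.indexOf('.');
            return firstDot > 0 && host.substring(firstDot).equals(name.substring(1));
        }
        return false;
    }

    /** CN attribute of an RFC 2253 DN, or null if absent or unparsable. */
    static String commonName(String subjectDn) {
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // unparsable DN: treated as having no CN
        }
        return null;
    }

    /** dNSName (GeneralName type 2) entries of the SubjectAlternativeName extension. */
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                if (entry.size() >= 2 && Integer.valueOf(2).equals(entry.get(0))) {
                    names.add(String.valueOf(entry.get(1)));
                }
            }
        }
        return names;
    }

    /** Constructed cases; no connection is opened. */
    public static void main(String[] args) {
        String dn = "CN=app.example.com,O=Example Corp,C=US";                    // constructed
        List<String> sans = Arrays.asList("app.example.com", "*.svc.example.com"); // constructed
        System.out.println(matches("app.example.com", dn, sans));      // CN matches
        System.out.println(matches("api.svc.example.com", dn, sans));  // wildcard SAN, one label
        System.out.println(matches("svc.example.com", dn, sans));      // bare domain vs wildcard
        System.out.println(matches("evil.example.net", dn, sans));     // unrelated host
    }
}
```

The design point is that every failure path, including a missing or unparsable certificate, returns `false` so the client drops the connection, which is the behaviour the post attributes to the SSL client when the names do not match.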

Verify host name verification is enabled

To verify that host name verification is enabled:
  1. In the left pane of the Console, expand Environment and select Servers.
  2. Click the name of the server for which you want to configure host name verification.
  3. At the bottom of the page, click Advanced.
  4. Verify that the Hostname Verification field is set to BEA Hostname Verifier.
    If you want anything other than the default behavior, either turn off host name verification or configure a custom host name verifier. Oracle recommends leaving host name verification on in production environments.
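Clicking through the console works for one server; the following WLST script is an added example (not from the post, not Oracle's code) that performs the same check for every server in the domain and exits non-zero if any of them is not on the default verifier. It assumes the `SSLMBean` attributes `HostnameVerificationIgnored` and `HostnameVerifier`, and that the console's "BEA Hostname Verifier" corresponds to verification not being ignored with no custom verifier class set (an interpretation assumed here). The admin URL is a placeholder; credentials are prompted for at the `connect()` call.

```jython
# audit_hostname_verification.py -- added example, not part of the post.
# Run with:  java weblogic.WLST audit_hostname_verification.py
import sys

ADMIN_URL = 't3://adminhost.example.com:7001'   # placeholder, replace with your admin server

def classify(ssl):
    """Map the two SSLMBean attributes (assumed names) to the console's
    Hostname Verification value."""
    if ssl.isHostnameVerificationIgnored():
        return 'None'
    custom = ssl.getHostnameVerifier()
    if custom:
        return 'Custom: ' + custom
    return 'BEA Hostname Verifier'   # not ignored and no custom class: the default

connect(url=ADMIN_URL)   # username and password are prompted for
cd('/')                  # DomainMBean in the serverConfig tree
findings = []
for server in cmo.getServers():
    name = server.getName()
    state = classify(server.getSSL())
    print '%-30s %s' % (name, state)
    if state != 'BEA Hostname Verifier':
        findings.append((name, state))
disconnect()

if findings:
    print 'Servers not using the default host name verifier:', findings
    sys.exit(1)
```

Wiring this into a periodic job gives a detection for the case the post warns about: someone setting Hostname Verification to None on a production server and leaving it that way.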

Disable host name verification

Turn off host name verification in one of the following ways:
  • On the command line of an SSL client, enter the following argument:
    -Dweblogic.security.SSL.ignoreHostnameVerification=true
    Note: When using stand-alone SSL clients, host name verification must be set on the command line or via the API.
  • In the WebLogic Server Administration Console:
  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit.
  2. In the left pane of the Console, expand Environment and select Servers.
  3. Click the name of the server for which you want to disable host name verification.
  4. Select Configuration > SSL, and click Advanced at the bottom of the page.
  5. Set the Hostname Verification field to None.
    Oracle recommends leaving host name verification on in production environments.
  6. Click Save.
  7. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
    Not all changes take effect immediately; some require a restart.
