Comments on: The WebLogic Administration Port http://monduke.com/2008/03/21/the-weblogic-administration-port/ Covering J2EE Security and WebLogic Topics Tue, 13 Apr 2010 01:53:49 -0600 http://wordpress.org/?v=2.9.2 hourly 1 By: Steve K http://monduke.com/2008/03/21/the-weblogic-administration-port/comment-page-1/#comment-13968 Steve K Tue, 23 Dec 2008 02:22:30 +0000 http://monduke.com/?p=56#comment-13968 Thanks, excellent tip! Thanks, excellent tip!

]]> By: Mike Fleming http://monduke.com/2008/03/21/the-weblogic-administration-port/comment-page-1/#comment-13934 Mike Fleming Wed, 16 Jul 2008 23:12:44 +0000 http://monduke.com/?p=56#comment-13934 Pete, True, WebLogic does not provide an OOTB CRL checking solution. At least it doesn't in WLS 8/9. Unfortunately, I can't speak for WLS 10 since I don't have much experience with that. (I don't think it does, though.) I do know of CRL checking implementations in WLS but they are not publicly available. I believe that a custom IdentityAsserter was used in WLS 8. The CertPath provider seems like a better place to put the code if you're using WLS 9 or 10. If you have the option, use OCSP instead of CRLs since it is faster and easier to manage. Unfortunately, you'll still have to write a custom provider unless one is provided by your OCSP vendor. Pete,

True, WebLogic does not provide an OOTB CRL checking solution. At least it doesn’t in WLS 8/9. Unfortunately, I can’t speak for WLS 10 since I don’t have much experience with that. (I don’t think it does, though.)

I do know of CRL checking implementations in WLS but they are not publicly available. I believe that a custom IdentityAsserter was used in WLS 8. The CertPath provider seems like a better place to put the code if you’re using WLS 9 or 10.

If you have the option, use OCSP instead of CRLs since it is faster and easier to manage. Unfortunately, you’ll still have to write a custom provider unless one is provided by your OCSP vendor.

]]> By: Pete Thomas http://monduke.com/2008/03/21/the-weblogic-administration-port/comment-page-1/#comment-13933 Pete Thomas Wed, 16 Jul 2008 14:12:59 +0000 http://monduke.com/?p=56#comment-13933 Quick qeustion--you made a reply on a WebLogic forum that WLS doesn't support CRL checking "out-of-the box" but that you could implement a custom authenticator...Do you know anyone that has done this already? I really don't want to re-invent the wheel on what seems like it should be a straight-forward task. Quick qeustion–you made a reply on a WebLogic forum that WLS doesn’t support CRL checking “out-of-the box” but that you could implement a custom authenticator…Do you know anyone that has done this already? I really don’t want to re-invent the wheel on what seems like it should be a straight-forward task.

]]> By: Mike Fleming http://monduke.com/2008/03/21/the-weblogic-administration-port/comment-page-1/#comment-13904 Mike Fleming Thu, 03 Apr 2008 22:56:26 +0000 http://monduke.com/?p=56#comment-13904 Adam, Thanks for the tips. Readers would be well-advised to follow your example of careful deployment and network security techniques. The angle I was coming from addressed those who deploy one server. Unfortunately, I never specifically stated that. Adam,

Thanks for the tips. Readers would be well-advised to follow your example of careful deployment and network security techniques.

The angle I was coming from addressed those who deploy one server. Unfortunately, I never specifically stated that.

]]> By: adam http://monduke.com/2008/03/21/the-weblogic-administration-port/comment-page-1/#comment-13903 adam Thu, 03 Apr 2008 21:02:33 +0000 http://monduke.com/?p=56#comment-13903 I prefer to run a dedicated admin server, protected, firewalled, and nowhere near accessible from even the DMZ. Then I deploy managed servers, which would not have the admin console deployed to them. I prefer to run a dedicated admin server, protected, firewalled, and nowhere near accessible from even the DMZ. Then I deploy managed servers, which would not have the admin console deployed to them.

]]>