
15-4 Developing Security Providers for Oracle WebLogic Server

15.1.4 WebLogic CertPath Validator SSPI

The WebLogic CertPath Validator SSPI has four parts:

■ An MBean SSPI, described in Section 15.1.3, CertPath Provider SPI MBeans.
■ The JDK CertPathValidatorSPI interface, as described in Section 15.3.1.1, Implement the JDK CertPathBuilderSpi and/or CertPathValidatorSpi Interfaces.
■ The WebLogic Server CertPathProvider SSPI interface, as described in Section 15.3.1.2, Implement the CertPath Provider SSPI.
■ The JDK security provider that registers your CertPathValidatorSPI implementation with the JDK, as described in Section 15.3.1.3, Implement the JDK Security Provider SPI.

15.1.5 WebLogic CertPath Builder SSPI

The WebLogic CertPath Builder SSPI has four parts:

■ An MBean SSPI, described in Section 15.1.3, CertPath Provider SPI MBeans.
■ The JDK CertPathBuilderSPI interface, as described in Section 15.3.1.1, Implement the JDK CertPathBuilderSpi and/or CertPathValidatorSpi Interfaces.
■ The WebLogic Server CertPathProvider SSPI interface, as described in Section 15.3.1.2, Implement the CertPath Provider SSPI.
■ The JDK security provider that registers your CertPathBuilderSPI with the JDK, as described in Section 15.3.1.3, Implement the JDK Security Provider SPI.

15.1.6 Relationship Between the WebLogic Server CertPath SSPI and the JDK SPI

Unlike other WebLogic Security Framework providers, your implementation of the CertPath provider relies on a tightly-coupled integration of WebLogic and JDK interfaces. This integration might best be shown in the tasks you perform to create a CertPath provider.

If you are writing a CertPath Validator, you must perform the following tasks:

1. Create a CertPathValidatorMBean that extends CertPathProviderMBean, as described in Section 15.3.2, Generate an MBean Type Using the WebLogic MBeanMaker.

2. Implement the JDK java.security.cert.CertPathValidatorSpi, as described in Section 15.3.1.1, Implement the JDK CertPathBuilderSpi and/or CertPathValidatorSpi Interfaces.

   Your JDK implementation will be passed a JDK CertPathParameters object that you can cast to a WebLogic CertPathValidatorParametersSpi. You can then access its WebLogic methods to get the trusted CAs and ContextHandler. You can also use it to access your WebLogic CertPath provider object.

   Use the CertPathValidatorParametersSpi to provide the data you need to validate the certificate chain, such as Trusted CAs, the ContextHandler, and your CertPath provider SSPI implementation, which gives access to any custom configuration data provided by your MBean, as described in Section 15.3.1.5, Use the CertPathValidatorParametersSpi SSPI in Your CertPathValidatorSpi Implementation.

   Your WebLogic CertPath provider is important because your CertPathValidatorSpi implementation has no direct way to get the custom configuration data in your MBean. Your WebLogic CertPath provider can provide a proprietary mechanism to make your custom MBean data available to your JDK implementation.

3. Implement the WebLogic CertPath provider SSPI, as described in Section 15.3.1.2, Implement the CertPath Provider SSPI.

   In particular, you use the initialize method of the CertPath provider SSPI to hook into the MBean and make its custom configuration data available to your CertPathValidatorSpi implementation, as shown in Example 15–2.

4. Implement a JDK security provider that registers your CertPathValidatorSpi implementation, as described in Section 15.3.1.3, Implement the JDK Security Provider SPI. This coding might not be intuitive, and is called out in Example 15–5.

If you are writing a CertPath Builder, you must perform the following tasks:

1. Create a CertPathBuilderMBean that extends CertPathProviderMBean, as described in Section 15.3.2, Generate an MBean Type Using the WebLogic MBeanMaker.

2. Implement the JDK java.security.cert.CertPathBuilderSpi, as described in Section 15.3.1.1, Implement the JDK CertPathBuilderSpi and/or CertPathValidatorSpi Interfaces.

   Your JDK implementation will be passed a JDK CertPathParameters object that you can cast to a WebLogic CertPathBuilderParametersSpi. You can then access its WebLogic methods to get the trusted CAs, selector, and ContextHandler. You can also use it to access your WebLogic CertPath provider object.

   Use the CertPathBuilderParametersSpi to provide the data you need to build the CertPath, such as Trusted CAs, ContextHandler, the CertPathSelector, and your CertPath provider SSPI implementation, which gives access to any custom configuration data provided by your MBean, as described in Section 15.3.1.4, Use the CertPathBuilderParametersSpi SSPI in Your CertPathBuilderSpi Implementation.

   Your WebLogic CertPath provider is important because your CertPathBuilderSpi implementation has no direct way to get the custom configuration data in your MBean. Your WebLogic CertPath provider can provide a proprietary mechanism to make your custom MBean data available to your JDK implementation.

3. Implement a WebLogic CertPath provider SSPI, as described in Section 15.3.1.2, Implement the CertPath Provider SSPI.

   In particular, you use the initialize method of the CertPath provider SSPI to hook into the MBean and make its custom configuration data available to your CertPathBuilderSpi implementation, as shown in Example 15–2.

4. Implement the JDK security provider that registers your CertPathBuilderSpi implementation, as described in Section 15.3.1.3, Implement the JDK Security Provider SPI. This coding might not be intuitive, and is called out in Example 15–5.

15.2 Do You Need to Develop a Custom CertPath Provider?
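The JDK half of the validator tasks in Section 15.1.6 (tasks 2 and 4), shown as an added example that is not Oracle's sample code and uses only JDK classes (Java 9 or later). The class names, the algorithm name and DemoParams are hypothetical; DemoParams stands in for the WebLogic CertPathValidatorParametersSpi you would cast to inside WebLogic Server, and delegating the chain checks to the JDK's PKIX validator is this example's choice.

```java
import java.security.*;
import java.security.cert.*;
import java.util.*;

public class CertPathSpiDemo {
    static final String ALG = "DemoValidator"; // hypothetical algorithm name

    // Hypothetical stand-in for WebLogic's CertPathValidatorParametersSpi: it carries
    // the trusted CAs plus one custom setting of the kind an MBean would supply.
    public static class DemoParams implements CertPathParameters {
        final List<X509Certificate> trustedCAs;
        final boolean checkRevocation;
        public DemoParams(List<X509Certificate> cas, boolean rev) { trustedCAs = cas; checkRevocation = rev; }
        @Override public Object clone() { return new DemoParams(trustedCAs, checkRevocation); }
    }
    // Task 2: the JDK SPI implementation. It must be public with a public no-arg constructor.
    public static class DemoValidatorSpi extends CertPathValidatorSpi {
        @Override public CertPathValidatorResult engineValidate(CertPath path, CertPathParameters params)
                throws CertPathValidatorException, InvalidAlgorithmParameterException {
            if (!(params instanceof DemoParams)) // fail closed on foreign parameter types
                throw new InvalidAlgorithmParameterException("expected DemoParams");
            DemoParams p = (DemoParams) params;
            if (path.getCertificates().isEmpty()) // never report an empty chain as valid
                throw new CertPathValidatorException("empty certificate chain");
            Set<TrustAnchor> anchors = new HashSet<>();
            for (X509Certificate ca : p.trustedCAs) anchors.add(new TrustAnchor(ca, null));
            PKIXParameters pkix = new PKIXParameters(anchors); // throws if there are no trusted CAs
            pkix.setRevocationEnabled(p.checkRevocation);
            try { // signature, validity and constraint checks are done by the JDK's PKIX validator
                return CertPathValidator.getInstance("PKIX").validate(path, pkix);
            } catch (NoSuchAlgorithmException e) { throw new CertPathValidatorException(e); }
        }
    }
    // Task 4: the JDK security provider that maps the algorithm name to the SPI class.
    public static class DemoJdkProvider extends Provider {
        public DemoJdkProvider() {
            super("DemoCertPathProvider", "1.0", "registers DemoValidatorSpi");
            put("CertPathValidator." + ALG, DemoValidatorSpi.class.getName());
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new DemoJdkProvider());
        CertPathValidator v = CertPathValidator.getInstance(ALG); // resolved through the provider
        CertPath empty = CertificateFactory.getInstance("X.509").generateCertPath(new ArrayList<X509Certificate>());
        try { v.validate(empty, null); } // wrong parameter type
        catch (InvalidAlgorithmParameterException e) { System.out.println("rejected: " + e.getMessage()); }
        try { v.validate(empty, new DemoParams(new ArrayList<>(), true)); } // constructed empty chain
        catch (CertPathValidatorException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Both calls in main are rejected, which is the behavior to confirm first in a custom validator: an unexpected parameter object or an empty chain must never produce a successful result.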