
15 CertPath Providers

The WebLogic Security service provides a framework that finds and validates X509 certificate chains for inbound 2-way SSL, outbound SSL, application code, and WebLogic Web services. The Certificate Lookup and Validation (CLV) framework is a new security plug-in framework that finds and validates certificate chains. The framework extends and completes the JDK CertPath functionality, and allows you to create a custom CertPath provider.

The following sections provide the background information you need to understand before adding certificate lookup and validation capability to your custom security providers, and then give step-by-step instructions for adding that capability to a custom security provider:

■ Section 15.1, Certificate Lookup and Validation Concepts
■ Section 15.2, Do You Need to Develop a Custom CertPath Provider?
■ Section 15.3, How to Develop a Custom CertPath Provider

15.1 Certificate Lookup and Validation Concepts

A CertPath is a JDK class that stores a certificate chain in memory. The term CertPath is also used to refer to the JDK architecture and framework that is used to locate and validate certificate chains. There are two distinct types of providers, CertPath Validators and CertPath Builders:

■ The purpose of a certificate validator is to determine whether the presented certificate chain is valid and trusted. As the CertPath Validator provider writer, you decide how to validate the certificate chain and whether you need to use the trusted CAs.

■ The purpose of a certificate builder is to find a certificate chain, using a selector that holds the selection criteria for the CertPath to be found. Certificate builders often validate the certificate chain as well. As the CertPath Builder provider writer, you decide which of the four selector types you support and whether you also validate the certificate chain. You also decide how much of the certificate chain you fill in and whether you need to use the trusted CAs.

The WebLogic CertPath providers are built using both the JDK and WebLogic CertPath SPIs.

15.1.1 The Certificate Lookup and Validation Process

The certificate lookup and validation process is shown in Figure 15–1.

Figure 15–1 Certificate Lookup and Validation Process

15.1.2 Do You Need to Implement Separate CertPath Validators and Builders?

You can implement the CertPath provider in several ways:

■ You can implement a CertPath Builder that performs both building and validation. In this case, you are responsible for:
  1. Implementing the Validator SPI.
  2. Implementing the Builder SPI.
  3. Validating the certificate chain you build as part of the Builder SPI. Your provider will be called only once; it will not be called a second time specifically for validation, so a chain you return is used as built, without a further validation pass.
  4. Deciding the validation algorithm, which selectors to support, and whether to use trusted CAs.

■ You can implement a CertPath Validator that performs only validation. In this case, you are responsible for:
  1. Implementing the Validator SPI.
  2. Deciding the validation algorithm and whether to use trusted CAs.

■ You can implement a CertPath Builder that performs only building. In this case, you are responsible for:
  1. Implementing the Builder SPI.
  2. Deciding whether to validate the chain you build.
  3. Deciding which selectors to support and whether to use trusted CAs.
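The following program is an added illustration of the builder and validator roles described in Section 15.1 and Section 15.1.2; it is not code from this guide or from WebLogic Server. It uses only the JDK CertPath classes that the CLV framework extends (java.security.cert), not the WebLogic SSPIs, so the split it shows is the JDK's: a CertPathBuilder driven by an X509CertSelector (the JDK analogue of the selector that carries the lookup criteria), bounded by a set of trusted CAs, and a separate CertPathValidator that accepts or rejects a chain it did not build. The class name CertPathDemo and the three PEM file names on the command line are assumptions; the JDK PKIX builder validates the chain it builds, which corresponds to the "builder that also validates" option above, while the standalone validate() call corresponds to a validator-only provider.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.*;
import java.util.*;

/**
 * Hypothetical demo (not WebLogic code) of the JDK CertPath builder/validator split.
 * Usage: java CertPathDemo leaf.pem intermediates.pem trusted-cas.pem
 * The file names are assumptions; each file holds one or more PEM certificates.
 */
public class CertPathDemo {

    /** Reads every X.509 certificate from a PEM (or DER) file. */
    static List<X509Certificate> readCerts(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /** Wraps the trusted CA certificates as trust anchors (PKIXParameters rejects an empty set). */
    static Set<TrustAnchor> anchorsFor(Collection<X509Certificate> trustedCas) {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : trustedCas) {
            anchors.add(new TrustAnchor(ca, null));
        }
        return anchors;
    }

    /**
     * Builder role: the selector carries the criteria for the end entity, the CertStore
     * supplies untrusted candidate issuers, and the trust anchors bound the search.
     * The JDK PKIX builder validates as it builds, so an untrusted or broken chain
     * surfaces as CertPathBuilderException rather than as a returned CertPath.
     */
    static CertPath build(X509CertSelector selector, Collection<X509Certificate> intermediates,
                          Set<TrustAnchor> anchors) throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediates)));
        params.setRevocationEnabled(false); // keeps the demo offline; enable CRL/OCSP checking in production
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(params);
        return result.getCertPath(); // leaf first, trust anchor itself not included
    }

    /** Validator role: accept or reject a chain that was presented or built elsewhere; returns the anchoring CA. */
    static X509Certificate validate(CertPath path, Set<TrustAnchor> anchors) throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params);
        return result.getTrustAnchor().getTrustedCert();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CertPathDemo leaf.pem intermediates.pem trusted-cas.pem");
            System.exit(2);
        }
        X509Certificate leaf = readCerts(Path.of(args[0])).get(0);
        List<X509Certificate> intermediates = readCerts(Path.of(args[1]));
        Set<TrustAnchor> anchors = anchorsFor(readCerts(Path.of(args[2])));

        // Selector: look the chain up by the exact end-entity certificate. X509CertSelector
        // can instead match on subject DN, issuer DN plus serial number, or subject key identifier.
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(leaf);

        try {
            CertPath chain = build(selector, intermediates, anchors);
            System.out.println("built chain of " + chain.getCertificates().size() + " certificate(s)");
            X509Certificate anchor = validate(chain, anchors);
            System.out.println("valid; anchored at " + anchor.getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("no trusted chain could be built: " + e.getMessage());
        } catch (CertPathValidatorException e) {
            System.out.println("chain rejected: " + e.getReason() + " at index " + e.getIndex());
        }
    }
}
```

Run it with a leaf certificate, a file of intermediates that is deliberately missing the leaf's issuer, and the real roots to see the builder fail before any validation happens; swap in an expired leaf to see the validator report the reason and the index of the offending certificate in the chain.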

15.1.3 CertPath Provider SPI MBeans

WebLogic Server includes two CertPath provider SPI MBeans, both of which extend CertPathProviderMBean:

■ CertPathBuilderMBean indicates that the provider can look up certificate chains. It adds no attributes or methods. CertPathBuilder providers must implement a custom MBean that extends this MBean.

■ CertPathValidatorMBean indicates that the provider can validate a certificate chain. It adds no attributes or methods. CertPathValidator providers must implement a custom MBean that extends this MBean.

Your CertPath provider, depending on its type, must extend one or both of the MBeans. A security provider that supports both building and validating should write an MBean that extends both of these MBeans, as shown in Example 15–1; note that the MDF names one of them in Extends and the other in Implements.

Example 15–1 Sample CertPath MBean MDF

<?xml version="1.0" ?>
<!DOCTYPE MBeanType SYSTEM "commo.dtd">
<MBeanType
  Name          = "MyCertPathProvider"
  DisplayName   = "MyCertPathProvider"
  Package       = "com.acme"
  Extends       = "weblogic.management.security.pk.CertPathBuilder"
  Implements    = "weblogic.management.security.pk.CertPathValidator"
  PersistPolicy = "OnUpdate"
>
  <MBeanAttribute
    Name      = "ProviderClassName"
    Type      = "java.lang.String"
    Writeable = "false"
    Default   = "&quot;com.acme.MyCertPathProviderRuntimeImpl&quot;"
  />
  <MBeanAttribute
    Name      = "Description"
    Type      = "java.lang.String"
    Writeable = "false"
    Default   = "&quot;My CertPath Provider&quot;"
  />
  <MBeanAttribute
    Name      = "Version"
    Type      = "java.lang.String"
    Writeable = "false"
    Default   = "&quot;1.0&quot;"
  />
  <!-- add custom attributes for the configuration data needed by this provider -->
  <MBeanAttribute
    Name = "CustomConfigData"
    Type = "java.lang.String"
  />
</MBeanType>

15.1.4 WebLogic CertPath Validator SSPI