CertPath Providers 15-1
15 CertPath Providers
The WebLogic Security service provides a framework that finds and validates X.509 certificate chains for inbound 2-way SSL, outbound SSL, application code, and WebLogic Web services. The Certificate Lookup and Validation (CLV) framework is a new security plug-in framework that finds and validates certificate chains. The framework extends and completes the JDK CertPath functionality, and allows you to create a custom CertPath provider.
The following sections provide the background information you need to understand before adding certificate lookup and validation capability to your custom security providers, and give step-by-step instructions for adding certificate lookup and validation capability to a custom security provider:
■ Section 15.1, Certificate Lookup and Validation Concepts
■ Section 15.2, Do You Need to Develop a Custom CertPath Provider?
■ Section 15.3, How to Develop a Custom CertPath Provider
15.1 Certificate Lookup and Validation Concepts
A CertPath is a JDK class that stores a certificate chain in memory. The term CertPath is also used to refer to the JDK architecture and framework that is used to locate and validate certificate chains.
There are two distinct types of providers, CertPath Validators and CertPath Builders:
■ The purpose of a certificate validator is to determine whether the presented certificate chain is valid and trusted. As the CertPath Validator provider writer, you decide how to validate the certificate chain and whether you need to use the trusted CAs.
■ The purpose of a certificate builder is to find a certificate chain using a selector, which holds the selection criteria for locating the CertPath. Certificate builders often validate the certificate chain as well. As the CertPath Builder provider writer, you decide which of the four selector types you support and whether you also validate the certificate chain. You also decide how much of the certificate chain you fill in and whether you need to use the trusted CAs.
The WebLogic CertPath providers are built using both the JDK and WebLogic CertPath SPIs.
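The split between the two roles is easiest to see in code. The following Go program is an added illustration, not code from the Oracle documentation or from WebLogic, and it uses only the standard library's crypto/x509 rather than the WebLogic SSPI. BuildChain plays the builder: a selector (here a subject CN, standing in for the selector types) picks the end-entity certificate from a pool and issuer links are followed to a trusted CA or self-signed root. ValidateChain plays the validator: signatures, validity period and anchoring to the trusted CAs. All certificates are constructed in memory by Issue.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Issue mints constructed test material: a certificate for cn signed by parent (self-signed when parent is nil).
func Issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if ca { t.KeyUsage = x509.KeyUsageCertSign } // CheckSignatureFrom rejects an issuer that lacks CertSign
	if parent == nil { parent, pkey = t, key }
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
func isTrusted(c *x509.Certificate, cas []*x509.Certificate) bool {
	for _, ca := range cas { if c.Equal(ca) { return true } }
	return false
}

// BuildChain is the Builder role: the selector picks the end-entity cert, then issuer->subject links are followed
// until a trusted CA or a self-signed root is reached. It only assembles the chain; no signature is checked here.
func BuildChain(subjectCN string, pool, cas []*x509.Certificate) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	match := func(c *x509.Certificate) bool { return c.Subject.CommonName == subjectCN }
	for len(chain) < 8 { // depth cap: an issuer loop in a malformed pool must not spin forever
		var next *x509.Certificate
		for _, c := range pool { if match(c) { next = c; break } }
		if next == nil { return nil, errors.New("no certificate matches the selector") }
		chain = append(chain, next)
		if isTrusted(next, cas) || next.Issuer.String() == next.Subject.String() { return chain, nil }
		iss := next.Issuer.String(); match = func(c *x509.Certificate) bool { return c.Subject.String() == iss }
	}
	return nil, errors.New("chain exceeds maximum depth")
}

// ValidateChain is the Validator role: each cert must be valid at now and signed by its successor, and the
// chain must terminate at one of the trusted CAs; a chain ending in an untrusted self-signed root fails.
func ValidateChain(chain, cas []*x509.Certificate, now time.Time) error {
	for i, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) { return errors.New("outside validity period: " + c.Subject.CommonName) }
		if i+1 < len(chain) { if err := c.CheckSignatureFrom(chain[i+1]); err != nil { return err } }
	}
	if len(chain) == 0 || !isTrusted(chain[len(chain)-1], cas) { return errors.New("chain does not end in a trusted CA") }
	return nil
}
```

A provider that does both jobs in one call, as section 15.1.2 describes, would simply run ValidateChain on the result of BuildChain before returning it.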
15.1.1 The Certificate Lookup and Validation Process
The certificate lookup and validation process is shown in Figure 15–1.
15-2 Developing Security Providers for Oracle WebLogic Server
Figure 15–1 Certificate Lookup and Validation Process
15.1.2 Do You Need to Implement Separate CertPath Validators and Builders?
You can implement the CertPath provider in several ways:
■ You can implement a CertPath Builder that performs both building and validation. In this case, you are responsible for:
  1. Implementing the Validator SPI.
  2. Implementing the Builder SPI.
  3. You must validate the certificate chain you build as part of the Builder SPI. Your provider will be called only once; you will not be called a second time specifically for validation.
  4. You decide the validation algorithm, which selectors to support, and whether to use trusted CAs.
■ You can implement a CertPath Validator that performs only validation. In this case, you are responsible for:
  1. Implementing the Validator SPI.
  2. You decide the validation algorithm and whether to use trusted CAs.
■ You can implement a CertPath Builder that performs only building. In this case, you are responsible for:
  1. Implementing the Builder SPI.
  2. You decide whether to validate the chain you build.
  3. You decide which selectors to support and whether to use trusted CAs.
15.1.3 CertPath Provider SPI MBeans
WebLogic Server includes two CertPath provider SPI MBeans, both of which extend CertPathProviderMBean:
■ CertPathBuilderMBean indicates that the provider can look up certificate chains. It adds no attributes or methods. CertPathBuilder providers must implement a custom MBean that extends this MBean.
■ CertPathValidatorMBean indicates that the provider can validate a certificate chain. It adds no attributes or methods. CertPathValidator providers must implement a custom MBean that extends this MBean.
Your CertPath provider, depending on its type, must extend one or both of the MBeans. A security provider that supports both building and validating should write an MBean that extends both of these MBeans, as shown in Example 15–1.
Example 15–1 Sample CertPath MBean MDF

<?xml version="1.0" ?>
<!DOCTYPE MBeanType SYSTEM "commo.dtd">
<MBeanType Name = "MyCertPathProvider" DisplayName = "MyCertPathProvider" Package = "com.acme"
    Extends = "weblogic.management.security.pk.CertPathBuilder"
    Implements = "weblogic.management.security.pk.CertPathValidator"
    PersistPolicy = "OnUpdate">
    <MBeanAttribute Name = "ProviderClassName" Type = "java.lang.String" Writeable = "false"
        Default = "&quot;com.acme.MyCertPathProviderRuntimeImpl&quot;" />
    <MBeanAttribute Name = "Description" Type = "java.lang.String" Writeable = "false"
        Default = "&quot;My CertPath Provider&quot;" />
    <MBeanAttribute Name = "Version" Type = "java.lang.String" Writeable = "false"
        Default = "&quot;1.0&quot;" />
    <!-- add custom attributes for the configuration data needed by this provider -->
    <MBeanAttribute Name = "CustomConfigData" Type = "java.lang.String" />
</MBeanType>
15.1.4 WebLogic CertPath Validator SSPI