
12-10 Securing Oracle WebLogic Server

■ Verifies that the last certificate in the chain is either a trusted CA or is issued by a trusted CA.
■ Completes the certificate chain with trusted CAs.
■ Verifies the signatures in the chain.
■ Ensures that the chain has not expired.

You can use certificate lookup and validation (CLV) providers to perform additional validation on the certificate chain. WebLogic Server includes two CLV providers:

■ WebLogic CertPath Provider—Completes certificate paths and validates certificates using the trusted CAs configured for a particular server instance, providing the same functionality as the built-in SSL certificate validation. This provider is configured by default.
■ Certificate Registry—The system administrator makes a list of trusted CA certificates that are allowed access to the server; a certificate is valid if the end certificate is in the registry. The administrator revokes a certificate by removing it from the certificate registry, which is an inexpensive mechanism for performing revocation checking. This provider is not configured by default.

Alternatively, you can write a custom CertPathValidator to provide additional validation on the certificate chain. See CertPath Providers in Developing Security Providers for Oracle WebLogic Server.

12.9.5 How SSL Certificate Validation Works in WebLogic Server

Outbound SSL and two-way inbound SSL in a WebLogic Server instance receive certificate chains during the SSL handshake that must be validated. An example of two-way inbound SSL is a browser connecting to a Web application over HTTPS, where the browser sends the client's certificate chain to the Web application. The inbound certificate validation setting is used for all two-way client certificate validation in the server.

Examples of WebLogic Server using outbound SSL (that is, acting as an SSL client) include:

■ Connecting to the Node Manager
■ Connecting to another WebLogic Server instance over the Administration port
■ Connecting to an external LDAP server, as the LDAPAuthenticator does

Using the Administration Console or WLST, you can independently configure inbound and outbound SSL certificate validation using these SSLMBean attributes: InboundCertificateValidation and OutboundCertificateValidation. Legal values for both attributes are:

■ BUILTIN_SSL_VALIDATION: Use the built-in SSL certificate validation code to complete and validate the certificate chain. That is, configure SSL to work as it has in previous releases. This is the default behavior.
■ BUILTIN_SSL_VALIDATION_AND_CERT_PATH_VALIDATORS: Use the built-in trusted CA-based validation and the configured CertPathValidator providers to perform additional validation. That is, configure SSL to work as it has in previous releases and to do extra validation.

See:

■ SSLMBean in the Oracle WebLogic Server MBean Reference
■ Set Up SSL in the Oracle WebLogic Server Administration Console Help
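The following is an added example, not code from the WebLogic documentation: it sets InboundCertificateValidation and OutboundCertificateValidation on the SSLMBean of every server in a domain through the Edit MBean Server, which is the interface that WLST and the Administration Console drive. The attribute names and the two legal values are the ones documented above; the t3 URL path, the EditService ObjectName, the ConfigurationManager operation names (startEdit, save, activate, cancelEdit) and the client jar are taken from Oracle's JMX documentation as I know it and should be treated as assumptions to verify against your release.

```java
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;

/**
 * Example (not from the WebLogic documentation): switches every server's SSLMBean between the two
 * legal certificate validation modes through the Edit MBean Server. Assumes a WebLogic client jar
 * (wljmxclient.jar or wlfullclient.jar) on the classpath so the "t3" JMX protocol provider resolves.
 *
 * Usage: java SetCertValidation adminhost 7001 weblogic password BUILTIN_SSL_VALIDATION_AND_CERT_PATH_VALIDATORS
 */
public class SetCertValidation {

    /** The two legal values of InboundCertificateValidation / OutboundCertificateValidation. */
    static final List<String> LEGAL = Arrays.asList(
            "BUILTIN_SSL_VALIDATION", "BUILTIN_SSL_VALIDATION_AND_CERT_PATH_VALIDATORS");

    static boolean isLegalMode(String mode) {
        return LEGAL.contains(mode);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5 || !isLegalMode(args[4])) {
            System.err.println("usage: SetCertValidation host port user password " + LEGAL);
            System.exit(2);
        }
        String mode = args[4];

        // Edit MBean Server over t3 (URL path and provider package per Oracle's JMX docs; assumed).
        JMXServiceURL url = new JMXServiceURL("t3", args[0], Integer.parseInt(args[1]),
                "/jndi/weblogic.management.mbeanservers.edit");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.SECURITY_PRINCIPAL, args[2]);
        env.put(Context.SECURITY_CREDENTIALS, args[3]);
        env.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES, "weblogic.management.remote");

        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection conn = connector.getMBeanServerConnection();
            ObjectName editService = new ObjectName(
                    "com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditService");
            ObjectName cfgMgr = (ObjectName) conn.getAttribute(editService, "ConfigurationManager");

            // startEdit(waitTimeInMillis, timeOutInMillis) takes the edit lock and returns the editable DomainMBean.
            ObjectName domain = (ObjectName) conn.invoke(cfgMgr, "startEdit",
                    new Object[] {60000, 120000}, new String[] {"java.lang.Integer", "java.lang.Integer"});
            try {
                for (ObjectName server : (ObjectName[]) conn.getAttribute(domain, "Servers")) {
                    ObjectName ssl = (ObjectName) conn.getAttribute(server, "SSL");
                    // Inbound governs two-way client certificates; outbound governs the server acting as SSL client.
                    conn.setAttribute(ssl, new Attribute("InboundCertificateValidation", mode));
                    conn.setAttribute(ssl, new Attribute("OutboundCertificateValidation", mode));
                    System.out.println(conn.getAttribute(server, "Name")
                            + ": inbound=" + conn.getAttribute(ssl, "InboundCertificateValidation")
                            + " outbound=" + conn.getAttribute(ssl, "OutboundCertificateValidation"));
                }
                conn.invoke(cfgMgr, "save", null, null);
                conn.invoke(cfgMgr, "activate", new Object[] {120000L}, new String[] {"java.lang.Long"});
            } catch (Exception e) {
                conn.invoke(cfgMgr, "cancelEdit", null, null); // release the lock without applying anything
                throw e;
            }
        }
    }
}
```

Setting both attributes to the same value is a choice of this example, not a requirement: the two settings are independent, and a server that only ever terminates one-way SSL inbound but calls out to LDAP and Node Manager may want the stricter mode on the outbound side only. The change takes effect only after activate succeeds; if any setAttribute fails, cancelEdit discards the partial edit.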

12.9.6 Troubleshooting Problems with Certificate Validation

If SSL communications that worked properly in a previous release of WebLogic Server start failing unexpectedly, the likely problem is that the certificate chain is failing validation. Determine where the certificate chain is being rejected, and decide whether to update the certificate chain with one that will be accepted or to change the setting of the -Dweblogic.security.SSL.enforceConstraints command-line argument.

To troubleshoot problems with certificates, use one of the following methods:

■ If you know where the certificate chains for the processes using SSL communication are located, use the ValidateCertChain command-line utility to check whether the certificate chains will be accepted.
■ Turn on SSL debug tracing on the processes using SSL communication. The syntax for SSL debug tracing is:

-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

The following message indicates that the SSL failure results from problems in the certificate chain:

CA certificate rejected. The basic constraints for a CA certificate were not marked for being a CA, or were not marked as critical

When you use one-way SSL, look for this error in the client log. With two-way SSL, look for this error in both the client and server logs.
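The following is an added example, not WebLogic's own validation code and not the ValidateCertChain utility, which remains the supported way to test a chain. It serves two passages: the four built-in checks listed at the top of this page (path ends at or is issued by a trusted CA, chain completed from the trusted CAs, signatures verified, validity periods checked) are reproduced with the JDK PKIX validator, a Certificate Registry style membership test is applied to the end certificate, and, for the troubleshooting steps above, the chain is scanned for the condition behind the "CA certificate rejected" message: an issuing certificate whose BasicConstraints extension is absent, not cA=TRUE, or not marked critical. The file names, the JKS trust store format, the end-entity-first ordering of the PEM file and the registry file are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Example (not WebLogic's own code). Usage: java ChainCheck chain.pem trust.jks storepass [registry.pem]
 *   chain.pem    PEM file, end-entity certificate first, issuers following (assumed ordering)
 *   trust.jks    JKS trust store whose trusted-certificate entries are the trusted CAs (assumed format)
 *   registry.pem optional PEM list of certificates allowed in, in the spirit of the Certificate Registry
 */
public class ChainCheck {

    /** Loads every X.509 certificate in a PEM file, in file order. */
    static List<X509Certificate> loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            List<X509Certificate> certs = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) certs.add((X509Certificate) c);
            return certs;
        }
    }

    /**
     * The condition behind "CA certificate rejected. The basic constraints for a CA certificate were not
     * marked for being a CA, or were not marked as critical": every certificate that issues another one in
     * the chain needs BasicConstraints (OID 2.5.29.19) with cA=TRUE and the extension flagged critical.
     * Returns the subjects that fail this; an empty list means enforceConstraints has nothing to object to.
     */
    static List<String> basicConstraintsProblems(List<X509Certificate> chain) {
        List<String> problems = new ArrayList<>();
        for (int i = 1; i < chain.size(); i++) {              // index 0 is the end-entity certificate
            X509Certificate ca = chain.get(i);
            boolean isCa = ca.getBasicConstraints() != -1;     // -1: no extension, or cA=FALSE
            Set<String> crit = ca.getCriticalExtensionOIDs();
            boolean critical = crit != null && crit.contains("2.5.29.19");
            if (!isCa || !critical) problems.add(ca.getSubjectX500Principal().getName());
        }
        return problems;
    }

    /**
     * The built-in steps: the path must chain to a trusted-certificate entry of the trust store (the trust
     * anchor that completes it), every signature in the path is verified and every validity period checked.
     * Returns the trusted certificate the path ended at; throws if any step fails.
     */
    static X509Certificate validateWithTrustStore(List<X509Certificate> chain, KeyStore trust) throws Exception {
        Set<X509Certificate> trusted = new HashSet<>();
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (trust.isCertificateEntry(alias)) trusted.add((X509Certificate) trust.getCertificate(alias));
        }
        List<X509Certificate> path = new ArrayList<>(chain);
        // A trust anchor is not part of the CertPath handed to PKIX: if the peer also sent a certificate
        // that is already in the trust store, drop it from the end of the path.
        while (path.size() > 1 && trusted.contains(path.get(path.size() - 1))) path.remove(path.size() - 1);
        if (trusted.contains(path.get(0))) {              // the chain is a directly trusted certificate
            path.get(0).checkValidity();                  // the validity period is still enforced
            return path.get(0);
        }
        PKIXParameters params = new PKIXParameters(trust); // anchors = the trusted-certificate entries
        params.setRevocationEnabled(false);                // revocation is not one of the four built-in steps
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(certPath, params);
        return result.getTrustAnchor().getTrustedCert();
    }

    /** Certificate Registry rule: the end certificate itself must be listed, byte for byte. */
    static boolean inRegistry(X509Certificate endCert, Collection<X509Certificate> registry) {
        return registry.contains(endCert);                // X509Certificate.equals compares the DER encoding
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ChainCheck chain.pem trust.jks storepass [registry.pem]");
            System.exit(2);
        }
        List<X509Certificate> chain = loadPem(args[0]);
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[1])) { trust.load(in, args[2].toCharArray()); }

        for (String subject : basicConstraintsProblems(chain))
            System.out.println("would be rejected with enforceConstraints: " + subject);
        try {
            X509Certificate anchor = validateWithTrustStore(chain, trust);
            System.out.println("chain accepted, anchored at " + anchor.getSubjectX500Principal().getName());
        } catch (CertPathValidatorException e) {
            System.out.println("chain rejected at index " + e.getIndex() + ": " + e.getReason() + " (" + e.getMessage() + ")");
            System.exit(1);
        } catch (CertificateException e) {
            System.out.println("directly trusted certificate rejected: " + e.getMessage());
            System.exit(1);
        }
        if (args.length > 3 && !inRegistry(chain.get(0), loadPem(args[3]))) {
            System.out.println("end certificate is not in the registry: " + chain.get(0).getSubjectX500Principal().getName());
            System.exit(1);
        }
    }
}
```

Run it with the chain and trust store of the process that logs the failure: the client side for one-way SSL, both sides for two-way SSL, matching where the page says to look for the error. A non-empty basicConstraintsProblems list tells you which CA certificate to reissue (or that you are relying on enforceConstraints being relaxed); a PKIX rejection with an index tells you which certificate in the chain failed signature or validity checks; a chain that passes both but is absent from the registry file is exactly the case the Certificate Registry provider is meant to reject.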

12.10 Using the nCipher JCE Provider with WebLogic Server