10-2 Programming Security for Oracle WebLogic Server
The classes in weblogic.security.pk that implement the CertPathSelector interface, one for each supported type of certificate chain lookup, are as follows:
■ EndCertificateSelector – used to find and validate a certificate chain given its end certificate.
■ IssuerDNSerialNumberSelector – used to find and validate a certificate chain from its end certificate's issuer DN and serial number.
■ SubjectDNSelector – used to find and validate a certificate chain from its end certificate's subject DN.
■ SubjectKeyIdentifierSelector – used to find and validate a certificate chain from its end certificate's subject key identifier (an optional field in X509 certificates).
Example 10–1 shows an example of choosing a selector.
Example 10–1 Make a certificate chain selector
// you already have the end certificate and want to use it to look up and
// validate the corresponding chain
X509Certificate endCertificate = ...

// make a cert chain selector
CertPathSelector selector = new EndCertificateSelector(endCertificate);
10.1.2 Instantiate a CertPathBuilderParameters
You pass an instance of CertPathBuilderParameters as the CertPathParameters object to the JDK's CertPathBuilder.build method.
The following constructor and method are provided:
■ CertPathBuilderParameters: public CertPathBuilderParameters(String realmName, CertPathSelector selector, X509Certificate[] trustedCAs, ContextHandler context)
Constructs a CertPathBuilderParameters. You must provide the realm name. To do this, get the domain's SecurityConfigurationMBean. Then, get the SecurityConfigurationMBean's default realm attribute, which is a realm MBean. Finally, get the realm MBean's name attribute. You must use the runtime JMX MBean server to get the realm name.
You must provide the selector. You use one of the derived classes of the weblogic.security.pk.CertPathSelector interface, described in Section 10.1.1, "Instantiate a CertPathSelector," to specify the selection criteria for locating and validating a certification path.
Notes: The selectors that are supported depend on the configured CertPath providers. The configured CertPath providers are determined by the administrator. The WebLogic CertPath provider uses only the EndCertificateSelector selector.
Specify trusted CAs if you have them. Otherwise, the server's trusted CAs are used. These are just a hint to the configured CertPath builder and CertPath validators, which, depending on their lookup/validation algorithm, may or may not use these trusted CAs.
ContextHandler is used to pass in an optional list of name/value pairs that the configured CertPathBuilder and CertPathValidators may use to look up and validate the chain. It is symmetrical with the context handler passed to other types of security providers. Setting context to null indicates that there are no context parameters.
■ clone: public Object clone()
This interface is not cloneable.
Example 10–2 shows an example of passing an instance of CertPathBuilderParameters.
Example 10–2 Pass An Instance of CertPathBuilderParameters
// make a cert chain selector
CertPathSelector selector = new EndCertificateSelector(endCertificate);
String realm = ...;
// create and populate a context handler if desired, or null
ContextHandler context = ...;
// pass in a list of trusted CAs if desired, or null
X509Certificate[] trustedCAs = ...;
// make the params (argument order matches the constructor: realm, selector, trustedCAs, context)
CertPathBuilderParameters params = new CertPathBuilderParameters(realm, selector, trustedCAs, context);
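The following is an added, end-to-end example that ties Sections 10.1.1 and 10.1.2 together; it is not code from the Oracle documentation. It obtains the default realm name from the runtime MBean server as the text above requires, builds the CertPathBuilderParameters with the documented argument order, and hands them to the JDK CertPathBuilder. Two details are assumptions not stated on this page and are marked as such in the code: the JNDI name java:comp/env/jmx/runtime and RuntimeServiceMBean ObjectName used to reach the runtime MBean server (the usual WebLogic JMX entry points for in-server code), and "WLSCertPathBuilder" as the JCE name of the WebLogic CertPath builder. The caller treats a build failure as an untrusted certificate and never falls back to accepting the bare end certificate.

```java
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.X509Certificate;

import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.naming.InitialContext;

import weblogic.security.pk.CertPathBuilderParameters;
import weblogic.security.pk.CertPathSelector;
import weblogic.security.pk.EndCertificateSelector;
import weblogic.security.service.ContextHandler;

public class ChainBuilderExample {

    // Reads the default realm name from the runtime MBean server:
    // domain -> SecurityConfigurationMBean -> DefaultRealm -> Name.
    // ASSUMPTION: the JNDI name and the RuntimeServiceMBean ObjectName below are the
    // standard WebLogic JMX entry points for code running inside the server; this page
    // does not state them.
    static String defaultRealmName() throws Exception {
        InitialContext ctx = new InitialContext();
        MBeanServer server = (MBeanServer) ctx.lookup("java:comp/env/jmx/runtime");
        ObjectName runtimeService = new ObjectName(
            "com.bea:Name=RuntimeService,Type=weblogic.management.mbeanservers.runtime.RuntimeServiceMBean");
        ObjectName domain = (ObjectName) server.getAttribute(runtimeService, "DomainConfiguration");
        ObjectName secCfg = (ObjectName) server.getAttribute(domain, "SecurityConfiguration");
        ObjectName realm  = (ObjectName) server.getAttribute(secCfg, "DefaultRealm");
        return (String) server.getAttribute(realm, "Name");
    }

    // Builds and validates the chain for endCertificate. Passing null for trustedCAs
    // lets the configured builder use the server's own trusted CAs, which is the safer
    // default; supply an explicit array only when a narrower trust set is intended.
    static CertPath buildChain(X509Certificate endCertificate,
                               X509Certificate[] trustedCAsOrNull) throws Exception {
        // The WebLogic CertPath provider supports only EndCertificateSelector (see the note above).
        CertPathSelector selector = new EndCertificateSelector(endCertificate);

        // No additional name/value context for the providers.
        ContextHandler context = null;

        // Argument order follows the constructor documented in Section 10.1.2:
        // (realmName, selector, trustedCAs, context).
        CertPathBuilderParameters params = new CertPathBuilderParameters(
            defaultRealmName(), selector, trustedCAsOrNull, context);

        // ASSUMPTION: "WLSCertPathBuilder" is the JCE algorithm name of the WebLogic
        // CertPath builder; it is not stated on this page.
        CertPathBuilder builder = CertPathBuilder.getInstance("WLSCertPathBuilder");
        CertPathBuilderResult result = builder.build(params);
        return result.getCertPath();
    }

    // Caller view: "no chain found" and "chain not trusted" are the same outcome, a
    // failed trust decision. Infrastructure errors (JMX, JNDI, provider) fail closed too.
    static boolean isTrusted(X509Certificate endCertificate) {
        try {
            CertPath chain = buildChain(endCertificate, null);
            return chain != null && !chain.getCertificates().isEmpty();
        } catch (CertPathBuilderException e) {
            // Lookup or validation failed: the certificate is not trusted.
            return false;
        } catch (Exception e) {
            // Could not reach the MBean server or the provider: do not guess, fail closed.
            return false;
        }
    }
}
```

The realm lookup is deliberately kept out of the caller's hands: the realm name is a configuration fact owned by the administrator, so reading it from the runtime MBean server at call time avoids hard-coding a value that becomes wrong when the default realm changes.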
10.1.3 Use the JDK CertPathBuilder Interface