
Programming Security for Oracle WebLogic Server

The classes in weblogic.security.pk that implement the CertPathSelector interface, one for each supported type of certificate chain lookup, are as follows:

■ EndCertificateSelector – used to find and validate a certificate chain given its end certificate.
■ IssuerDNSerialNumberSelector – used to find and validate a certificate chain from its end certificate's issuer DN and serial number.
■ SubjectDNSelector – used to find and validate a certificate chain from its end certificate's subject DN.
■ SubjectKeyIdentifierSelector – used to find and validate a certificate chain from its end certificate's subject key identifier (an optional field in X509 certificates).

Example 10–1 shows an example of choosing a selector.

Example 10–1 Make a Certificate Chain Selector

    import java.security.cert.X509Certificate;
    import weblogic.security.pk.CertPathSelector;
    import weblogic.security.pk.EndCertificateSelector;

    // you already have the end certificate and want to use it to
    // look up and validate the corresponding chain
    X509Certificate endCertificate = ...;
    // make a cert chain selector
    CertPathSelector selector = new EndCertificateSelector(endCertificate);

10.1.2 Instantiate a CertPathBuilderParameters

You pass an instance of CertPathBuilderParameters as the CertPathParameters object to the JDK's CertPathBuilder.build method. The following constructor and method are provided:

■ CertPathBuilderParameters

    public CertPathBuilderParameters(String realmName, CertPathSelector selector,
                                     X509Certificate[] trustedCAs, ContextHandler context)

Constructs a CertPathBuilderParameters.

You must provide the realm name. To do this, get the domain's SecurityConfigurationMBean. Then, get the SecurityConfigurationMBean's default realm attribute, which is a realm MBean. Finally, get the realm MBean's name attribute. You must use the runtime JMX MBean server to get the realm name.

You must provide the selector. You use one of the weblogic.security.pk.CertPathSelector interface's derived classes, described in Section 10.1.1, "Instantiate a CertPathSelector," to specify the selection criteria for locating and validating a certification path.

Notes: The selectors that are supported depend on the configured CertPath providers. The configured CertPath providers are determined by the administrator. The WebLogic CertPath provider uses only the EndCertificateSelector selector.

Specify trusted CAs if you have them. Otherwise, the server's trusted CAs are used. These are just a hint to the configured CertPath builder and CertPath validators which, depending on their lookup/validation algorithm, may or may not use these trusted CAs.

ContextHandler is used to pass in an optional list of name/value pairs that the configured CertPathBuilder and CertPathValidators may use to look up and validate the chain. It is symmetrical with the context handler passed to other types of security providers. Setting context to null indicates that there are no context parameters.

■ clone

    Object clone()

This interface is not cloneable.

Example 10–2 shows an example of passing an instance of CertPathBuilderParameters.
Example 10–2 Pass an Instance of CertPathBuilderParameters

    import java.security.cert.X509Certificate;
    import weblogic.security.pk.CertPathBuilderParameters;
    import weblogic.security.pk.CertPathSelector;
    import weblogic.security.pk.EndCertificateSelector;
    import weblogic.security.service.ContextHandler;

    // make a cert chain selector
    CertPathSelector selector = new EndCertificateSelector(endCertificate);
    // realm name obtained from the runtime MBean server (see above)
    String realm = ...;
    // create and populate a context handler if desired, or null
    ContextHandler context = ...;
    // pass in a list of trusted CAs if desired, or null
    X509Certificate[] trustedCAs = ...;
    // make the params; argument order matches the constructor signature:
    // realm name, selector, trusted CAs, context handler
    CertPathBuilderParameters params =
        new CertPathBuilderParameters(realm, selector, trustedCAs, context);
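As an added example that is not part of the WebLogic documentation, the following class performs the realm-name lookup described above through the runtime MBean server and then constructs the parameters in the constructor's argument order. The JNDI name java:comp/env/jmx/runtime, the RuntimeService ObjectName and the attribute names DomainConfiguration, SecurityConfiguration, DefaultRealm and Name are assumptions about the WebLogic JMX tree, and the code is assumed to run inside the server (for example from a servlet or EJB) so that the JNDI lookup resolves.

```java
import java.security.cert.X509Certificate;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.naming.InitialContext;
import weblogic.security.pk.CertPathBuilderParameters;
import weblogic.security.pk.CertPathSelector;
import weblogic.security.pk.EndCertificateSelector;

// Added example, not from the WebLogic documentation: build the parameters
// the way Section 10.1.2 describes, resolving the realm name through the
// runtime MBean server. Must run inside the server for the JNDI name to resolve.
public class CertPathParamsFactory {

    // Assumed JNDI name of the runtime MBean server and assumed ObjectName of
    // the RuntimeService MBean that roots the runtime JMX tree.
    private static final String RUNTIME_SERVER_JNDI = "java:comp/env/jmx/runtime";
    private static final String RUNTIME_SERVICE =
        "com.bea:Name=RuntimeService,Type=weblogic.management.mbeanservers.runtime.RuntimeServiceMBean";

    // Domain -> SecurityConfiguration -> DefaultRealm -> Name, as the text lays out.
    static String lookupRealmName() throws Exception {
        InitialContext ctx = new InitialContext();
        MBeanServer server = (MBeanServer) ctx.lookup(RUNTIME_SERVER_JNDI);
        ObjectName domain = (ObjectName) server.getAttribute(
            new ObjectName(RUNTIME_SERVICE), "DomainConfiguration");
        ObjectName securityConfig =
            (ObjectName) server.getAttribute(domain, "SecurityConfiguration");
        ObjectName defaultRealm =
            (ObjectName) server.getAttribute(securityConfig, "DefaultRealm");
        return (String) server.getAttribute(defaultRealm, "Name");
    }

    // Parameters for locating and validating the chain that ends in endCertificate.
    // Argument order follows the constructor signature given in the text:
    // realm name, selector, trusted CAs, context handler. A null trustedCAs
    // falls back to the server's trusted CAs; a null context means no
    // name/value pairs are handed to the CertPath providers.
    static CertPathBuilderParameters forEndCertificate(X509Certificate endCertificate,
                                                       X509Certificate[] trustedCAs)
            throws Exception {
        if (endCertificate == null) {
            throw new IllegalArgumentException("end certificate is required");
        }
        CertPathSelector selector = new EndCertificateSelector(endCertificate);
        return new CertPathBuilderParameters(lookupRealmName(), selector, trustedCAs, null);
    }
}
```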

10.1.3 Use the JDK CertPathBuilder Interface