Checking Certificate Chains Using Certificate Lookup and Validation Providers
12.9.3 Checking Certificate Chains
Use the WebLogic Server ValidateCertChain command-line utility to confirm whether an existing certificate chain will be rejected by WebLogic Server. The utility validates certificate chains from PEM files, PKCS-12 files, PKCS-12 keystores, and JKS keystores. A complete certificate chain must be used with the utility.

The following is the syntax for the ValidateCertChain command-line utility:

    java utils.ValidateCertChain -file pemcertificatefilename
    java utils.ValidateCertChain -pem pemcertificatefilename
    java utils.ValidateCertChain -pkcs12store pkcs12storefilename
    java utils.ValidateCertChain -pkcs12file pkcs12filename password
    java utils.ValidateCertChain -jks alias storefilename [storePass]

Example of a valid certificate chain:

    java utils.ValidateCertChain -pem zippychain.pem
    Cert[0]: CN=zippy,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US
    Cert[1]: CN=CertGenCAB,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US
    Certificate chain appears valid

Example of an invalid certificate chain:

    java utils.ValidateCertChain -jks mykey mykeystore
    Cert[0]: CN=corba1,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US
    CA cert not marked with critical BasicConstraint indicating it is a CA
    Cert[1]: CN=CACERT,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US
    Certificate chain is invalid

12.9.4 Using Certificate Lookup and Validation Providers
WebLogic Server SSL has built-in certificate validation. Given a set of trusted CAs, this validation:

■ Verifies that the last certificate in the chain is either a trusted CA or is issued by a trusted CA.
■ Completes the certificate chain with trusted CAs.
■ Verifies the signatures in the chain.
■ Ensures that the chain has not expired.

Note: The weblogic.security.SSL.allowedcertificatepolicyids argument is currently not supported in WebLogic Server when the JSSE-based SSL implementation is enabled.

12-10 Securing Oracle WebLogic Server

You can use certificate lookup and validation (CLV) providers to perform additional validation on the certificate chain. WebLogic Server includes two CLV providers:

■ WebLogic CertPath Provider—Completes certificate paths and validates certificates using the trusted CA configured for a particular server instance, providing the same functionality as the built-in SSL certificate validation. This is configured by default.
■ Certificate Registry—The system administrator makes a list of trusted CA certificates that are allowed access to the server; a certificate is valid if the end certificate is in the registry. The administrator revokes a certificate by removing it from the certificate registry, which is an inexpensive mechanism for performing revocation checking. This is not configured by default.

Alternatively, you can write a custom CertPathValidator to provide additional validation on the certificate chain. See CertPath Providers in Developing Security Providers for Oracle WebLogic Server.

12.9.5 How SSL Certificate Validation Works in WebLogic Server