Certificate Chain Check

Overview

Whenever the Enterprise Gateway receives a client's X.509 certificate, either in an XML Signature or as part of an SSL handshake, it needs to determine whether or not that certificate can be trusted. For example, it is trivial for a user to generate a structurally sound X.509 certificate, and that certificate can then be used to negotiate mutually authenticated connections to publicly available services.

Clearly, this scenario is a security nightmare for IT administrators: any user cannot simply be allowed to generate their own certificate and use it on the Internet. The server must be able to trust the authenticity of the client certificate, and it must be able to verify that the certificate originated from a trusted source. To do this, a server can perform a certificate chain check on the client certificate.

The main purpose of certificate chain validation is to ensure that a certificate has been issued by a trusted source. Typically, in a Public-Key Infrastructure (PKI), a Certificate Authority (CA) is responsible for issuing and distributing certificates. The whole infrastructure is based on the premise of transitive trust - if everybody trusts the CA, then everybody transitively trusts the certificates issued by that CA. If entities only trust certificates that have been issued by the CA, they can then reject certificates which have been self-generated by clients.

When a CA issues a certificate, it digitally signs the certificate and records itself as the issuer, and the client certificate is presented together with the issuing CA's certificate. This sequence is called a certificate chain. Whenever an application (such as the Enterprise Gateway) receives a client certificate, it can identify the issuing CA from the chain and run a certificate chain check to determine whether or not it should trust that CA. If it trusts the CA, it will also trust the client certificate.

The question then arises: how does the Enterprise Gateway decide to trust a Certificate Authority? The Enterprise Gateway maintains a repository of both trusted CA certificates and trusted server certificates for use in SSL communications. In order to trust a certain CA, that CA's certificate must be imported into the Oracle Trusted Certificate Store.

Configuration

The Policy Studio provides an easy-to-use interface for configuring certificate chain validation. This interface allows you to amalgamate CA and server certificates into groups, such that if an incoming client certificate has been issued by any of the CAs in the group, the Enterprise Gateway will trust the certificate. Enter a name for the group in the Group Name field. To populate the new group, click the Add/Edit button.

Selecting a group from the Group Name dropdown displays the members of that group in the Certificate Alias table. To add and/or remove members from the selected group, click the Add/Edit button.

Certificates can be added to and removed from new or existing groups using the Configure Trusted Certificate Groups dialog, which is displayed when you click the Add/Edit button.

The Configure Trusted Certificate Groups dialog consists of two main tables. The first table lists all certificates currently in the Trusted Certificate Store, i.e. those that are trusted by the Enterprise Gateway. The second table lists the members of the group selected in the Group Name field.

To add a certificate to a trusted group, select it from the Certificate Store table and click the Add -> button. The certificate will now appear in the group certificates table. Similarly, to remove a certificate from the group, select it from the group certificates table and click the <- Remove button. The certificate will now be removed from the group table.

It is also possible to add, remove, and view certificates in the Trusted Certificate Store using this dialog. To add a certificate to the Trusted Certificate Store, click the Add button, which displays the Import Certificate dialog.

Browse to the location of the CA certificate file, and enter an Alias for the certificate. This Alias will be used to uniquely identify the certificate within the Enterprise Gateway.

A certificate can be removed by simply selecting the certificate in the Trusted Store table, and then clicking the Remove button. The certificate will be removed from the table, and will no longer be trusted by the Enterprise Gateway.

Finally, it is also possible to examine the details of any one of the certificates in the Trusted Certificate Store. To do this, again select a certificate from the Trusted Certificate table, and then click on the View button.