Certificate validation

Oracle® Fusion Middleware
Part 30. Configuring Common Settings

Certificate validation

Contents

Overview
Configuration

Overview

Whenever API Gateway receives an X.509 certificate, either as part of the SSL handshake or as part of the XML message itself, it is important to be able to determine whether that certificate is legitimate or not. Certificates can be revoked by their issuers if it becomes apparent that the certificate is being used maliciously. Such certificates should never be trusted, and so it is very important that API Gateway can perform certificate validation.

API Gateway uses the following methods/protocols to validate certificates:

Online Certificate Status Protocol (OCSP) – OCSP is an automated certificate checking network protocol. API Gateway can query the OCSP responder for the status of a certificate. The responder returns whether the certificate is still trusted by the CA that issued it.
Certificate Revocation List (CRL) – A CRL is a signed list indicating a set of certificates that are no longer considered valid (that is, revoked certificates) by the certificate issuer. API Gateway can query a CRL to find out if a given certificate has been revoked. If the certificate is present in the CRL, it should not be trusted.
XML Key Management Services (XKMS) – XKMS is an XML-based protocol for (amongst other things) establishing the trustworthiness of a certificate over the Internet. API Gateway can query an XKMS responder to determine whether or not a given certificate can be trusted or not.

Configuration

The API Gateway can check the validity of a client certificate using any of the following filters:

	Note
To validate a certificate using either an OCSP request or CRL lookup, the issuing CA's certificate should be trusted by API Gateway. This is because for a CRL lookup, the CA's public key is needed to verify the signature on the CRL, and for an OCSP request, the protocol stipulates that the CA's public key must be submitted as part of the request. The issuing CA's public key is not always present in issued certificates, so it is necessary to retrieve it from the API Gateway's certificate store instead.

Note

To validate a certificate using either an OCSP request or CRL lookup, the issuing CA's certificate should be trusted by API Gateway. This is because for a CRL lookup, the CA's public key is needed to verify the signature on the CRL, and for an OCSP request, the protocol stipulates that the CA's public key must be submitted as part of the request. The issuing CA's public key is not always present in issued certificates, so it is necessary to retrieve it from the API Gateway's certificate store instead.

Prev	Up	Next
	Home

Oracle® Fusion MiddlewarePart 30. Configuring Common Settings