2.4.16 Enforce Security Constraints on Digital Certificates
This topic provides information on enforcing security constraints on digital certificates.
Oracle WebLogic Server performs certificate validation whenever it establishes an outbound SSL connection, or when a two-way SSL connection is established. As part of certificate validation, WebLogic Server checks whether the certificate contains the Basic Constraints extension. Enforcing the presence of the Basic Constraints extension prevents an attacker who holds an ordinary end-entity certificate (one not marked as a CA) from using it to sign new certificates that aid in website spoofing.
Ensure that the check for the Basic Constraints extension is enabled by verifying that the following line is absent from the WebLogic Server start-up command:
-Dweblogic.security.SSL.enforceConstraints=off
Also verify whether any messages were logged at WebLogic Server boot reporting the presence of certificates that could be rejected by clients.
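The following shell helper is an added example, not part of the Oracle document or the WebLogic product. It audits a start command for the weak setting named above and, using the openssl command-line tool (assumed present), shows with constructed test certificates why a validator must enforce Basic Constraints: a chain that passes through a non-CA certificate is rejected.

```shell
#!/bin/sh
# Added audit helper; not part of the Oracle document. Assumes a POSIX shell and,
# for demo_basic_constraints, the openssl command-line tool (1.1.1 or later).
set -eu

# Exit 0 when the supplied WebLogic start command carries the weak setting this
# topic tells you to look for. Arguments are split on whitespace, so the property
# is found whether it is on the command line or inside a JAVA_OPTIONS string.
# The value comparison is case-insensitive (an assumption, to be conservative).
enforce_constraints_disabled() {
  printf '%s\n' "$1" | tr ' \t' '\n\n' \
    | grep -qi '^-Dweblogic\.security\.SSL\.enforceConstraints=off$'
}

# Illustrates why the check exists. All certificates are constructed test data:
# a root CA (CA:TRUE), a server certificate issued by it (CA:FALSE), and a third
# certificate signed with the server key. A validator that enforces Basic
# Constraints accepts root -> server but rejects root -> server -> third, because
# the server certificate is not permitted to act as a CA. Exit 0 when openssl
# behaves that way; runs in a subshell so the caller's directory is unchanged.
demo_basic_constraints() (
  cd "$(mktemp -d)" || return 1
  keyopts="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -new $keyopts -subj /CN=ConstructedRootCA \
    -keyout ca.key -out ca.csr 2>/dev/null || return 1
  openssl x509 -req -days 1 -in ca.csr -signkey ca.key -extfile ca.ext \
    -out ca.pem 2>/dev/null || return 1
  openssl req -new $keyopts -subj /CN=server.example.test \
    -keyout server.key -out server.csr 2>/dev/null || return 1
  printf 'basicConstraints=critical,CA:FALSE\n' > server.ext
  openssl x509 -req -days 1 -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -extfile server.ext -out server.pem 2>/dev/null || return 1
  openssl req -new $keyopts -subj /CN=spoofed.example.test \
    -keyout third.key -out third.csr 2>/dev/null || return 1
  openssl x509 -req -days 1 -in third.csr -CA server.pem -CAkey server.key \
    -CAcreateserial -out third.pem 2>/dev/null || return 1
  # The legitimate chain is accepted.
  openssl verify -CAfile ca.pem server.pem >/dev/null 2>&1 || return 1
  # The chain through the non-CA server certificate must fail ("invalid CA certificate").
  if openssl verify -CAfile ca.pem -untrusted server.pem third.pem >/dev/null 2>&1; then
    return 1
  fi
  return 0
)
```

Pass the full start command (for example the output of `ps -o args= -C java` on the WebLogic host) to enforce_constraints_disabled; a zero exit status means the weak setting is present.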