WAS v8.5 > Secure applications > Secure communications > Secure communications using SSL > SSL configurations

Trust manager control of X.509 certificate trust decisions

Trust managers validate the SSL certificate sent by peers. They verify the signature and check the expiration date.

WebSphere Application Server can call multiple trust managers during an SSL connection. The default trust manager does the standard certificate validation; custom trust manager plug-ins run customized validation such as host name verification.

Server-side trust managers call the isClientTrusted method; client-side trust managers call the isServerTrusted method. The peer certificate chain is passed to these methods. If the trust manager chooses not to trust the peer information, it can throw an exception to force a handshake failure. Additional information about the connection can be passed to the trust manager through the com.ibm.wsspi.ssl.TrustManagerExtendedInfo interface.


Default IbmX509 trust manager

The IbmX509 trust manager establishes trust by performing standard certificate validation.

<trustManagers xmi:id="TrustManager_1132357815717" 
               name="IbmX509" 
               provider="IBMJSSE2" 
               algorithm="IbmX509" 
               managementScope="ManagementScope_1132357815717"/>

The trust manager uses a signer certificate from the truststore to verify the peer certificate sent during the handshake.


Default IbmPKIX trust manager

We can replace the IbmX509 trust manager with the default IbmPKIX trust manager, as in the following configuration samples:

<trustManagers xmi:id="TrustManager_1132357815719" 
               name="IbmPKIX" 
               provider="IBMJSSE2" 
               algorithm="IbmPKIX" 
               trustManagerClass="" 
               managementScope="ManagementScope_1132357815717">

               <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_1132357815717" 
                                            name="com.ibm.security.enableCRLDP" 
                                            value="true" 
                                            type="boolean"/>                
               <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_1132357815718" 
                                            name="com.ibm.jsse2.checkRevocation" 
                                            value="true" 
                                            type="boolean"/> 
</trustManagers>
<trustManagers xmi:id="TrustManager_managementNode_2" 
               name="IbmPKIX" 
               provider="IBMJSSE2" 
               algorithm="IbmPKIX" 
               trustManagerClass="" 
               managementScope="ManagementScope_managementNode_1"> 
    <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_1" 
                                 name="com.ibm.security.enableCRLDP" 
                                 value="false" 
                                 type="boolean" 
                                 displayNameKey="" 
                                 nlsRangeKey="" 
                                 hoverHelpKey="" 
                                 range="" 
                                 inclusive="false" 
                                 firstClass="false"/> 
    <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_2" 
                                 name="com.ibm.jsse2.checkRevocation" 
                                 value="false" 
                                 type="boolean" 
                                 displayNameKey="" 
                                 nlsRangeKey="" 
                                 hoverHelpKey="" 
                                 range="" 
                                 inclusive="false" 
                                 firstClass="false"/> 
    <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_3" 
                                 name="ocsp.enable" 
                                 value="false" 
                                 type="String" 
                                 displayNameKey="" 
                                 nlsRangeKey="" 
                                 hoverHelpKey="" 
                                 range="" 
                                 inclusive="false" 
                                 firstClass="false"/> 
    <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_4" 
                                 name="ocsp.responderURL" 
                                 value="http://ocsp.example.net:80" 
                                 type="String" 
                                 displayNameKey="" 
                                 nlsRangeKey="" 
                                 hoverHelpKey="" 
                                 range="" 
                                 inclusive="false" 
                                 firstClass="false"/> 
    <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_5" 
                                 name="ocsp.responderCertSubjectName" 
                                 value="" 
                                 type="String" 
                                 displayNameKey="" 
                                 nlsRangeKey="" 
                                 hoverHelpKey="" 
                                 range="" 
                                 inclusive="false" 
                                 firstClass="false"/> 
    <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_6" 
                                 name="ocsp.responderCertIssuerName" 
                                 value="" 
                                 type="String" 
                                 displayNameKey="" 
                                 nlsRangeKey="" 
                                 hoverHelpKey="" 
                                 range="" 
                                 inclusive="false" 
                                 firstClass="false"/> 
    <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_7" 
                                 name="ocsp.responderCertSerialNumber" 
                                 value="" 
                                 type="String" 
                                 displayNameKey="" 
                                 nlsRangeKey="" 
                                 hoverHelpKey="" 
                                 range="" 
                                 inclusive="false" 
                                 firstClass="false"/>
</trustManagers>

In addition to its role of standard certificate verification, the IbmPKIX trust manager checks for OCSP properties and for certificates containing certificate revocation list (CRL) distribution points. This process is known as extended CRL checking. When you select a trust manager, its associated properties are automatically set as Java System properties so the IBMCertPath and IBMJSSE2 providers are aware that CRL checking is enabled.


Differences between the IbmX509 and the IbmPKIX trust managers

X.509 certificate validation requirements are more stringent in the IbmX509 trust manager than in the IbmPKIX trust manager. For example:

Additionally, the Online Certificate Status Protocol (OCSP) can be used to perform an online check of certificate validity. However, this capability requires you to set additional system properties, as documented in the Java Certification Path API Programmer's Guide, which is available on the IBM developerWorks web site.


Custom trust manager

We can define a custom trust manager to perform additional trust checking based on the needs of the environment. For example, in one environment, you might allow connections only from the same Transmission Control Protocol (TCP) subnet. The com.ibm.wsspi.ssl.TrustManagerExtendedInfo interface provides extended information about the connection that the standard Java Secure Sockets Extension (JSSE) javax.net.ssl.X509TrustManager interface does not. The configured trustManagerClass attribute determines which class the runtime instantiates, as shown in the following code sample:

<trustManagers xmi:id="TrustManager_1132357815718" 
               name="CustomTrustManager" 
               trustManagerClass="com.ibm.ws.ssl.core.CustomTrustManager" 
               managementScope="ManagementScope_1132357815717"/>

The class named by the trustManagerClass attribute must implement the javax.net.ssl.X509TrustManager interface and can optionally implement the com.ibm.wsspi.ssl.TrustManagerExtendedInfo interface.
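As an added example (not code from this page and not IBM's com.ibm.ws.ssl.core.CustomTrustManager sample), a custom trust manager for the subnet policy mentioned above: it delegates the standard checks to the JVM's default X509TrustManager and then rejects peers outside one IPv4 /24. It assumes the TrustManagerExtendedInfo methods setExtendedInfo/setSSLConfig and the com.ibm.ssl.remoteHost key as described in the WebSphere Javadoc, that the runtime creates one instance per SSL configuration and sets the extended info before each trust check, and that the JVM default truststore (rather than the WebSphere truststore) is acceptable for the delegated validation.

```java
import java.net.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Properties;
import javax.net.ssl.*;
import com.ibm.wsspi.ssl.TrustManagerExtendedInfo;

// Hypothetical class (not IBM's CustomTrustManager sample): keeps the standard chain
// validation and additionally admits peers only from one IPv4 /24 subnet.
public class SubnetRestrictedTrustManager implements X509TrustManager, TrustManagerExtendedInfo {
    // Assumed key for the peer host in the extended info; confirm in your release's Javadoc.
    private static final String REMOTE_HOST_KEY = "com.ibm.ssl.remoteHost";
    private static final byte[] ALLOWED_NET = {10, 20, 30};  // 10.20.30.0/24, constructed value
    private X509TrustManager standard;                        // signature, expiry and chain checks
    private volatile String remoteHost;                       // supplied per handshake by the runtime

    public SubnetRestrictedTrustManager() throws Exception {  // no-arg: created from trustManagerClass
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                            // JVM default truststore (see lead-in)
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) { standard = (X509TrustManager) tm; return; }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public void setExtendedInfo(Properties info) { remoteHost = info.getProperty(REMOTE_HOST_KEY); }
    public void setSSLConfig(Properties config) { }           // not needed for this policy

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        standard.checkClientTrusted(chain, authType);         // standard validation is never skipped
        requireSameSubnet();
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        standard.checkServerTrusted(chain, authType);
        requireSameSubnet();
    }
    public X509Certificate[] getAcceptedIssuers() { return standard.getAcceptedIssuers(); }

    // Fail closed: a missing, unresolvable or out-of-subnet peer address aborts the handshake.
    private void requireSameSubnet() throws CertificateException {
        String host = remoteHost;
        if (host == null) throw new CertificateException("peer address not supplied");
        try {
            byte[] p = InetAddress.getByName(host).getAddress();
            if (p.length != 4 || p[0] != ALLOWED_NET[0] || p[1] != ALLOWED_NET[1] || p[2] != ALLOWED_NET[2])
                throw new CertificateException("peer " + host + " is outside the allowed subnet");
        } catch (UnknownHostException e) {
            throw new CertificateException("cannot resolve peer " + host, e);
        }
    }
}
```

Because the class still performs the standard validation itself, it stays safe even if the default trust manager is later disabled as described in the next section.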


Disable the default trust manager

In some cases, you might not want to perform the standard certificate verification provided by the IbmX509 and IbmPKIX default trust managers. For example, you might be working with an internal automated test infrastructure that is not concerned with SSL client or server authentication, integrity, or confidentiality. The sample code that follows shows a basic custom trust manager such as com.ibm.ws.ssl.core.CustomTrustManager, with the property that disables the default trust manager set to true.

We can set this property in the global properties at the top of the ssl.client.props file for clients or in the security.xml custom properties for servers. Setting it prevents the server from calling the default trust manager even though that trust manager is still configured, so you must configure a custom trust manager whenever you disable the default one. Disabling the default trust manager is not a common practice. Be sure to test the system with the disabled default trust manager in a test environment first.


Related concepts:
SSL configurations
Java Certification Path API Programmer's Guide

