When using Client cert auth, the verify(Credential credential) method receives a X509CertificateCredential instance which contains ONLY the last X509Certificate in the chain that was presented from the client.  In order to allow the identity manger to make decisions based on the entire cert chain, add a new field to the X509Certificate X509CertificateCredential class that holds an array of certs to represent the whole chain along with a getter/setter.  This will be fully backwards compatible and will allow easier access to the entire chain without having to manually dig around in the SSLSessionInfo class to get them.