6
Windows 2000 PKI Integration

This chapter describes the integration of Oracle Public Key Infrastructure (PKI) with Windows 2000 Public Key Infrastructure (Windows PKI) on Windows operating systems.

This chapter contains these topics:

• Oracle Public Key Infrastructure

• Windows Public Key Infrastructure

Oracle Public Key Infrastructure

Oracle Public Key Infrastructure (PKI) is used by the Oracle Enterprise Security Manager, LDAP-enabled Oracle Enterprise Manager, Oracle's Secure Socket Layer (SSL) authentication, Oracle9i database, and Oracle Application Server.

Oracle PKI includes the following components:

• Oracle Wallets - Stores the digital certificates trustpoints and private keys used in public key applications for encryption, digital signature, and verification.

• Oracle Wallet Manager (OWM) - Creates an encrypted Oracle Wallet that holds the digital certificates.

• Oracle Enterprise Login Assistant - Creates or deletes the decrypted, obfuscated Oracle Wallets.

Windows Public Key Infrastructure

The Microsoft Certificate Store integration works only with the certificates that use Microsoft Enhanced Cryptographic Provider. You need to install the Windows High Encryption Pack to get this Cryptographic Provider and select Microsoft Enhanced Cryptographic Provider when creating these certificates. Also, when there are more than one of these certificates available for the same key usage (signature/key exchange), the first certificate retrieved will be used for Oracle SSL.

Microsoft Certificate Stores

Microsoft Certificate Stores are repositories for storing certificates and their associated properties. Windows 2000 stores certificates and certificate revocation lists in logical and physical stores. Logical stores contain pointers to the public key objects in the physical stores. Logical stores enable public key objects to be shared between users, computers, and services without requiring the storage of duplicates of the objects for each user, computer, or service. With physical stores, public key objects are stored in the registry of the local computer or, for some user certificates, in Active Directory. Some of the standard system certificate stores defined by Microsoft are:

• MY or Personal - holds a user's certificates for which the associated private key is available. The MY certificate store maintains certificate properties that indicate the Cryptographic Service Provider (CSP) associated with the private key. An application uses this information to obtain the private key from the CSP for the associated certificate.

• CA - holds issuing or intermediate CA certificates

• ROOT - holds only self-signed CA certificates for trusted root CAs

Microsoft Certificate Services

Microsoft Certificate Services (MCS) consists of the following modules:

• The Server Engine - handles all certificate requests. The engine interacts with modules at each processing stage to ensure that the proper action is taken based on the state of the request.

• The Intermediary - receives requests for new certificate from clients and then submits them to the Server Engine.

• The Policy Module - contains the set of rules controlling the issuance of certificates. This module may be upgraded or customized as needed.

Wallet Resource Locator

The Wallet Resource Locator (WRL) specifies that the WALLET_LOCATION parameter in the sqlnet.ora file identifies a particular PKI.

The user can choose between using Oracle Wallet or Microsoft Certificate Store by setting the WALLET_LOCATION parameter in sqlnet.ora.

To use the credentials from Microsoft Certificate Store:

• The WALLET_LOCATION parameter in sqlnet.ora is set to:

  WALLET_LOCATION = (SOURCE = (METHOD=MCS))
  

• The Oracle application uses Oracle's TCP/IP with SSL protocol (TCPS) to connect to the Oracle Server.

• The SSL protocol uses the X.509 certificates and trustpoints from the user's Microsoft Certificate Store for SSL authentication.