Oracle® Application Server Certificate Authority Administrator's Guide
10g (9.0.4)

Part Number B10663-01

C Known Troubleshooting Tips

This chapter describes a number of issues that can arise in the installation or administration of Oracle Application Server Certificate Authority.

The following sections of this Appendix describe how to deal with or work around those issues for the current release:

1. Prerequisite Issues and Warnings

2. Browser Issues

    1. Issue: Browser issues a warning if the CA SSL Server's CN is not identical to the machine name.

    2. Issue: Browsers use only the first (rightmost) CN component

    3. Netscape

    4. Internet Explorer (IE)

3. Network Issues

4. Certificate Issues

5. Single Sign-on (SSO) Issues

6. Search Issues

7. Backup Protection Issues

8. General Issues

1. Prerequisite Issues and Warnings

a. Issue: Failure of Key Pair Generation during Certificate Requests on Windows.

For Windows client machines, this operation requires NT to have Service pack 5 or above.

What to Do
  • Visit Microsoft's website and download the necessary upgrades for your configuration

Always use ocactl to change any password related to OCA. Never use any other tool.

b. Issue: Cannot Log in as Administrator after Logging in as Normal User

If you first log in to OCA as a normal user via SSL, then trying to go to Certificate Management causes a JAZN error. The reason is that you are not recognized as the web administrator unless you log in as such, even though you are enrolled as the web admin. The SSL session established between OCA and you as a non-admin user remains active; your enrollment does not change your SSL session.

What to Do
To log on as web admin, you must
  1. Enroll as web admin,

  2. Exit your browser, and

  3. Log in as web admin, by choosing your web admin certificate for authentication.

c. Issue: Changing Passwords Must Use OCA's Commandline Tool ocactl

It may occasionally be desirable or advisable to change the passwords used for the CA SSL wallet, the OCA internal repository, or the OCA administrator. If any tool other than ocactl is used to change any of these passwords, OCA will stop working.

2. Browser Issues

Some symptoms may arise only when you are using a certain type or level of browser. This section describes the presently known browser-related issues.

Issue: Browser issues a warning if the CA SSL Server's CN is not identical to the machine name.

The machine name is likely in wide use and inconvenient to change. Therefore, the CN for the CA SSL Server must be made identical to that machine name, which requires a new CA SSL Server certificate.

Issue: Browsers use only the first (rightmost) CN component

When a DN has more than one CN component, the browser names the certificate for that DN using only its first CN component (from the right). This certificate is listed in the popup for SSL Mutual Authentication as "user's", in both Microsoft's Internet Explorer and Netscape (4.7x and 7.x).

Netscape

i. Issue: Only one certificate appears in the popup window, though multiple certificates are available.

Netscape 4.79 shows only the latest certificate in this popup window.

What to Do
  • Alter the order of certificates so that the one that you want to use is the last certificate on the list.

ii. Issue: Browser continues to ask if CA certificate is trusted.

Netscape 4.7x versions do not automatically trust the CA certificate; they require the user to state explicitly that the CA certificate is to be trusted. Until that is done, Netscape does not assume it is trusted.

What to Do
  • When the browser prompts, explicitly mark the CA certificate as trusted. Once that is done, Netscape stops asking.
iii. Issue: "Certificate is expired" warning appears.

If the time zone of the client is behind that of the server, there can be a period of time in which Netscape might issue a 'certificate is expired' warning. The reason is that the CA SSL certificate is not yet valid in the user's time zone.

What to Do
  • The problem should resolve itself in a relatively short period of time, depending on the time zone differential.

iv. Issue: SubCA and CA SSL client certificates are listed.

Netscape 7.x browser users can face this anomaly: If the user has two SSL client certificates, one from the CA and another from a SubCA of that CA, then during client authentication to the SubCA, both certificates are listed. Select the certificate appropriate to the CA in use for this SSL site.

Internet Explorer (IE)

i. Issue: "Page can not be displayed" Message

These intermittent errors can arise while interacting in SSL mode. One example arises after logging in to SSO by name and password, but then changing authentication by choosing SSL. This error is a known IE bug.

What to Do
  • Try to reload the page. If that does not help, exit from the current browser session, and then re-access Oracle Application Server Certificate Authority to try anew.

ii. Issue: Failure to import CRL to Browser

The IE button Import CRL to Browser does show the CRL for viewing, but it does not actually import the CRL into the browser.

What to Do
  • Use the IE menus to choose the following command sequence:
    Tools -> Internet Options -> Content -> Certificates -> Import

iii. Issue: Message that a page contains both secure and non-secure information

In User Pages -> Manual Authentication -> Download CA certificate -> Advanced, clicking Help opens a new window that may display an error message saying that the page contains both secure and non-secure information. This is not a security breach.

iv. Issue: Opening online Help can generate a security alert.

When online help is opened while using OCA, IE will display a security alert. It appears that the alert is generated whenever an https URL is in use and then a second https URL is invoked.

What to Do
This behavior can be switched off by changing the security options under Tools -> Internet Options -> Security -> Custom Level. Under Settings, look for "Display Mixed Content" and select the enable option under that heading.

3. Network Issues

a. Issue: Error message when logging on to OCA using SSO username/password

The following message:

arises from an IP address check if a proxy server with multiple IP addresses is used between the browser and the SSO server.

What to Do
  • When the access is through an intranet, the browser should be configured not to use a proxy, following the instructions in the browser documentation.

  • If this is not the case, or if such a change does not solve the problem, then the following change is needed on the server side: the value of the directive OssoIpCheck in the SSO configuration file must be set to "off". To do so, navigate to the file located at

    $ORACLE_HOME/Apache/Apache/conf/mod_osso.conf

    and edit the line containing OssoIpCheck to say "OssoIpCheck off".

  • After modifying the configuration file, you must restart the Oracle HTTP Server by executing the following stop and start commands:

    $ORACLE_HOME/opmn/bin/opmnctl stopproc type=ohs
    $ORACLE_HOME/opmn/bin/opmnctl startproc type=ohs
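The server-side edit above, as an added example that is not part of this guide or of Oracle's tooling: it rewrites the OssoIpCheck directive in a mod_osso.conf-style file, handling an existing active line, a commented-out line, and a missing directive. The file fragment it works on is constructed here; because the directive turns off the check that ties an SSO session to a client IP address, the browser-side proxy fix listed first is preferable where it applies.

```python
import re

DIRECTIVE = "OssoIpCheck"

# Constructed sample of a mod_osso.conf fragment (not copied from a real install).
SAMPLE_CONF = """\
LoadModule osso_module libexec/mod_osso.so
<IfModule mod_osso.c>
    OssoIpCheck on
    OssoIdleTimeout off
</IfModule>
"""

# Matches an active or commented-out OssoIpCheck line; group 1 keeps its indentation.
_DIRECTIVE_LINE = re.compile(r'^(\s*)#?\s*' + DIRECTIVE + r'\b.*$', re.IGNORECASE)

def set_osso_ipcheck(conf_text, value="off"):
    """Return conf_text with exactly one active 'OssoIpCheck <value>' line: the first
    occurrence is rewritten in place, duplicates are dropped, absence means append."""
    out, done = [], False
    for line in conf_text.splitlines():
        m = _DIRECTIVE_LINE.match(line)
        if m:
            if not done:
                out.append(f"{m.group(1)}{DIRECTIVE} {value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{DIRECTIVE} {value}")
    return "\n".join(out) + "\n"

def osso_ipcheck_value(conf_text):
    """Current active (uncommented) OssoIpCheck value, lower-cased, or None if unset."""
    m = re.search(r'^\s*' + DIRECTIVE + r'\s+(\S+)', conf_text, re.IGNORECASE | re.MULTILINE)
    return m.group(1).lower() if m else None

def update_conf_file(path, value="off"):
    """Apply the change to a file on disk and return the resulting active value."""
    with open(path) as f:
        text = f.read()
    new_text = set_osso_ipcheck(text, value)
    if new_text != text:
        with open(path, "w") as f:
            f.write(new_text)
    return osso_ipcheck_value(new_text)

if __name__ == "__main__":
    print(set_osso_ipcheck(SAMPLE_CONF))
```

After running update_conf_file on the real path, the opmnctl stop and start commands above still have to be run for the change to take effect.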

b. Issue: "Network Error" message.

This message can arise when a browser requires re-authentication because an operation was attempted with Oracle Application Server Certificate Authority after some period of inactivity.

What to Do
  • You need to re-authenticate yourself to OCA by going to the Certificate Management tab and, when asked, choosing the Web Admin Certificate.

4. Certificate Issues

a. Issue: Importing user certificate does not import CA certificate on Netscape

Importing a user certificate into Netscape does not also import the CA certificate.

What to Do
  • All CA/Sub CA certificates must contain the O (Organization) component in their Subject DN. The components mandatory in the CA/ Sub CA DN are C, O, and CN.

  • When installing Oracle Application Server Certificate Authority, or regenerating the Root CA, users should input a DN that includes at least country, organization, and common name ("C, O, CN").

  • When installing a Sub CA, ensure that the DN of the CA signing certificate has O (organization) RDN in its subject DN.
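As an added example (not code from this guide or from Oracle), the following checks the two DN points this appendix raises: that a CA or Sub CA subject DN must carry C, O and CN, and that a browser names a certificate after only the rightmost CN component when a DN has several. The DN parser and the sample DNs are constructed here.

```python
import re

# Components this appendix says are mandatory in a CA / Sub CA subject DN.
MANDATORY_CA_RDNS = ("C", "O", "CN")

def parse_dn(dn):
    """Split an RFC 2253-style string such as 'CN=a,O=b,C=c' into
    [('CN', 'a'), ('O', 'b'), ('C', 'c')], honouring backslash-escaped commas."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition('=')
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((name.strip().upper(), value.replace('\\,', ',').strip()))
    return rdns

def missing_ca_components(dn):
    """Mandatory components (C, O, CN) absent from a CA subject DN; [] means it is acceptable."""
    present = {name for name, _ in parse_dn(dn)}
    return [c for c in MANDATORY_CA_RDNS if c not in present]

def browser_display_name(dn):
    """Name a browser shows for the certificate when the DN carries several CNs:
    only the rightmost CN component, as this appendix describes."""
    cns = [value for name, value in parse_dn(dn) if name == "CN"]
    return cns[-1] if cns else None

if __name__ == "__main__":
    # Constructed sample DNs, not taken from any real deployment.
    for sample in ("CN=Alice Smith,CN=Web Admin,O=Example Corp,C=US",
                   "CN=Example Sub CA,OU=PKI,C=US"):
        print(sample)
        print("  shown as:", browser_display_name(sample),
              "| missing CA components:", missing_ca_components(sample))
```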

b. Issue: Inability to Access or Use the Certificate Management Tab

Attempts to access or use the Certificate Management facility fail.

What to Do
  • Access to Certificate Management requires that your browser has imported a valid Web Administrator certificate. Thus you must apply for and receive such a certificate before clicking Certificate Management. You do so in the Administration Setup tab, by clicking the button labeled Web Administrator Enrollment ... .

c. Issue: Administrator Needs to Work from a Different Machine

An Oracle Application Server Certificate Authority administrator may wish to do certificate management tasks from any of multiple machines. However, his Web Administrator certificate is contained in the browser of the machine he used when originally authenticating himself to be the OCA Web Administrator.

What to Do
  • To switch from one machine to another and maintain the ability to do certificate management tasks, you need to export the certificate from the previous browser and import it into the new browser, as follows:

  • Exporting the certificate on Netscape: Choose
    Security->Certificates->Yours->choose the Web Admin Cert ->Export

  • Importing the certificate on Netscape: Choose
    Security->Certificates->Yours->Import Certificate.

  • Exporting the certificate on Internet Explorer: Choose
    Internet options ->Content->Certificates->Personal-><choose your Web Admin Cert> ->Export

  • Importing the certificate on Internet Explorer: Choose
    Internet options->Content->Certificates->Personal->Import

5. Single Sign-on (SSO) Issues

a. Issue: Name shown on an SSO certificate appears only as "User"

These certificates do not show the common name or DN. They are distinguishable only by having different certificate serial numbers.

What to Do
  • Click on "View" to check the certificate serial number, and pick the certificate identified by the serial number you wish to use.

b. Issue: VBScript Error Message While Generating Keys

In SSO, you request a certificate by clicking "Submit" in the popup window. Since there is no message to wait and no visible indication of progress, users sometimes click "Submit" again, causing this error.

What to Do
  • Try again, being sure to click "Submit" only once and to wait until the certificate is returned.

c. Issue: "Page can not be displayed" Message in Internet Explorer

After logging in to SSO by name and password, but then changing authentication by choosing SSL, a known IE bug gives the "Page cannot be displayed" error.

What to Do
  • Try to reload the page. If that does not help, exit from the current browser session, and then re-access Oracle Application Server Certificate Authority to try anew.

d. Issue: Going to the SSO login page in Internet Explorer can get a security warning dialog

What to Do
  • This warning occurs due to switching from https to http. No action is needed.

6. Search Issues

a. Issue: Pressing "Enter" in search screens produces "Internal Error".

What to Do
  • This error is a known Oracle Bug, #2224035 (Marlin). To initiate a search, use the GO button rather than pressing Enter.

7. Backup Protection Issues

a. Issue: Ensuring Recoverability of the OCA Internal Repository

Errors and unpredicted events can threaten the continuity of OCA operations.

What to Do
  • Take a backup of the OCA repository periodically. Oracle Application Server commandline tools such as "export" can be used to save the OCA repository to a file. It can then be restored to the "same" database using the "import" tool.

8. General Issues

a. Issue: Pages taking too long to load, or hanging

Sometimes such delays can occur, possibly after Oracle Application Server Certificate Authority has been in operation for a substantial period.

What to Do
  • Restart OCA's OC4J instance, which will return you to faster operations.

b. Issue: JAZN error when enrolling a new web administrator

After a web administrator certificate has been revoked, OHS and OCA's OC4J must be restarted before starting OCA and enrolling the new web administrator.

What to Do
  • Start OHS and OCA's OC4J first, then start OCA, and then enroll the new web administrator.

c. Issue: No SMIME signing certificate in Outlook Express

In some Windows environments, when you select the certificate for SMIME signing in Outlook Express, there is no certificate listed. The reason is that there is an installed version of Microsoft Outlook.

What to Do
  • You will need to use Microsoft Outlook and not Outlook Express.

d. Issue: Browser warning about CA SSL Server's CN

If the CA SSL Server's CN is not identical to the machine name, this warning will arise.

What to Do
  • You will need to make the CN and machine name the same.


Copyright © 2002, 2003 Oracle Corporation. All Rights Reserved.