4
Configuring Oracle Application Server Certificate Authority

The Oracle Application Server Certificate Authority administrative web interface covers the following three broad areas, each accessible from a tab on the home page:

• Certificate issues, regarding issued certificates; requests for certificate issuance, revocation, or renewal: and certificate revocation lists (CRLs)

• Configuration issues, regarding parameters for Oracle Application Server Certificate Authority actions and for implementation of certificate security policies

• Viewing logs of Oracle Application Server Certificate Authority activity

This chapter describes the second and third of those areas: configuration management and viewing logs, as well as describing the content you should provide in your certification practice statement.

It contains the following sections:

• Structure of the Administration Interface

• Configuration Management Tab

• View Logs Tab

• Creating and Updating Your Certification Practice Statement

Structure of the Administration Interface

The home page of the graphical user interface (GUI) for Oracle Application Server Certificate Authority presents three additional tabs, as the following figure shows:

Text description of the illustration homepage.gif

These three subtabs enable you to address specific tasks in managing certificates or the Certificate Authority configuration:

• Certificate Management Tab, described in Chapter 3, particularly in the section entitled Managing Certificates

• Configuration Management Tab, described in this chapter

• View Logs Tab, described in this chapter

Configuration Management Tab

The Configuration management tab is one of the four choices available when you first enter the Oracle Application Server Certificate Authority web environment. Clicking the Configuration Management tab on the home page displays the first of the three subtabs, each representing a grouping of the Oracle Application Server Certificate Authority configuration management facilities.

The content and use of those subtabs are explained in the following sections:

• Summary of Configuration Tasks

• Notification Sub-tab

• General Sub-tab

• The Policy Sub-tab of Oracle Application Server Certificate Authority and Policy Actions are discussed in Chapter 5, "Managing Policies in Oracle Application Server Certificate Authority"

  

  Text description of the illustration configmain01.gif

Summary of Configuration Tasks

Table 4-1, Table 4-2, and Table 4-3 list the tasks encompassed by the Notification, General, and Policy sub-tabs of Configuration Management and provide links to discussions of those tasks.

Table 4-1 Notification Sub-tab Tasks and Discussions in Configuration Management  

Notification Sub-tab Tasks and Data	Links to Task Discussions
Specify server name and email contacts for alerts and notifications. Specify desired types of alerts. Specify the interval between generating CRLs, the interval between validating CRLs, and the interval between directory synchronizations	Mail Details Alerts Scheduled Jobs

Table 4-2 General Sub-tab Tasks and Discussions in Configuration Management  

General Sub-tab Tasks and Data	Links to Task Discussions
Specify that certificate publishing uses SSL or non-SSL communication channel with Oracle Internet Directory.	Certificate Publishing
Specify that end-users can use SSL and SSO authentication for certificate management.	SSL and SSO Authentication
Specify logging, tracing, both, or neither.	Logging and Tracing
Specify default values for DN components shown in enrollment.	Default Base DN Components
See configuration parameters for the database and directory.	Database Settings, Directory Settings

Table 4-3 Policy Sub-tab Tasks and Discussions in Configuration Management  

Policy Sub-tab of Oracle Application Server Certificate Authority Tasks and Data (in Chapter 5)	Links to Task Discussions
See the policies applicable to available operations, such as certificate requests, revocations, or renewals. Edit, enable, disable, delete, add, or reorder policies.	Certificate Request Policies as Shipped Certificate Revocation Policy as Shipped Certificate Renewal Policy as Shipped Policy Actions

Notification Sub-tab

Notification parameters control what events trigger notification emails to the administrator, how those emails are generated, and how often checking is done to reveal such events.

Changes you make to Notification configuration parameters will take effect only after Oracle Application Server Certificate Authority is restarted.

Mail Details

Mail parameters enable email notifications to be sent, encrypted or clear, to the email address you specify for the administrator and to the OCA users when appropriate, using your specified server, sender, and template. You specify your choices in the following portion of the Notification subtab screen:

Text description of the illustration notifnmaildetails.gif

Note that the hint below Enable Template will, after installation, display the exact path to the template directory. For example, if $Oracle_Home is defined during installation as /private/sitename/username, then this hint will display as "Templates stored at /private/sitename/username/oca/email."

See Also: Regenerating the CA SSL and CA SMIME Wallets in Chapter 6, "OracleAS Certificate Authority Administration: Advanced Topics"

Alerts

Alerts parameters enable you to specify whether you are to receive alerts in the following circumstances:

• When the number of pending certificate requests exceeds the queue threshold you specify here, to be checked on the schedule you specify here

• Whenever automatic generation of the CRL fails. Such failure could occur, for example, if the database or Oracle Internet Directory were temporarily unavailable. Other rare possibilities include unpredictable runtime or configuration errors related to memory, input/output, or connectivity issues.

You specify your choices in the following portion of the Notification subtab screen:

Text description of the illustration notifnalerts.gif

Scheduled Jobs

Scheduled Jobs parameters enable you to make the following choices about automatic jobs:

• Whether a CRL is to be generated automatically, and how often. This feature establishes a reliable, timely, and regular process supporting applications that depend on the CRL to detect revoked or expired certificates.

• Whether directories are to be synchronized, and how often. This feature ensures timely, regular updates to the certificate information in the Oracle Internet Directory. Even certificates issued (or revoked or expired) during any temporary directory downtime will be published (or removed) during synchronization.

You specify your choices in the following portion of the Notification subtab screen:

Text description of the illustration notifnscheduledjobs.gif

General Sub-tab

This sub-tab enables you to set parameters controlling the following tasks:

• Certificate Publishing

• SSL and SSO Authentication

• Logging and Tracing

• Default Base DN Components

• Database Settings

• Directory Settings

Changes you make to General configuration parameters will take effect only after Oracle Application Server Certificate Authority is restarted.

Certificate Publishing

The choices in this section enable you to publish certificates to the directory and to choose SSL protection for messages that tell the directory about those certificates.

Text description of the illustration publishnssl.gif

SSL and SSO Authentication

The choices in this section let you specify that SSL or SSO users can be recognized automatically, meaning that their existing certificates (or SSO authentication) are accepted as authenticating their identities. Enabled by default, such acceptance means Oracle Application Server Certificate Authority will issue them a new certificate without administrator intervention.

Text description of the illustration sslssoauthentn.gif

Logging and Tracing

The choices in this section let you specify whether to create a log file of all user activities, a tracing file of all details for every error, or both.

Text description of the illustration loggingntracing.gif

Logs are stored in the OCA repository; you can view them from the View Logs tab. Trace is stored on the file system, in the file at $ORACLE_HOME/oca/logs/oca.trc.

Default Base DN Components

The values you fill in here will be used to pre-fill some of the Distinguished Name elements on the manual enrollment request form used to submit certificate requests.

Text description of the illustration dnongeneral.gif

This facility is simply for the users' convenience, supplying common fields. The values you fill in here can be overridden as needed.

Database Settings

The settings shown here simply tell you the database connect string that is being used to connect to the Oracle Application Server Certificate Authority repository.

Text description of the illustration databasesettings.gif

These settings only change if Oracle Application Server Certificate Authority's repository moves to a new location. You can use the ocactl updateconnection command in that case to update the repository connection settings.

Directory Settings

The settings shown here simply tell you the host, agent, and port being used to connect with Oracle Internet Directory.

Text description of the illustration directorysettings.gif

View Logs Tab

This configuration management page enables you to view logs that record messages regarding transactions or errors occurring during use of Oracle Application Server Certificate Authority. Such a screen would look like this:

Text description of the illustration viewlogsnowhite.gif

Each line of such a log contains six elements, beginning with a log id number, the IP address that initiated the client activity, and the date of the action. Each line also includes the log entry type, the component of Oracle Application Server Certificate Authority generating the entry, and the component's message about the activity.

Creating and Updating Your Certification Practice Statement

A certification practice statement describes the policies and procedures your site and certification authority follow, and thus often contains the following information:

• Legal notices, obligations, and liability

• Warnings or cautionary notes about using certificates

• Public Key Infrastructure knowledge requirements

• Standards or protocols used

• Certificate-specific data:
  • life cycle details

  • limitations

  • key strengths and related security consequences

• Hierarchy of certificate authorities at a site

• Services provided

• How to acquire, revoke, or renew a certificate

• Contact information

You can add or alter your certification practice statement (CPS) by editing the $ORACLE_HOME/oca/help/Help/oca_cps.html file.

After Oracle Application Server Certificate Authority is restarted, your changes will appear on the Practice page when any user clicks the Practice Statement icon appearing on every page.

Note: The Certificate Practice Statement created by the OCA administrator using the above procedure is not internationalization (i18n) compliant. This fact means that clients in a language different from the OCA server language will see the practice statement only in the server's language.

Certificate Practice Statements described by the OCA administrator using the above procedure is not internationalization (i18n) compliant. That means, the clients in a different language than the OCA server language will see the practise statement in server's language only."