7
End-User Interface of the Oracle Application Server Certificate Authority

The term "end-users" includes persons, of course, but also server entities that acquire certificates to facilitate authentication among servers and applications.

Oracle Certificate Authority has separate HTML interfaces for end-user and administrator interaction with the Oracle Application Server Certificate Authority server. Using these HTML forms, end-users can perform personal certificate-related operations and the administrator can perform certificate administration and management.

For the OracleAS Certificate Authority web administrator interface, see

This chapter describes the end-user interface, in the following sections:

• Accessing the User Interface

• End-User Tabs and Processes
  • User Certificates Tab

  • Certificate Retrieval, Renewal, and Revocation

  • Server/SubCA Certificates Tab

  • Subordinate CA Certificates

• Downloading a CA Certificate

• Importing the Certificate Revocation List (CRL) into Your Browser

• Downloading Certificate Revocation Lists into Your File System

• Importing a Certificate to Your Browser

• Exporting (Backing up) Your Wallet from Your Browser

• Importing a Certificate from Your File System

Both Netscape and Internet Explorer are supported.

Accessing the User Interface

To access the home page for the end-user interface to Oracle Application Server Certificate Authority, launch your web browser and enter the URL and port number of the administration server as they were displayed at the end of installation. For example:

https://Oracle_HTTP_host:ssl_port/oca/user

The Oracle Application Server Certificate Authority user home page appears:

Text description of the illustration userfrontpage071603.gif

As the page itself explains, you can use this web interface to request, renew, revoke, or find any certificate or certificate request. To access these capabilities, you can click either the User Certificates tab or the Server/SubCA Certificates tab.

You can also use the click here links to import into your browser the Certificate Authority's certificate or the latest certificate revocation list (CRL).

Similarly, administrators can use their click here links to download the CA certificate or CRL into their file system for additional uses.

End-User Tabs and Processes

The Oracle Application Server Certificate Authority web interface enables two types of end-user interaction with Certificate Authority, as represented by the two tabs:

From the User Certificates tab you can

• authenticate yourself to the Oracle Application Server Certificate Authority, either by using existing Single Sign-On (SSO) or SSL certificates, or by requesting manual authentication by an administrator,

• create a new certificate request for manual approval by the OCA administrator (for end-users or servers),

• request and receive a certificate automatically (for SSL and SSO users)

• import, view, revoke, or renew your certificates,

• change your authentication method,

• download the CA certificate, or

• download the latest certificate revocation list (CRL).

Table 7-1 lists the types of certificates that Oracle Application Server Certificate Authority supports and provides a brief explanation for each.

Table 7-1 Certificate Types and Uses

Certificate Type	Meaning/Usage
Encryption	User intends to enable others to send messages encrypted with the public key so that only user can decipher them using the private key.
Signing	User intends to sign message digests with the private key, enabling others to use the public key to verify that user originated the message and it is unchanged.
Code signing	User intends to sign software with private key, enabling clients to use the public key to verify that user is the source of the software.
Certificate signing	User intends to use private key to sign certificates it issues, enabling recipients to use its public key to verify that the certificate was in fact signed by user.
SSL	User intends the certificate for use in SSL authentication.

From the Server/SubCA Certificates tab, you can

• search for certificates and certificate requests by ID, serial number, or Common Name, etc.,

• request server and sub-CA certificates, or

• import CA certificates or certificate revocation lists (CRLs).

User Certificates Tab

Upon first entering this tab, you see the Authentication page, which allows you to select how you intend to authenticate yourself to Oracle Application Server Certificate Authority.

Table 7-2 lists the available types and methods:

Table 7-2 Types of Authentication  

Authentication Type	Description	Method in brief (details in following sections)
Single Sign-On (SSO)	Authentication is automated, based on your single sign-on server. Typically it is password-based.	Click the radio button labeled Use your Oracle Single Sign-on name and password and then click Submit.
Secure Socket Layer (SSL)	Authentication is automated, based on your pre-issued SSL certificate.	Click the radio button labeled Use Your Existing Certificate and then click Submit
Manual	Authentication is not automated. You must fill out a Certificate Request form, submit it, and wait for approval from the administrator.	Click the radio button labeled Use manual approval/authentication and then click Submit.

See: Chapter 2, "Identity Management and OracleAS Certificate Authority Features" about authentication.

These types and methods are explained in greater detail in the following sections:

• Single Sign-on Authentication (SSO)

• Configuring Your Browser to Trust OracleAS Certificate Authority

• Secure Sockets Layer (SSL) Authentication

• Manual Authentication

• Certificate Retrieval, Renewal, and Revocation

• Server/SubCA Certificates Tab

• Subordinate CA Certificates

  Note: For both end-users and administrators: Netscape shows choices for key size (512, 1024). Internet Explorer uses a hard-coded "basic" choice of 512 bits, usually the first choice in its list, with an enhanced choice, of 1024 bits, further down. However, in some versions of IE, Gemplus is listed as the first choice. If the computer does not have a smart card card-or-reader, then choosing Gemplus give users an error because no key-size resolution is found. If there is a card-reader, then the Gemplus smart card determines the key size.

Single Sign-on Authentication (SSO)

The following steps enable SSO users to get a certificate automatically, or to manage their certificates, by supplying the required SSO authentication information, such as username and password:

1. In the Authentication form, select the Use Your Oracle Single Sign-On Name and Password option and click Submit.
   You will be redirected to the SSO login page.

2. Enter your SSO user name and password.

   The User Certificates - SSO form appears, showing your valid certificates and enabling you to do the following tasks:

   • Get a Certificate.

   • View Details of a Selected Certificate.

   • Renew a current certificate.

   • Revoke a current certificate.

To get a certificate, do steps 3 through 5:

3. Click Request a Certificate on the User Certificates - SSO form to display the Certificate Request form.

4. In the Certificate Request form, enter the information appropriate to you and submit the form. The choices you see when using Netscape are slightly different from those you see when using Internet Explorer:
   • In Netscape, the phrase Key Size appears, referring to the size, in bits, of the key-pair to be generated: 512, 1024, ...

   • In Internet Explorer, the phrase Key Store appears, referring to a choice of providers for cryptography service. Standard choices include Microsoft Basic Crypto Provider, Microsoft Enhanced Crypto Provider, and Microsoft Strong Cryptographic Provider, for which the key sizes are fixed at 512, 1024, and 2048 bits, respectively. Other choices may also be present, such as Gemplus for smartcard usage. Select the size according to your requirements. Oracle recommends using 1024 bits (the "Enhanced" choice).

   • Validity Period: Duration of the certificate's validity, in days. However, SSO users need not key in the validity period information because it is automatically set by the Oracle Application Server Certificate Authority, using the number specified for the "default Validity period" in the ValidityRule policy.

   After you submit the filled-out form, the Certificate form appears, showing the information recorded on the certificate.

5. After checking that the information about you is correct, make a note of the name of the signer of the certificate: you will need that name later. Then click the Import to Browser button to import the certificate into your browser. Netscape and Internet Explorer report successful import differently, as described below:

   Note: If you click OK instead of Import to Browser, your certificate is created, stored in the OCA repository, and published to the Oracle Internet Directory. However, your browser cannot supply it to a server until you import it. See Importing a Certificate to Your Browser

• In Netscape, you will know the certificate has been imported when you see the words "Document Done" in the status bar at the lower left of your browser. At that point, click OK: even though the cursor continues to show the hourglass, the action is completed. The corresponding CA's (Signer's) certificate has also been imported.

  Note: For this certificate to be trusted, you need to edit the CA certificate's uses, specifying that you trust certificates issued by this Certificate Authority for network sites, email users, software developers, or all three. Checkboxes for these choices are reached through the Security choice on Netscape's menu bar: see Trusting a Certificate Issuer in Netscape.

• In Internet Explorer, you know the certificate has been imported when you see the message "Certificate has been imported successfully". You are also asked whether you want the Signer's certificate imported, on a window showing the details of that CA. Click OK to ensure that certificate is also imported. Internet Explorer automatically treats such a certificate as trusted.

Configuring Your Browser to Trust OracleAS Certificate Authority

This process is slightly different in Netscape and Internet Explorer.

Trusting a Certificate Issuer in Internet Explorer

When you import a certificate using Internet Explorer, it asks whether you wish to add that certificate to the Root Store:

Text description of the illustration inttexplstorecertdb.gif

Clicking Yes imports the certificate and sets the issuer as "trusted." You can view your certificates by selecting the menu choices "Tools - Internet Options - Content - Certificates." The four tabs then shown enable you to see your own certificates, those supplied by others to authenticate them to you, intermediate certificate authorities who have supplied certificates to you, and the root certificate authorities you have chosen to trust.

Trusting a Certificate Issuer in Netscape

When you import a certificate using Netscape, it imports both the certificate you requested and the certificate representing the certificate authority that signed and issued your new CA certificate. The only notification you get is the message "Document Done" in the lower-left status-bar area of your browser. However, your new certificate is not trusted until you have explicitly identified for Netscape those activities for which you want to trust the signer's certificate.

You do so by the following steps:

1. Open Netscape's Security Info page by clicking the "lock" icon in the status bar at the lower left of your browser. (Or by selecting "Communicator - Tools - Security Info" from the menu bar.) A page like the following appears:

   

   Text description of the illustration netscapesecinfoscreen.gif

2. Click the "Signers" link. A page like the following appears:

   

   Text description of the illustration netscapesigners.gif

3. Click the name of the signer that you noted when viewing the certificate's details, and click Edit. A page like the following appears:

   

   Text description of the illustration netscapecacheckboxes.gif

4. Click the three checkboxes shown as checked in the above illustration, and then click OK.

   The CA certificate is now trusted to verify the certificates of network sites this browser connects to, of signed or encrypted messages received, or of signed software.

Secure Sockets Layer (SSL) Authentication

If you already have an SSL certificate from the Certificate Authority, you can obtain an Oracle Application Server Certificate Authority certificate for future authentication purposes by using the current SSL certificate as identification, as follows:

1. From the Authentication form, select Use Your Existing Certificate option and click Submit. The User Certificates - SSL form appears, from which the following tasks can be performed:
   • Get a Certificate.

   • View Details of a Selected Certificate.

   • Renew a current certificate.

   • Revoke a current certificate.

To get a certificate, do steps 2 through 5:

2. From the User Certificates - SSL form, click Request a Certificate to display the Certificate Request form.

3. In the Certificate Request form, enter the information appropriate to you and submit the form. The Netscape interface is slightly different from that of Internet Explorer, as explained above in Single Sign-on Authentication (SSO).

   After you submit the filled-out form, the Certificate form appears, showing the information recorded on the certificate.

4. After checking that the information is correct, click the Import to Browser button to import the certificate into your browser.

5. Click OK to return.

Manual Authentication

To obtain a certificate using manual authentication, perform the following steps:

1. From the Authentication form, select Use Manual Approval Authentication and click Submit. The User Certificates form appears, enabling you to specify your DN and contact information, as well as select the key size, usage, and validity period for the certificate you are requesting.

2. On the User Certificates form, click Request a Certificate to display the Certificate Request form.

3. In the Certificate Request form, enter the DN and contact information appropriate to you, use the Enrollment form's drop-down list to select key size and either SSL/Encryption or Signing certificate, and then submit the form to the Oracle Certificate Authority administrator.

A Request ID is allocated, specific to this user request, which you use to locate the certificate once it is approved.

The certificate becomes available only after receiving the administrator's approval.

Once the administrator communicates that the certificate is approved, go to the Certificate Retrieval form, search for your certificate using your Request ID or DN, and import the certificate.

Certificate Retrieval, Renewal, and Revocation

After a certificate request is approved, the issued certificate can be retrieved for review and importation. Use the same machine and browser as when you requested the certificate.

After an SSO- or SSL-certificate has been in use for a period, it can be renewed during a configurable time-window around its expiration date.

An issued certificate can be revoked if it is, for some reason upon review, incorrect or inappropriate or no longer valid for its intended user or activities.

These certificate operations are described in the following sections:

• Certificate Retrieval

• Certificate Renewal

• Certificate Revocation

Certificate Retrieval

After you receive notification that your manual-authentication certificate request is approved, you need to review the certificate and import it. You can find your certificate by entering the serial number from that notification into the search field on the User Certificates page. After it is found and you select it by clicking the radio button next to the serial number, you can click View Details to review the data used in generating it. Then you can import it as described in Importing a Certificate to Your Browser.

If, for a particular certificate, these data are not correct, then that certificate should be revoked and replaced by applying for a new certificate.

Certificate Renewal

SSO and SSL certificate users can renew their certificates

A user can renew such a certificate within a certain period of days before and after a certificate is due to expire. By default, this period is 10 days before and 10 days after the certificate's expiration date. However, the administrator can alter this period by using the Configuration tab in the administration web interface. Users can select a certificate, click on View Details, and then renew the certificate.

Certificate Revocation

SSO and SSL certificate users can revoke certificates.

If errors or problems are found with a certificate, or if a private key is stolen, etc., the certificate should be revoked. The user can supply correct information for a new certificate. Using the new certificate should cancel out whatever issues were associated with the earlier one.

Revoking a certificate will mark it as revoked in OCA repositories and it will be added to the CRL the next time the CRL is generated. However, revoked certificates are not removed automatically from your browser database. You should remove them manually. In Netscape, you click the Security icon on the browser, click the Yours choice under Certificates, select the revoked certificate from the list displayed, and click Delete.

Server/SubCA Certificates Tab

An administrator for any server can obtain a server certificate enabling PKI authentication for that server with other servers or users. To do so, a PKCS#10 request form is needed, which can be generated using Oracle Wallet Manager (or an equivalent third-party tool). See the Oracle Wallet Manager chapter in the Oracle Application Server 10g Security Guide.

From the Server Certificates tab page, use the following steps:

1. On the Home page, select the Server/Sub CA Certificates tab to display the Server Certificate form.

2. Click the Request a Certificate button.

3. On the Server / SubCA Certificate Request form, you paste in the completed PKCS#10 request form generated earlier by Oracle Wallet Manager, and choose the type of certificate you want. You can request SSL/encryption, signing, code signing, or CA signing server certificates. To function as a subordinate CA, specify "CA Signing" as the certificate usage in the enrollment form. You also choose the validity period for your requested certificate, from the drop-down choices presented.

4. Enter the appropriate information and submit the form to the administrator.

The server administrator obtains authentication only after the administrator approves this request.

Subordinate CA Certificates

In circumstances where a single CA is impractical, such as separate continental divisions in a single company, multiple CAs can be maintained within the PKI structure. In a hierarchical PKI, the root CA is the single CA trusted by all users. The root CA's public key is what serves as the beginning of the trust path for a security domain.

Oracle Application Server Certificate Authority can be a root CA or it can obtain a Subordinate CA certificate from a third-party CA. Oracle Application Server Certificate Authority can certify the certificate signature of another CA, thereby creating a subordinate CA. The subordinate CA may in turn issue certificates to even lower-level CAs, creating what is called a certificate chain. An individual certificate signed by one of the subordinate CAs must present the certificates of all CAs up to the root. Because each authority's certificate is signed by a higher CA, a user can verify the validity of a particular certificate by tracing the certificate authority path back to the root CA.

To obtain a subordinate CA certificate, perform the following steps:

1. On the Home page, select the Server/Sub CA Certificates tab to display the Subordinate CA Certificates form.

2. Click the Request a Certificate button.

3. In the Subordinate CA Certificate Request form, enter the appropriate information, select certificate usage type as CA signing, and submit the form to the administrator.

The requester obtains a certificate only after the administrator approves this request.

Downloading a CA Certificate

In Netscape, after you click Request a Certificate, Oracle Application Server Certificate Authority presents a sequence of dialog boxes. These dialogs describe the operations that need to happen in order to accept the OCA certificate. Click Next on each dialog box as it is presented, and Finish on the last one. Your CA certificate will be automatically downloaded into your browser.

For Internet Explorer, you are asked simply to accept or reject the CA Certificate import. You may wish to do so simply to trust servers whose certificates are issued by this CA, even if you do not want to get a certificate from it. The browser will ask whether you want to save the certificate or open it from the current location. To import the CA certificate into your browser, you select Open the file from its current location and click OK. In the next window that opens, choose Install Certificate and accept the certificate import to place the CA certificate into the browser's repository.

Importing the Certificate Revocation List (CRL) into Your Browser

Importing a certificate revocation list (CRL) into your browser enables it to warn you if an incoming certificate offered by an individual or company has been revoked. Use of a revoked certificate could indicate a possible problem with impersonation or with a product being offered or used. Being warned can help you avoid potentially inappropriate interactions.

This operation requires different actions in different browsers:

• In Netscape

• In Internet Explorer (IE)

In Netscape

From the User Certificates tab of Oracle Application Server Certificate Authority, do the following tasks:

1. Click the Download CRL button.
   The Download CRL form appears.

2. Click Import CRL into Browser.
   The CRL is imported.

The CRL can be seen under, Security-> Signer's-> View / Edit CRL.

If you already have the CRL and it has the same or later validity of the CRL being downloaded, a small dialog box informs you that the CRL you are attempting to download is not later than one already in your browser.

You can also

• download a binary copy of the CRL by clicking the button labeled Download CRL in Binary and choosing the directory in which you want it stored, or

• download a copy in Base64 format by clicking the button labeled Download CRL inBASE64 format and choosing the target directory.

In Internet Explorer (IE)

In IE, the CRL is not directly imported into the browser. As in the case of importing a CA Certificate, IE asks the question Save to Disk or Open from the Current Location. In the latter case, the CRL is not imported. If Save to Disk is chosen, you then do the following actions:

1. Select from the Tools menu Tools->Internet Options->Content->Certificate

2. Select Import Certificate.

3. Select the CRL.

This procedure will then show the message "CRL Imported."

Downloading Certificate Revocation Lists into Your File System

Downloading a certificate revocation list (CRL) into your file system enables other programs to use it to detect revoked or expired certificates offered by an individual or a company. Avoiding the use of such a certificate can protect your resources and applications from inappropriate or unauthorized uses.

To download a CRL, follow these steps:

1. Go to the Oracle Application Server Certificate Authority User Certificates Page.

2. Click Download CRL.

3. Click either Download CRL in Binary or Download CRL in BASE64 format.

4. Save the CRL into a directory of your choice.

5. Modify your http.conf file, located in $ORACLE_HOME/apache/apache/conf, to include the "SSLCARevocationFilePath" parameter, and point that parameter to the directory containing the new CRL file.

Importing a Certificate to Your Browser

After your request for a certificate is approved,Oracle Application Server Certificate Authority displays its details for you in a new window so that you can check that the details match what you intended. Check that the name, validity period, and other attributes on the certificate are as they should be. If those details include any serious error, you should revoke this certificate and apply for a new one, specifying on the request form all the correct information.

When you are satisfied, click the Import Certificate button to import a copy of the certificate into your browser. You will see the message "Document Done" in the lower-left status-bar area of your browser. You can then click OK.

If you were to simply click OK without clicking Import Certificate, the server would have a copy of your certificate but your browser would not. It could not then supply the certificate when needed for authentication to an application, a directory, or another server.

The action of importing the certificate also imports the chain of CAs up to the root CA. However, the CA certificate imported along with the user certificate is not automatically trusted in Netscape. You need to establish the trust, as follows:

• In Netscape:
  1. Click on the security icon.

  2. Select Signers repository.

  3. Select the appropriate CA Certificate by name. (You might be prompted for the repository password.)

  4. Edit the CA Certificate.

  5. Check the appropriate check boxes.

  6. Select OK.

  This process establishes the desirable trust relationships, so that when you try to establish an SSL session, the Netscape browser will trust the certificates issued by this importing certificate.

Exporting (Backing up) Your Wallet from Your Browser

You can (and should) export your wallet to your file system for safekeeping, so that you can restore them after any possible disruption to your system or your browser. The wallet contains your certificate, private key, and the chain of certificates for the trusted Certificate Authority that issued your certificate.

In Netscape, use the following steps:

1. Select the Security icon in the menu bar.

   A window opens showing your choices for reviewing security information.

2. Under the Certificates heading, click Yours.

   A subordinate window opens showing the names of your certificates.

3. Click the particular certificate you want to export.

4. Click the Export button to the right of that subordinate window.

5. When asked, enter a password to preserve the security and integrity of this certificate. You will be asked for it twice, and what you enter must match.

   As usual, you must remember this password in order to retrieve and reinstall this certificate. Without the password, it will not be usable.

6. When asked, enter the file system destination, pathname and filename, where this encrypted certificate is to be stored.

   A message appears saying "Your certificates have been successfully exported."

In Internet Explorer, use the following steps:

1. From the Tools men, select Internet Options.

   A window opens showing six tabs you can choose from.

2. Select the Content tab, and click the Certificates button.

   The Certificate Manager window opens, with four tabs enabling you to see your personal certificates, those of other people, plus the names and expiration dates for trusted and intermediate issuers of certificates.

3. In the Personal tab, click the particular certificate you want to export.

4. Click the Export button below the subordinate window.

5. Click Next in the Certificate Manager Export Wizard.

6. If you wish to export the private key, click the Yes radio button. (If not, click the No radio button.) Clicking Yes means your private key is also stored.

7. Click Next.

8. Choose PKCS #12 and check the two checkboxes beneath it, and click Next.

9. When asked, enter a password to preserve the security of the private key. You will be asked for it twice, and what you enter must match.

   As usual, you must remember this password in order to retrieve and reuse this private key. Without the password, it will not be usable.

10. When asked, enter the file system destination, pathname and filename, where this encrypted certificate and key is to be stored.

11. A new window shows the choices you've made. After verifying this information, click Finish.

    A message appears saying "The export was completed successfully."

12. Click OK, Close, and OK to exit from the windows used for this process.

Importing a Certificate from Your File System

You can import a certificate into your browser from a file stored on your file system. The file must be of type pkcs12, with extension .p12. You will need to know the password that was used to encrypt that wallet. The steps are as follows:

In Netscape, use the following steps:

1. Select the Security icon in the menu bar (or the status bar at the bottom).

2. Under Certificates, click the "Yours" link. A list and some buttons appear.

3. Click Import a Certificate....

4. Navigate to the directory containing the wallet with your desired certificate, and double-click the .p12 file.

   A dialog box will ask you for the wallet's password.

5. Enter the password. (If the password you supply is incorrect, Netscape says the file is corrupt or not valid, since decryption failed. If the certificate is already imported, Netscape will tell you and take no further action on this request.)

6. After successfully importing the certificate, click OK.

In Internet Explorer (IE), use the following steps:

1. From the Tools men, select Internet Options.

   A window opens showing six tabs you can choose from.

2. Select the Content tab, and click the Certificates button. The Personal tab lists your certificates.

3. Click Import. The Certificate Import Wizard window appears.

4. Click Next and then Browse to the directory containing your desired certificate.

5. Double-click to put the full path into the Wizard, and then click Next.

6. Enter the password for the wallet you selected.

7. Click Next.

8. Internet Explorer can automatically select the certificate store based on the type of certificate, or you can tell it where you want the certificates by clicking the other radio button and entering the path to that store.

9. Click Next.

10. Click Finish.

    If the certificate store being used by IE does not yet contain the certificate of the the CA who issued your certificate, a dialog box will appear asking if you want to add it to that store.

11. Click Yes. Having that certificate makes it possible to authenticate with other servers or users whose certificates were also issued by that CA (or another authority in the same chain of trust).

    IE displays a dialog box telling you the import was successful.

12. Click Close and OK to exit from the certificate and security area of IE.