
Oracle® Application Server Certificate Authority Administrator's Guide
10g (9.0.4)

Part Number B10663-01

Index


A

Accessing the User Interface, 7-2
acquire subCA certificate, B-1
acquiring a server certificate, 7-13
Add, 5-17
add, 5-16
add a policy (custom only), 5-20
Add Another Row, 5-28
adding
a policy, 5-31
custom policy, 5-33
policies, 5-14, 5-15
Adding Predicates, 5-28
ADMIN, A-5
administering
policies, 5-3
administration interface, 3-7, 4-1
administrative password, 3-7
Administrative Task Overview, 3-1
Administrator
types of, A-9
administrator
certificate, 2-8, 3-13
form, 2-8
new, 3-6, 6-8
password, 2-8, 3-3, 3-5
administrator certificate, 3-7
administrator password, B-4
ocactl requires, 6-5
administrator's certificate
importing, 2-8
admin.log, 6-13
admin.trc, 6-12, 6-13
advanced DN, 3-17
Advanced Topics, 6-1
Affiliation Change (revocation reason), 3-12
AFFILIATION_CHANGE (revocation code), 3-7
alerts, 4-5
CA SMIME wallet, 6-3
configuring, 4-5, 6-3, 6-4
CRL generation failure, 4-5
All Pending Requests, 3-14
allowExpiredCerts, 5-11
allowRenewal, 5-12
altering
requests, 5-4
ancestors, B-5
AND, 5-22
Apache, 6-6, 6-22
Oracle HTTP Server, 6-3
APIs, 5-23, 5-31
and plug-ins, 5-3
application
SSO usage, 3-23
apply policy checkbox, 5-15
applying
policies, 5-3
policy default values, 5-25
approval
manual, 7-3
approve, 2-8, 3-10, 3-14
approved, 2-8
Approving Certificate Requests, 3-10
Approving or Rejecting Certificate Requests, 3-10
asterisk
in predicate expression, 5-23
matches attributes, 5-23
not string matching, 5-23
asymmetric, 1-2
attributes, 1-9
asterisk matches, 5-23
in predicates, 5-23
authentication, 1-2, 1-6, 1-7, 1-9, 2-6, 2-9, 3-23, 7-1
certificate-based, 2-10
change method, 2-8, 7-3
checking the CRL, 3-18
client certificate, 3-6
configuring for SSL & SSO, 4-7
form, 3-3
manual, 7-11
mod_osso, 2-9
password-based, 2-10
SSL, 7-4, 7-10
SSL server, 6-3
SSL-based, 2-10
SSO, 3-20
user, 3-11
authority
certification, 1-3
automatic certificates for SSL/SSO users, 7-3
automatic client users, 5-7

B

backing up
wallets, 6-6
backup and recovery
considerations, 6-20
backup and recovery procedures, 6-1
base64 certificate, B-5
BasicConstraintsExtension, B-3
benefits
OracleAS PKI, 1-7
benefits of a PKI, 1-6
big-endian order, 5-24
binary number
key, 1-2
bits
set for extensions, B-3
broadcasting OCA request page to SSO users, 3-18, 3-19
browsers, 1-8, 2-7
configuring, 7-7
import certificate, 3-20
import SSO certificate, 3-22
password, 3-6
present certificates to SSO, 3-23
use CRLs, 3-18
Built-in Plug-in Policy Modules, 2-7

C

CA, 1-3, 1-4, A-5, A-9
hierarchy, B-3
levels, 1-3
new
new signing password, B-4
root, 1-3
signing, 1-3
subordinate, 1-3
ca
certificate type, 5-23
CA certificate
new, 6-2, A-10
CA Compromise (revocation reason), 3-12
CA hierarchy, B-6
setting up, B-1
CA key
compromised, 6-2, 6-7
CA signing, 7-13
CA signing certificate, 6-2
invalid, 6-2, A-10
CA SMIME wallet, 6-2
generating, B-6
signing alerts & notifications, 6-3
CA SSL, A-11
CA SSL wallet, 6-2
generating, B-6
regenerating, 6-3
CA wallet
regenerating, 6-2
CA_COMPROMISE (revocation code), 3-7
ca_sign
usage type in predicates, 5-23
card reader, 7-5
case-insensitive
strings in predicates, 5-23
CASMIME, A-5, A-9
CASSL, A-5, A-9
centralization, 1-1
Certificate, 3-12
certificate
administrator, 3-7, 3-13
administrator information required, 3-5
administrator request, 3-3
all invalidated, 6-2, A-10
automatic for SSL/SSO users, 7-3
base64, B-5
compromised, 3-10, 3-12, 3-13
contents, 1-4
contents and uses, 1-4
digital, 1-3
download, 7-3
download into file system, 7-3
expired, 3-13, 5-4, 5-11
expiring, 6-4
extensions, 1-4
finding, 3-14
fingerprint, 1-4
getting a, 2-10
import, 3-6, 3-20, 7-3
import into browser, 7-3
import to browser, 3-3
import to file system, 7-19
inconsistent state, 6-7
invalidated, 6-7
issued upon request for SSO/SSL-authenticated user, 4-7
management, 3-1, 3-9
manual, 5-6
multiple, 5-4
multiple constraint, 5-8
new CA, 6-2, A-10
new request, 7-3
new required, 6-7
owner, 3-16
parameter values
restricting, 5-3
pending request alerts, 4-5
PKCS#10 request, 2-7
PKI, 1-3
policies, 5-2
properties, 2-8
publish SSO, 3-21
publishing, 4-7, 6-18
purposes, 2-10
rejecting, 3-11
renew, 7-3
renewal window, 3-10, 3-13, 5-12, 5-16
renewing, 3-13, 6-4, 7-12
replace administrator, 3-6
request
SSO, 3-19
request URL for SSO, 3-19
requests, 1-8, 2-7
pending, 3-8
status, 2-8
retrieving, 7-12
revoke, 7-3
revoking, 3-12, 7-12
revoking expired, 5-10
root CA, 3-13
search, 3-14
separate, 1-4
serial number, 1-4
server, 5-6, 7-3, 7-13
server, acquiring, 7-13
server/subCA, 7-13
signer, 7-6, 7-9
signing, 1-4, 7-4
SMIME invalidated, B-7
SSL, 1-4
SSL invalidated, B-6
SSO usage, 3-20, 3-23
status, 3-15, 3-17
Sub CA, 3-11
trusted, B-5
editing uses, 7-7, 7-8
types, 7-3
types in predicates, 5-17, 5-23
user, 7-4
using existing, 4-7
view, 7-3
viewing details, 3-11
X.509, 1-4
Certificate Authority
CA, 1-4
certificate authority, 1-7
signing, 1-3
Certificate Management Tab, 3-8
Certificate Management tab, 2-8
Certificate Renewal, 7-12
Certificate Renewal Policy as Shipped, 5-16
Certificate Request Details screen, 3-10
Certificate Request form, 7-6
Certificate Request Policies as Shipped, 5-15
Certificate Retrieval, 7-12
Certificate Retrieval, Renewal, and Revocation, 7-12
Certificate Revocation, 7-12
Certificate Revocation List, 6-7
certificate revocation list, 3-17
Certificate Revocation List (CRL), 2-8
Certificate Revocation Policy as Shipped, 5-16
certificate usage
in predicates, 5-23
CERTIFICATE_HOLD (revocation code), 3-7
certificates
life-cycle, 1-9
certification authority, 1-3
Certification Practice Statement, 4-10
certified, 3-9, 3-15, 3-17
Cessation of Operation (revocation reason), 3-12
CESSATION_OF_OPERATION (revocation code), 3-7
challenges, 1-1
changes
policy, 5-15
changeschema, A-3
changeschema command, 6-16, 6-17, A-3
changesecurity, 6-15, A-3
changesecurity command, 6-15
changing
method of authentication, 7-3
wallet password, 6-5
changing OCA's IM Services, 6-14, 6-15
changing passwords, 6-5
Changing Privileged Passwords, A-9
class, 5-15, 5-20
register, 5-31
clear, A-3
clearing
log or trace
deletes contents, 6-13
log or trace data, 6-13
client
certificate type, 5-23
CN
in DN, 5-23
code signing, 7-4
code_sign
usage type in predicates, 5-23
codes
revocation, 3-7
cold failover
configuration, 6-19
deployment, 6-19
Collaboration Suite, 2-5
Command Examples, A-6
command-line interface, 3-1
commands, A-3
when take effect, 6-5
Common Name, 3-14
common name, 3-4, 3-6
Sub CA, B-6
complete
DN, 5-23
components
needed by OCA, 2-12
OracleAS PKI, 1-8
Components of the OracleAS PKI, 1-7
compromised
CA key, 6-2, 6-7
compromised certificates, 3-10, 3-12, 3-13
concepts
policy, 5-2
configuration
cold failover, 6-19
configuration tasks, 4-3
configuration choices, 3-18, 3-19
configuration file, 6-22, A-6, A-8
configuration management, 3-1
alerts, 4-5
subtabs, 4-3
tab, 4-2
Configuration Operations for Oracle Application Server Certificate Authority, 6-5
configure
log & trace, 4-7
configuring
Apache, 6-6
on web, 6-5
sending signed alerts and notifications, 4-5, 6-3, 6-4
site, 6-5
SSL automatically, 6-6
Sub CA, B-5, B-6
using ocactl, 6-5
Configuring Your Browser to Trust Oracle Application Server Certificate Authority, 7-7
connection information
where stored & displayed, 6-18
connections
OCA repository and directory, 6-18
container
called database, cache, or wallet, 1-5
contents, 1-5
for certificates, 1-5
wallet, 1-5
containers, 1-8
PKI, 1-5
contents
certificate, 1-4
container, 1-5
contiguous
DN, 5-23
contiguous DN, 5-12
contiguous string, 3-15
convertwallet, 6-6, 6-7, A-3, A-6
copying
base64 certificate, B-5
CRLs, 3-18
trust points, B-6
copying CRLs, 3-18
CPS (certification practice statement), 4-10
credentials
PKI, 1-5
criterion
for predicate order, 5-25
CRL, 2-7, 2-8, 3-9, 3-17, 6-7, 7-3
checking, 3-18
copying, 3-18
download, 3-18
download into file system, 7-3
generating, 3-17
import, 3-18
import into browser, 7-3
multiple, 3-18
path used by server, 3-18
purpose, 3-15
scheduling generation, 4-6
updating, 3-17
usages, 3-18
CRL alerts, 4-5
CRL validity, 3-18
days to next update, 3-18
CRL_SIGN, B-3
custom policy, 5-31
adding, 5-33
name description and class, 5-33
plug-ins, 5-1, 5-16
customize
policies, 2-8
cut-and-paste, 1-9, 3-3
cutting and pasting, 1-7
cwallet.sso, 6-4, 6-6, 6-22, A-6

D

data integrity, 1-1
database
connect string used, 4-8
database connection pool, A-6, A-8
Database Settings, 4-8
days to next CRL update, 3-18
DB, A-5, A-9
dc (domain component), E-3
decipher, 7-3
decrypt, 1-2
decryption, 1-1, 1-2, 7-3
by appropriate recipient only, 1-2
infeasible, 1-9
messages, 1-3
time and effort, 1-6, 1-9
Default Base DN Components, 4-8
Default Constraint-specific Policy Rules, 5-4
default deployment, 2-12
advantages, 2-12
installation instructions, 2-12
default period
renewal, 5-12, 5-16
default policy rules, 2-8
defaults, 5-2, 5-16
in a policy
when used, 5-21
key sizes, 5-15
policies, 5-4
renewal validity period, 5-12
validity period, 5-16
Delegated Administration Service, 2-3, 2-6
delegated administration service, 1-1
delete, 5-16
predicate, 5-17
delete a policy, 5-17
deleted policy, 5-17
deleting
policies, 5-15
departments
Sub CA wallets, B-5
deployment, 2-12
default, 2-12
advantages, 2-12
installation instructions, 2-12
recommended, 2-12
advantages, 2-12
installation instructions, 2-13
strategies, 2-12
using cold failover, 6-19
describing
a policy plug-in, 5-3
Developing a Custom Policy Plug-in, 5-31
digital certificates, 1-3, 1-6
approving requests, 3-10
binary file, A-10
contents and uses, 1-4
encryption, 2-9
management, 3-9
pending, 2-9
rejecting, 3-11
renewing, 3-13
request, 2-7, 2-8, 2-9, 2-10, 2-11
revoking, 3-12
signing, 2-9
signing/SSL, 2-11
SSL, 2-9
viewing, 3-11
digital signature, 1-1, 1-4, 1-6, 1-7, 2-7
digital transactions
sign, 1-6
DIGITAL_SIGNATURE, B-3
directory
connections, 6-18
for Sub CA wallet, B-4
directory integration services, 1-1
directory organization object, E-3
DN, E-3
directory services, 1-1
Directory Settings, 4-8
directory synchronization
scheduling, 4-6
disable, 5-16
disabling
policies, 5-3, 5-15
RenewalRequestConstraint, 5-12
RevocationConstraints, 5-11
RSAKeyConstraints, 5-5
uniquecertificateconstraint, 5-9
validity rule, 5-7
disabling policy rules, 5-3
displaying connection information, 6-18
distinguished name, 3-16, 5-23
DN, 1-4
distinguished name (DN), 1-4
DN, 1-4, 2-11, 3-3, 3-4, 5-23, 5-24
advanced, 3-15, 3-17
as root of directory information subtree, E-3
complete, 5-23
configuring defaults for manual enrollment, 4-8
contiguous & complete, 5-12
contiguous string to root, 3-15
dc, E-3
dc entry, 6-2
distinguished name, 3-16
domain component, 6-2, E-3
follows RFC1779, 5-23
identifying a directory organization object, E-3
in predicate, 5-24
invalid, 5-24
least significant component, 5-24
matching, 5-24
most significant component, 5-24
partial, 5-23
relative, 3-17
root, 5-24
rules for matching, 5-24
subordinates can represent organization subdivisions, E-3
valid, 5-24
domain component, 6-2
re an organization's subdivisions or localities, E-3
domain component, example, E-3
domain components, 2-11
Down CA Certificate, B-5
download
CA certificate, 7-3
CRL, 7-3
into file system
certificate or CRL, 7-3
Download CRL, 3-18
download CRL, 2-8
Download to your local disk (CRL), 3-18
downloading, 7-14
Downloading a CA Certificate, 7-14
Downloading the Certificate Revocation List (CRL), 7-15, 7-16
drastic operation, 3-13, 6-7

E

Ease of Use for Administrators and End Users, 2-8
eavesdropper, 1-2
E-Business Suite, 2-5
edit, 5-16
in Policy subtab, 5-3
edit a policy, 5-16
editing
trusted uses, 7-7, 7-8
elements
in a log, 4-9
of a practice statement, 4-10
email, 3-11, 4-4
server, sender, template, 4-4
to SSO users for OCA URL, 3-19
email address search, 3-15
email clients
use CRLs, 3-18
verify incoming SMIME messages, 3-18
embedded HTML link
for SSO users, 3-19
enable, 5-16
enable a policy, 5-17
enabling
a policy plug-in, 5-3
RenewalRequestConstraint, 5-12
RevocationConstraints, 5-11
RSAKeyConstraints, 5-5
uniquecertificateconstraint, 5-9
validity rule, 5-7
Enabling PKI Authentication with SSO and OCA, 3-22
enabling policy rules, 5-3
encryption, 1-1, 1-2, 1-4, 1-6, 1-8, 2-9, 7-3
algorithms, 1-1
asymmetric, 1-2
messages, 1-3
scheme, 1-2
symmetric, 1-2
unique for different users, 1-1
end-entity, 3-16, 3-18, 7-1
end-user, 3-16, 7-1
interface, 7-1
end-user interaction
two types, 7-3
End-User Tabs and Processes, 7-3
enforcing
policies, 5-3
enrollment form
Server/SubCA, 7-13, 7-14, B-2, B-5, B-6
Enterprise User, 2-5
entities
trusted, 1-2
vouch for relationship, 1-2
entity, 1-3
equal to, 5-22
error, 7-5
evaluating requests
policies, 5-2
evaluation
of multiple predicates, 5-24
evaluation example
multiple predicates, 5-25, 5-26
Evaluation Example for Multiple Predicates, 5-25
events
notification, 4-4
ewallet.p12, 6-3, 6-4, 6-6, 6-7, 6-22, A-6, B-4, B-6
examples
of DN matching in predicates, 5-24
existing certificates
using, 4-7
expired, 2-6
expired certificate, 3-13
expired certificates, 5-4, 5-11
export, 7-17
certificate from browser, 7-17
export command
migoca, 6-17
expression
predicate, 5-2
complete, 5-12
contiguous, 5-12
Expression text box, 5-17
expressions
logical, 5-22
operators, 5-22
predicate, 5-22
extensions, 1-4, D-1

F

Field Name
form, 3-4
file permissions
protect SSO wallet, 6-6
files
admin.log, 6-13
admin.trc, 6-12, 6-13
cwallet.sso, 6-22
ewallet.p12, 6-22
httpd.conf, 6-22
ias.properties, 6-15
log, 4-7
oca_cps.html, 4-10
oca.conf, 6-18, 6-22
oca.trc, 6-12, 6-13
ocm_apache.conf, 6-22
ocmpassword.p12, 6-22
operating system, 6-13
osso.conf, 3-22, 3-23, 6-22
.p12, 7-19
trace, 4-7
find, 3-14
finding (see listing & search), 3-14
fingerprint
certificate, 1-4
flexible policy, 2-7
form
administrator, 2-8
authentication, 3-3
field names, 3-4
format, A-7

G

Gemplus, 3-5, 7-5, 7-6
General subtab, 4-6
database & directory settings, 4-6
DN defaults, 4-6
parameters, 4-6
publishing, 4-6
settings, 6-18
SSL & SSO, 4-6
general subtab tasks & discussions, 4-4
generate CRL, 2-8
generatewallet, A-2, A-3, A-4, A-10, A-11
generating
Sub CA wallet, B-5
Sub CA wallets, B-6
generating the CRL, 3-17
get certificate, 2-10
Glossary, E-1
Go (not Enter), 3-14
graphical user interface (see GUI), 4-1

H

help, A-3, A-4
Hierarchical Certificate Authority Support, 2-11
hierarchy of CAs, B-3
hierarchy of trust, 1-3, 2-11
geographically distributed, 2-11
high availability, 1-1
high-availability features, 6-1, 6-18
Hold (revocation reason), 3-12
home page, 3-7, 7-2
host port number, 3-19
HTTP Server, 3-2, A-6, B-7
in SSL mode, 6-3
HTTP server, 6-19
HTTP Server (Apache), 6-22
httpd.conf, 6-22
HTTPS, 2-9, 2-10, 2-12, 6-3, B-6

I

ias.properties file, 6-15
icon
lock, 7-8, 7-13, 7-19
identity, 1-3, 1-7
Identity Management, 1-5, 2-1, 2-3, 2-4, 2-6
identity management
solution, 2-1
Identity Management Infrastructure, 1-7
ID/Serial, 3-14
IETF, 1-4, 2-7
IM Services
changing OCA's, 6-14, 6-15
import, 3-11, 3-14, 7-3, 7-4, 7-7, 7-14, 7-16
administrator certificate, 3-3
CA certificate, 6-6
certificate, 3-20
trusted activities, 7-8
into browser
certificate or CRL, 7-3
import CA certificate, 6-6
Import Certificate, 3-6
import command
migoca, 6-17
import subCA certificate, B-1
Import to Browser, 7-6
SSO, 3-22
Import to Browser (CRL), 3-18
importation, 3-4
importing
Sub CA Wallet, B-3
the administrator's certificate, 2-8
Importing a Certificate from Your File System, 7-19
Importing a Certificate to Your Browser, 7-16
importwallet, A-3, A-4
inconsistent state
after CA revocation, 6-7
Information message, 5-20
infrastructure, 1-1, 1-5, 2-1, 2-4
re-associating, 6-14
installation, 2-12
installing
Sub CA Wallet, B-3
installing new CA
steps, 6-7
integrity, 1-6
Internet Explorer, 2-7, 2-9, 3-5, 7-2, 7-5, 7-6, 7-14, 7-15, 7-18, 7-19
interoperability, 1-8
introduction to OracleAS PKI, 1-6
invalidating
certificates, 6-7

J

J2EE, 2-5
JAAS, 2-5
jar, 5-15, 5-20, 5-32
Java class, 5-2, 5-31, 5-32
Javadoc, 5-31
jobs
scheduled, 4-6

K

key, 1-2
asymmetric, 1-2
binary number, 1-2
in a PKI, 1-2
owner, 1-3
pairs, 1-2
private, 1-2
public, 1-2, 1-3
separate, 1-2
symmetric, 1-2
validation, 1-3
Key Compromise (revocation reason), 3-12
Key Features of Oracle Certificate Authority, 2-7
key lengths, 2-7
Key Size, 3-5, 7-5, 7-6
key size, 3-3, 3-5
default maximum, 5-5
default minimum, 5-5
minimum & maximum, 5-4
predicate, 5-5
RSAKeyConstraints, 5-4, 5-5
key sizes
defaults, 5-15
narrow/widen range, 5-15
Key Store, 3-5, 7-6
KEY_CERT_SIGN, B-3
KEY_COMPROMISE (revocation code), 3-7
key-pairs, 1-6, 3-5, 3-6, 7-6
keys
distribution methods, 1-1
KeyUsageExtensions, B-3

L

LDAP, 1-9, 2-7, A-5
least significant component of DN, 5-24
least significant RDN, 5-25
levels
CAs, 1-3
trust, 1-3
link OCA with SSO, 3-19
linksso, 3-20, A-3, A-4
list, 3-14
of ports, 3-7
revoked certificates, 3-15
Listing a Certificate Request or an Issued Certificate, 3-14
little-endian order, 5-24
local entry name, 5-24
localities
as domain components, E-3
lock icon, 7-8, 7-13, 7-19
LOG, A-5
log, 6-12
clearing, 6-13
elements, 4-9
stored in repository, 6-13
log file, 4-7
logger, A-6, A-8
logging, 4-7
logical
operators, 5-22
logical expression
used in predicates, 5-22
logs
messages re errors during OCA use, 4-9
viewing, 3-1, 4-9

M

managing
certificates, 3-1, 3-9
configuration, 3-1
policies, 5-1, 5-14
overview, 5-2
Managing Certificates, 3-9
managing certificates, 3-1
Manual
Authentication, 7-11
manual, 7-4
Manual Approval, 2-11
manual approval, 7-3
additional options, 2-11
information required, 2-11
server and subordinate CA, 2-11
manual authentication, 7-11
manual user certificate, 5-6
match
predicate, 5-21
matching
DNs, 5-24
first not best, 5-25
policy evaluations, 5-24
results if no match, 5-25
rules re DNs, 5-24
MD5 with RSA, 3-18
message
shows change worked, 5-20
message digests
signing, 7-3
messages
private, 1-2
Microsoft
Basic Crypto, 3-5, 7-6
Enhanced Crypto, 3-5, 7-6
Gemplus, 3-5
migoca
export command, 6-17
import command, 6-17
migoca script, 6-16
migoca.dmp file, 6-17
mod_osso, 3-22
SSO, 2-9
modifying policy rules, 5-3
most significant component of DN, 5-24
multiple
CRLs, 3-18
predicates, 5-5
multiple certificates, 5-4
allow/disallow, 5-16
constraint, 5-8
same usage, 5-16
Multiple Predicate Evaluation, 5-24
multiple predicates, 5-23
evaluation example, 5-25, 5-26
multiple servers, 3-18

N

name
certificate signer, 7-6, 7-9
naming
a policy plug-in, 5-3
National Language Support (NLS), 2-8, 6-9
Netscape, 2-9, 3-5, 7-2, 7-5, 7-6, 7-7, 7-15, 7-17, 7-19
Netscape Communicator, 2-7
nickname, 3-23
NLS, 2-8, 6-9
NON_REPUDIATION, B-3
non-repudiation, 1-1, 1-6
signed messages, 1-2
not equal to, 5-22
notification
events, 4-4
notification subtab, 4-4
notification subtab tasks & discussions, 4-3
notifications
CA SMIME wallet, 6-3
configuring, 4-5, 6-3, 6-4

O

OC4J, 2-12, 3-2, 6-19, A-5, A-7, A-8, A-14, A-16, B-3, B-4, B-7
starting & stopping, 3-20, 5-33, 6-9, 6-16, 6-17, A-8, A-14, B-3
stopping & starting, A-14, B-3
OCA, 1-7, A-5
repository, 2-9
OCA connection information
where stored & displayed, 6-18
OCA repository, 6-2, A-10
oca_cps.html, 4-10
oca/bin, A-2
oca.conf, 6-18, 6-22, A-6, A-16
ocactl, 2-8, 3-2, 3-6, 3-13, 6-2, 6-4, 6-8, 6-19, A-1 to A-16
configure OCA link with SSO, 3-20
general form, A-2
Operations and Parameters, A-3
requires admin password, 6-5
oca.trc, 6-12, 6-13
ocm_apache.conf, 6-22
ocmpassword.p12, 6-22
OFF, A-5
OHS, 2-12, 3-2, A-7
ohs
starting & stopping, 5-33, 6-16, A-8, A-14, B-3
stopping & starting, A-14, B-3
OID, 1-9, 2-12, 3-2, 6-18
SSO usage, 3-21
ON, A-5
one-time session password, 1-9
open standards, 2-7
operating system file permissions
protecting SSO wallet, 6-3
operating system files
removing, 6-13
operations, A-3
PKI, 1-5
operators
logical, 5-22
OPMN, 6-3
OR logical expression, 5-23
Oracle Application Server Certificate Authority, 2-6
components needed, 2-12
Oracle Certificate Authority
OCA, 1-7
Oracle Collaboration Suite, 2-6
Oracle Home, 2-12
Oracle HTTP Server
Apache, 6-3
checks SSL validity, 3-18
Oracle Identity Management, 1-1, 1-5
Oracle Internet Directory, 1-7, 1-9, 2-3, 2-5, 2-10, 3-2, 6-18
SSO usage, 3-21
Oracle Label Security, 2-5
Oracle Single Sign-on Authentication, 2-10
Oracle wallet, 1-5
Oracle Wallet Manager, 1-8, B-1, B-5
Oracle Wallet Manager (OWM), B-5
ORACLE_HOME, 4-10, 5-20, 6-3, 6-6, 6-12, 6-13, 6-22, B-6
order of policies, 5-3
order of predicates, 5-25
osso.conf, 3-22
osso.conf file, 3-22, 3-23, 6-22
overriding policies
when issuing a certificate, 5-15
overview
web administrative interface, 3-7
OWM, 1-8, 6-6, B-1, B-5
owner, 3-16

P

.p12 file, 7-19
parameters, 5-2, 5-16, A-2, A-3
allowExpiredCerts, 5-11
defaults ranges & values, 5-2
policy, 5-15
validity constraints, 5-6, 5-7
values, 5-17
password, 3-6
admin
required for ocactl, 6-5
administrator, 2-8, 3-2, 3-3, 3-5, 3-6, 3-7, B-4
browser security, 3-6
database, 6-5
encrypting private key, 6-2, A-10
lost, 6-8
requested during generation, 6-2, A-10
SSL Server wallet, 6-6
store, B-4
wallet, 6-3, 7-19
changing, 6-5
password store, A-11
passwords, 7-17, 7-18, A-2, A-8, A-9, A-11
CA, 6-5
CA SSL wallet, 6-5
CASMIME, 6-5
path
CRL, 3-18
path length, 3-11
path-length
number of Sub CA levels, B-5
pathlength, D-1
peer identity, 1-5
pending, 2-8, 3-9, 3-15, 3-17
pending certificate requests, 3-8
PKCS #12, 1-8
PKCS Standards, 2-7
PKCS#10, 7-13, B-5
PKCS#10 Certificate Request, B-1
PKCS#10 certificate request, 1-8, 2-7
PKCS#12, 1-8, 6-3, 6-6, 7-18, A-6
PKCS#7, B-2
PKI, 1-1, 7-13
benefits, 1-6, 1-7
certificate, 1-3
components, 1-8
containers, 1-5
credentials, 1-5
earlier costs and difficulties, 1-7
introduction, 1-6
operations, 1-5
requires SSL, 3-19
what is a, 1-1
with SSO and OCA, 3-22
pki
for secure data transmission and storage, 1-1
PKI-based single sign-on, 1-9
PKIX, 2-7
plug-in policy modules, 2-7
plug-ins, 5-1, 5-2, 5-3, 5-23, 5-31, 5-32
class, 5-15
custom
examples, 5-31
custom policy, 5-16
default, 5-31
jar, 5-15
policies, 2-1, 2-11, 3-3
add (custom only), 5-20
adding, 5-14, 5-15
administering, 5-3
altering requests, 5-4
applying, 5-3
certification practice, 4-10
changes require restart, 5-15
class, 5-15
custom, 5-31
no predicates, 5-21
default rules, 5-4
delete (custom only), 5-17
deleting, 5-15
disabling, 5-15
edit, 5-16
enable, 5-17
enforcing, 5-3
evaluate requests, 5-2
for different user populations, 5-22
formulating and applying, 5-2
jar, 5-15
managing, 5-1, 5-14
order, 5-3
overriding
when issuing a certificate, 5-15
parameters, 5-15
predicates, 5-15
processing, 5-3
renewal, 5-16
RenewalRequestConstraint, 5-4, 5-11
reorder, 5-17
reordering, 5-14
restricting parameter values, 5-3
RevocationConstraints, 5-4, 5-10
RSAKeyConstraints, 5-4
sample custom, 5-16
sequence, 5-14
supplied, 5-4
supplied rules, 5-4
UniqueCertificateConstraint, 5-4, 5-8
ValidityRule, 5-4
what they specify, 5-14
policy, 2-7
add (custom only), 5-20
concepts terms and definitions, 5-2
creating
steps, 5-32
custom plug-ins, 5-1
defaults
when used, 5-21
delete, 5-17
deleted, 5-17
description, 5-20
edit, 5-16
enable, 5-17
flexible, 2-7
Java class, 5-2
management, 5-2
name, 5-20
object class, 5-20
predicate, 5-2
processing
sequential, 5-3
processor module, 5-3
rule, 5-2
security, 2-7, 2-11
Policy Actions
edit enable disable delete reorder or add, 5-16
policy default values
applying, 5-25
policy evaluations
DN matching, 5-24
policy modules, 2-7
customize, 2-8
policy rule
multiple predicates, 5-24
policy rules
all re renewals, 5-14
all re requests, 5-13
all re revocations, 5-14
and plug-ins, 5-3
creating, 5-3
enable disable or modify, 5-3
Policy Sub-tab, 5-13
Policy subtab, 5-3
policy subtab tasks & discussions, 4-4
port, 3-4, 3-7, 7-2
host, 3-19
information, 3-7
list, 3-7
SSL, 3-19
practice statement, 4-10
elements, 4-10
predicate, 5-2
adding, 5-28
attributes, 5-23
certificate types, 5-23
corresponding values used, 5-22
delete, 5-17
expression, 5-2
if no match, 5-25
key size, 5-5
matching request element, 5-21
multiple, 5-23
evaluation example, 5-25, 5-26
not in custom policies, 5-21
operators, 5-22
optional, 5-21
order, 5-25
RenewalRequestConstraint, 5-12
reordering, 5-26
RSAKeyConstraints, 5-5
specifics, 5-21
strings
case-insensitive, 5-23
validity period, 5-7
value
asterisk, 5-23
values, 5-23
Predicate Attributes, 5-23
predicate expression
complete, 5-12
contiguous, 5-12
evaluation, 5-21
logical, 5-22
not matched, 5-21
predicate order
criterion, 5-25
predicates, 5-16
complex, 5-5
examples, 5-5
multiple sets, 5-5
policy, 5-15
Predicates in Policy Rules, 5-21
preventing
repudiation of signed messages, 1-2
unauthorized access, 1-2
private key, 1-2, 1-6, 3-12, 7-3, 7-13, 7-18
compromised, 3-6, 6-8
encrypted, 6-2, A-10
for decryption, 1-2
lost, 3-6
new CA, 6-2, A-10
password lost, 6-8
signs certificate, 1-3
stolen, 3-6, 6-8
validation using public key, 1-3
private messages, 1-2
privileges, 1-9
propagating, 2-6
properties
certificate, 2-8
properties file, 6-15
protocols
PKCS#10, 2-7
Signed Public Key and Challenge, 2-7
provisioning, 2-10
automatic, 2-9
conventional, 2-9
Provisioning Integration, 2-6
public key, 1-2, 7-3, 7-14
can verify CA signature, 1-3
for encryption, 1-2
owner, 1-3
Public Key Infrastructure, 1-1
public-key certificates, 1-6
publish
OCA URL for SSO users, 3-19
SSO certificate, 3-21
publishing, 2-6
certificates, 4-7, 6-18

R

RA, 1-4, 1-5, 1-7
within OCA, 1-6
ranges, 5-2
RDN, 3-17, 5-24, E-3
child of RDN, 5-24
least significant, 5-24, 5-25
multiple usage, 5-24
reason codes
revoke, 3-7
reasons
revocation, 6-8
re-associating
infrastructure, 6-14
repository, 6-14
Re-associating Oracle Application Server Certificate Authority Infrastructure, 6-14
recommended deployment, 2-12
advantages, 2-12
installation instructions, 2-13
regenerating
CA signing certificate, 6-2
CA SMIME wallet, 6-2, 6-3, A-10
CA SSL certificate
circumstances, B-6
CA SSL Wallet, 6-3
CA SSL wallet, 6-2, A-10
CA Wallet, 6-2
wallets, 6-2, 6-3, B-6
Re-generating the CA Wallet, 6-2
Regenerating the Certificate Authority's SSL Certificate and Wallet, A-11
Regenerating the Root Certificate Authority's Certificate, A-10
register
class, 5-31
Registration Authority
RA, 1-4
registration authority, 1-5, 1-7
registration tool
SSO, 3-22
reject, 2-8, 3-10, 3-11, 3-14
rejected, 2-8, 3-9, 3-15, 3-17
Rejecting Certificate Requests, 3-11
relative distinguished name, 5-24
relative DN, 3-17
Remove From CRL (revocation reason), 3-12
remove link with SSO, 3-20
REMOVE_FROM_CRL (revocation code), 3-7
removing
operating system files, 6-13
renew, 1-5, 3-10, 3-14, 5-4, 5-12, 5-16, 7-3, 7-12
expired certificates, 5-4
whether/when, 5-16
renewal, 5-12
all policy rules, 5-14
default period, 5-12, 5-16
policy, 5-16
renewal window, 3-10, 3-13, 5-12, 5-16
renewalNotAfter, 5-12, 5-16
renewalNotBefore, 5-12
RenewalRequestConstraint, 5-4, 5-16
predicate, 5-12
renewcert, A-3, A-4
renewed, 3-13
renewing, 6-4
critical wallets, 6-4
expiring certificates, 6-4
Renewing Certificates, 3-13
Reorder, 5-17
reorder, 5-16
reorder a policy, 5-17
reordering
policies, 5-14
Reordering Predicates, 5-26
replace
administrator certificate, 3-6
repository, 2-9, 2-10, 2-12, 3-2
connections, 6-18
contains logs, 6-13
OCA, 6-2, A-10
re-associating, 6-14
separate, 6-14
request, 1-8, 2-7, 2-8, 2-9, 2-10, 2-11, 3-3, 3-9, 3-10, 3-16, 7-4
CA signing, 7-13
code signing, 7-13
new, 7-3
pending, 3-8
signing, 7-13
SSL/encryption, 7-13
validity, 5-2
requests
altering by policies, 5-4
policies rejecting, 5-3
subjected to policies, 5-3
required fields, 2-10
re-registering
OCA with SSO, 3-22
Reregistering OCA's Virtual Host to SSO Server, 3-22
re-registering command, 3-22
restart, 3-2, 3-6
restarting
SSO server, 3-20
restricting
certificate parameter values, 5-3
retrieve, 7-12
revocation
reasons, 3-7, 6-8
revocation reasons, 3-12
RevocationConstraintRule, 5-16
RevocationConstraints, 5-4, 5-10
revoke, 1-5, 2-6, 2-8, 2-10, 3-6, 3-10, 3-12, 3-14, 7-3, 7-6, 7-12, 7-13
all policy rules, 5-14
expired certificates, 5-10, 5-16
revokecert, 6-7, A-3, A-4
revoked, 3-14
revoked CA
administrator cannot access, 6-7
revoked certificates
list, 3-15
revoking
a Certificate Authority certificate, 6-7
reasons, 6-8
required before installing new CA, 6-7
root certificate authority certificate, 6-7
web administrator's certificate, 6-8
Revoking Certificates, 3-12
RFC1779
DN usage, 5-23
role, A-5, A-9
root, 2-11, 7-14, A-10
CA, 1-3
root CA
certificate, 3-13
root CA wallet, B-5
root certificate authority (CA), 6-2
root of directory information subtree
DN as, E-3
Root Store, 7-7
RSA, 2-7, 3-18
RSAKeyConstraints, 5-4
default maximum key size, 5-5
default minimum key size, 5-5

S

scalability, 1-1
Scalability, Performance, and High Availability, 2-9
scheduled jobs, 4-6
seamless, 2-6
search, 3-14, 7-4
advanced, 3-15
criteria, 3-15
all pending requests, 3-14
by
DN or DN component, 3-15
email, 3-15
serial number, 3-15
for single certificate or request, 3-14
single issued certificate, 3-14
single request, 3-14
using advanced DN, 3-17
using Certificate Status, 3-17
using DN, 3-16
using request status, 3-16
using serial number range, 3-17
Search Certificate Request using Request Status, 3-16
Search Using Advanced DN, 3-17
Search Using Certificate Status, 3-17
Search Using DN, 3-16
Search Using Serial Number Range, 3-17
secure communications, 1-1
secure email, 2-5
Secure Socket Layer (SSL-based) Authentication, 2-10
Secure Sockets Layer, 1-8
SSL, 1-8
security icon, 7-17
security policy, 2-11
self-service, 2-6
Send SMIME E-Mails, 6-3
sending
signed alerts & notifications, 4-5, 6-3, 6-4
serial number
certificate, 1-4
new Sub CA, B-4
range, 3-15
range search, 3-17
Sub CA, B-6
serial number search, 3-15
server, 3-16
certificate type, 5-23
certificates, 5-6, 7-3, 7-13
types, 7-13
SSL authentication, 6-3
server certificate
acquiring, 7-13
server entities, 7-1
verification, 3-18
server request
manual, 2-11
servers
multiple, 3-18
Server/SubCA
certificate request, 7-13, 7-14, B-2, B-5, B-6
enrollment form, 7-13, 7-14, B-2, B-5, B-6
Server/SubCA Certificates Tab, 7-13
Server/SubCA Certificates tab, 2-8, 7-4
session key management, 1-9
set, A-3, A-5
setpasswd, A-3, A-5, A-9
settings
database, 4-8
directory host/agent/port in use, 4-8
General subtab, 6-18
SHA1 with RSA, 3-18
sign digital transactions, 1-6
signature
digital, 1-1, 1-4
signature algorithm, 3-18
signer, 7-6, 7-9
signing, 1-3, 2-9, 7-3, 7-7, 7-14, A-2, A-11
certificate, 7-4
certificate authority, 1-3
certificates, 7-4
code, 7-4
message digests, 7-3
software, 7-4
signing certificate, 2-11
single certificate or request
finding, 3-14
Single Sign-on, 2-6
single sign-on, 1-1, 1-7, 1-9, 2-3
Single Sign-on (see SSO), 3-18
Single Sign-on Authentication (SSO), 7-5
smart card, 2-7, 3-5, 7-5
smart cards, 2-9
SMIME, 3-18
SMIME wallet, 6-2, 6-4
smime_enc
usage type in predicates, 5-23
smime_sign
usage type in predicates, 5-23
software
signing, 7-4
SSL, 1-4, 1-5, 1-8, 1-9, 2-11, 7-4, 7-10, A-9
authentication, 7-4
certificate, 2-11
not SSO default, 3-19
PKI requires, 3-19
port, 3-7, 3-19
publishing, 4-7
user
validity period, 5-7
user can renew, 7-12
user can revoke, 7-12
validity check, 3-18
with OCA, 6-3, B-6
ssl
usage type in predicates, 5-23
SSL authentication
server, 6-3
SSL mode
configured automatically, 6-6
SSL server
wallet password, 6-6
SSL Server wallet, A-6
SSL wallet, 6-2
SSO, 1-9, 2-3, 2-8, 2-9, 2-10, 2-11, 2-12, 3-18, 7-4, 7-5, A-7
application usage, 3-23
broadcast OCA request page, 3-18, 3-19
can use OCA certificate, 3-20
default deployment, 3-19
enabling PKI with OCA, 3-22
getting an OCA certificate directly, 3-18
import certificate to browser, 3-22
link with OCA, 3-20
login page, 7-5
mod_osso, 2-9
OCA configuration choices, 3-18
registration tool, 3-22
re-registering, 3-22
server restart, 3-20
usage of certificates, 3-23
user
validity period, 5-7
user can renew, 7-12
user can revoke, 7-12
users
choose key size, 3-21
wallet, 6-6
welcome page, 3-21
SSO Certificate Request, 3-19
SSO wallet
encrypted, 6-6
protected by file permissions, 6-6
standards, D-1
start, 2-8, 3-1, 3-2, 3-7, A-2, A-3, A-5, A-8
OC4J, 3-20, 5-33, 6-9, 6-16, 6-17, A-8, A-14, B-3
ohs, 5-33, 6-16, A-8, A-14, B-3
status, 3-2, A-5, A-8
approved, rejected, or pending, 3-14
certificate
valid, revoked, expired, 3-15, 3-17
RenewalRequestConstraint, 5-12
RevocationConstraints, 5-11
RSAKeyConstraints, 5-5
uniquecertificateconstraint, 5-9
validity rule, 5-7
Steps in Creating a New Policy Plug-in, 5-32
stop, 2-8, 3-1, 3-2, 3-6, A-3, A-6, A-8
OC4J, 3-20, 5-33, 6-9, 6-16, 6-17, A-8, A-14, B-3
ohs, 5-33, 6-16, A-8, A-14, B-3
storing connection information, 6-18
string values, 5-23
Structure of the Administration Interface, 4-1
Sub CA
common name, B-6
new
invalidates older SMIME certificate, B-7
invalidates older SSL certificate, B-6
serial number, B-4
serial number, B-6
Sub CA certificate, 3-11
sub CA certificate
acquire and import, B-1
Sub CA Wallet
installing/importing, B-3
Sub CA wallet
directory, B-4
generating, B-5
Sub CA wallets, B-5
SUBCA, A-4
subdivisions
as domain components, E-3
Subject Name, 3-4
Subordinate CA
certificates, 7-13
subordinate CA, 1-3, 2-11, 7-13
geographical advantages, 2-11
subordinate CA request
manual, 2-11
subordinate certificate authority
acquire and import, B-1
subordinate organizations
Sub CA wallets, B-5
subscriber name, 3-23
subtabs, 3-8, 5-13
General, 4-6
SUPERSEDED (revocation code), 3-7
Superseded (revocation reason), 3-12
Support for Open Standards, 2-7
symmetric, 1-2
synchronization
directory, 4-6
syntax, A-3, A-7

T

tabs, 2-8
Administration Setup, 2-8
Certificate Management, 2-8
certificate management, 3-8
tasks
configuration, 4-3
general subtab, 4-4
notification subtab, 4-3
policy subtab, 4-4
Thawte, 1-3
third-party, 7-14
SSL wallet, 6-6
trusted, 1-3
third-party wallet, A-6
top-down evaluation of predicates, 5-26
TRACE, A-5
trace, 6-12
clearing, 6-13
oca.trc, 6-13
trace file, 4-7
tracer, A-6, A-8
tracing, 4-7
trust
levels, 1-3
paths, 2-11
trust environment, 3-18
trust point, 6-6, B-1
trust points
copying, B-6
trusted certificate, B-5
editing uses, 7-7, 7-8
trusted entities, 1-2, 1-3, 3-11
trusted-certificate-DNs
allow/disallow requests, 5-16
Trusting a Certificate Issuer in Internet Explorer, 7-7
trusting a certificate issuer in Netscape, 7-8
type, A-2, A-9
types
certificate, 7-3
in predicates, 5-23

U

unauthorized access, 1-6
prevention, 1-2
UniqueCertificateConstraint, 5-4, 5-8
checks usage and DN, 5-9
uniquecertificateconstraint
parameter, 5-10
UNIX, 3-7
unlinksso, 3-20, A-3, A-6
UNSPECIFIED (revocation code), 3-7
Unspecified (revocation reason), 3-12
update CRL, 2-8
updateconnection, A-3, A-6
updating the CRL, 3-17
URL
certificate request for SSO users, 3-19
URLC token, 3-23
usage
CA signing, B-5
usages
in predicates, 5-23
User Certificates page, 2-8
User Certificates tab, 2-8
user interface
accessing, 7-2
certificate operations, 7-12
certificate renewal, 7-12
certificate retrieval, 7-12
certificate revocation, 7-12
configuring your browser to trust OCA, 7-7
downloading a CA certificate, 7-14
downloading CRL, 7-15, 7-16
end-user tabs and processes, 7-3
exporting wallet from browser, 7-17
importing certificate from your file system, 7-19
importing certificate to browser, 7-16
manual authentication, 7-11
server/subca certificates tab, 7-13
SSL, 7-10
SSO, 7-5
subordinate CA certificates, 7-13
user certificates tab, 7-4
Using Advanced Search, 3-15

V

validation
key, 1-3
validity period, 3-3, 3-5, 3-11, 3-14, 5-4, 7-6, 7-13
default maximum, 5-7
default minimum, 5-7
default period, 5-7
defaults, 5-16
for SSO- or SSL-authenticated users, 3-13
for the CA, 5-8
default, 5-8
minimum and maximum, 5-6
narrow/widen range, 5-16
predicate, 5-7
rejecting, 5-6
renewcert, 6-4
validityPeriod
renewal default, 5-12
ValidityRule, 5-4, 5-6
values, 5-2
in predicates, 5-23
parameters, 5-17
Verisign, 1-3
view, 3-11, 7-3
log or trace, 4-7
View Details, 3-10, 3-14
View Logs Tab, 4-9
View Policies For, 5-14
Viewing Details of Certificates, 3-11
viewing logs, 3-1

W

wallet
as container, 1-5
CA SMIME
regenerating, 6-2, A-10
CA SSL
regenerating, 6-2, A-10
compromised or corrupted, 6-3, B-6
contents, 1-5
Oracle, 1-5
password, 6-3, 7-19
changing, 6-5
password superseded, 6-6
regenerated, 6-3, B-6
regenerating, 6-2
wallet operations, 6-1
wallet-location, A-7
wallets, 1-8, 6-1, 6-4, A-2, A-11
backing up, 6-6
CA SMIME, 6-3
regenerating, 6-3
SMIME, 6-4
SSO format, 6-6
walletwrl, A-7
web administration interface, 3-7
web administrative interface, 3-1
access, 3-4
web administrator certificate, 3-3, 3-6
web administrator's certificate
revoking, 6-8
web interface
administrative, 2-8
end-user, 2-8
welcome page, 3-3
for SSO users, 3-21
window
renewal, 3-10, 3-13, 5-12, 5-16
Windows NT, 3-7
writing a policy plug-in, 5-3

X

X.500, E-3
X.509, 1-4, 1-8, 2-1, 2-7, 2-9, 2-10

Copyright © 2002, 2003 Oracle Corporation.

All Rights Reserved.