Oracle® Application Server Certificate Authority Administrator's Guide
10g (9.0.4)

Part Number B10663-01

Contents

Title and Copyright Information

Send Us Your Comments

Preface

Audience
Documentation Accessibility
Oracle Identity Management
Organization
Related Documentation
Conventions

1 Public Key Infrastructure and OracleAS

What Is a PKI?
Key Pairs
Certification Authority (CA) and Digital Certificates
CA Signing
Levels of Trust
Contents and Uses of a Digital Certificate
Containers for PKI Credentials
Registration Authority (RA)
Benefits of a PKI
Introduction to the OracleAS PKI
Earlier Costs and Difficulties
Benefits of the OracleAS PKI
Components of the OracleAS PKI
Containers, Oracle Wallets, and Oracle Wallet Manager (OWM)
Secure Sockets Layer (SSL)
Oracle Internet Directory and Single Sign-on (SSO)
Oracle Application Server Certificate Authority

2 Identity Management and OracleAS Certificate Authority Features

Identity Management Components and Architecture
Oracle Identity Management
Leveraging Oracle Identity Management in the Enterprise
Role of Oracle Identity Management in the Oracle Security Architecture
Role of OracleAS Certificate Authority in Oracle Identity Management
Simplified Provisioning through SSO Integration
Key Features of Oracle Application Server Certificate Authority
Support for Open Standards
Flexible Policy
Ease of Use for Administrators and End Users
National Language Support (NLS) for OCA Screens
Scalability, Performance, and High Availability
Automatic or Conventional Provisioning
Oracle Single Sign-on Authentication
Secure Socket Layer (SSL-based) Authentication
Manual Approval
Hierarchical Certificate Authority Support
Deployments and Installations

3 Introduction to OCA Administration and Certificate Management

Starting and Stopping Oracle Application Server Certificate Authority
Requesting the Administrator Certificate
Replacing the Administrator Certificate
Overview of the OracleAS Certificate Authority Administration Interface
Certificate Management Tab
Managing Certificates
Approving or Rejecting Certificate Requests
To Approve a Certificate Request
To Reject a Certificate Request
Viewing Details of Certificates
Revoking Certificates
Renewing Certificates
Listing a Single Certificate Request or Issued Certificate
Using Advanced Search
Search Certificate Requests using Request Status
Search Using DN (Distinguished Name)
Search Using Advanced DN
Search Using Serial Number Range
Search Using Certificate Status
Updating the Certificate Revocation List (CRL)
Single Sign-on (SSO) and OracleAS Certificate Authority (OCA)
Broadcasting the OCA Certificate Request URL to SSO-Authenticated Users
Bringing SSO-Authenticated Users to the OCA Certificate Request URL
Enabling PKI Authentication with SSO and OCA
Re-registering OCA's Virtual Host to SSO Server
Example
User Certificates and SSO Usage
Default Install Values for OracleAS Certificate Authority

4 Configuring Oracle Application Server Certificate Authority

Structure of the Administration Interface
Configuration Management Tab
Summary of Configuration Tasks
Notification Sub-tab
Mail Details
Alerts
Scheduled Jobs
General Sub-tab
Certificate Publishing
SSL and SSO Authentication
Logging and Tracing
Default Base DN Components
Database Settings
Directory Settings
View Logs Tab
Creating and Updating Your Certification Practice Statement

5 Managing Policies in Oracle Application Server Certificate Authority

Definitions
Overview of Policy Management
Oracle Application Server Certificate Authority Policies
RSAKeyConstraints
ValidityRule
UniqueCertificateConstraint
RevocationConstraints
RenewalRequestConstraint
Policy Sub-tab of Oracle Application Server Certificate Authority
Certificate Request Policies as Shipped
Certificate Revocation Policy as Shipped
Certificate Renewal Policy as Shipped
Policy Actions
Edit
Enable or Disable
Delete
Reordering Policies
Adding Policies
Predicates in Policy Rules
Multiple Predicate Evaluation
Evaluation Example for Multiple Predicates
One Further Example of Evaluating Multiple Predicates
Reordering Predicates
Adding Predicates
Developing a Custom Policy Plug-in
What Processing Does a Policy Do?
Steps in Creating a New Policy Plug-in
An Example of a Custom Policy Plug-in
Generic Error Messages

6 OracleAS Certificate Authority Administration: Advanced Topics

Wallet Operations for OracleAS Certificate Authority
Regenerating the CA Signing Wallet
Regenerating the CA SSL and CA SMIME Wallets
The CA SMIME Wallet
Renewing Critical Wallets
Changing Passwords
Configuration Operations for OracleAS Certificate Authority
Configuring Oracle HTTP Server to Use a Third Party SSL Wallet
Revoking a Certificate Authority Certificate
Revoking the OCA Web Administrator's Certificate
Configuring National Language Support (NLS) for OCA Screens
Customization Support
Log or Trace OCA Actions for Oracle Application Server Certificate Authority
Clearing Log or Trace Information for OracleAS Certificate Authority
Changing the Infrastructure Services That OCA Uses
Changing Identity Management (IM) Services (SSO/OID) Used by OCA
Changing Metadata Repository (MR) Services Used by OCA
Export Utility
Import Utility
Where OCA Connection Information Is Stored and Displayed
OracleAS Certificate Authority and High-Availability Features
OracleAS Certificate Authority Deployment Using Cold Failover
OracleAS Certificate Authority Deployment Using Real Application Clusters
OracleAS Certificate Authority Backup and Recovery Considerations
Restricting the Realm of Certificate Publication

7 End-User Interface of the Oracle Application Server Certificate Authority

Accessing the User Interface
End-User Tabs and Processes
User Certificates Tab
Single Sign-on Authentication (SSO)
Configuring Your Browser to Trust OracleAS Certificate Authority
Trusting a Certificate Issuer in Internet Explorer
Trusting a Certificate Issuer in Netscape
Secure Sockets Layer (SSL) Authentication
Manual Authentication
Certificate Retrieval, Renewal, and Revocation
Certificate Retrieval
Certificate Renewal
Certificate Revocation
Server/SubCA Certificates Tab
Subordinate CA Certificates
Downloading a CA Certificate
Importing the Certificate Revocation List (CRL) into Your Browser
In Netscape
In Internet Explorer (IE)
Downloading Certificate Revocation Lists into Your File System
Importing a Certificate to Your Browser
Exporting (Backing up) Your Wallet from Your Browser
Importing a Certificate from Your File System

A Command-Line Administration

Command-Line Tool
"Convertwallet" Explained with Examples
Starting the Oracle Certificate Authority Server
Stopping the Oracle Application Server Certificate Authority Server
Finding the Status of the Oracle Certificate Authority Services
Changing Privileged Passwords
Regenerating the Root Certificate Authority's Certificate
Regenerating the Certificate Authority's SSL Certificate and Wallet
Revoking a Root CA Certificate
Converting a CA SSL Server Wallet into SSO Form
Generating a Sub CA Wallet from Oracle Application Server Certificate Authority
Installing/Importing a Sub CA Wallet
Generating a CA SSL Wallet for a Sub CA
Clearing Log or Trace Storage
Updating OCA Repository Connection Information
Setting SSO Authentication (linksso, unlinksso commands)
Setting Log/Trace Options

B Setting up a CA Hierarchy

Generating a Sub CA Wallet
Installing and Using the New Sub CA Wallet
Configuring an OCA Instance to Be a Subordinate CA of Another CA
Generating CA SSL and CA SMIME Wallets for a Sub CA

C Known Troubleshooting Tips

1. Prerequisite Issues and Warnings
a. Issue: Failure of Key Pair Generation during Certificate Requests on Windows.
b. Issue: Cannot Log in as Administrator after Logging in as Normal User
c. Issue: Changing Passwords Must Use OCA's Commandline Tool ocactl
2. Browser Issues
Issue: Browser issues a warning if the CA SSL Server's CN is not identical to the machine name.
Issue: Browsers use only the first (rightmost) CN component
Netscape
i. Issue: Only one certificate appears in the popup window, though multiple certificates are available.
ii. Issue: Browser continues to ask if CA certificate is trusted.
iii. Issue: "Certificate is expired" warning appears.
iv. Issue: SubCA and CA SSL client certificates are listed.
Internet Explorer (IE)
i. Issue: "Page can not be displayed" Message
ii. Issue: Failure to import CRL to Browser
iii. Issue: Message that a page contains both secure and non-secure information
iv. Issue: Opening online Help can generate a security alert.
3. Network Issues
a. Issue: Error message when logging on to OCA using SSO username/password
b. Issue: "Network Error" message.
4. Certificate Issues
a. Issue: Importing user certificate does not import CA certificate on Netscape
b. Issue: Inability to Access or Use the Certificate Management Tab
c. Issue: Administrator Needs to Work from a Different Machine
5. Single Sign-on (SSO) Issues
a. Issue: Name shown on an SSO certificate appears only as "User"
b. Issue: VBScript Error Message While Generating Keys
c. Issue: "Page can not be displayed" Message in Internet Explorer
d. Issue: Going to the SSO login page in Internet Explorer can get a security warning dialog
6. Search Issues
a. Issue: Pressing "Enter" in search screens produces "Internal Error".
7. Backup Protection Issues
a. Issue: Ensuring Recoverability of the OCA Internal Repository
8. General Issues
a. Issue: Pages taking too long to load, or hanging
b. Issue: JAZN error when enrolling a new web administrator
c. Issue: No SMIME signing certificate in Outlook Express
d. Issue: Browser warning about CA SSL Server's CN

D Extensions

E Glossary

Index


Copyright © 2002, 2003 Oracle Corporation.

All Rights Reserved.