Preface

Oracle Application Server Certificate Authority enables an organization to issue and manage digital certificates based on PKI (public key infrastructure) technology. With Oracle Application Server Certificate Authority's ease of administration and management, such certificates improve security and reduce the time and resources required for user authentication.

Oracle Application Server Certificate Authority (OCA) enables end-entities (users and servers) to authenticate themselves using certificates that OCA issues based on OracleAS Single Sign-On, SSL, or other pre-existing authentication methods. Use of these certificates makes authentication a speedier and more secure process, relying on certificate identification. Each certificate is published to Oracle Internet Directory when it is issued and removed when it expires or is revoked. Users can access the OCA web interface to request issuance, revocation, or renewal of their own certificates. No special privilege is required for end-users to access the OCA web interface. However, to get a certificate issued, revoked, or renewed, they must be already authenticated by OracleAS Single Sign-On or by SSL using a previously issued certificate from OCA. Otherwise, manual authentication by the OCA administrator is required.

This Oracle Application Server Certificate Authority Administrator's Guide explains how to perform administration and management of public key certificates.

This preface contains these topics:

• Intended Audience

• Documentation Accessibility

• Oracle Identity Management

• Structure

• Related Documentation

• Conventions

Intended Audience

This guide is intended for

• administrators of Oracle Application Server Certificate Authority, who will manage certificate requests and certificate-related operations, and

• users of certificates issued by OCA, for authentication, encryption, and diverse other purposes.

Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at

http://www.oracle.com/accessibility/

Accessibility of Code Examples in Documentation

JAWS, a Windows screen reader, may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

Oracle Identity Management

The Oracle¨ Application Server Certificate Authority (OCA) is a component of Oracle Identity Management, an integrated infrastructure that provides distributed security services for Oracle products and other enterprise applications. The Oracle Identity Management infrastructure includes the following components and capabilities:

• Oracle Internet Directory, a scalable, robust LDAP V3-compliant directory service implemented on the Oracle Database.

• Oracle Directory Integration and Provisioning, part of Oracle Internet Directory, which enables synchronization between Oracle Internet Directory and other directories and user repositories. This service also provides automatic provisioning services for Oracle components and applications and, through standard interfaces, for third-party applications.

• Oracle Delegated Administration Services, part of Oracle Internet Directory, which provides trusted proxy-based administration of directory information by users and application administrators.

• Oracle Application Server Single Sign-On, which provides single sign-on access to Oracle and third party web applications.

• Oracle Application Server Certificate Authority, which generates and publishes X.509 V3 PKI certificates to support strong authentication methods, secure messaging, etc.

  In addition to its use of SSL, OC4J, and HTTP Server, Oracle Application Server Certificate Authority has a built-in reliance on OracleAS Single Sign-On and Oracle Internet Directory. OCA publishes each valid certificate in an Oracle Internet Directory entry for the DN in use, and supports certificate enrollment and saving or installing through Netscape, Internet Explorer, or Mozilla. OracleAS Single Sign-On and other components can rely on these Oracle Internet Directory entries because OCA removes revoked certificates immediately from Oracle Internet Directory and, on a regular basis, expired certificates as well. The administrator also has the option of configuring OCA to publish its URL through OracleAS Single Sign-On. This configuration choice causes every OracleAS Single Sign-On-authenticated user who lacks a certificate to see the OCA page for requesting one. OCA certificates can be used to authenticate to any Oracle component or to authorize use of any application that is OracleAS Single Sign-On-enabled.

In a typical enterprise application deployment, a single Oracle Identity Management infrastructure is deployed, consisting of multiple server and component instances. Such a configuration provides benefits that include high availability, information localization, and delegated component administration. Each additional application deployed in the enterprise then leverages the shared infrastructure for identity management services. This deployment model has a number of advantages, including:

• One-time cost: Planning and implementing the identity management infrastructure becomes a one-time cost, rather than a necessary part of each enterprise application deployment. As a result, new applications such as portals, J2EE applications, and e-business applications can be rapidly deployed.

• Central management: Managing identities is done centrally, even if administered in multiple places, and changes are instantly available to all enterprise applications.

• User single sign-on: Having a centralized security infrastructure makes it possible to realize user single sign-on across enterprise applications.

• Single point of integration: A centralized identity management infrastructure provides a single point of integration between the enterprise Oracle environment and other identity management systems, eliminating the need for multiple custom "point-to-point" integration solutions.

For more information about planning, deploying, and using the Oracle Identity Management infrastructure, see the Oracle Identity Management Administrator's Guide.

For the default deployment configuration of OCA, installation instructions appear in section 6.20 of the Oracle Application Server Installation Guide. For the recommended deployment configuration and installation procedure, see section 11.9 of that Guide.

Structure

This manual contains seven chapters and five appendices.

Chapter 1, "Public Key Infrastructure and OracleAS"

This chapter briefly describes public key infrastructure and its Oracle implementation

Chapter 2, "Identity Management and OracleAS Certificate Authority Features"

This chapter describes the key features & interface (scalable, web-browser) to administer industry-standard certificates, integrate with LDAP directories and Single Sign-On, and apply policies.

Chapter 3, "Introduction to OCA Administration and Certificate Management"

This chapter describes using the web administrator interface to accomplish OCA administration and certificate management

Chapter 4, "Configuring Oracle Application Server Certificate Authority"

This chapter describes the OCA user interface to request renew, or revoke certificates

Chapter 5, "Managing Policies in Oracle Application Server Certificate Authority"

This chapter describes how to manage or modify policies delivered with OCA, and how to make and manage new ones, for handling requests to issue, renew, or revoke certificates. The Administrator can modify policies using the web interface.

Chapter 6, "OracleAS Certificate Authority Administration: Advanced Topics"

This chapter describes Oracle Application Server Certificate Authority's requirements and interactions with Oracle® Application Server High Availability features and standard back-up-and-recovery procedures

Chapter 7, "End-User Interface of the Oracle Application Server Certificate Authority"

This chapter describes the web interface for end-users to request, acquire, renew, or revoke certificates

Appendix A, "Command-Line Administration"

This appendix presents syntax & examples for all uses of the ocactl command line tool for administration and certificate management

Appendix B, "Setting up a CA Hierarchy"

This appendix describes how to acquire and install a subordinate certificate authority, which is a CA whose certificate is signed by some higher CA authority.

Appendix C, "Known Troubleshooting Tips"

This appendix presents workarounds and other suggestions for handling certain issues or error messages that can arise while installing, administering, or using Oracle Application Server Certificate Authority.

Appendix D, "Extensions"

This appendix describes X.509 V3 and IETF's PKIX standard extensions, with which Oracle Application Server Certificate Authority is compliant

Appendix E, "Enabling SSL and PKI on SSO"

This appendix gives an overview of all the necessary and advisable steps and procedures for enabling SSL and PKI on OracleAS Single Sign-On as of OracleAS 10g Release 2 (10.1.2). It also supplies references to other manuals containing detailed descriptions and additional context explanations.

Appendix F, "External Access to Protected OCA"

This appendix provides definitions for key terms and concepts relating to OracleAS Certificate Authority

Appendix G, "SMIME with OracleAS Certificate Authority"

This appendix provides definitions for key terms and concepts relating to OracleAS Certificate Authority

Appendix H, "Glossary"

This appendix provides definitions for key terms and concepts relating to OracleAS Certificate Authority

Related Documentation

• Oracle Application Server Installation Guide

• Oracle Application Server Administrator's Guide

• Oracle Application Server Security Guide

• Oracle Application Server Single Sign-On Administrator's Guide

• Oracle Application Server High Availability Guide

• Oracle10i Backup and Recovery Advanced User's Guide

• Oracle Internet Directory Administrator's Guide

• Oracle Advanced Security Administrator's Guide.

Many of the examples in this book use the sample schemas of the seed database, which is installed by default when you install Oracle. Refer to Oracle10i Sample Schemas for information on how these schemas were created and how you can use them yourself.

In North America, printed documentation is available for sale in the Oracle Store at

http://oraclestore.oracle.com/

Customers in Europe, the Middle East, and Africa (EMEA) can purchase documentation from

http://www.oraclebookshop.com/

Other customers can contact their Oracle representative to purchase printed documentation.

To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at

http://www.oracle.com/technology/membership/index.html

If you already have a username and password for OTN, then you can go directly to the documentation section of the OTN Web site at

http://www.oracle.com/technology/documentation/index.html

Conventions

This section describes the conventions used in the text and code examples of this documentation set. It describes:

• Conventions in Text

• Conventions in Code Examples

Conventions in Text

We use various conventions in text to help you more quickly identify special terms. The following table describes those conventions and provides examples of their use.

Convention	Meaning	Example
Bold	Bold typeface indicates terms that are defined in the text or terms that appear in a glossary, or both.	When you specify this clause, you create an index-organized table.
Italics	Italic typeface indicates book titles or emphasis.	Oracle10i Database Concepts Ensure that the recovery catalog and target database do not reside on the same disk.
UPPERCASE monospace (fixed-width font)	Uppercase monospace typeface indicates elements supplied by the system. Such elements include parameters, privileges, datatypes, RMAN keywords, SQL keywords, SQL*Plus or utility commands, packages and methods, as well as system-supplied column names, database objects and structures, usernames, and roles.	You can specify this clause only for a NUMBER column. You can back up the database by using the BACKUP command. Query the TABLE_NAME column in the USER_TABLES data dictionary view. Use the DBMS_STATS.GENERATE_STATS procedure.
lowercase monospace (fixed-width font)	Lowercase monospace typeface indicates executables, filenames, directory names, and sample user-supplied elements. Such elements include computer and database names, net service names, and connect identifiers, as well as user-supplied database objects and structures, column names, packages and classes, usernames and roles, program units, and parameter values. Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.	Enter sqlplus to open SQL*Plus. The password is specified in the orapwd file. Back up the datafiles and control files in the /disk1/oracle/dbs directory. The department_id, department_name, and location_id columns are in the hr.departments table. Set the QUERY_REWRITE_ENABLED initialization parameter to true. Connect as oe user. The JRepUtil class implements these methods.
lowercase monospace (fixed-width font) italic	Lowercase monospace italic font represents placeholders or variables.	You can specify the parallel_clause. Run Uold_release.SQL where old_release refers to the release you installed prior to upgrading.

Conventions in Code Examples

Code examples illustrate SQL, PL/SQL, SQL*Plus, or other command-line statements. They are displayed in a monospace (fixed-width) font and separated from normal text as shown in this example:

SELECT username FROM dba_users WHERE username = 'MIGRATE';

The following table describes typographic conventions used in code examples and provides examples of their use.

Convention	Meaning	Example
[ ]	Brackets enclose one or more optional items. Do not enter the brackets.	DECIMAL (digits [ , precision ])
{ }	Braces enclose two or more items, one of which is required. Do not enter the braces.	{ENABLE | DISABLE}
|	A vertical bar represents a choice of two or more options within brackets or braces. Enter one of the options. Do not enter the vertical bar.	{ENABLE | DISABLE} [COMPRESS | NOCOMPRESS]
...	Horizontal ellipsis points indicate either: That we have omitted parts of the code that are not directly related to the example That you can repeat a portion of the code	CREATE TABLE ... AS subquery; SELECT col1, col2, ... , coln FROM employees;
. . .	Vertical ellipsis points indicate that we have omitted several lines of code not directly related to the example.
Other notation	You must enter symbols other than brackets, braces, vertical bars, and ellipsis points as shown.	acctbal NUMBER(11,2); acct CONSTANT NUMBER(4) := 3;
Italics	Italicized text indicates placeholders or variables for which you must supply particular values.	CONNECT SYSTEM/system_password DB_NAME = database_name
UPPERCASE	Uppercase typeface indicates elements supplied by the system. We show these terms in uppercase in order to distinguish them from terms you define. Unless terms appear in brackets, enter them in the order and with the spelling shown. However, because these terms are not case sensitive, you can enter them in lowercase.	SELECT last_name, employee_id FROM employees; SELECT * FROM USER_TABLES; DROP TABLE hr.employees;
lowercase	Lowercase typeface indicates programmatic elements that you supply. For example, lowercase indicates names of tables, columns, or files. Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.	SELECT last_name, employee_id FROM employees; sqlplus hr/hr CREATE USER mjones IDENTIFIED BY ty3MU9;