Contents
- Intended Audience
- Documentation Accessibility
- Oracle Identity Management
- Structure
- Related Documentation
- Conventions
- What Is a PKI?
- Key Pairs
- Certification Authority (CA) and Digital Certificates
- CA Signing
- Levels of Trust
- Contents and Uses of a Digital Certificate
- Containers for PKI Credentials
- Registration Authority (RA)
- Benefits of a PKI
- Introduction to the OracleAS PKI
- Earlier Costs and Difficulties
- Benefits of the OracleAS PKI
- Components of the OracleAS PKI
- Containers, Oracle Wallets, and Oracle Wallet Manager (OWM)
- Secure Sockets Layer (SSL)
- Oracle Internet Directory and Single Sign-on (SSO)
- Oracle Application Server Certificate Authority
- Identity Management Components and Architecture
- Oracle Identity Management
- Leveraging Oracle Identity Management in the Enterprise
- Role of Oracle Identity Management in the Oracle Security Architecture
- Role of OracleAS Certificate Authority in Oracle Identity Management
- Simplified Provisioning through SSO Integration
- Third Party PKI Support in Oracle Identity Management
- Key Features of Oracle Application Server Certificate Authority
- Support for Open Standards
- Flexible Policy
- Ease of Use for Administrators and End Users
- National Language Support (NLS) for OCA Screens
- Scalability, Performance, and High Availability
- Secure Email Through SMIME Digital Encryption and Signing
- Automatic or Conventional Provisioning
- Oracle Single Sign-on Authentication
- Certificate-based Authentication Using Secure Sockets Layer (SSL)
- Manual Approval
- Hierarchical Certificate Authority Support
- Deployments and Installations
- Starting and Stopping Oracle Application Server Certificate Authority
- Requesting the Administrator Certificate
- Replacing the Administrator Certificate
- Overview of the OracleAS Certificate Authority Administration Interface
- Certificate Management Tab
- Managing Certificates
- Approving or Rejecting Certificate Requests
- To Approve a Certificate Request
- To Reject a Certificate Request
- Viewing Details of Certificates
- Revoking Certificates
- Renewing Certificates
- Listing a Single Certificate Request or Issued Certificate
- Using Advanced Search
- Search Certificate Requests using Request Status
- Search Using DN (Distinguished Name)
- Search Using Advanced DN
- Search Using Serial Number Range
- Search Using Certificate Status
- Updating the Certificate Revocation List (CRL)
- Single Sign-on and OracleAS Certificate Authority (OCA)
- Broadcasting the OCA Certificate Request URL to SSO-Authenticated Users
- Bringing SSO-Authenticated Users to the OCA Certificate Request URL
- User Certificates and SSO Usage
- Default Install Values for OracleAS Certificate Authority
- Enabling PKI Authentication with SSO and OCA
- Structure of the Administration Interface
- Configuration Management Tab
- Summary of Configuration Tasks
- Notification Sub-tab
- Mail Details
- Alerts
- Scheduled Jobs
- Email Templates
- Values for the tokens
- General Sub-tab
- Certificate Publishing
- SSL and SSO Authentication
- Default usage for client certificates
- Subject Alternate Name Extension
- Logging and Tracing
- Default Base DN Components
- Database Settings
- Directory Settings
- View Logs Tab
- Creating and Updating Your Certification Practice Statement
- Definitions
- Overview of Policy Management
- Oracle Application Server Certificate Authority Policies
- RSAKeyConstraints
- ValidityRule
- UniqueCertificateConstraint
- RevocationConstraints
- RenewalRequestConstraint
- Policy Sub-tab of Oracle Application Server Certificate Authority
- Certificate Request Policies as Shipped
- Certificate Revocation Policy as Shipped
- Certificate Renewal Policy as Shipped
- TrustPointDNCustomRule as Shipped
- Policy Actions
- Edit
- Enable or Disable
- Delete
- Reordering Policies
- Adding Policies
- Predicates in Policy Rules
- Multiple Predicate Evaluation
- Evaluation Example for Multiple Predicates
- One Further Example of Evaluating Multiple Predicates
- Reordering Predicates
- Adding Predicates
- Developing a Custom Policy Plug-in
- What Processing Does a Policy Do?
- Steps in Creating a New Policy Plug-in
- An Example of a Custom Policy Plug-in
- Generic Error Messages
- Wallet Operations for OracleAS Certificate Authority
- Regenerating the CA Signing Wallet
- Regenerating the CA SSL and CA SMIME Wallets
- The CA SMIME Wallet
- Renewing Critical Wallets
- Changing Passwords
- Configuration Operations for OracleAS Certificate Authority
- Configuring Oracle HTTP Server to Use a Third Party SSL Wallet
- Revoking a Certificate Authority Certificate
- Revoking the OCA Web Administrator's Certificate
- Configuring Globalization Support for OCA Screens
- Performance Tuning for OracleAS Certificate Authority
- Tuning Database Connections
- Tuning OCA Interactions with OracleAS Single Sign-On
- Tuning Maximum Memory
- Tuning Oracle Internet Directory Connections
- Tuning Other Components
- Customization Support
- Log or Trace OCA Actions for Oracle Application Server Certificate Authority
- Clearing Log or Trace Information for OracleAS Certificate Authority
- Changing the Infrastructure Services That OCA Uses
- Changing Identity Management (IM) Services Used by OCA
- Changing Metadata Repository (MR) Services Used by OCA
- Where OCA Connection Information Is Stored and Displayed
- OracleAS Certificate Authority and High-Availability Features
- OracleAS Certificate Authority Deployment Using Cold Failover
- OracleAS Certificate Authority Deployment Using Real Application Clusters
- OracleAS Certificate Authority Backup and Recovery Considerations
- Restricting the Realm of Certificate Publication
- Replacing the CA and Deinstalling OracleAS Certificate Authority
- Accessing the User Interface
- End-User Tabs and Processes
- User Certificates Tab
- Single Sign-on Authentication (SSO)
- Configuring Your Browser to Trust OracleAS Certificate Authority
- Secure Sockets Layer (SSL) Authentication
- Manual Authentication
- Certificate Retrieval, Renewal, and Revocation
- Certificate Retrieval
- Certificate Renewal
- Certificate Revocation
- Server/SubCA Certificates Tab
- Subordinate CA Certificates
- Installing a CA Certificate
- Handling Certificate Revocation Lists (CRLs)
- Installing a CRL into Your Browser
- Installing the CRL In Netscape 7.x
- Installing the CRL In Internet Explorer (IE)
- Saving the Binary or BASE64 CRL to Disk
- Importing a Newly Issued Certificate to Your Browser
- Exporting (Backing up) Your Wallet from Your Browser
- Importing a Certificate from Your File System
- Command-Line Tool
- Converting a CA SSL Server Wallet into SSO Form ("Convertwallet")
- Starting the Oracle Certificate Authority Server
- Stopping the Oracle Application Server Certificate Authority Server
- Finding the Status of the Oracle Certificate Authority Services
- Changing Privileged Passwords
- Regenerating the Root Certificate Authority's Certificate
- Regenerating the Certificate Authority's SSL Certificate and Wallet
- Revoking a Root CA Certificate
- Generating a Sub CA Signing Wallet from OCA
- Installing/Importing a Sub CA Signing Wallet
- Generating a CA SSL Wallet for a Sub CA
- Clearing Log or Trace Storage
- Updating OCA Repository Connection Information
- Setting SSO Authentication (linksso, unlinksso commands)
- Setting Log/Trace Options
- Generating a Sub CA Signing Wallet
- Installing and Using the New Sub CA Signing Wallet
- Configuring an OCA Instance to Be a Subordinate CA of Another CA
- Generating CA SSL and CA SMIME Wallets for a Sub CA
- 1. Prerequisite Issues and Warnings
- a. Issue: Failure of Key Pair Generation during Certificate Requests on Windows.
- b. Issue: Cannot Log in as Administrator after Logging in as Normal User
- c. Issue: Changing Passwords Must Use OCA's Command-Line Tool ocactl
- d. Issue: Remembering and Restoring Passwords
- 2. Browser Issues
- a. Issue: Browser issues a warning if the CA SSL Server's CN does not match the machine name.
- b. Issue: Browsers use only the first (rightmost) CN component
- c. Netscape Issues
- i. Issue: Multiple certificates are available, but only one appears in popup window
- ii. Issue: Browser continues to ask if CA certificate is trusted.
- iii. Issue: Error When Connecting to User Pages.
- iv. Issue: "Certificate is expired" warning appears.
- v. Issue: SubCA and CA SSL client certificates are listed.
- vi. Issue: Pressing "Enter" in search screens produces "Internal Error".
- d. Internet Explorer (IE) Issues
- i. Issue: Failure to import CRL to Browser
- ii. Issue: Message that a page contains both secure and non-secure information
- iii. Issue: Opening online Help can generate a security alert.
- iv. Issue: Message about generating an excessive number of certificate requests.
- 3. Network Issues
- a. Issue: Error message when logging on to OCA using SSO username/password
- b. Issue: "Network Error" message.
- c. Issue: OCA Stops Working, or Network/Server Messages Appear
- 4. Certificate Issues
- a. Issue: Installing user certificate does not install CA certificate on Netscape
- b. Issue: Inability to Access or Use the Certificate Management Tab
- c. Issue: Administrator Needs to Work from a Different Machine
- 5. Single Sign-on Issues
- a. Issue: Name shown on an SSO certificate appears only as "User"
- b. Issue: VBScript Error Message While Generating Keys
- c. Issue: "Page can not be displayed" Message in Internet Explorer
- d. Issue: Going to SSO login page in IE can get a security warning dialog
- e. Issue: Certificate Acquired Through Single Sign-On Not Seen for SSL Authentication
- 6. Backup Protection Issues
- a. Issue: Ensuring Recoverability of the OCA Internal Repository
- 7. General Issues
- a. Issue: Pages taking too long to load, or hanging
- b. Issue: No SMIME signing certificate in Outlook Express
- c. Issue: Browser warning about CA SSL Server's CN
- 8. Need More Help?
- Certificate Usage
- Policy Application to Certificates
- Enabling SSL on SSO
- Enabling PKI on SSO
- Re-registering OCA's Virtual Host with the SSL-Enabled SSO
- Example of Re-Registering OCA
- Enabling OCA to Support Proxy Servers
- Disabling OCA's Support for Proxy Servers
- SMIME Operations
- Setup
- Getting certificates
- Setting SMIME parameters
- Sending Messages
- Outlook Mail Client
- Mozilla/Netscape Mail Client
- Receiving Messages
- Outlook Mail Client
- Mozilla/Netscape Mail Client
- Getting Other People's Encryption Certificates