Oracle® Application Server Release Notes
10g Release 2 (10.1.2) for hp-ux PA-RISC (64-bit)
B15511-05

20 Oracle Application Server Certificate Authority

This chapter describes issues with Oracle Application Server Certificate Authority (OracleAS Certificate Authority, OCA). It includes the following topic:

  • Section 20.1, "Configuration Issues and Workarounds"

20.1 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds for OracleAS Certificate Authority. It includes the following topics:

  • Section 20.1.1, "Globalization Support: Web Admin Mutual Authentication Fails if Non-English CN or O is Used in Root CA"

  • Section 20.1.2, "When You Install OCA, the Root CA's DN Cannot Contain an Apostrophe"

  • Section 20.1.3, "OCA Cannot Connect to Oracle Internet Directory After Oracle Internet Directory is Restarted"

20.1.1 Globalization Support: Web Admin Mutual Authentication Fails if Non-English CN or O is Used in Root CA

If the DN of the root CA contains an 8-bit Western European character in the CN or O (for example, CN = Típicocn, OU = Típicoou, O = Típicoorg, C = BR), the installation succeeds, but the administrator is unable to log in to OCA: the SSL mutual authentication to the Web Admin interface fails.

No workaround exists for this bug. You are advised not to use 8-bit Western European characters in the CA's DN. Please contact Oracle Support Services if you need assistance.

20.1.2 When You Install OCA, the Root CA's DN Cannot Contain an Apostrophe

When you install OCA, the Root CA's DN cannot contain an apostrophe. For example, the DN cannot be specified as CN=Oracle's CA, O=oracle,C=us.

If you want to have an apostrophe in the root CA's DN, use the following steps as a workaround. Do this before OCA issues any certificates: revoking the root CA certificate in step 2 invalidates everything that chains to it, and because the CA SSL wallet and the LDAP client wallet hold certificates issued by the root CA, they must be regenerated under the new root (steps 4 and 5).

  1. During installation, establish the root CA using any value of DN that does not contain an apostrophe.

  2. After installation, take the following steps:

    1. Stop OHS and OC4J:

      $OH/opmn/bin/opmnctl stopproc type=ohs
      $OH/opmn/bin/opmnctl stopproc process-type=oca
      
      
    2. Revoke the dummy root CA certificate:

      $OH/oca/bin/ocactl revokecert -type CA
      
      
    3. Regenerate the root CA certificate (you can now enter the root CA's DN with an apostrophe):

      $OH/oca/bin/ocactl generatewallet -type CA
      
      
    4. Regenerate CA SSL wallet:

      $OH/oca/bin/ocactl generatewallet -type CASSL
      
      
    5. Regenerate the LDAP client wallet:

      $OH/oca/bin/ocactl generatewallet -type LDAP
      
      
    6. Start OHS, OC4J, and OCA:

      $OH/opmn/bin/opmnctl startproc type=ohs
      $OH/opmn/bin/opmnctl startproc process-type=oca
      $OH/oca/bin/ocactl start
      
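The following script is an added example (not part of the Oracle release notes) that ties the two DN restrictions above together: check_ca_dn screens a proposed root CA DN before installation, refusing DNs with non-ASCII characters (Section 20.1.1, no workaround) and flagging DNs with an apostrophe as needing the post-install regeneration (Section 20.1.2), and regen_root_ca runs the nine commands of that procedure in order, stopping at the first failure. The function names, exit codes and the DRY_RUN switch are this example's own; the commands themselves are the ones listed in the procedure.

```shell
#!/bin/sh
# Added example: pre-flight DN check and fail-fast runner for the 20.1.2
# procedure. Not Oracle's code; names and return codes are assumptions.

# check_ca_dn DN
#   returns 0  DN is safe to enter at installation time
#           1  DN contains a character outside printable ASCII (e.g. the "í"
#              in Típicocn); no workaround exists (20.1.1), so refuse it
#           2  DN contains an apostrophe; install with a placeholder DN and
#              run the post-install regeneration (20.1.2)
# A DN with both problems reports 1, the one that cannot be worked around.
check_ca_dn() {
    dn=$1
    # LC_ALL=C makes grep match byte-wise, so every byte of a UTF-8 or
    # ISO-8859-1 accented character (>= 0x80) falls outside the " ".."~" range.
    if printf '%s' "$dn" | LC_ALL=C grep -q '[^ -~]'; then
        return 1
    fi
    case $dn in
        *\'*) return 2 ;;
    esac
    return 0
}

# regen_root_ca ORACLE_HOME
# Runs the post-install steps in order and stops at the first failure, so a
# failed revoke or wallet generation is never followed by the restart steps,
# which would bring OCA up with a half-replaced trust chain. ocactl prompts
# on the terminal (administrator password; the new DN for the CA wallet, as
# the procedure says), so run this interactively. DRY_RUN=1 prints the
# commands instead of executing them. ORACLE_HOME must not contain spaces.
regen_root_ca() {
    oh=$1
    set -- \
        "$oh/opmn/bin/opmnctl stopproc type=ohs" \
        "$oh/opmn/bin/opmnctl stopproc process-type=oca" \
        "$oh/oca/bin/ocactl revokecert -type CA" \
        "$oh/oca/bin/ocactl generatewallet -type CA" \
        "$oh/oca/bin/ocactl generatewallet -type CASSL" \
        "$oh/oca/bin/ocactl generatewallet -type LDAP" \
        "$oh/opmn/bin/opmnctl startproc type=ohs" \
        "$oh/opmn/bin/opmnctl startproc process-type=oca" \
        "$oh/oca/bin/ocactl start"
    for cmd in "$@"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || { echo "step failed, stopping here: $cmd" >&2; return 1; }
        fi
    done
}

# Usage:
#   check_ca_dn "CN=Oracle's CA, O=oracle,C=us"; echo $?    (prints 2)
#   DRY_RUN=1 regen_root_ca "$ORACLE_HOME"                   (lists the 9 steps)
```

Run check_ca_dn against the DN you intend to type into the installer; only a return code of 2 should ever lead to regen_root_ca, and a return code of 1 means choosing a different DN, since Section 20.1.1 has no workaround. The check is deliberately byte-based rather than locale-aware so that it gives the same answer regardless of the terminal's character set.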

20.1.3 OCA Cannot Connect to Oracle Internet Directory After Oracle Internet Directory is Restarted

If Oracle Internet Directory connection failures arise while generating certificates, the workaround is to restart OCA. This workaround also applies if Oracle Internet Directory connection failures are reported in the OCA log.

Connection failures arise because whenever Oracle Internet Directory is restarted, all OCA connections to the directory stop working.

Restarting Oracle Internet Directory can occur for reasons such as the following:

  • Oracle Internet Directory crashed and was automatically restarted by opmn.

  • After changing some settings, an administrator explicitly restarted the directory.

  • Oracle Internet Directory is operating on a separate machine, where something occurred that required the directory be brought down and restarted.

  • A load balancer switched from one Oracle Internet Directory to another. OCA cannot automatically connect to the other directory instance until explicitly restarted to do so.

  • OCA was not used for a long time, and its connections to the directory timed out.

Often it is not obvious that OCA cannot connect to the directory, because OCA is designed to keep working while the directory is unavailable: it keeps a list of tasks to perform once the directory is available again, and performs them at that time. Therefore OCA gives no error message when it cannot connect to the directory, and often the only way the OCA administrator can learn that OCA needs to be restarted is to look at the OCA logs.

Users do see the connection failures in one scenario. If OCA is configured to include the subject alternative name extension in generated certificates, OCA must connect to the directory to issue them. If that connection cannot be made, users start seeing Oracle Internet Directory connection failures, which makes it easy for the administrator to know that OCA needs to be restarted.
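Because OCA reports nothing when its directory connections die, the restart has to be triggered from outside. The watcher below is an added example (not Oracle's code) of doing that from the shell: it polls the directory and restarts OCA only on the "unreachable, then reachable again" transition, which covers the restart, crash and load-balancer failover cases listed above. The directory host and port, the use of ldapbind from $OH/bin for the probe, and "ocactl stop" followed by "ocactl start" as the restart are this example's assumptions; replace them with whatever fits your installation.

```shell
#!/bin/sh
# Added example: restart OCA when Oracle Internet Directory comes back after
# an outage (the 20.1.3 workaround, automated). Not Oracle's code; the host,
# port, probe command and restart command below are assumptions.

OH=${OH:-/opt/oracle/ias}              # assumed Oracle home
OID_HOST=${OID_HOST:-oid.example.com}  # assumed directory host
OID_PORT=${OID_PORT:-389}              # assumed directory port
INTERVAL=${INTERVAL:-30}               # seconds between probes
OID_STATE=up                           # last observed directory state: up | down

# Returns 0 when the directory answers a bind, non-zero otherwise.
# Assumes Oracle's ldapbind accepts -h/-p for an anonymous bind.
probe_oid() {
    "$OH/bin/ldapbind" -h "$OID_HOST" -p "$OID_PORT" >/dev/null 2>&1
}

# Assumed restart sequence; ocactl start is the command used in 20.1.2.
restart_oca() {
    "$OH/oca/bin/ocactl" stop && "$OH/oca/bin/ocactl" start
}

# One polling step: record the directory state and restart OCA on the
# down -> up transition, the moment OCA is holding dead connections.
# A directory that was never seen down (idle-timeout case) is not detected
# here; the OCA log remains the only signal for that.
oid_step() {
    if probe_oid; then now=up; else now=down; fi
    if [ "$OID_STATE" = down ] && [ "$now" = up ]; then
        echo "directory back at $OID_HOST:$OID_PORT, restarting OCA" >&2
        restart_oca || echo "OCA restart failed; restart it by hand" >&2
    fi
    OID_STATE=$now
}

# Polling loop; run it in the background on the OCA host.
oid_watch() {
    while :; do
        oid_step
        sleep "$INTERVAL"
    done
}

# Usage:  nohup sh -c '. ./oid_watch.sh; oid_watch' &
```

Keep INTERVAL shorter than the time the directory takes to restart, otherwise the watcher never observes the "down" state and never fires. The watcher does not help with the last bullet above (connections timed out during a long idle period), because from its point of view the directory was up the whole time; for that case, review the OCA logs as the release note recommends, or restart OCA before a period of expected use.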