| Oracle® Application Server Certificate Authority Administrator's Guide 10g (10.1.4.0.1) Part Number B15989-01 |
|
|
View PDF |
| Oracle® Application Server Certificate Authority Administrator's Guide 10g (10.1.4.0.1) Part Number B15989-01 |
|
|
View PDF |
The term "end-users" includes persons, of course, but also server entities that acquire certificates to facilitate authentication among servers and applications.
Separate HTML interfaces exist for end-user and administrator interaction with the OracleAS Certificate Authority server. Using these HTML forms, end-users can perform personal certificate-related operations and the administrator can perform certificate administration and management.
|
See Also: For the OracleAS Certificate Authority web administrator interface, see |
The present chapter describes the end-user interface in the following sections:
Both Netscape and Internet Explorer are supported.
To access the home page for the end-user interface to OracleAS Certificate Authority, launch your web browser and enter the URL and port number of the administration server as they were displayed at the end of installation. For example:
https://server1.example.com:6600/oca/user
The Oracle Application Server Certificate Authority user home page appears:
As the page itself explains, you can use this web interface to request, renew, revoke, or find any certificate or certificate request. To access these capabilities, you can click either the User Certificates tab or the Server / SubCA Certificates tab.
You can also use the click here links to install into your browser the Certificate Authority's certificate or the latest certificate revocation list (CRL).
Similarly, administrators can use their click here links to save the CA certificate or CRL into their file system for additional uses.
The OracleAS Certificate Authority web interface enables two types of end-user interaction with OracleAS Certificate Authority, as represented by the two tabs:
From the User Certificates tab you can
authenticate yourself to the OracleAS Certificate Authority, either by using existing Single Sign-On or SSL certificates, or by requesting manual authentication by an administrator,
create a new certificate request for manual approval by the OracleAS Certificate Authority administrator (for end-users or servers),
request and receive a certificate automatically (for SSL and OracleAS Single Sign-On users),
save or install the latest certificate revocation list (CRL).
Table 8-1 lists the types of certificates that Oracle Application Server Certificate Authority supports and provides a brief explanation for each.
Table 8-1 Choices for Certificate Usage
| Function | Description |
|---|---|
|
Authentication |
Enables secure identification when requesting or providing access or services, such as when logging into an enterprise portal. (Typically, SSL protocol is used.) The user of an Authentication certificate intends the certificate to be used during SSL authentication. |
|
Encryption |
Enables encrypting and decrypting electronic documents, including email messages, using SMIME. When using an Encryption certificate to encrypt email, the user provides it to others to enable them to send messages to him, encrypted with his public key. Then only he can decipher them using the private key. (Note 1) To use an Encryption certificate with mail clients, such as Outlook or Mozilla, see Appendix G, "S/MIME with OracleAS Certificate Authority". |
|
Signing |
Enables verifiable signature for (and assures non-tampering of) electronic documents, including email (using S/MIME, the Secure Multipurpose Internet Mail Extension) The user of a Signing certificate intends to use it to sign message digests with his private key, enabling others to use his public key to verify that he originated the message and it is unchanged. To use a Signing certificate with mail clients, such as Outlook or Mozilla, see Appendix G, "S/MIME with OracleAS Certificate Authority". |
|
Authentication, Encryption |
Certificate can be used for both purposes. |
|
Authentication, Signing |
Certificate can be used for both purposes. |
|
Authentication, Encryption, and Signing |
Certificate can be used for all three purposes. |
|
Encryption, Signing |
Certificate can be used for both purposes. |
|
CA Signing |
Enables requesting subordinate CA certificates A Certificate Authority uses the private key of a CA Signing certificate to sign the certificates it issues, enabling recipients to use its public key to verify that the certificate was in fact signed by this specific Certificate Authority. |
|
Code Signing |
Provides verifiable signature for the provider of (and assures non-tampering of) Java code, JavaScript, and other signed files. The user of a Code Signing certificate intends to sign software his private key, enabling clients to use his public key to verify that he is indeed the source of the software. |
From the Server/SubCA Certificates tab, you can
search for certificates and certificate requests by ID, serial number, or Common Name, and so on,
install the CA certificate or the certificate revocation list (CRL).
Upon first entering this tab, you see the Authentication page, which enables you to select how you authenticate yourself to Oracle Application Server Certificate Authority.
Table 8-2 lists the available types and methods:
Table 8-2 Types of Authentication
| Authentication Type | Description | Method in brief (details in following sections) |
|---|---|---|
|
Authentication is automated, based on your single sign-on server. Typically it is password-based. |
Click the radio button labeled Use your OracleAS Single Sign-On name and password and then click Submit. |
|
|
Authentication is automated, based on your pre-issued SSL certificate. |
Click the radio button labeled Use Your Existing Certificate and then click Submit |
|
|
Authentication is not automated. You must fill out a Certificate Request form, submit it, and wait for approval from the administrator. |
Click the radio button labeled Use manual approval/authentication and then click Submit. |
|
See Also: Chapter 2, "Identity Management and OracleAS Certificate Authority Features" about authentication. |
These types and methods are explained in greater detail in the following sections:
Configuring Your Browser to Trust OracleAS Certificate Authority
The following steps enable OracleAS Single Sign-On users to get a certificate automatically, or to manage their certificates, by supplying the required OracleAS Single Sign-On authentication information, such as username and password:
In the Authentication form, select the option labeled Use Your OracleAS Single Sign-On Name and Password and click Submit. You will be redirected to the OracleAS Single Sign-On login page.
Enter your OracleAS Single Sign-On user name and password. The User Certificates - SSO form appears, showing your valid certificates and enabling you to do the following tasks:
Get a Certificate.
View Details of a Selected Certificate.
Renew a current certificate.
To get a certificate, do steps 3 through 5:
Click Request a Certificate on the User Certificates - SSO form to display the Certificate Request form.
In the Certificate Request form, enter the information appropriate to you and submit the form. The choices you see when using Netscape are slightly different from those you see when using Internet Explorer:
In Netscape, the phrase Certificate Key Size appears, referring to the size, in bits, of the key-pair to be generated: 512, 1024, ...
In Internet Explorer, the phrase Cryptographic Service Provider appears, referring to a choice of providers for cryptography service. Standard choices include Microsoft Basic Crypto Provider, Microsoft Enhanced Crypto Provider, and Microsoft Strong Crypto Provider. The OracleAS Certificate Authority default is the "Strong" choice, if available, followed by Enhanced, if available, and then by Basic. Other choices may also be present, such as Gemplus for smartcard usage. Select the size according to your requirements.
Certificate Usage: Choose the types of operations for which you will use this certificate. Your OracleAS Certificate Authority administrator sets the standard default shown first in the list, but you can, if you wish, choose a different item from the drop-down list, as shown in Table 8-1.
Validity Period: Duration of the certificate's validity, in days. However, OracleAS Single Sign-On users need not key in the validity period information because it is automatically set by the Oracle Application Server Certificate Authority, using the number specified for the "default Validity period" in the ValidityRule policy.
After you submit the filled-out form, the Certificate form appears, showing the information recorded on the certificate.
After checking that the information about you is correct, make a note of the name of the signer of the certificate: you will need that name later. Then click the Install to Browser button to install the certificate into your browser. Netscape and Internet Explorer report successful installation differently:
|
Note: If you click OK instead of Install in Browser, your certificate is created, stored in the OracleAS Certificate Authority repository, and published to the Oracle Internet Directory. However, your browser cannot supply it to a server until you install it. See "Importing a Newly Issued Certificate to Your Browser". |
In Netscape, you will know the certificate has been installed when you see the words "Document Done" in the status bar at the lower left of your browser. At that point, click OK: even though the cursor continues to show the hourglass, the action is completed. The corresponding CA's (Signer's) certificate has also been installed.
|
Note: For this certificate to be trusted, you need to edit the CA certificate's uses, specifying that you trust certificates issued by this Certificate Authority for network sites, email users, software developers, or all three. Checkboxes for these choices are reached through the Security choice on Netscape's menu bar: see "Trusting a Certificate Issuer in Netscape". |
In Internet Explorer, you know the certificate has been installed when you see the message "Certificate has been installed successfully". You are also asked whether you want the Signer's certificate installed, on a window showing the details of that CA. Click OK to ensure that certificate is also installed. Internet Explorer automatically treats such a certificate as trusted.
This process is slightly different in Internet Explorer, Netscape, and Mozilla Firefox.
When you install a certificate using Internet Explorer, it asks whether you wish to add that certificate to the Root Store:
Clicking Yes installs the certificate and sets the issuer as "trusted." You can view your certificates by selecting the menu choices "Tools - Internet Options - Content - Certificates." The four tabs then shown enable you to see your own certificates, those supplied by others to authenticate them to you, intermediate certificate authorities who have supplied certificates to you, and the root certificate authorities you have chosen to trust.
When you install a certificate using Netscape, it installs both the certificate you requested and the certificate representing the certificate authority that signed and issued your new CA certificate. The only notification you get is the message "Document Done" in the lower-left status-bar area of your browser. However, your new certificate is not trusted until you explicitly identify for Netscape those activities for which you want to trust the signer's certificate.
You do so by the following steps:
Open Netscape's Security Info page by clicking the "lock" icon in the status bar at the lower left of your browser. (Or by selecting "Communicator - Tools - Security Info" from the menu bar.) A page like the following appears:
Click the "Signers" link. A page like the following appears:
Click the name of the signer that you noted when viewing the certificate's details, and click Edit. A page like the following appears:
Click the three checkboxes shown as checked in the illustration, and then click OK.
The CA certificate is now trusted to verify the certificates of network sites this browser connects to, of signed or encrypted messages received, or of signed software.
When you install a certificate using Mozilla Firefox, it notifies you that the issuing certificate authority is unknown:
To make this a trusted certificate, select the Accept this certificate permanently checkbox and click OK.
You can inspect a certificate before accepting it, by clicking the Examine Certificate button. You will see a display like the following:
Select any field to display its value.
If you already have an SSL certificate from the Certificate Authority, you can obtain an OracleAS Certificate Authority certificate for future authentication purposes by using the current SSL certificate as identification, as follows:
From the Authentication form, select Use Your Existing Certificate option and click Submit. The User Certificates - SSL form appears, from which the following tasks can be performed:
Get a Certificate.
View Details of a Selected Certificate.
Renew a current certificate.
Revoke a current certificate.
To get a certificate, do steps 2 through 5:
From the User Certificates - SSL form, click Request a Certificate to display the Certificate Request form.
In the Certificate Request form, enter the information appropriate to you and submit the form. The Netscape interface is slightly different from that of Internet Explorer, as explained earlier in "Single Sign-on Authentication (SSO)".
After you submit the filled-out form, the Certificate form appears, showing the information recorded on the certificate.
After checking that the information is correct, click the Install in Browser button to install the certificate into your browser.
Click OK to return.
To obtain a certificate using manual authentication, perform the following steps:
From the Authentication form, select Use Manual Approval Authentication and click Submit. The User Certificates form appears, enabling you to specify your DN and contact information, as well as select the key size, usage, and validity period for the certificate you are requesting.
On the User Certificates form, click Request a Certificate to display the Certificate Request form.
In the Certificate Request form, enter the DN and contact information appropriate to you. (Separate DN entries with a comma.) Use the Enrollment form's drop-down list to select key size and Authentication (SSL) certificate (plus Encryption or Signing if desired), and then submit the form to the Oracle Certificate Authority administrator.
A Request ID is allocated, specific to this user request, which you use to locate the certificate once it is approved.
The certificate becomes available only after receiving the administrator's approval.
Once the administrator communicates that the certificate is approved, go to the Certificate Retrieval form, search for your certificate using your Request ID or DN, and install the certificate.
After a certificate request is approved, the issued certificate can be retrieved for review and installation. Use the same machine and browser as when you requested the certificate.
After an OracleAS Single Sign-On- or SSL-certificate has been in use for a period, it can be renewed during a configurable time-window around its expiration date.
An issued certificate can be revoked if it is, for some reason upon review, incorrect or inappropriate or no longer valid for its intended user or activities.
These certificate operations are described in the following sections:
After you receive notification that your manual-authentication certificate request is approved, you need to review the certificate and install it. You can find your certificate by entering the serial number from that notification into the search field on the User Certificates page. After it is found and you select it by clicking the radio button next to the serial number, you can click View Details to review the data used in generating it. Then you can install it as described in "Importing a Newly Issued Certificate to Your Browser".
If, for a particular certificate, these data are not correct, then that certificate should be revoked and replaced by applying for a new certificate.
OracleAS Single Sign-On and SSL certificate users can renew their certificates
A user can renew such a certificate within a certain period of days before and after a certificate is due to expire. By default, this period is 10 days before and 10 days after the certificate's expiration date. However, the administrator can alter this period by using the Configuration tab in the administration web interface. Users can select a certificate, click View Details, and then renew the certificate.
OracleAS Single Sign-On and SSL certificate users can revoke certificates.
If errors or problems are found with a certificate, or if a private key is stolen, and so on, the certificate should be revoked. The user can supply correct information for a new certificate. Using the new certificate should cancel out whatever issues were associated with the earlier one.
Revoking a certificate will mark it as revoked in OracleAS Certificate Authority repositories and causes it to be added to the CRL the next time the CRL is generated. However, revoked certificates are not removed automatically from your browser database. You should remove them manually. In Netscape, you click the Security icon on the browser, click the Yours choice under Certificates, select the revoked certificate from the list displayed, and click Delete.
An administrator for any server can obtain a server certificate enabling PKI authentication for that server with other servers or users. To do so, a PKCS#10 request form is needed, which can be generated using Oracle Wallet Manager (or an equivalent third-party tool). See the Oracle Wallet Manager chapter in the Oracle Application Server Security Guide.
From the Server Certificates tab page, use the following steps:
On the Home page, select the Server/Sub CA Certificates tab to display the Server Certificate form.
Click the Request a Certificate button.
On the Server / SubCA Certificate Request form, you paste in the completed PKCS#10 request form generated earlier by Oracle Wallet Manager, and choose the type of certificate you want. You can request Authentication (SSL)/Encryption, Signing, Code Signing, or CA Signing server certificates. To function as a subordinate CA, specify CA Signing as the certificate usage in the enrollment form. You also choose the validity period for your requested certificate, from the drop-down choices presented.
Enter the appropriate information and submit the form to the administrator.
The server administrator obtains authentication only after the administrator approves this request.
In circumstances where a single CA is impractical, such as separate continental divisions in a single company, multiple CAs can be maintained within the PKI structure. In a hierarchical PKI, the root CA is the single CA trusted by all users. The root CA's public key is what serves as the beginning of the trust path for a security domain.
OracleAS Certificate Authority can be a root CA or it can obtain a Subordinate CA certificate from a third-party CA. OracleAS Certificate Authority can certify the certificate signature of another CA, thereby creating a subordinate CA. The subordinate CA may in turn issue certificates to even lower-level CAs, creating what is called a certificate chain. An individual certificate signed by one of the subordinate CAs must present the certificates of all CAs up to the root. Because each authority's certificate is signed by a higher CA, a user can verify the validity of a particular certificate by tracing the certificate authority path back to the root CA.
To obtain a subordinate CA certificate, perform the following steps:
On the Home page, select the Server/Sub CA Certificates tab to display the Subordinate CA Certificates form.
Click the Request a Certificate button.
In the Subordinate CA Certificate Request form, enter the appropriate information, select certificate usage type as CA signing, and submit the form to the administrator.
The requester obtains a certificate only after the administrator approves this request.
In Netscape, after you click Request a Certificate, OracleAS Certificate Authority presents a sequence of dialog boxes. These dialogs describe the operations that need to happen in order to accept the OracleAS Certificate Authority certificate. Click Next on each dialog box as it is presented, and Finish on the last one. Your CA certificate will be automatically installed into your browser.
For Internet Explorer, you are asked simply to accept or reject the CA Certificate install. You may wish to do so simply to trust servers whose certificates are issued by this CA, even if you do not want to get a certificate from it. The browser will ask whether you want to save the certificate or open it from the current location. To install the CA certificate into your browser, you select Open the file from its current location and click OK. In the next window that opens, choose Install Certificate and accept the certificate install to place the CA certificate into the browser's repository.
CRLs can be installed in your browser or saved to disk to enable recognition and rejection of certificates that have expired or been revoked.
Upon clicking Save CRL, the CRL is displayed, showing all revoked and expired certificates. At the bottom of the page are the buttons Install CRL in Browser, Save Binary CRL to Disk, and Save BASE64 CRL to Disk.
Installing a certificate revocation list enables your browser to warn you if an incoming certificate offered by an individual or company has been revoked. Use of a revoked certificate could indicate a possible problem with impersonation or with a product being offered or used. Being warned can help you avoid potentially inappropriate interactions.
The steps for installing the CRL are browser-dependent:
The operations to save a CRL to the file system are discussed in "Saving the Binary or BASE64 CRL to Disk".
From the User Certificates tab of Oracle Application Server Certificate Authority, do the following tasks:
Click the Install CRL in Browser button. A Netscape dialog box tells you the import was successful. If automatic update was enabled for this CRL, you can view those settings by clicking Yes, or dismiss the dialog by clicking No.
If you click Yes, you can see when the next update is scheduled and what site provides that update.
You can manually delete or update this CRL by using this navigation path:
In Netscape, follow Edit/Preferences/Privacy & Security/Validation/Manage CRLs
In Firefox, follow Tools/Options/Advanced/Validation/Manage CRLs
If you already have the CRL and its validity is the same or later than the CRL being installed, a small dialog box informs you that the CRL you are attempting to install is not later than one already in your browser.
In IE, the CRL is not directly imported into the browser. As in the case of importing a CA Certificate, IE asks the question Save to Disk or Open from the Current Location. In the latter case, the CRL is not imported. If you choose Save to Disk, you then do the following actions:
Select the directory in which you want to store the CRL.
Click OK.
In addition to installing the CRL into your browser, you can also
save a binary copy of the CRL (named OCAcrl.crl) by clicking Save Binary CRL to Disk and choosing the directory in which you want it stored, or
save an copy in Base64 format (named OCAcrlBase64.txt), which you can cut and paste, by clicking Save BASE64 CRL to Disk and choosing the target directory.
Saving a certificate revocation list (CRL) to disk in your file system enables other programs to use it to detect revoked or expired certificates offered by an individual or a company. Avoiding the use of such a certificate can protect your resources and applications from inappropriate or unauthorized uses.
To save a CRL to disk, follow these steps:
Go to the OracleAS Certificate Authority User Certificates Page.
Click Save CRL to Disk.
Click either Save Binary CRL to Disk or Save Binary BASE64 CRL to Disk.
Save the CRL into a directory of your choice.
Modify your http.conf file, located in $ORACLE_HOME/apache/apache/conf, to include the "SSLCARevocationFilePath" parameter, and point that parameter to the directory containing the new CRL file. For example:
SSLCARevocationFilePath=/usr/myname/certstoreject.crl
After your request for a certificate is approved, OracleAS Certificate Authority displays its details for you in a new window so that you can check that the details match what you intended. Check that the name, validity period, and other attributes on the certificate are as they should be. If those details include any serious error, you should revoke this certificate and apply for a new one, specifying all the correct information on the request form.
When you are satisfied, click the Import Certificate button to import a copy of the certificate into your browser. You will see the message Document Done in the lower-left status-bar area of your browser. You can then click OK.
If you were to simply click OK without clicking Import Certificate, the server would have a copy of your certificate but your browser would not. It could not supply the certificate when needed for authentication to an application, a directory, or another server.
The action of importing the certificate also imports the chain of CAs up to the root CA. However, in Netscape and Mozilla Firefox, the CA certificate imported along with the user certificate is not automatically trusted. You need to establish the trust, as follows:
In Netscape:
Click Edit/Preferences/Privacy & Security/Certificates/Manage Certificates
In Mozilla Firefox:
Click Tools -> Options
In the left pane, select the Advanced tab
In the right pane, expand the certificate item
Click Manage Certificates
In both Netscape and Mozilla Firefox:
Click the Authorities tab.
Select the appropriate CA Certificate by name. (You may be prompted for the repository password.)
Click Edit.
Check the appropriate check boxes to trust this certificate for identifying Web sites and encrypting Web site connections, for signing or encrypting email users, or for identifying software makers.
Select OK.
This process establishes the desirable trust relationships so that the browser will trust the certificates issued by this imported certificate for the purposes you selected as Certificate Usage when you try to establish an SSL session.
You can (and should) export your wallet to your file system for safekeeping, so that you can restore the contents after any possible disruption to your system or your browser. The wallet contains your certificate, private key, and the chain of certificates for the trusted Certificate Authority that issued your certificate.
Use the following steps to export a certificate:
In Netscape:
Click Edit/Preferences/Privacy & Security/Certificates/Manage Certificates
In Mozilla Firefox:
Click Tools -> Options
In the left pane, select the Advanced tab
In the right pane, expand the certificate item
Click Manage Certificates
In both Netscape 7.x and Mozilla Firefox, continue as follows:
Select the certificate that needs to be exported and click Backup.
Enter the file name for the PKCS#12 wallet and click Save.
Enter the Netscape repository password, and click OK.
A window appears, with the prompt Please enter the master password for the Software Security Device. Upon entering the correct password (the browser repository password), a new window appears.
In this window, labeled Choose a Certificate Backup password, you enter the password with which the PKCS#12 wallet will be encrypted. You will need to enter the same password again to confirm the password. A password quality meter in this window gives information on the quality of the password provided.
Click OK. An alert appears saying that backup is successful.
In Internet Explorer, use the following steps to export a certificate:
From the Tools menu, select Internet Options.
A window opens showing six tabs you can choose from.
Select the Content tab, and click the Certificates button.
The Certificate Manager window opens, with four tabs enabling you to see your personal certificates, those of other people, plus the names and expiration dates for trusted and intermediate issuers of certificates.
In the Personal tab, click the particular certificate you want to export.
Click the Export button under the subordinate window.
Click Next in the Certificate Manager Export Wizard.
If you wish to export the private key, click the Yes radio button. (If not, click the No radio button.) Clicking Yes means your private key is also stored.
Click Next.
Choose PKCS #12 and check the two checkboxes beneath it, and click Next.
When asked, enter a password to preserve the security of the private key. You will be asked for it twice, and what you enter must match.
As usual, you must remember this password in order to retrieve and reuse this private key. Without the password, it will not be usable.
When asked, enter the file system destination, path name, and filename where this encrypted certificate and key is to be stored.
A new window shows the choices you've made. After verifying this information, click Finish.
A message appears saying The export was completed successfully.
Click OK, Close, and OK to exit from the windows used for this process.
You can import a certificate into your browser from a file stored on your file system. The file must be of type pkcs12, with extension .p12. You will need to know the password that was used to encrypt that wallet.
Use the following steps to import a certificate from a PKCS#12 wallet in Netscape and Mozilla Firefox browsers:
In Netscape:
Click Edit/Preferences/Privacy & Security/Certificates/Manage Certificates
In Mozilla Firefox:
Click Tools -> Options
In the left pane, select the Advanced tab
In the right pane, expand the certificate item
Click Manage Certificates
In both Netscape and Mozilla Firefox, continue as follows:
Click Import.
Choose the PKCS#12 wallet containing the certificate and key to be imported and click Open.
Enter the Netscape Repository password in the popup that appears, and click OK.
A prompt appears: Please enter the master password for the Software Security Device. Upon entering that password, a new window appears, labeled Password Entry Dialog.
In this new window, enter the password that will be used to decrypt the PKCS#12 wallet, and click OK.
An alert appears, saying that restoration of the certificate and private key is successful.
In Internet Explorer (IE), use the following steps to import a certificate from a PKCS#12 wallet:
From the Tools men, select Internet Options.
A window opens showing six tabs you can choose from.
Select the Content tab, and click the Certificates button. The Personal tab lists your certificates.
Click Import. The Certificate Import Wizard window appears.
Click Next and then Browse to the directory containing your desired certificate.
Double-click to put the full path into the Wizard, and then click Next.
Enter the password for the wallet you selected.
Click Next.
Internet Explorer can automatically select the certificate store based on the type of certificate, or you can tell it where you want the certificates by clicking the other radio button and entering the path to that store.
Click Next.
Click Finish.
If the certificate store being used by IE does not yet contain the certificate of the the CA who issued your certificate, a dialog box will appear asking if you want to add it to that store.
Click Yes. Having that certificate makes it possible to authenticate with other servers or users whose certificates were also issued by that CA (or another authority in the same chain of trust).
IE displays a dialog box telling you the import was successful.
Click Close and OK to exit from the certificate and security area of IE.
