To use the SSL protocol and public key security to protect communication between principals and the Oracle Tuxedo domain, you need to install a special license. For information about installing the license, see Installing the Oracle Tuxedo System.

Any digital certificate that is obtained and used must be issued from a trusted certificate authority defined in the trusted CA file. For more information, see “Defining the Trusted Certificate Authorities” on page 4‑7.
key.der

request.pem    The CSR file which you submit to the certificate authority. It contains the same data as the .der file, but the file is encoded in ASCII so that you can copy it into e-mail or paste it into a Web form.

LDAP directory services define a hierarchy of object classes. While there are a number of different object classes, there is a small set associated with digital certificates. Figure 4‑1 illustrates the object classes typically associated with digital certificates.
• Digital certificates for the IIOP Listener/Handler and any principals are stored in the LDAP directory service with an attribute of userCertificate on an object class with that attribute defined. Typically, these digital certificates are stored as an instance of the strongAuthenticationUser object class as defined by X.500.
• Digital certificates for certificate authorities are stored in the LDAP directory service with an attribute of caCertificate on an object class with that attribute defined. Typically, these digital certificates are stored as an instance of the certificateAuthority class as defined by X.500.

If your LDAP scheme requires the use of different classes, you will need to modify the LDAP search file as described in “Editing the LDAP Search Filter File” on page 4‑4.

Refer to Installing the Oracle Tuxedo System for information about integrating an LDAP directory service into the CORBA security environment.
•
• A filter stanza that searches the directory service for digital certificates assigned to principals. The filter limits its search to instances of the strongAuthenticationUser object class.

If the directory service scheme for your organization is defined to store digital certificates in object classes other than certificationAuthority and strongAuthenticationUser, the LDAP search filter file must be modified to specify those object classes.

You can specify a location of the LDAP search filter file during the installation of the Oracle Tuxedo product. For more information, see Installing the Oracle Tuxedo System.
• BEA_person_lookup specifies that the LDAP directory service is searched for principals by their e-mail addresses.
• BEA_issuer_lookup specifies that the LDAP directory service is searched for principals by their common names (cn).
1.
2. All characters after the dot (.) character are deleted.
3. A .PEM file extension is appended to the file.

For example, if the name of the principal is milozzi@bigcompany.com, the resulting private key file is milozzi_bigcompany.pem. This naming convention allows an enterprise to have multiple principals that share a common username but are in different e-mail domains.

The $TUXDIR/udataobj/security/keys directory should be protected so that only the owner has read privileges for the directory and all other users do not have privileges to access the directory.

Listing 4‑1 provides an example of a private key file.

Listing 4‑1 Example of Private Key File

Retrieve from the LDAP directory service the digital certificates for the certificate authorities that are to be trusted. Cut and paste the PEM formatted digital certificates into a file named trust_ca.cer, which is stored in $TUXDIR/udataobj/security/certs. The trust_ca.cer file can be edited with any text editor.

The trust_ca.cer file should be owned by the administrator account. Oracle recommends that the file be protected so that only the owner has read and write privileges for the file and all other users have only read privileges for the file.

Listing 4‑2 provides an example of a Trusted Certificate Authority file.

Listing 4‑2 Example of Trusted Certificate Authority File

The Peer Rules are maintained in an ASCII file named peer_val.rul. Store the peer_val.rul file in the following location in the Oracle Tuxedo directory structure:

Listing 4‑3 provides an example of a Peer Rules file.

Listing 4‑3 Example of Peer Rules File

Each rule in the Peer Rules file comprises a set of elements that are identified by a key. The Oracle Tuxedo product recognizes the key names listed in Table 4‑1.
Table 4‑1 Supported Keys for Peer Rules File

Each key is followed by optional white space, the character =, optional white space, and finally the value to be compared. The key is not case sensitive. A rule is not a match unless the subject’s distinguished name contains each of the specified elements in the rule and the values of those elements match the values specified in the rule, including case and punctuation.

Each line in the Peer Rules file contains a single rule that is used to determine if a secure connection is to be established. Rules cannot span lines; the entire rule must appear on a single line. The elements in a rule can be separated by either a comma (,) or semicolon (;) character.

Lines beginning with the pound character (#) are comments. Comments cannot appear on the same line as the name of an organization.
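The following is an added example, not code from the Oracle Tuxedo documentation or product: a small Python parser and matcher for the peer_val.rul rule format described above, useful for checking a rules file before deploying it. The sample rules and the keys O, OU and CN in them are assumed for illustration (the keys the product accepts are those in Table 4‑1), and a subject DN is simplified to one value per attribute type.

```python
import re
from typing import Dict, List

# Constructed sample peer_val.rul content (not from the Oracle documentation).
SAMPLE_RULES = """\
# comment lines start with '#'
O=Oracle Corporation, OU=Tuxedo
o = Big Company ; ou=Security; cn=Milozzi
"""


def parse_rules(text: str) -> List[Dict[str, str]]:
    """One rule per line; elements split on ',' or ';'; keys are case
    insensitive (normalised to upper case); values keep case and punctuation."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        rule: Dict[str, str] = {}
        for element in re.split(r"[,;]", line):
            if not element.strip():
                continue  # tolerate a trailing separator
            if "=" not in element:
                raise ValueError(f"line {lineno}: element {element!r} lacks '='")
            key, value = element.split("=", 1)
            # optional white space on either side of '=' is permitted
            rule[key.strip().upper()] = value.strip()
        rules.append(rule)
    return rules


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a simple 'CN=x, OU=y, O=z' subject DN into its components.
    Assumption: one value per attribute type and no escaped commas."""
    return {k.strip().upper(): v.strip()
            for k, v in (e.split("=", 1) for e in dn.split(","))}


def rule_matches(rule: Dict[str, str], dn: Dict[str, str]) -> bool:
    # Every element of the rule must be present in the DN with an identical
    # value; extra DN components are allowed.
    return all(dn.get(key) == value for key, value in rule.items())


def connection_allowed(rules_text: str, subject_dn: str) -> bool:
    """A connection is accepted if any rule matches the peer's subject DN."""
    dn = parse_dn(subject_dn)
    return any(rule_matches(rule, dn) for rule in parse_rules(rules_text))
```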