3.3.2.1 TLS Certificates and Public/Private Key Pairs
TLS connections require digital certificates. Certificates rely on asymmetric (public-key) encryption algorithms, which use a pair of keys: a public key and a private key. A certificate owner presents the certificate to another party as proof of identity. A certificate contains its owner's public key; any data encrypted with that public key can be decrypted only with the corresponding private key, which is held by the owner of the certificate.
Oracle issues Privacy Enhanced Mail (PEM)-encoded TLS X.509v3 certificates and encryption keys to the SOAP server and to provisioning clients that need to establish a TLS connection with the SOAP server. These files are located on the SDS server under /usr/TKLC/sds/ssl and must be copied to the server running the provisioning client.
Table 3-2 TLS X.509 Certificate and Key PEM-encoded Files

| Certificate and Key PEM-Encoded File | Description |
|---|---|
| tklcCaCert.pem | Self-signed trusted root Certification Authority (CA) X.509v3 certificate. |
| serverCert.pem | The SOAP server's X.509v3 certificate and 2,048-bit RSA public key, digitally signed by the Certification Authority (CA) using the SHA-1 message digest algorithm. |
| serverKey.nopass.pem | The SOAP server's corresponding, matching 2,048-bit RSA private key without passphrase, digitally signed by the Certification Authority (CA) using the SHA-1 message digest algorithm. |
| clientCert.pem | The provisioning client's X.509v3 certificate and 2,048-bit RSA public key, digitally signed by the Certification Authority (CA) using the SHA-1 message digest algorithm. |
| clientKey.nopass.pem | The provisioning client's corresponding, matching 2,048-bit RSA private key without passphrase, digitally signed by the Certification Authority (CA) using the SHA-1 message digest algorithm. |
Provisioning clients are required to send a TLS authenticating X.509v3 certificate when the SOAP server requests one during the secure-connection handshake, which provides mutual (two-way) authentication. If the provisioning client does not submit a certificate issued and signed by the Certification Authority (CA), it cannot establish a secure connection with the SOAP server.