3.3.2.1 TLS Certificates and Public/Private Key Pairs

TLS connections require digital certificates. Certificates rely on asymmetric (public-key) encryption algorithms, which use two keys: a public key and a private key. A certificate owner presents the certificate to another party as proof of identity. The certificate contains its owner's public key; any data encrypted with that public key can be decrypted only with the corresponding private key, which is held by the owner of the certificate.

Oracle issues Privacy Enhanced Mail (PEM)-encoded TLS X.509v3 certificates and encryption keys to the SOAP server and to provisioning clients that need to establish a TLS connection with the SOAP server. These files are located on the SDS server under /usr/TKLC/sds/ssl and should be copied to the server running the provisioning client.

Table 3-2 TLS X.509 Certificate and Key PEM-encoded Files

Certificate and Key PEM-Encoded Files   Description
-------------------------------------   -----------------------------------------------------------------
tklcCaCert.pem                          Self-signed trusted root Certification Authority (CA) X.509v3
                                        certificate.
serverCert.pem                          The SOAP server's X.509v3 certificate and 2,048-bit RSA public
                                        key, digitally signed by the Certification Authority (CA) using
                                        the SHA-1 message digest algorithm.
serverKey.nopass.pem                    The SOAP server's corresponding, matching 2,048-bit RSA private
                                        key without passphrase, digitally signed by the Certification
                                        Authority (CA) using the SHA-1 message digest algorithm.
clientCert.pem                          The provisioning client's X.509v3 certificate and 2,048-bit RSA
                                        public key, digitally signed by the Certification Authority (CA)
                                        using the SHA-1 message digest algorithm.
clientKey.nopass.pem                    The provisioning client's corresponding, matching 2,048-bit RSA
                                        private key without passphrase, digitally signed by the
                                        Certification Authority (CA) using the SHA-1 message digest
                                        algorithm.

Provisioning clients must send a TLS-authenticating X.509v3 certificate when the SOAP server requests one during the secure connection handshake, which provides mutual (two-way) authentication. A provisioning client that does not present a certificate issued (signed) by the Certification Authority (CA) cannot establish a secure connection with the SOAP server.
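The following Go program is an added illustration of the mutual-TLS behaviour described above; it is not part of the Oracle document and not SDS or provisioning-client code. Using only the standard library, it generates in memory a throwaway root CA and server and client identities that play the roles of the files in Table 3-2, then runs a handshake against a loopback server configured the way the SOAP server behaves: it requires a client certificate that chains to the CA. The names tklc-root-ca, sds-soap-server and provisioning-client are assumed placeholders. The example goes slightly beyond the text by also showing the two failure cases a deployment check should cover: a client that presents no certificate and a client whose certificate is self-signed rather than CA-issued. Note that Go signs these certificates with SHA-256; Go's x509 package (since 1.18) and OpenSSL 3 at its default security level reject SHA-1 certificate signatures, so a provisioning client built on a current TLS library may refuse the SHA-1-signed files listed in Table 3-2 and the library's settings should be checked before deployment.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Identity is a PEM certificate plus its unencrypted PEM key, the shape of serverCert.pem/serverKey.nopass.pem.
type Identity struct{ CertPEM, KeyPEM []byte }

// Issue generates a 2048-bit RSA key pair and an X.509v3 certificate for cn (constructed here, not
// taken from an SDS server). With parent == nil it is a self-signed root CA (the role of tklcCaCert.pem);
// otherwise parent signs it, as the CA signs serverCert.pem and clientCert.pem. Go signs with SHA-256.
func Issue(cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (Identity, *x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // the client checks the server's name against this SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return Identity{
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
	}, cert, key
}

// MutualHandshake starts a loopback TLS server that, like the SOAP server, demands a client
// certificate issued by the CA in caPEM, then connects a client built from the given PEM pair
// (client == nil presents no certificate). It returns the server's verdict: nil means accepted.
func MutualHandshake(caPEM []byte, server Identity, client *Identity, serverName string) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM)
	srvCert, err := tls.X509KeyPair(server.CertPEM, server.KeyPEM) // fails if key and cert do not match
	if err != nil {
		return err
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientCAs: roots,
		ClientAuth: tls.RequireAndVerifyClientCert} // mutual (two-way) auth: only certs chaining to roots pass
	cliCfg := &tls.Config{RootCAs: roots, ServerName: serverName}
	if client != nil {
		cliCert, err := tls.X509KeyPair(client.CertPEM, client.KeyPEM)
		if err != nil {
			return err
		}
		cliCfg.Certificates = []tls.Certificate{cliCert}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		verdict <- err
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
		defer conn.Close() // closed only after the server has delivered its verdict
	}
	return <-verdict
}

func main() {
	ca, caCert, caKey := Issue("tklc-root-ca", nil, nil)
	server, _, _ := Issue("sds-soap-server", caCert, caKey)
	client, _, _ := Issue("provisioning-client", caCert, caKey)
	rogue, _, _ := Issue("provisioning-client", nil, nil) // self-signed, not issued by the CA
	fmt.Println("CA-issued client cert:", MutualHandshake(ca.CertPEM, server, &client, "sds-soap-server"))
	fmt.Println("no client cert:       ", MutualHandshake(ca.CertPEM, server, nil, "sds-soap-server"))
	fmt.Println("self-signed cert:     ", MutualHandshake(ca.CertPEM, server, &rogue, "sds-soap-server"))
}
```

Run with `go run`: the first line prints `<nil>` (accepted), the other two print the server's rejection. Two details carry over to a real provisioning client: tls.X509KeyPair refuses a clientKey.nopass.pem that does not belong to clientCert.pem before any connection is attempted, and the client verifies the server with the same tklcCaCert.pem root rather than skipping verification, so trust runs in both directions.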