Oracle® Application Server Release Notes
10g Release 2 (10.1.2) for HP-UX PA-RISC (64-Bit) B25187-02
This chapter describes issues with Oracle Application Server Certificate Authority (OracleAS Certificate Authority, OCA). It includes the following topics:
This section describes general usage issues for OracleAS Certificate Authority and their workarounds. It includes the following topics:
Section 19.1.2, "Third Party Wallet Import Fails Due To localID Value"
Section 19.1.3, "DN Validation Does Not Correctly Check "=" Character"
If the Common Name of a certificate request contains a backslash character ("\"), OracleAS Certificate Authority fails to process the DN. Here is an example of an incorrect request:
CN=a \& b,O=aime,C=US
Rather than escaping the & symbol, the CN value of the certificate issued by OracleAS Certificate Authority contains two backslashes ("\\").
To work around this issue, do not use special symbols which require a backslash in front when entering the common name for generating wallets. In the example cited earlier, the Common Name in the request can be rewritten as:
CN= a and b, O=aime, C=US
When importing a wallet, OracleAS Certificate Authority expects the value of localID in the wallet to match the private key and certificate, but some third party wallets do not use localID for this purpose. Consequently, OracleAS Certificate Authority fails to import the third party wallet as a SubCA.
If a Common Name value contains the "=" character, OracleAS Certificate Authority incorrectly accepts it as a valid character. Here is an example of an incorrect request:
CN=abc=, O=aime,C=US
In this example, "abc=" is an invalid entry due to the presence of "=", which is a special character.
The workaround for this issue is to avoid using the "=" character in this way within RDN values.
This section describes configuration issues and their workarounds for OracleAS Certificate Authority. It includes the following topics:
OracleAS Certificate Authority may exhibit incorrect or unexpected behavior after it is shut down to revoke the web administrator certificate or CA certificate, and is not restarted correctly. Here are some examples:
The OracleAS Certificate Authority service is stopped, and the web administrator and CA certificates are revoked. A new CA is created, and new CA and CASSL wallets are generated. After restarting the OracleAS Certificate Authority service, the newly enrolled web administrator sees the error message:
Error Certificate of the connecting SSL user does not exist in OCA repository
when trying to perform administrative actions.
With the browser interface open, the OracleAS Certificate Authority service is stopped, and the web administrator and CA certificates are revoked. Nevertheless, the open browser session can still be used to update the Certificate Revocation List (CRL).
In both situations, the problem is due to incorrect handling of the OracleAS Certificate Authority service and its supporting services following shutdown. After you revoke the web administrator certificate or CA certificate, it is necessary to restart not only OracleAS Certificate Authority, but also OHS and the certificate authority's OC4J components using the OPMN service:
$ORACLE_HOME/opmn/bin/opmnctl stopall
$ORACLE_HOME/opmn/bin/opmnctl startall
As documented in Table 6-9 of the OracleAS Certificate Authority Administrator's Guide, the usage attribute of a policy predicate, which specifies how the certificate may be used, can be assigned values 1 through 9. Currently, however, OracleAS Certificate Authority allows only usages 1, 2, 4, 8 and 9 when creating predicates. Usage values 3, 5, 6 and 7 are not allowed even though they are valid.