Oracle® Application Server Release Notes
10g Release 2 (10.1.2) for hp-ux Itanium
B25195-02

22 Oracle Application Server Certificate Authority

This chapter describes known issues with Oracle Application Server Certificate Authority (OracleAS Certificate Authority, OCA) and their workarounds.

22.1 General Issues and Workarounds

This section describes general usage issues for OracleAS Certificate Authority and their workarounds.

22.1.1 Adding "\" to RDN Causes Misprocessing

If the Common Name in a certificate request contains a backslash character ("\"), OracleAS Certificate Authority does not process the DN correctly. Here is an example of a request that is handled incorrectly:

CN=a \& b,O=aime,C=US

Instead of the backslash being consumed as an escape for the & symbol, the CN value of the certificate that OracleAS Certificate Authority issues contains two backslashes ("\\").

To work around this issue, do not use characters that must be escaped with a backslash when entering the Common Name for generating wallets. The Common Name in the example above can be rewritten as:

CN= a and b, O=aime, C=US

22.1.2 Third Party Wallet Import Fails Due To localID Value

When importing a wallet, OracleAS Certificate Authority expects the localID value in the wallet to pair the private key with its certificate, but some third-party wallets do not use localID for this purpose. Consequently, OracleAS Certificate Authority fails to import such a third-party wallet as a Sub CA. There is no workaround other than obtaining a wallet in which localID links the key and certificate.
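A practitioner who has to import a third-party wallet as a Sub CA can check the key/certificate pairing before trying. The following Python is an added example, not from these release notes and not part of OCA. It assumes the wallet is a PKCS #12 file and that OCA's localID is the PKCS #12 localKeyID bag attribute (the page does not name the attribute; that reading is an assumption). `inspect_wallet` runs `openssl pkcs12 -info` on a real file, `bag_local_key_ids` parses that output, and `key_matches_certificate` reports whether every private-key bag carries a localKeyID that also appears on a certificate bag. The two samples are constructed, abbreviated copies of OpenSSL's output (PEM bodies elided): one with matching IDs, one whose key bag carries none.

```python
import re
import subprocess

# Constructed, abbreviated sample of "openssl pkcs12 -info -nodes" output for
# a wallet whose private-key bag and Sub CA certificate bag carry the same
# localKeyID.  Not taken from a real OCA wallet; the PEM bodies are elided.
SAMPLE_OK = """\
Bag Attributes
    localKeyID: 01 02 03 04
    friendlyName: subca
subject=CN = subca, O = aime, C = US
issuer=CN = root, O = aime, C = US
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: root
subject=CN = root, O = aime, C = US
issuer=CN = root, O = aime, C = US
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03 04
    friendlyName: subca
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
(elided)
-----END PRIVATE KEY-----
"""

# Same wallet, but the key bag has no localKeyID at all: the third-party
# layout that 22.1.2 says OCA cannot import.
SAMPLE_NO_KEY_ID = SAMPLE_OK.replace(
    "localKeyID: 01 02 03 04\n    friendlyName: subca\nKey Attributes",
    "friendlyName: subca\nKey Attributes")

LOCALKEYID_RE = re.compile(r"^\s*localKeyID:\s*(.*)$")
BEGIN_RE = re.compile(r"^-----BEGIN (.+?)-----$")


def bag_local_key_ids(info_text):
    """Map each PEM object in the dump to the localKeyID of the bag it came
    from (None when that bag carries no localKeyID).
    Returns {"certs": [id, ...], "keys": [id, ...]} in file order."""
    bags = {"certs": [], "keys": []}
    pending = None            # localKeyID seen since the last PEM object
    for line in info_text.splitlines():
        m = LOCALKEYID_RE.match(line)
        if m:
            pending = m.group(1).strip().upper()
            continue
        m = BEGIN_RE.match(line)
        if m:
            kind = "keys" if "PRIVATE KEY" in m.group(1) else "certs"
            bags[kind].append(pending)
            pending = None    # attributes belong to one bag only
    return bags


def key_matches_certificate(bags):
    """True when the wallet has at least one private key and every key's
    localKeyID also appears on a certificate bag, i.e. the pairing OCA
    relies on is present."""
    cert_ids = {cid for cid in bags["certs"] if cid}
    return bool(bags["keys"]) and all(
        kid is not None and kid in cert_ids for kid in bags["keys"])


def inspect_wallet(path, password):
    """Dump a real PKCS #12 wallet with OpenSSL and return the parsed bag map.
    Only stdout is parsed: OpenSSL writes the bag attributes and PEM objects
    there, while the MAC and PKCS7 structure lines go to stderr."""
    proc = subprocess.run(
        ["openssl", "pkcs12", "-in", path, "-info", "-nodes",
         "-passin", "pass:" + password],
        check=True, capture_output=True, text=True)
    return bag_local_key_ids(proc.stdout)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        bags = inspect_wallet(sys.argv[1], sys.argv[2])
    else:
        bags = bag_local_key_ids(SAMPLE_NO_KEY_ID)
    print(bags)
    print("key/certificate pairing present:", key_matches_certificate(bags))
```

Run it as `python check_wallet.py ewallet.p12 'password'` against the wallet you intend to import; a `False` result means the key bag is not linked to its certificate the way OCA expects and the import will fail as described above.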

22.1.3 DN Validation Does Not Correctly Check "=" Character

If a Common Name value contains the "=" character, OracleAS Certificate Authority incorrectly accepts it as valid. Here is an example of a request that should have been rejected:

CN=abc=, O=aime,C=US

In this example, "abc=" is an invalid value because "=" is a special character in a DN.

The workaround for this issue is to avoid the "=" character within RDN values.
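Both DN problems in this section (the backslash mis-processing in 22.1.1 and the unchecked "=" in 22.1.3) can be caught before a request reaches OCA. The following Python check is an added example, not from these release notes and not part of OCA. It splits a DN on unescaped commas, then flags any RDN value that contains a backslash or a character that would need one (RFC 2253 reserves ",", "+", """, "\", "<", ">" and ";" plus a leading "#"; "&" is not among them, so in the page's example the backslash itself is what OCA trips over) and any value containing "=". `plain_value` is a hypothetical helper that applies the page's own rewrite ("a \& b" becomes "a and b"). The DNs in the demo are the page's examples plus one constructed case with an escaped comma.

```python
import re

# Characters RFC 2253 section 2.4 requires to be backslash-escaped inside an
# RDN value.  Since OCA mishandles the escape (22.1.1), values that contain
# them cannot be submitted safely at all.
RFC2253_SPECIAL = frozenset(',+"\\<>;')


def split_rdns(dn):
    """Split a string DN into RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def check_dn(dn):
    """Return a list of problems OCA would mis-process (22.1.1) or wrongly
    accept (22.1.3).  An empty list means every value uses plain characters."""
    problems = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            problems.append('RDN %r has no "=" between attribute type and value' % rdn)
            continue
        attr, value = (s.strip() for s in rdn.split("=", 1))
        if not value:
            problems.append("%s: empty value" % attr)
            continue
        if "\\" in value:
            problems.append("%s: %r contains a backslash escape, which OCA "
                            "mis-processes (22.1.1)" % (attr, value))
        # Reserved characters present without an escape would need one, and
        # OCA cannot handle that either.
        for ch in sorted((RFC2253_SPECIAL - {"\\"}) & set(value)):
            problems.append('%s: %r contains %r, which would need "\\%s" '
                            "(22.1.1)" % (attr, value, ch, ch))
        if value.startswith("#"):
            problems.append('%s: %r starts with "#", which would need an escape '
                            "(22.1.1)" % (attr, value))
        if "=" in value:
            problems.append('%s: %r contains "=", which OCA accepts but should '
                            "reject (22.1.3)" % (attr, value))
    return problems


def plain_value(value):
    """Hypothetical rewrite following the page's own example ("a \\& b" ->
    "a and b"): spell out "&", drop backslashes, "=" and the other reserved
    characters, and collapse whitespace.  OCA does not offer this itself."""
    value = value.replace("\\", "").replace("&", " and ")
    value = "".join(ch for ch in value if ch not in RFC2253_SPECIAL and ch != "=")
    return " ".join(value.split())


if __name__ == "__main__":
    # The page's examples plus one constructed DN with an escaped comma.
    for dn in ("CN=a \\& b,O=aime,C=US",
               "CN= a and b, O=aime, C=US",
               "CN=abc=, O=aime,C=US",
               "CN=Sales\\, EMEA,O=aime,C=US"):
        print(dn)
        for problem in check_dn(dn) or ["ok"]:
            print("   ", problem)
```

The check runs on the string form of the DN you are about to type into the OCA enrollment page; anything it reports should be rewritten with `plain_value` or by hand before submission, because OCA will either corrupt the escape or silently accept the stray "=".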

22.2 Configuration Issues and Workarounds

This section describes configuration issues for OracleAS Certificate Authority and their workarounds.

22.2.1 Unexpected Behavior After Revoking Web Administrator or CA Certificate

OracleAS Certificate Authority may exhibit incorrect or unexpected behavior after it is shut down to revoke the web administrator certificate or the CA certificate and is then not restarted correctly. Here are some examples:

  • The OracleAS Certificate Authority service is stopped, and the web administrator and CA certificates are revoked. A new CA is created, and new CA and CASSL wallets are generated. After restarting the OracleAS Certificate Authority service, the newly enrolled web administrator sees the error message:

    Error
    Certificate of the connecting SSL user does not exist in OCA repository


    when trying to perform administrative actions.

  • With the browser interface open, the OracleAS Certificate Authority service is stopped, and the web administrator and CA certificates are revoked. Nevertheless, the open browser session can still be used to update the Certificate Revocation List (CRL).

In both situations, the problem is due to incorrect handling of the OracleAS Certificate Authority service and its supporting services following shutdown. After you revoke the web administrator certificate or the CA certificate, restart not only OracleAS Certificate Authority but also Oracle HTTP Server (OHS) and the certificate authority's OC4J components, using OPMN:

$ORACLE_HOME/opmn/bin/opmnctl stopall
$ORACLE_HOME/opmn/bin/opmnctl startall

22.2.2 Allowable Values of Predicate Usage

As documented in Table 6-9 of the OracleAS Certificate Authority Administrator's Guide, the usage attribute of a policy predicate, which specifies how the certificate may be used, can take the values 1 through 9. Currently, however, OracleAS Certificate Authority allows only usages 1, 2, 4, 8, and 9 when creating predicates; usage values 3, 5, 6, and 7 are rejected even though they are valid.