Oracle® Application Server Certificate Authority Administrator's Guide
10g Release 2 (10.1.2) B14080-02
This appendix describes common problems that you might encounter when using OracleAS Certificate Authority and explains how to solve them. The problems are grouped by area: prerequisite issues, browser-related issues, network-related issues, certificate management, Single Sign-On, backup and recovery, and general issues.
This section describes issues that must be resolved before you can make further progress with OracleAS Certificate Authority, and that are therefore termed "prerequisite":
Key Pair Generation Fails during Certificate Requests on Windows
Cannot Log in as Administrator after Logging in as Normal User
Changing Passwords Requires OracleAS Certificate Authority's Command-line Tool ocactl
Key Pair Generation Fails during Certificate Requests on Windows
Problem
On Windows NT client machines, generating the key pair for a certificate request in the browser requires Service Pack 5 or later.
Solution
Visit Microsoft's Web site and download the necessary upgrades for your configuration.
Cannot Log in as Administrator after Logging in as Normal User
Problem
If you first log in to OracleAS Certificate Authority as a normal user through SSL, then going to Certificate Management causes a JAZN error. You are not recognized as the web administrator unless you log in as the web administrator, even if you are already enrolled as one. The SSL session established between OracleAS Certificate Authority and you as a non-administrative user remains active, and enrolling does not change the certificate presented in that session.
Solution
To log in as web administrator, you must
Enroll as web administrator if you do not have a web administrator certificate
Exit your browser, and
Log in as web administrator, by choosing your web administrator certificate for authentication.
For more information, see Chapter 5, "Configuring Oracle Application Server Certificate Authority".
Note: This login issue is due to a Netscape browser problem.
Changing Passwords Requires OracleAS Certificate Authority's Command-line Tool ocactl
Problem
OracleAS Certificate Authority uses passwords for a number of tasks; for example, there are passwords for the CA SSL wallet, the internal metadata repository, and the OracleAS Certificate Authority administrator. It may occasionally be desirable or advisable to change a password. Generally speaking, if any tool other than ocactl is used to change any of these passwords, OracleAS Certificate Authority will stop working.
For example, if the metadata repository password is changed outside OracleAS Certificate Authority, that is, by using a tool other than ocactl, then OracleAS Certificate Authority will not start up.
Solution
The following discussion examines the implications of changing passwords outside OracleAS Certificate Authority.
OracleAS Certificate Authority's Metadata Repository Password
The OracleAS Certificate Authority metadata schema password is initially set (at install time) to be the same as the administrator password, but the two can be changed independently, with the ocactl setpasswd -type DB command and the ocactl setpasswd -type CA command respectively. As mentioned earlier, if the schema password is changed outside OracleAS Certificate Authority (that is, without using ocactl), then OracleAS Certificate Authority will not start up. Because ocactl itself needs a working connection to the repository, this also prevents you from resetting the repository password with ocactl. To resolve this, log in to the database as a DBA user, such as SYS or SYSTEM, and change the schema password back to its original value.
For additional information about this password, see "Remembering and Restoring the Metadata Repository Password".
OracleAS Certificate Authority's Administrator Password
The administrator password cannot be changed outside OracleAS Certificate Authority.
OracleAS Certificate Authority's SSL Password
The OracleAS Certificate Authority SSL password (the password for the SSL wallet, which is in oca/wallet/ssl under the Oracle home) should only be changed using ocactl. Changing this password with Oracle Wallet Manager disables OracleAS Certificate Authority, because the new password is not reflected in the OracleAS Certificate Authority password store. You can recover from this situation by using ocactl setpasswd -type CASSL to reset the SSL password.
OracleAS Certificate Authority's S/MIME Password
The OracleAS Certificate Authority S/MIME password (the password for the SMIME wallet, which is stored in the database, not on the file system) cannot be changed using Oracle Wallet Manager. You can only change it through ocactl.
OracleAS Certificate Authority's Oracle Internet Directory Password
This password is randomly generated and cannot be changed through ocactl. If it is altered with the Oracle Internet Directory administration tool, OracleAS Certificate Authority will no longer be able to connect to Oracle Internet Directory, because it does not know the new password.
WARNING: Generally speaking (subject to the rules mentioned in the preceding discussion), always use
Remembering and Restoring the Metadata Repository Password
Problem
Complex sites with separate administrators for different functions, components, or organizations can sometimes encounter conflicts. For example, a database administrator can change the password for the OracleAS Certificate Authority metadata repository (schema) without realizing that this should only be done through OracleAS Certificate Authority itself. This change prevents OracleAS Certificate Authority from working.
Solution
Understanding the following scenarios can aid in preventing or resolving such a conflict:
If the DB password in the password store has never been changed from the default (which is the OracleAS Certificate Authority administrator password established during installation, written here as OCA-admin-password), then regaining access to the database after someone has changed the password recognized by the repository can be accomplished with this command, run as a DBA:
alter user oca identified by OCA-admin-password
Resetting the repository password to OCA-admin-password makes it match the repository password held in the password store.
If the DB password in the password store has been changed and the OracleAS Certificate Authority administrator knows what it is (for example, new_DB_pswd_in_store), then if the repository password is changed (by a database administrator, perhaps), the OracleAS Certificate Authority administrator can restore database access with the command:
alter user oca identified by new_DB_pswd_in_store
If the DB password in the password store has been changed and the OracleAS Certificate Authority administrator does not know (or remember) what it is, then changing the repository password stops OracleAS Certificate Authority operations, and no recovery is possible. Here's why: database access is granted only if the DB password that OracleAS Certificate Authority reads from its password store matches the current repository password. Once the repository password is changed, either it or the DB password in the password store must be changed so that they match again. Because the DB password in the password store is unknown, the administrator cannot supply it in an alter user command, and cannot change it in the password store either, because ocactl requires the current DB password before allowing it to be changed. The unknown DB password therefore remains unchangeable.
These resolutions all rely on the OracleAS Certificate Authority administrator retaining the privileges necessary to invoke alter user oca.
Problem
When Oracle Application Server 10g was originally installed, the option to install OracleAS Certificate Authority was not selected. Consequently no password file was created, and it cannot be created after the fact in the original Oracle home. The majority of OracleAS Certificate Authority files do get installed, but OracleAS Certificate Authority is unusable since it was not installed and configured during the original Oracle Application Server 10g installation.
Solution
Install a new instance of OracleAS Certificate Authority in a new Oracle home. It can be installed:
on the same computer as the OracleAS Infrastructure
on a different computer
with its own OracleAS Metadata Repository
against an existing OracleAS Metadata Repository.
As explained in the following discussion, practical considerations determine how these options are combined.
Installing OracleAS Certificate Authority only
In this case, OracleAS Certificate Authority will share the previously installed OracleAS Metadata Repository. If you are installing OracleAS Certificate Authority on the same computer as the OracleAS Infrastructure instance, sharing the repository is preferable for performance reasons.
Installing OracleAS Certificate Authority with its own OracleAS Metadata Repository
If you are installing OracleAS Certificate Authority with its own repository, it is preferable to install it on a separate computer from the OracleAS Infrastructure; otherwise you would need to run two databases on the same computer, which could degrade performance.
References
Oracle Application Server Installation Guide, Section 6.23, "Installing Identity Management Components Only (Excluding Oracle Internet Directory)"
Oracle Application Server Installation Guide, Section 15.6, "OracleAS Certificate Authority Topology"
This section describes these known browser-related issues:
Note: These issues are explicitly related to browsers and occur only when you are using a certain type or level of browser. Unless stated otherwise, they can typically be resolved within the browser itself; contact the browser vendor for assistance if necessary.
Because the machine name is typically used widely and is inconvenient to change, the CN of the CA SSL server certificate must be made identical to that machine name, which requires a new certificate.
Problem
When a DN has more than one CN component, the browser names the certificate for that DN using only its first CN component (counting from the right). Consequently, the popup display for SSL mutual authentication lists all the certificates as "users" (in both Microsoft Internet Explorer and Netscape/Mozilla), making it impossible to distinguish different users.
Solution
You can identify the user and obtain additional details by viewing the certificate.
The following issues affect only Netscape clients:
Problem
If the client's clock is behind the server's (for example, because of a time zone misconfiguration on the client), there can be a period of time in which Netscape/Mozilla issues a "certificate is expired" warning. The reason is that, according to the client's clock, the CASSL certificate's validity period has not yet begun. Certificate validity times are absolute, so a correctly set clock in a different time zone does not cause this.
Solution
The problem resolves itself once the client's clock passes the start of the certificate's validity period; the wait depends on how far the client clock is behind. Correcting the client clock resolves it immediately.
Problem
If the user has two SSL client certificates, one from the CA and another from a SubCA of that CA, then during client authentication to the SubCA, both certificates are listed.
Solution
Select the certificate appropriate to the CA in use for this SSL site.
The following issues affect only Internet Explorer clients:
Message that a page contains both secure and non-secure information
Message about generating an excessive number of certificate requests
Problem
The Internet Explorer Import... button does show the CRL for viewing, but it does not actually install the CRL into the browser.
Solution
Save the CRL to disk and use the following Internet Explorer menu command sequence: Tools -> Internet Options -> Content -> Certificates -> Import. This brings you to the Certificate Import Wizard; follow the steps indicated by the wizard to complete the import.
Message that a page contains both secure and non-secure information
Problem
In User Pages -> Manual Authentication -> Save CA certificate -> Advanced, clicking Help opens a new window that may display an error message saying that the page contains both secure and non-secure information. This is not a security breach.
Problem
When online help is opened while using OracleAS Certificate Authority, IE will display a security alert. It appears that the alert is generated whenever an https URL is in use and then a second https URL is invoked.
Solution
This behavior can be switched off by changing the security options under Tools -> Internet Options -> Security -> Custom Level. Under Settings, look for "Display Mixed Content" and select the enable option under that heading.
Message about generating an excessive number of certificate requests
Problem
Sometimes after generating many certificate requests using Internet Explorer, an additional dialog box may appear warning that an excessive number of certificate requests is being generated.
Solution
You can continue by clicking "Yes", indicating you are generating certificate requests to a certification authority.
You can remove excess certificate requests using the instructions in the online Microsoft Internet Explorer guide, in the section "Deleting a Certificate Request".
You may encounter the following VBScript error message when attempting to import a user certificate to the browser:
Failed to import certificate. Check your browser repository. Please contact Administrator.
This error occurs if an incorrect certificate key store was specified when submitting the request.
Solution
When requesting a new certificate on Internet Explorer, specify the correct key store, for example Microsoft Enhanced Cryptographic Provider v1.0. The Key Store choices presented on the certificate request screen vary, depending on the browser and the existence and type of smart card service on the machine where the certificate was requested. See "User Certificates Tab" in Chapter 8 for details.
The following network-related messages or issues may arise during OracleAS Certificate Authority operation:
Error message when logging on to OracleAS Certificate Authority using SSO username/password
OracleAS Certificate Authority Stops Working, or Network/Server Messages Appear
Error message when logging on to OracleAS Certificate Authority using SSO username/password
Problem
The following message:
"Forbidden You don't have permission to access /oca/sso/ssoInitServlet on this server"
arises from an IP address check if a proxy server with multiple IP addresses is used between the browser and the OracleAS Single Sign-On server.
Solution
When the access is through an intranet, the browser should be configured not to use a proxy, following the instructions in the browser documentation.
If this is not the case, or if such a change does not solve the problem, then the value of the OssoIpCheck directive in the OracleAS Single Sign-On configuration file must be set to "off". To make this server-side change, navigate to the file located at
$ORACLE_HOME/Apache/Apache/conf/mod_osso.conf
and edit the line containing OssoIpCheck to say
OssoIpCheck off
After modifying the configuration file, propagate the change and restart the Oracle HTTP Server and the OC4J_SECURITY instance by running the following commands:
dcmctl updateConfig -v -d
opmnctl stopproc process-type=HTTP_Server
opmnctl startproc process-type=HTTP_Server
opmnctl stopproc process-type=OC4J_SECURITY
opmnctl startproc process-type=OC4J_SECURITY
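The edit described above, as an added example that is not part of OracleAS Single Sign-On or of Oracle's tooling: a small Python script that sets OssoIpCheck in mod_osso.conf, keeps a .bak copy, ignores commented-out lines, adds the directive if it is absent, and reports whether the file actually changed so that you only restart when necessary. The helper names and the configuration lines used in the comments are this example's own. Before using it, be clear about what the setting does: OssoIpCheck ties the single sign-on session cookie to the client address the server sees, so with it off a captured mod_osso cookie is accepted from any address. Fix the proxy path first, and turn the check off only where a multi-address proxy makes it unworkable.

```python
"""Set the OssoIpCheck directive in mod_osso.conf in place.

Added example, not part of OracleAS Single Sign-On or its tooling. It
rewrites an existing OssoIpCheck line (outside comments) or appends one
if none exists, keeps a backup, and reports whether the file changed so
the caller knows whether a restart is needed. The helper names and the
sample lines in comments are this example's own.
"""
import os
import re
import shutil

# Propagate the change and restart, as this guide describes; run these
# only if update_conf() reports that the file changed.
RESTART_COMMANDS = [
    "dcmctl updateConfig -v -d",
    "opmnctl stopproc process-type=HTTP_Server",
    "opmnctl startproc process-type=HTTP_Server",
    "opmnctl stopproc process-type=OC4J_SECURITY",
    "opmnctl startproc process-type=OC4J_SECURITY",
]

# An active directive line, e.g. "    OssoIpCheck on"; a commented-out
# "# OssoIpCheck off" does not match and is left alone.
_DIRECTIVE = re.compile(r"^(\s*)OssoIpCheck\s+(on|off)\s*$", re.IGNORECASE)


def current_ipcheck(text):
    """Return 'on'/'off' from the last active OssoIpCheck line, or None."""
    value = None
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            value = m.group(2).lower()
    return value


def set_ipcheck(text, value):
    """Return the config text with OssoIpCheck forced to value ('on' or 'off')."""
    if value not in ("on", "off"):
        raise ValueError("OssoIpCheck takes 'on' or 'off'")
    lines = text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        m = _DIRECTIVE.match(line)
        if m:
            # keep the original indentation inside <IfModule mod_osso.c>
            lines[i] = "%sOssoIpCheck %s" % (m.group(1), value)
            replaced = True
    if not replaced:
        lines.append("OssoIpCheck %s" % value)
    return "\n".join(lines) + "\n"


def update_conf(path, value="off"):
    """Rewrite the file if needed; return True when it changed (restart required)."""
    with open(path) as f:
        before = f.read()
    after = set_ipcheck(before, value)
    if after == before:
        return False
    shutil.copy2(path, path + ".bak")   # keep the original for rollback
    with open(path, "w") as f:
        f.write(after)
    return True


if __name__ == "__main__":
    # $ORACLE_HOME/Apache/Apache/conf/mod_osso.conf, the path this guide gives
    conf = os.path.join(os.environ["ORACLE_HOME"],
                        "Apache", "Apache", "conf", "mod_osso.conf")
    if update_conf(conf, "off"):
        print("%s changed; now run:" % conf)
        for cmd in RESTART_COMMANDS:
            print("  " + cmd)
    else:
        print("OssoIpCheck was already off; nothing to do")
```

Run it with ORACLE_HOME set; it prints the restart sequence only when the file was actually modified, and the .bak copy lets you restore the original directive once the proxy problem is fixed.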
Problem
This message can arise when a browser requires re-authentication because an operation was attempted with Oracle Application Server Certificate Authority after some period of inactivity.
Solution
You need to re-authenticate yourself to OracleAS Certificate Authority by going to the Certificate Management tab and, when asked, choosing the Web Admin Certificate.
OracleAS Certificate Authority Stops Working, or Network/Server Messages Appear
Problem
These symptoms can arise when a configuration change has altered the connection strings that OracleAS Certificate Authority uses to connect to its repository or to Oracle Internet Directory (for publishing certificates). Changes can include altered ports or Real Application Clusters (RAC) nodes, for example. The messages may say "Cannot Establish Connection" or "Internal Server Error".
Solution
Enable OracleAS Certificate Authority to re-acquire the new connection strings by issuing the following command:
$ORACLE_HOME/oca/bin/ocactl updateconnection
Command completion updates the configuration file at $ORACLE_HOME/oca/conf/oca.conf.
After using this command, you must restart OracleAS Certificate Authority by issuing the following commands:
$ORACLE_HOME/oca/bin/ocactl stop
$ORACLE_HOME/oca/bin/ocactl start
The following issues relate primarily to certificates or certificate management:
Problem
An attempt to install a user certificate does not succeed.
Solution
All CA and Sub CA certificates must contain an O (Organization) component in their subject DN. The mandatory components of a CA or Sub CA DN are C, O, and CN, each separated from the next by a comma.
When installing Oracle Application Server Certificate Authority, or regenerating the Root CA, enter a DN that includes at least country, organization, and common name ("C, O, CN").
When installing a Sub CA, ensure that the subject DN of the CA signing certificate includes an O (Organization) RDN.
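The DN rules above, together with the two browser-related rules earlier in this appendix (the CA SSL server certificate's CN must equal the machine name, and a DN with several CN components is displayed by its rightmost CN), as an added example that is not code from OracleAS Certificate Authority. It parses a string DN and checks a candidate CA or Sub CA DN for the mandatory C, O and CN components before you type it into the installer, shows which name a browser would display for a multi-CN DN, and checks a CA SSL DN against the host name with the DNS domain optional. The function names and the sample DNs are this example's own.

```python
"""Sanity checks for OracleAS Certificate Authority subject DNs.

Added example, not code from the OracleAS CA product. It checks the
rules stated in this guide: a CA or Sub CA subject DN must carry C, O
and CN; a DN with more than one CN is shown ambiguously by browsers;
and the CA SSL server certificate's CN must equal the machine name
(with the DNS domain optional). Function names are this example's own.
"""

REQUIRED_CA_RDNS = {"C", "O", "CN"}


def parse_dn(dn):
    """Split an RFC 2253 style string DN into [(type, value), ...].

    Handles backslash-escaped commas and quoted values, which is enough
    for DNs typed into the OCA enrollment and installation forms.
    Multi-valued RDNs joined with '+' are not split.
    """
    rdns = []
    buf = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])        # escaped character, taken literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes    # quotes delimit, they are not part of the value
        elif ch == "," and not in_quotes:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        parsed.append((attr.strip().upper(), value.strip()))
    return parsed


def missing_ca_rdns(dn):
    """Return the set of C/O/CN attributes that a CA or Sub CA DN lacks."""
    present = {attr for attr, _ in parse_dn(dn)}
    return REQUIRED_CA_RDNS - present


def cn_values(dn):
    """All CN values in the DN, most specific (leftmost) first."""
    return [value for attr, value in parse_dn(dn) if attr == "CN"]


def browser_display_name(dn):
    """The name a browser shows for a client certificate: the rightmost CN."""
    cns = cn_values(dn)
    return cns[-1] if cns else None


def ssl_cn_matches_host(dn, hostname):
    """True if the CA SSL server DN's single CN names this host.

    The domain is optional on either side, but if both the CN and the
    host name carry one, the domains must agree.
    """
    cns = cn_values(dn)
    if len(cns) != 1:
        return False
    cn_parts = cns[0].lower().split(".")
    host_parts = hostname.lower().split(".")
    if cn_parts[0] != host_parts[0]:
        return False
    return (len(cn_parts) == 1 or len(host_parts) == 1
            or cn_parts[1:] == host_parts[1:])


if __name__ == "__main__":
    for dn in ("CN=Example Sub CA,C=US", "CN=Example CA,O=Example Inc.,C=US"):
        missing = missing_ca_rdns(dn)
        print(dn, "->", "missing %s" % sorted(missing) if missing else "ok")
    print(browser_display_name("CN=alice,CN=users,O=Example,C=US"))
```

Run the checks on a proposed DN before installing a Sub CA or regenerating the root; a non-empty result from missing_ca_rdns means user certificate installation against that CA will fail as described above.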
Problem
Attempts to access or use the Certificate Management facility fail.
Solution
Before you can access Certificate Management, your browser must have imported a valid Web Administrator certificate. You must apply for and receive such a certificate before clicking Certificate Management. You do so in the Administration Setup tab, by clicking the button labeled Web Administrator Enrollment... .
Problem
An OracleAS Certificate Authority administrator may wish to do certificate management tasks from any of multiple machines. However, his Web Administrator certificate is contained in the browser of the machine he used when originally authenticating himself to be the OracleAS Certificate Authority Web Administrator.
Solution
To switch from one machine to another and maintain the ability to do certificate management tasks, you need to export the certificate from the previous browser and import it into the new browser, as follows:
Exporting the certificate on Netscape/Mozilla: Choose Security->Certificates->Yours->choose the Web Admin Cert ->Export
Importing the certificate on Netscape/Mozilla: Choose Security->Certificates->Yours->Import Certificate.
Exporting the certificate on Internet Explorer: Choose Internet options ->Content->Certificates->Personal-><choose your Web Admin Cert> ->Export
Importing the certificate on Internet Explorer: Choose Internet options->Content->Certificates->Personal->Import
Some issues relate primarily to Single Sign-on capabilities:
Going to SSO login page in IE can get a security warning dialog
Certificate Acquired with Single Sign-on not Seen for SSL Authentication
Problem
These certificates do not show the common name or DN. They are distinguishable only by having different certificate serial numbers.
Solution
Click "View" to check the certificate serial number, and pick the certificate identified by the serial number you wish to use.
Problem
In Oracle Application Server Single Sign-On, you request a certificate by clicking "Submit" in the popup window. Since there is no message to wait and no visible indication of progress, users sometimes click "Submit" again, causing this error.
Solution
Try again, being sure to click "Submit" only once and to wait until the certificate is returned.
Problem
After logging in to OracleAS Single Sign-On by name and password, but then changing authentication by choosing SSL, a known Internet Explorer bug gives the "Page cannot be displayed" error.
Solution
Try to reload the page. If that does not resolve the issue, exit from the current browser session, return to OracleAS Certificate Authority and try again.
Going to SSO login page in IE can get a security warning dialog
Solution
This is expected behavior; it is a warning that is issued due to switching from SSL protocol (https) to non-SSL protocol (http). No action is needed.
Certificate Acquired with Single Sign-on not Seen for SSL Authentication
Problem
After using the Mozilla browser to log in to OracleAS Single Sign-On, get a certificate, and import it, a user might still not see this just-imported certificate in the client authentication window.
Solution
If the user did not include "Authentication" among the intended usages specified when requesting the certificate, then that certificate will not appear in the client authentication box for authentication use.
To confirm the chosen usages, search for the certificate by its serial number and view its details. If the usages do not include Client Authentication, this certificate cannot be used for SSL authentication.
The solution is to request a new certificate, ensuring that Authentication is specified as one of the usages for the certificate.
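What "Client Authentication" means on the wire, as an added example that is not code from OracleAS Certificate Authority or from any browser: the usage the browser looks for is the id-kp-clientAuth purpose (OID 1.3.6.1.5.5.7.3.2) inside the certificate's ExtendedKeyUsage extension (OID 2.5.29.37), whose DER value is a SEQUENCE of OBJECT IDENTIFIERs. The block decodes that value with a minimal DER walk and reports whether client authentication is allowed; the two sample extension values are constructed by hand for this example, and the function names are its own. On a real certificate, openssl x509 -in cert.pem -noout -text lists the same purposes under "X509v3 Extended Key Usage", where client authentication appears as "TLS Web Client Authentication".

```python
"""Check whether a certificate's Extended Key Usage allows TLS client
authentication, which is what the browser's "Client Authentication"
usage means.

Added example, not code from OracleAS Certificate Authority or from any
browser. It decodes the DER value of the ExtendedKeyUsage extension
(OID 2.5.29.37): a SEQUENCE of OBJECT IDENTIFIERs, where
1.3.6.1.5.5.7.3.2 (id-kp-clientAuth) is the one SSL client
authentication needs. The sample extension values at the bottom are
constructed by hand for this example.
"""

ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

KNOWN_PURPOSES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
}


def _read_tlv(data, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = []
    value = 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:             # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    if value or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]
    # the first two arcs are packed into one number: 40*arc1 + arc2
    if first < 80:
        arcs = [first // 40, first % 40] + arcs[1:]
    else:
        arcs = [2, first - 80] + arcs[1:]
    return ".".join(str(a) for a in arcs)


def decode_eku(ext_value):
    """Return the list of dotted OIDs in an ExtendedKeyUsage DER value."""
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("ExtendedKeyUsage must be a single SEQUENCE")
    oids = []
    pos = 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("ExtendedKeyUsage may only contain OIDs")
        oids.append(decode_oid(content))
    return oids


def describe_eku(ext_value):
    """Human-readable purposes, as a browser's certificate viewer shows them."""
    return [KNOWN_PURPOSES.get(oid, oid) for oid in decode_eku(ext_value)]


def allows_client_auth(ext_value):
    """True if the EKU lists id-kp-clientAuth, so the cert is offered for SSL login."""
    return ID_KP_CLIENT_AUTH in decode_eku(ext_value)


# Constructed samples: SEQUENCE { OID ... }.  Each OID encodes as
# 06 08 2B 06 01 05 05 07 03 xx, where xx is the key-purpose arc.
EKU_EMAIL_ONLY = bytes.fromhex("300a" "06082b06010505070304")
EKU_EMAIL_AND_CLIENT = bytes.fromhex("3014" "06082b06010505070304"
                                     "06082b06010505070302")

if __name__ == "__main__":
    for name, eku in (("S/MIME-only cert", EKU_EMAIL_ONLY),
                      ("S/MIME + authentication cert", EKU_EMAIL_AND_CLIENT)):
        print(name, describe_eku(eku), "client auth:", allows_client_auth(eku))
```

A certificate requested without "Authentication" among its usages decodes like EKU_EMAIL_ONLY: no id-kp-clientAuth, so the browser has nothing to offer in the client authentication dialog, which is exactly the symptom above.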
Another reason the certificate might not appear is that the CASSL certificate is unusable for some reason. In this case, the administrator must replace it.
The following issue relates to making recovery possible after a failure.
Problem
Errors and unpredictable events can threaten the continuity of OracleAS Certificate Authority operations.
Solution
Back up the metadata repository periodically. For details, see Oracle Application Server Administrator's Guide, particularly the sections on Backup Strategies and Procedures and Recovery Strategies and Procedures.
This section describes how to recover from a major issue affecting OracleAS Certificate Authority operation:
Problem
Under certain conditions, the OracleAS Certificate Authority Administrator may be unable to access the Certificate Management page. The browser reports a 404/Page Not Found error. Possible conditions for this error include, but are not limited to, the following:
The administrator certificate is installed on one browser, but you try to access the Certificate Management page from a different browser.
When applying for the CA certificate, the DN specified the machine name only and omitted the domain information. For example, "CN=asunmach17 admin user,C=US" was specified instead of "CN=asunmach17.us.mycompany.com admin user,C=US".
Solution
If the problem is due to incorrect domain information in the CA certificate, you must re-create the CA's SSL wallet and refresh affected components using these steps:
WARNING: This is a last-resort workaround and is not to be used casually. Implement it only if you have exhausted other possibilities.
Regenerate the CA SSL wallet, making sure the CN is the same as the host name (the domain is optional).
See "Regenerating the CA SSL and CA S/MIME Wallets" in Chapter 7 for details.
Restart OHS.
Once the CA certificate is regenerated, create the CASSL wallet. This operation is performed by the new CA.
Restart OHS to pick up the new CA SSL wallet.
Refresh the SSL session between the client's browser and the OracleAS Certificate Authority server.
The following issues are general in nature and do not fall into the previous categories:
Problem
Sometimes such delays can occur, possibly after OracleAS Certificate Authority has been in operation for a substantial period.
Solution
Restart OracleAS Certificate Authority's OC4J instance, which will return you to faster operations.
See Also: For additional performance tips, see "Performance Tuning for OracleAS Certificate Authority" in Chapter 7. For restart operations, see "Starting and Stopping Oracle Application Server Certificate Authority" in Chapter 4.
Problem
In some Windows environments, when you select the certificate for S/MIME signing in Outlook Express, no certificate is listed. This happens when a version of Microsoft Outlook is also installed on the machine.
Solution
You will need to use Microsoft Outlook and not Outlook Express.
You can find more solutions on Oracle MetaLink, http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.
See Also: Oracle Application Server Release Notes, available on the Oracle Technology Network: http://www.oracle.com/technology/documentation/index.html