Skip Headers
Oracle® Application Server Certificate Authority Administrator's Guide
10g Release 2 (10.1.2)
B14080-02
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

C Troubleshooting OracleAS Certificate Authority

This appendix describes common problems that you might encounter when using OracleAS Certificate Authority and explains how to solve them. It contains the following topics:

C.1 Problems and Solutions

This section describes common problems and solutions. It contains the following topical groups:

C.1.1 Prerequisite Issues and Warnings

This section describes certain issues that need to be addressed before further progress in using OracleAS Certificate Authority can go forward, and are therefore termed "prerequisite":

C.1.1.1 Key Pair Generation Fails during Certificate Requests on Windows

Problem

For Windows client machines, this operation requires NT to have Service pack 5 or higher.

Solution

Visit Microsoft's Web site and download the necessary upgrades for your configuration.

C.1.1.2 Cannot Log in as Administrator after Logging in as Normal User

Problem

If you first log in to OracleAS Certificate Authority as a normal user through SSL, then trying to go to Certificate Management causes a JAZN error. The reason is that you are not recognized as the web administrator unless you log in as such, even though you are enrolled as the web administrator. The SSL session established between OracleAS Certificate Authority and you as a non-administrative user remains active; your enrollment does not change your SSL session.

Solution

To log in as web administrator, you must

  1. Enroll as web administrator if you do not have a web administrator certificate

  2. Exit your browser, and

  3. Log in as web administrator, by choosing your web administrator certificate for authentication.

For more information, see Chapter 5, "Configuring Oracle Application Server Certificate Authority".


Note:

This login issue is due to a Netscape browser problem.

C.1.1.3 Changing Passwords Requires OracleAS Certificate Authority's Command-line Tool ocactl

Problem

OracleAS Certificate Authority uses passwords for a number of tasks; for example, there are passwords for the CA SSL wallet, the internal metadata repository, and the OracleAS Certificate Authority administrator. It may occasionally be desirable or advisable to change a password. Generally speaking, if any tool other than ocactl is used to change any of these passwords, OracleAS Certificate Authority will stop working.

For example, if the metadata repository password is changed outside OracleAS Certificate Authority, that is, by using a tool other than ocactl, then OracleAS Certificate Authority will not start up.

Solution

The following discussion examines the implications of changing passwords outside OracleAS Certificate Authority.

OracleAS Certificate Authority's Metadata Repository Password

The OracleAS Certificate Authority metadata schema password is initially set (at install time) to be the same as the administrator password, but either password can be changed independently with the ocactl setPassword –type DB command and the ocactl setPassword –type CA command. As mentioned earlier, if this password is changed outside of OracleAS Certificate Authority (that is, not using the ocactl tool), then OracleAS Certificate Authority will not start up. This circumstance also prevents you from resetting the repository password with ocactl. To resolve this, you must log in to the database as any DBA, such as SYS or SYSTEM, and change the password back to its original value.

For additional information about this password, see "Remembering and Restoring the Metadata Repository Password".

OracleAS Certificate Authority's Administrator Password

The administrator password cannot be changed outside OracleAS Certificate Authority.

OracleAS Certificate Authority's SSL Password

The OracleAS Certificate Authority SSL password (the password for the SSL wallet, which is in oca/wallet/ssl) should only be changed using ocactl. Changing this password with Oracle Wallet Manager will disable OracleAS Certificate Authority because the changed password is no longer reflected in the OracleAS Certificate Authority password store. However, you can recover from this situation by using ocactl setpasswd CASSL to reset the SSL password.

OracleAS Certificate Authority's S/MIME Password

The OracleAS Certificate Authority S/MIME password (the password for the SMIME wallet, which is stored in the database, not on the file system) cannot be changed using Oracle Wallet Manager. You can only change it through ocactl.

OracleAS Certificate Authority's Oracle Internet Directory Password

This is a randomly generated password. It cannot be changed through ocactl. But if it is altered using the Oracle Internet Directory administration tool, OracleAS Certificate Authority will not be able to talk to Oracle Internet Directory as it does not know the new password.


WARNING:

Generally speaking (subject to the rules mentioned in the preceding discussion), always use ocactl to change any password related to OracleAS Certificate Authority. Never use any other tool; OracleAS Certificate Authority will stop working.


C.1.1.4 Remembering and Restoring the Metadata Repository Password

Problem

Complex sites with separate administrators for different functions, components, or organizations can sometimes encounter conflicts. For example, a database administrator can change the password for the OracleAS Certificate Authority metadata repository (schema) without realizing that this should only be done through OracleAS Certificate Authority itself. This change prevents OracleAS Certificate Authority from working.

Solution

Understanding the following scenarios can aid in preventing or resolving such a conflict:

  1. If the DB password in the password store has never been changed from the default (which happens to be OCA-admin-password as established during installation), then regaining access to the database (after someone changed the password originally recognized by the repository) can be accomplished by this command:

    alter user OracleAS Certificate Authority identified by OCA-admin-password
    
    

    This resetting of the repository password to the OCA-admin-password causes it to match what is in the password store as the repository password.

  2. If the DB password in the password store has been changed and the OracleAS Certificate Authority administrator does know what it is (for example, new_DB_pswd_in_store, then if the repository password is changed (by a database administrator, perhaps), the OracleAS Certificate Authority administrator can restore database accessibility by using the command:

    alter user OracleAS Certificate Authority identified by new_DB_pswd_in_store
    
    
  3. If the DB password in the password store has been changed and the OracleAS Certificate Authority administrator does not know (or remember) what it is, changing the repository password will prevent OracleAS Certificate Authority operations. Here's why: database access will not be granted unless the password offered by OracleAS Certificate Authority for the password store matches the current repository password. If the repository password is changed, then either that password or the DB password in the password store must be changed so that they again match. Since the DB password in the password store is unknown, the administrator cannot supply it in an "alter user" command. Nor can she change the DB password in the password store, because ocactl requires the current DB password before allowing it to be changed. So no recovery is possible. The unknown DB password remains unchangeable.

These resolutions all rely on the OracleAS Certificate Authority administrator retaining the privileges necessary to invoke alter user oca.

C.1.1.5 Using ocactl raises "Error:Password store missing" message

Problem

When Oracle Application Server 10g was originally installed, the option to install OracleAS Certificate Authority was not selected. Consequently no password file was created, and it cannot be created after the fact in the original Oracle home. The majority of OracleAS Certificate Authority files do get installed, but OracleAS Certificate Authority is unusable since it was not installed and configured during the original Oracle Application Server 10g installation.

Solution

Install a new instance of OracleAS Certificate Authority in a new Oracle home. It can be installed:

  • on the same computer as the OracleAS Infrastructure

  • on a different computer

  • with its own OracleAS Metadata Repository

  • against an existing OracleAS Metadata Repository.

As explained in the following discussion, practical considerations determine how these options are combined.

Installing OracleAS Certificate Authority only

In this case, OracleAS Certificate Authority will share the previously installed OracleAS Metadata Repository. If you are installing OracleAS Certificate Authority on the same computer as the OracleAS Infrastructure instance, sharing the repository is preferable for performance reasons.

Installing OracleAS Certificate Authority with its own OracleAS Metadata Repository

If you are installing OracleAS Certificate Authority with its own repository, it is preferable to install it on a separate computer from the OracleAS Infrastructure; otherwise you would need to run two databases on the same computer, which could degrade performance.

References

  • Oracle Application Server Installation Guide, Section 6.23, "Installing Identity Management Components Only (Excluding Oracle Internet Directory)"

  • Oracle Application Server Installation Guide, Section 15.6, "OracleAS Certificate Authority Topology"

C.1.2 Browser Issues

This section describes these known browser-related issues:


Note:

These issues are explicitly related to browsers and occur only when you are using a certain type or level of browser. Unless stated otherwise, they can typically be resolved within the browser itself; contact the browser vendor for assistance if necessary.

C.1.2.1 Browser issues a warning if the CA SSL Server's CN does not match the machine name

The machine name is likely used widely and inconvenient to change. Therefore, the CN for the CA SSL Server must be made identical to that machine name, requiring a new certificate.

C.1.2.2 Certificate list shows all users as "Users"

Problem

When a DN has more than one CN component, the browser names the certificate for that DN using only its first CN component (from the right). Consequently, the popup display for SSL Mutual Authentication lists all the certificates as "users" (in both MicroSoft Internet Explorer and Netscape/Mozilla), making it impossible to distinguish different users.

Solution

You can identify the user and obtain additional details by viewing the certificate.

C.1.2.3 Netscape/Mozilla Issues

The following issues affect only Netscape clients:

C.1.2.3.1 "Certificate is expired" warning appears

Problem

If the time zone of the client is behind that of the server, there can be a period of time in which Netscape/Mozilla might issue a 'certificate is expired' warning. The reason is that the CASSL certificate is not yet valid in the user's time zone.

Solution

The problem should resolve itself in a relatively short period of time, depending on the time zone differential.

C.1.2.3.2 SubCA and CA SSL client certificates are listed

Problem

If the user has two SSL client certificates, one from the CA and another from a SubCA of that CA, then during client authentication to the SubCA, both certificates are listed.

Solution

Select the certificate appropriate to the CA in use for this SSL site.

C.1.2.4 Internet Explorer (IE) Issues

The following issues affect only Internet Explorer clients:

C.1.2.4.1 Failure to import CRL to Browser

Problem

The Internet Explorer Import... button does show the CRL for viewing, but it does not actually install the CRL into the browser.

Solution

Save the CRL to disk and use the following Internet Explorer menu command sequence: Tools -> Internet Options -> Content -> Certificates -> Import. This brings you to the Certificate Import Wizard; follow the steps indicated by the wizard to complete the import.

C.1.2.4.2 Message that a page contains both secure and non-secure information

Problem

In User Pages -> Manual Authentication -> Save CA certificate -> Advanced, clicking Help opens a new window that may display an error message saying that the page contains both secure and non-secure information. This is not a security breach.

C.1.2.4.3 Opening online Help can generate a security alert

Problem

When online help is opened while using OracleAS Certificate Authority, IE will display a security alert. It appears that the alert is generated whenever an https URL is in use and then a second https URL is invoked.

Solution

This behavior can be switched off by changing the security options under Tools -> Internet Options -> Security -> Custom Level. Under Settings, look for "Display Mixed Content" and select the enable option under that heading.

C.1.2.4.4 Message about generating an excessive number of certificate requests

Problem

Sometimes after generating many certificate requests using Internet Explorer, an additional dialog box may appear containing such a message.

Solution

You can continue by clicking "Yes", indicating you are generating certificate requests to a certification authority.

You can remove excess certificate requests using the instructions in the online Microsoft Internet Explorer guide, in the section "Deleting a Certificate Request".

C.1.2.4.5 VBScript error when importing a certificate

You may encounter the following VBScript error message when attempting to import a user certificate to the browser:

Failed to import certificate. Check your browser repository. Please contact Administrator.

This error occurs if an incorrect certificate key store was specified when submitting the request.

Solution

When requesting a new certificate on Internet Explorer, specify the correct key store, for example Microsoft Enhanced Cryptographic Provider v1.0. The Key Store choices presented on the certificate request screen vary, depending on the browser and the existence and type of smart card service on the machine where the certificate was requested. See "User Certificates Tab" in Chapter 8 for details.

C.1.3 Network Issues

The following network-related messages or issues may arise during OracleAS Certificate Authority operation:

C.1.3.1 Error message when logging on to OracleAS Certificate Authority using SSO username/password

Problem

The following message:

"Forbidden You don't have permission to access /oca/sso/ssoInitServlet on this server"

arises from an IP address check if a proxy server with multiple IP addresses is used between the browser and the OracleAS Single Sign-On server.

Solution

  • When the access is through an intranet, the browser should be configured not to use a proxy, following the instructions in the browser documentation.

  • If this is not the case, or if such a change does not solve the problem, then the value of the OssoIpCheck directive in the OracleAS Single Sign-On configuration file must be set to "off". To make this server-side change, navigate to the file located at

    $ORACLE_HOME/Apache/Apache/conf/mod_osso.conf

    and edit the line containing OssoIpCheck to say

    OssoIpCheck off
    
    
  • After modifying the configuration file, restart the Oracle HTTP Server by executing the following stop and start commands:

    dcmctl updateConfig -v -d 
    opmnctl stopproc process-type=HTTP_Server 
    opmnctl startproc process-type=HTTP_Server 
    opmnctl stopproc process-type=OC4J_SECURITY 
    opmnctl startproc process-type=OC4J_SECURITY
    

C.1.3.2 "Network Error" message

Problem

This message can arise when a browser requires re-authentication because an operation was attempted with Oracle Application Server Certificate Authority after some period of inactivity.

Solution

You need to re-authenticate yourself to OracleAS Certificate Authority by going to the Certificate Management tab and, when asked, choosing the Web Admin Certificate.

C.1.3.3 OracleAS Certificate Authority Stops Working, or Network/Server Messages Appear

Problem

These symptoms can arise when a configuration change has altered the connection strings that OracleAS Certificate Authority uses to connect to its repository or to Oracle Internet Directory (for publishing certificates). Changes can include altered ports or Real Application Clusters (RAC) nodes, for example. The messages may say "Cannot Establish Connection" or "Internal Server Error".

Solution

Enable OracleAS Certificate Authority to re-acquire the new connection strings by issuing the following command:

$ORACLE_HOME/oca/bin/ocactl updateconnection

Command completion updates the configuration file at $ORACLE_HOME/oca/conf/oca.conf.

After using this command, you must restart OracleAS Certificate Authority by issuing the following commands:

$ORACLE_HOME/oca/bin/ocactl stop

$ORACLE_HOME/oca/bin/ocactl start

C.1.4 Certificate Issues

The following issues relate primarily to certificates or certificate management:

C.1.4.1 Installing user certificate does not install CA certificate on Netscape/Mozilla

Problem

An attempt to install a user certificate does not succeed.

Solution

  • All CA/Sub CA certificates must contain the O (Organization) component in their Subject DN. The components mandatory in the CA/Sub CA DN are C, O, and CN each separated from the next by a comma.

  • When installing Oracle Application Server Certificate Authority, or regenerating the Root CA, users should input a DN that includes at least country, organization, and common name ("C, O, CN").

  • When installing a Sub CA, ensure that the DN of the CA signing certificate has O (organization) RDN in its subject DN.

C.1.4.2 Inability to Access or Use the Certificate Management Tab

Problem

Attempts to access or use the Certificate Management facility fail.

Solution

Before you can access Certificate Management, your browser must have imported a valid Web Administrator certificate. You must apply for and receive such a certificate before clicking Certificate Management. You do so in the Administration Setup tab, by clicking the button labeled Web Administrator Enrollment... .

C.1.4.3 Administrator Needs to Work from a Different Machine

Problem

An OracleAS Certificate Authority administrator may wish to do certificate management tasks from any of multiple machines. However, his Web Administrator certificate is contained in the browser of the machine he used when originally authenticating himself to be the OracleAS Certificate Authority Web Administrator.

Solution

To switch from one machine to another and maintain the ability to do certificate management tasks, you need to export the certificate from the previous browser and import it into the new browser, as follows:

  • Exporting the certificate on Netscape/Mozilla: Choose Security->Certificates->Yours->choose the Web Admin Cert ->Export

  • Importing the certificate on Netscape/Mozilla: Choose Security->Certificates->Yours->Import Certificate.

  • Exporting the certificate on Internet Explorer: Choose Internet options ->Content->Certificates->Personal-><choose your Web Admin Cert> ->Export

  • Importing the certificate on Internet Explorer: Choose Internet options->Content->Certificates->Personal->Import

C.1.5 Single Sign-on Issues

Some issues relate primarily to Single Sign-on capabilities:

C.1.5.1 Name shown on an SSO certificate appears only as "User"

Problem

These certificates do not show the common name or DN. They are distinguishable only by having different certificate serial numbers.

Solution

Click "View" to check the certificate serial number, and pick the certificate identified by the serial number you wish to use.

C.1.5.2 VBScript Error Message While Generating Keys

Problem

In Oracle Application Server Single Sign-On, you request a certificate by clicking "Submit" in the popup window. Since there is no message to wait and no visible indication of progress, users sometimes click "Submit" again, causing this error.

Solution

Try again, being sure to click "Submit" only once and to wait until the certificate is returned.

C.1.5.3 "Page can not be displayed" Message in Internet Explorer

Problem

After logging in to OracleAS Single Sign-On by name and password, but then changing authentication by choosing SSL, a known Internet Explorer bug gives the "Page cannot be displayed" error.

Solution

Try to reload the page. If that does not resolve the issue, exit from the current browser session, return to OracleAS Certificate Authority and try again.

C.1.5.4 Going to SSO login page in IE can get a security warning dialog

This is expected behavior; it is a warning that is issued due to switching from SSL protocol (https) to non-SSL protocol (http). No action is needed.

C.1.5.5 Certificate Acquired with Single Sign-on not Seen for SSL Authentication

Problem

After using the Mozilla browser to log in to OracleAS Single Sign-On, get a certificate, and import it, a user might still not see this just-imported certificate in the client authentication window.

Solution

  • If the user did not include "Authentication" among the intended usages specified when requesting the certificate, then that certificate will not appear in the client authentication box for authentication use.

    To confirm the chosen usages, search for the certificate by its the serial number and see its details. If the Usages do not show Client Authentication, then this certificate cannot be used for SSL authentication.

    The solution is to request a new certificate, ensuring that Authentication is specified as one of the usages for the certificate.

  • Another reason the certificate might not appear is that the CASSL certificate is unusable for some reason. In this case, the administrator must replace it.

C.1.6 Backup Protection Issue

The following issue relates to making recovery possible after a failure.

C.1.6.1 Ensuring Recoverability of the OracleAS Certificate Authority Internal Repository

Problem

Errors and unpredictable events can threaten the continuity of OracleAS Certificate Authority operations.

Solution

Take a backup of the metadata repository periodically. For details, see Oracle Application Server Administrator's Guide, particularly the sections on Backup Strategies and Procedures and Recovery Strategies and Procedures.

C.1.7 Recovery Issue

This section describes how to recover from a major issue affecting OracleAS Certificate Authority operation:

C.1.7.1 Clicking on the Certificate Management tab from the OracleAS Certificate Authority Administrative page returns a browser 404 error

Problem

Under certain conditions, the OracleAS Certificate Authority Administrator may be unable to access the Certificate Management page. The browser reports a 404/Page Not Found error. Possible conditions for this error include, but are not limited to, the following:

  • The administrator certificate is installed on one browser, but you try to access the Certificate Management page from a different browser.

  • When applying for the CA certificate, the DN's specified the machine name only, and the domain information was omitted. For example, "CN=asunmach17 admin user,C=US" was specified instead of "CN=asunmach17.us.mycompany.com admin user,C=US".

Solution

If the problem is due to incorrect domain information in the CA certificate, you must re-create the CA's SSL wallet and refresh affected components using these steps:


WARNING:

This is a last-resort workaround and is not to be used casually. Implement it only if you have exhausted other possibilities.


  1. Regenerate the new CA SSL wallet. Make sure the CN is the same as the host name; domain is optional.

    See "Regenerating the CA SSL and CA S/MIME Wallets" in Chapter 7 for details.

  2. Restart OHS.

  3. Once the CA certificate is regenerated, create the CASSL wallet. This operation is performed by the new CA.

  4. Restart OHS to pick up the new CA SSL wallet.

  5. Refresh the SSL session between the client's browser and the OracleAS Certificate Authority server.

C.1.8 General Issues

The following issues are general in nature and do not fall into the previous categories:

C.1.8.1 Pages taking too long to load, or hanging

Problem

Sometimes such delays can occur, possibly after OracleAS Certificate Authority has been in operation for a substantial period.

Solution

Restart OracleAS Certificate Authority's OC4J instance, which will return you to faster operations.

C.1.8.2 No SMIME signing certificate in Outlook Express

Problem

In some Windows environments, when you select the certificate for SMIME signing in Outlook Express, there is no certificate listed. The reason is that there is an installed version of Microsoft Outlook.

Solution

You will need to use Microsoft Outlook and not Outlook Express.

C.1.8.3 Browser warning about CA SSL Server's CN

Problem

This warning is raised if the CA SSL Server's CN is not identical to the machine name.

Solution

You will need to make the CN and machine name the same.

C.2 Need More Help?

You can find more solutions on Oracle MetaLink, http://metalink.oracle.com. If you do not find a solution for your problem, log a service request.


See Also:

Oracle Application Server Release Notes, available on the Oracle Technology Network: http://www.oracle.com/technology/documentation/index.html