Oracle® Application Server Certificate Authority Administrator's Guide
10g Release 2 (10.1.2) B14080-02
Oracle Application Server Certificate Authority (OCA) enables an organization to issue and manage digital certificates based on PKI (public key infrastructure) technology. With Oracle Application Server Certificate Authority's ease of administration and management, such certificates improve security and reduce the time and resources required for user authentication.
Oracle Application Server Certificate Authority enables end-entities (users and servers) to authenticate themselves using certificates that OracleAS Certificate Authority issues based on OracleAS Single Sign-On, SSL, or other pre-existing authentication methods. Use of these certificates makes authentication a speedier and more secure process, relying on certificate identification. Each certificate is published to Oracle Internet Directory when it is issued and removed when it expires or is revoked. Users can access the OracleAS Certificate Authority web interface to request issuance, revocation, or renewal of their own certificates. No special privilege is required for end-users to access the OracleAS Certificate Authority web interface. However, to get a certificate issued, revoked, or renewed, they must be already authenticated by OracleAS Single Sign-On or by SSL using a previously issued certificate from OCA. Otherwise, manual authentication by the OCA administrator is required.
This Oracle Application Server Certificate Authority Administrator's Guide explains how to perform administration and management of public key certificates.
This document is intended for:
administrators of Oracle Application Server Certificate Authority, who manage certificate requests and certificate-related operations, and
users of certificates issued by OCA, for authentication, encryption, and diverse other purposes.
Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at http://www.oracle.com/accessibility/
Accessibility of Code Examples in Documentation
Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.
Accessibility of Links to External Web Sites in Documentation
This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.
TTY Access to Oracle Support Services
Oracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the United States of America 24 hours a day, seven days a week. For TTY support, call 800.446.2398.
Oracle Application Server Certificate Authority is a component of Oracle Identity Management, an integrated infrastructure that provides distributed security services for Oracle products and other enterprise applications. The Oracle Identity Management infrastructure includes the following components and capabilities:
Oracle Internet Directory, a scalable, robust LDAP V3-compliant directory service implemented on the Oracle Database.
Oracle Directory Integration and Provisioning, part of Oracle Internet Directory, which enables synchronization between Oracle Internet Directory and other directories and user repositories. This service also provides automatic provisioning services for Oracle components and applications and, through standard interfaces, for third-party applications.
Oracle Delegated Administration Services, part of Oracle Internet Directory, which provides trusted proxy-based administration of directory information by users and application administrators.
Oracle Application Server Single Sign-On, which provides single sign-on access to Oracle and third party web applications.
Oracle Application Server Certificate Authority, which generates and publishes X.509 V3 PKI certificates to support strong authentication methods, secure messaging, and so on.
In addition to its use of SSL, OC4J, and HTTP Server, OCA has a built-in reliance on OracleAS Single Sign-On and Oracle Internet Directory. OracleAS Certificate Authority publishes each valid certificate in an Oracle Internet Directory entry for the DN in use, and supports certificate enrollment and saving or installing through Netscape, Internet Explorer, or Mozilla. OracleAS Single Sign-On and other components can rely on these Oracle Internet Directory entries because OracleAS Certificate Authority removes revoked certificates immediately from Oracle Internet Directory and, on a regular basis, expired certificates as well. The administrator also has the option of configuring OracleAS Certificate Authority to publish its URL through OracleAS Single Sign-On. This configuration choice causes every OracleAS Single Sign-On-authenticated user who lacks a certificate to see the OracleAS Certificate Authority page for requesting one. OracleAS Certificate Authority certificates can be used to authenticate to any Oracle component or to authorize use of any application that is OracleAS Single Sign-On-enabled.
In a typical enterprise application deployment, a single Oracle Identity Management infrastructure is deployed, consisting of multiple server and component instances. Such a configuration provides benefits that include high availability, information localization, and delegated component administration. Each additional application deployed in the enterprise then leverages the shared infrastructure for identity management services. This deployment model has a number of advantages, including:
One-time cost: Planning and implementing the identity management infrastructure becomes a one-time cost, rather than a necessary part of each enterprise application deployment. As a result, new applications such as portals, J2EE applications, and e-business applications can be rapidly deployed.
Central management: Managing identities is done centrally, even if administered in multiple places, and changes are instantly available to all enterprise applications.
User single sign-on: Having a centralized security infrastructure makes it possible to realize user single sign-on across enterprise applications.
Single point of integration: A centralized identity management infrastructure provides a single point of integration between the enterprise Oracle environment and other identity management systems, eliminating the need for multiple custom "point-to-point" integration solutions.
For more information about planning, deploying, and using the Oracle Identity Management infrastructure, see the Oracle Identity Management Administrator's Guide.
For the default deployment configuration of OCA, installation instructions appear in section 6.20 of the Oracle Application Server Installation Guide. For the recommended deployment configuration and installation procedure, see section 11.9 of that Guide.
For more information, see these Oracle resources:
Oracle Application Server Installation Guide
Oracle Application Server Single Sign-On Administrator's Guide
Oracle10i Backup and Recovery Advanced User's Guide
Oracle Advanced Security Administrator's Guide
Many of the examples in this book use the sample schemas of the seed database, which is installed by default when you install Oracle. Refer to Oracle10i Sample Schemas for information on how these schemas were created and how you can use them yourself.
The following text conventions are used in this document:
Convention | Meaning
---|---
boldface | Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.
italic | Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.
monospace | Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.