Oracle® Application Server Certificate Authority Administrator's Guide 10g Release 2 (10.1.2)
B14080-02
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Oracle Identity Management
Related Documentation
Conventions
1 Public Key Infrastructure and OracleAS
  1.1 What Is a PKI?
    1.1.1 Key Pairs
    1.1.2 Certification Authority (CA) and Digital Certificates
      1.1.2.1 CA Signing
      1.1.2.2 Levels of Trust
      1.1.2.3 Contents and Uses of a Digital Certificate
      1.1.2.4 Containers for PKI Credentials
    1.1.3 Registration Authority (RA)
  1.2 Benefits of a PKI
  1.3 Introduction to the OracleAS PKI
    1.3.1 Earlier Costs and Difficulties
    1.3.2 Benefits of the OracleAS PKI
    1.3.3 Components of the OracleAS PKI
      1.3.3.1 Containers, Oracle Wallets, and Oracle Wallet Manager (OWM)
      1.3.3.2 Secure Sockets Layer (SSL)
      1.3.3.3 Oracle Internet Directory and Single Sign-on (SSO)
      1.3.3.4 Oracle Application Server Certificate Authority
2 Identity Management and OracleAS Certificate Authority Features
  2.1 Identity Management Components and Architecture
    2.1.1 Oracle Identity Management
    2.1.2 Leveraging Oracle Identity Management in the Enterprise
    2.1.3 Role of Oracle Identity Management in the Oracle Security Architecture
    2.1.4 Role of OracleAS Certificate Authority in Oracle Identity Management
    2.1.5 Simplified Provisioning through SSO Integration
    2.1.6 Third Party PKI Support in Oracle Identity Management
  2.2 Key Features of Oracle Application Server Certificate Authority
    2.2.1 Support for Open Standards
    2.2.2 Flexible Policy
    2.2.3 Ease of Use for Administrators and End Users
    2.2.4 Globalization Support for OCA Screens
    2.2.5 Scalability, Performance, and High Availability
    2.2.6 Secure Email Through S/MIME Digital Encryption and Signing
  2.3 Automatic or Manual Provisioning of Certificates
    2.3.1 Oracle Single Sign-on Authentication
    2.3.2 Certificate-based Authentication Using Secure Socket Layer (SSL)
    2.3.3 Manual Approval
  2.4 Hierarchical Certificate Authority Support
3 OracleAS Certificate Authority Deployment Guidelines
  3.1 Road Map for Setting up a Certificate Authority
  3.2 Certificate Requirements and Policies
    3.2.1 Define Certificate Requirements and Properties
      3.2.1.1 Certificate Provisioning
      3.2.1.2 Certificate Types
      3.2.1.3 Certificate Properties
      3.2.1.4 Certificate Renewal and Revocation
      3.2.1.5 Distributing the CA Certificate
    3.2.2 Define Certificate Policies and Practices
    3.2.3 Define CRL Policies
    3.2.4 Define Alerts and Notifications
  3.3 Planning your OracleAS Certificate Authority Architecture
    3.3.1 CA Trust Hierarchy
      3.3.1.1 Online and Offline CAs
    3.3.2 Securing the CA
  3.4 Deployment Considerations and Base Scenarios
    3.4.1 Required Components for OracleAS Certificate Authority
    3.4.2 Default Deployment
    3.4.3 Production Deployment
    3.4.4 DMZ Deployment
    3.4.5 High Availability Deployment Options
      3.4.5.1 Cold Failover Cluster
      3.4.5.2 Disaster Recovery
      3.4.5.3 Cold Failover Cluster and Disaster Recovery
  3.5 OracleAS Certificate Authority Implementation and Use Case
    3.5.1 Implementation Checklist
    3.5.2 Use Case: MyPKIsite.com
      3.5.2.1 Scenario
      3.5.2.2 Administrative Roles
      3.5.2.3 CA Hierarchy for MyPKIsite.com
      3.5.2.4 User Entries in Oracle Internet Directory
      3.5.2.5 Component Instances
      3.5.2.6 Certificate Requirements for MyPKIsite.com
      3.5.2.7 Security Considerations
      3.5.2.8 High Availability Considerations
      3.5.2.9 Detailed Implementation Checklist for MyPKIsite.com
4 Introduction to Administration and Certificate Management
  4.1 Starting and Stopping Oracle Application Server Certificate Authority
  4.2 Requesting the Administrator Certificate
  4.3 Replacing the Administrator Certificate
  4.4 Overview of the OracleAS Certificate Authority Administration Interface
    4.4.1 Certificate Management Tab
  4.5 Managing Certificates
    4.5.1 Approving or Rejecting Certificate Requests
      4.5.1.1 To Approve a Certificate Request
      4.5.1.2 To Reject a Certificate Request
    4.5.2 Viewing Details of Certificates
    4.5.3 Revoking Certificates
      4.5.3.1 Reasons for Revocation
    4.5.4 Renewing Certificates
    4.5.5 Listing a Single Certificate Request or Issued Certificate
    4.5.6 Using Advanced Search
      4.5.6.1 Search Certificate Requests using Request Status
      4.5.6.2 Search Using DN (Distinguished Name)
      4.5.6.3 Search Using Advanced DN
      4.5.6.4 Search Using Serial Number Range
      4.5.6.5 Search Using Certificate Status
  4.6 Updating the Certificate Revocation List (CRL)
  4.7 Oracle Internet Directory Integration
    4.7.1 Retrieving the Certificate Revocation List
  4.8 Single Sign-on and OracleAS Certificate Authority
    4.8.1 Broadcasting the OracleAS Certificate Authority Certificate Request URL to SSO-Authenticated Users
    4.8.2 Bringing SSO-Authenticated Users to the OracleAS Certificate Authority Certificate Request URL
    4.8.3 User Certificates and SSO Usage
  4.9 Default Install Values for OracleAS Certificate Authority
    4.9.1 Enabling PKI Authentication with SSO and OracleAS Certificate Authority
5 Configuring Oracle Application Server Certificate Authority
  5.1 Structure of the Administration Interface
  5.2 Configuration Management Tab
    5.2.1 Summary of Configuration Tasks
    5.2.2 Notification Sub-tab
      5.2.2.1 Mail Details
      5.2.2.2 Alerts
      5.2.2.3 Scheduled Jobs
    5.2.3 Email Templates
      5.2.3.1 Values for the tokens
    5.2.4 General Sub-tab
      5.2.4.1 Certificate Publishing
      5.2.4.2 SSL and SSO Authentication
      5.2.4.3 Default usage for client certificates
      5.2.4.4 Subject Alternate Name Extension
      5.2.4.5 Logging and Tracing
      5.2.4.6 Default Base DN Components
      5.2.4.7 Database Settings
      5.2.4.8 Directory Settings
  5.3 View Logs Tab
6 Managing Policies in Oracle Application Server Certificate Authority
  6.1 Definitions
  6.2 Overview of Policy Management
  6.3 Oracle Application Server Certificate Authority Policies
    6.3.1 RSAKeyConstraints
    6.3.2 ValidityRule
    6.3.3 UniqueCertificateConstraint
    6.3.4 RevocationConstraints
    6.3.5 RenewalRequestConstraint
  6.4 Policy Sub-tab of Oracle Application Server Certificate Authority
    6.4.1 Default Certificate Request Policies
    6.4.2 Default Certificate Revocation Policy
    6.4.3 Certificate Renewal Policy as Shipped
    6.4.4 TrustPointDNCustomRule as Shipped
    6.4.5 Policy Actions
      6.4.5.1 Edit
      6.4.5.2 Enable or Disable
      6.4.5.3 Delete
      6.4.5.4 Reordering Policies
      6.4.5.5 Adding Policies
  6.5 Predicates in Policy Rules
    6.5.1 Multiple Predicate Evaluation
      6.5.1.1 Evaluation Example for Multiple Predicates
      6.5.1.2 One Further Example of Evaluating Multiple Predicates
      6.5.1.3 Reordering Predicates
      6.5.1.4 Adding Predicates
  6.6 Developing a Custom Policy Plug-in
    6.6.1 What Processing Does a Policy Do?
    6.6.2 Steps in Creating a New Policy Plug-in
    6.6.3 Rules for Custom Policies
    6.6.4 An Example of a Custom Policy Plug-in
    6.6.5 Generic Error Messages
7 OracleAS Certificate Authority Administration: Advanced Topics
  7.1 Wallet Operations for OracleAS Certificate Authority
    7.1.1 Regenerating the CA Signing Wallet
    7.1.2 Regenerating the CA SSL and CA S/MIME Wallets
      7.1.2.1 The CA SSL Wallet
      7.1.2.2 The CA S/MIME Wallet
    7.1.3 Renewing Critical Wallets
    7.1.4 Changing Passwords
  7.2 Configuration Operations for OracleAS Certificate Authority
    7.2.1 Configuring Oracle HTTP Server to Use a Third Party SSL Wallet
    7.2.2 Revoking a Certificate Authority Certificate
    7.2.3 Revoking the OracleAS Certificate Authority Web Administrator's Certificate
    7.2.4 Configuring Globalization Support for Screens
  7.3 Performance Tuning for OracleAS Certificate Authority
    7.3.1 Tuning Database Connections
    7.3.2 Tuning Interactions with OracleAS Single Sign-On
    7.3.3 Tuning Maximum Memory
    7.3.4 Tuning Oracle Internet Directory Connections
    7.3.5 Tuning Other Components
  7.4 Customization Support
  7.5 Log or Trace OracleAS Certificate Authority Actions
    7.5.1 Clearing Log or Trace Information for OracleAS Certificate Authority
  7.6 Changing the Infrastructure Services
    7.6.1 Changing Identity Management (IM) Services
    7.6.2 Changing Metadata Repository (MR) Services
    7.6.3 Where Connection Information Is Stored and Displayed
  7.7 OracleAS Certificate Authority and High-Availability Features
    7.7.1 OracleAS Certificate Authority Deployment Using Cold Failover
    7.7.2 OracleAS Certificate Authority Deployment Using Real Application Clusters
  7.8 OracleAS Certificate Authority Backup and Recovery Considerations
  7.9 Restricting the Realm of Certificate Publication
  7.10 Replacing the CA and Deinstalling OracleAS Certificate Authority
8 End-User Interface of the Oracle Application Server Certificate Authority
  8.1 Accessing the User Interface
  8.2 End-User Tabs and Processes
    8.2.1 User Certificates Tab
      8.2.1.1 Single Sign-on Authentication (SSO)
      8.2.1.2 Configuring Your Browser to Trust OracleAS Certificate Authority
      8.2.1.3 Secure Sockets Layer (SSL) Authentication
      8.2.1.4 Manual Authentication
    8.2.2 Certificate Retrieval, Renewal, and Revocation
      8.2.2.1 Certificate Retrieval
      8.2.2.2 Certificate Renewal
      8.2.2.3 Certificate Revocation
    8.2.3 Server/SubCA Certificates Tab
    8.2.4 Subordinate CA Certificates
  8.3 Installing a CA Certificate
  8.4 Handling Certificate Revocation Lists (CRLs)
    8.4.1 Installing a CRL into Your Browser
      8.4.1.1 Installing the CRL In Netscape 7.x and Mozilla Firefox
      8.4.1.2 Installing the CRL In Internet Explorer (IE)
    8.4.2 Saving the Binary or BASE64 CRL to Disk
  8.5 Importing a Newly Issued Certificate to Your Browser
  8.6 Exporting (Backing up) Your Wallet from Your Browser
  8.7 Importing a Certificate from Your File System
A Command-Line Administration
  A.1 Command-Line Tool
  A.2 Converting a CA SSL Server Wallet into SSO Form
  A.3 Starting the Oracle Certificate Authority Server
  A.4 Stopping the Oracle Application Server Certificate Authority Server
  A.5 Finding the Status of the Oracle Certificate Authority Services
  A.6 Changing Privileged Passwords
  A.7 Regenerating the Root Certificate Authority's Certificate
  A.8 Regenerating the Certificate Authority's SSL Certificate and Wallet
  A.9 Revoking a Root CA Certificate
  A.10 Generating a Sub CA Signing Wallet from OracleAS Certificate Authority
  A.11 Installing/Importing a Sub CA Signing Wallet
  A.12 Generating a CA SSL Wallet for a Sub CA
  A.13 Clearing Log or Trace Storage
  A.14 Updating OracleAS Certificate Authority Repository Connection Information
  A.15 Setting SSO Authentication (linksso, unlinksso commands)
  A.16 Setting Log/Trace Options
B Setting up a CA Hierarchy
  B.1 Generating a Sub CA Signing Wallet
  B.2 Installing and Using the New Sub CA Signing Wallet
    B.2.1 Configuring an OracleAS Certificate Authority Instance to Be a Subordinate CA of Another CA
    B.2.2 Generating CA SSL and CA SMIME Wallets for a Sub CA
C Troubleshooting OracleAS Certificate Authority
  C.1 Problems and Solutions
    C.1.1 Prerequisite Issues and Warnings
      C.1.1.1 Key Pair Generation Fails during Certificate Requests on Windows
      C.1.1.2 Cannot Log in as Administrator after Logging in as Normal User
      C.1.1.3 Changing Passwords Requires OracleAS Certificate Authority's Command-line Tool ocactl
      C.1.1.4 Remembering and Restoring the Metadata Repository Password
      C.1.1.5 Using ocactl raises "Error:Password store missing" message
    C.1.2 Browser Issues
      C.1.2.1 Browser issues a warning if the CA SSL Server's CN does not match the machine name
      C.1.2.2 Certificate list shows all users as "Users"
      C.1.2.3 Netscape/Mozilla Issues
      C.1.2.4 Internet Explorer (IE) Issues
    C.1.3 Network Issues
      C.1.3.1 Error message when logging on to OracleAS Certificate Authority using SSO username/password
      C.1.3.2 "Network Error" message
      C.1.3.3 OracleAS Certificate Authority Stops Working, or Network/Server Messages Appear
    C.1.4 Certificate Issues
      C.1.4.1 Installing user certificate does not install CA certificate on Netscape/Mozilla
      C.1.4.2 Inability to Access or Use the Certificate Management Tab
      C.1.4.3 Administrator Needs to Work from a Different Machine
    C.1.5 Single Sign-on Issues
      C.1.5.1 Name shown on an SSO certificate appears only as "User"
      C.1.5.2 VBScript Error Message While Generating Keys
      C.1.5.3 "Page can not be displayed" Message in Internet Explorer
      C.1.5.4 Going to SSO login page in IE can get a security warning dialog
      C.1.5.5 Certificate Acquired with Single Sign-on not Seen for SSL Authentication
    C.1.6 Backup Protection Issue
      C.1.6.1 Ensuring Recoverability of the OracleAS Certificate Authority Internal Repository
    C.1.7 Recovery Issue
      C.1.7.1 Clicking on the Certificate Management tab from the OracleAS Certificate Authority Administrative page returns a browser 404 error
    C.1.8 General Issues
      C.1.8.1 Pages taking too long to load, or hanging
      C.1.8.2 No SMIME signing certificate in Outlook Express
      C.1.8.3 Browser warning about CA SSL Server's CN
  C.2 Need More Help?
D Extensions
  D.1 Certificate Usage
    D.1.1 Policy Application to Certificates
E Enabling SSL and PKI on SSO
  E.1 Enabling SSL on SSO
  E.2 Enabling PKI on SSO
  E.3 Re-registering the Virtual Host with the SSL-Enabled SSO
    E.3.1 Example of Re-Registration
F External Access to Protected OracleAS Certificate Authority
  F.1 Enabling OracleAS Certificate Authority to Support Proxy Servers
  F.2 Disabling OracleAS Certificate Authority's Support for Proxy Servers
G S/MIME with OracleAS Certificate Authority
  G.1 SMIME Operations
    G.1.1 Setup
      G.1.1.1 Getting certificates
      G.1.1.2 Setting S/MIME parameters
    G.1.2 Sending Messages
      G.1.2.1 Outlook Mail Client
      G.1.2.2 Mozilla/Netscape Mail Client
    G.1.3 Receiving Messages
      G.1.3.1 Outlook Mail Client
      G.1.3.2 Mozilla/Netscape Mail Client
    G.1.4 Getting Other People's Encryption Certificates
H Configuring OracleAS WebCache for OracleAS Certificate Authority
  H.1 Install OracleAS WebCache
  H.2 Configure OracleAS WebCache for OracleAS Certificate Authority
  H.3 Configure OracleAS Certificate Authority Virtual Hosts for OracleAS WebCache
  H.4 Enable OracleAS WebCache for OracleAS Certificate Authority
I The Oracle Application Server Certificate Authority Web Interface
  I.1 Windows and Fields in the Administration Interface
    I.1.1 Web Administrator Enrollment--Advanced DN
    I.1.2 Advanced Screen
    I.1.3 Certificate Details
    I.1.4 Certificate Request Rejection
    I.1.5 Certificate Request Approval - Manual
    I.1.6 Requests Page
    I.1.7 Adding Custom Policies
      I.1.7.1 Related Topics
    I.1.8 Edit RenewalRequestConstraint
      I.1.8.1 Parameter Details
      I.1.8.2 Predicate Details
      I.1.8.3 Related Topics
    I.1.9 Edit RevocationConstraintRule
      I.1.9.1 Parameter Details
      I.1.9.2 Predicate Details
      I.1.9.3 Related Topics
    I.1.10 Edit RSAKeyConstraints
      I.1.10.1 Parameter Details
      I.1.10.2 Predicate Details
      I.1.10.3 Related Topics
    I.1.11 Edit TrustPointDNCustomRule
    I.1.12 Edit UniqueCertificateConstraints
    I.1.13 Edit ValidityRule
    I.1.14 Configuration Management -- General
    I.1.15 Configuration Management -- Notification
    I.1.16 Configuration Management -- Policy
    I.1.17 Update Certificate Revocation List
    I.1.18 Welcome to the OracleAS Certificate Authority Administration Pages
    I.1.19 Web Administrator Enrollment
    I.1.20 View Logs
  I.2 Windows and Fields in the End-User Interface
    I.2.1 Advanced Search Screen
    I.2.2 Authentication Page
    I.2.3 CA Certificate Details
    I.2.4 Save CA Certificate
    I.2.5 Certificate Approval--Single Sign-On, SSL
    I.2.6 Certificate Details
    I.2.7 Certificate Request Form
    I.2.8 Certificate Revocation List
    I.2.9 Revocation Reason
    I.2.10 Certificate Request Form--Advanced
    I.2.11 Server/SubCA Certificates
    I.2.12 Server/SubCA Certificate Request
    I.2.13 Certificate Request Form - SSL Authentication
    I.2.14 SSO Certificate Request Form
    I.2.15 User Certificates - Manual Authentication
    I.2.16 User Certificates - SSL Authentication
    I.2.17 User Certificates - SSO Authentication
    I.2.18 Welcome to the OracleAS Certificate Authority User Pages
Glossary
Index