Oracle Workflow Administrator's Guide
Release 2.6.3.5
Part Number B12160-02
Step 13 Setting Up for Electronic Signatures
In Oracle Applications, notifications can require that a user's response be signed by a password-based signature or a certificate-based digital signature. Perform the following setup steps to enable users to provide these signatures.
Note: Electronic signatures are currently supported only for the version of Oracle Workflow embedded in Oracle Applications.
See Also
#WF_SIG_POLICY Attribute, Oracle Workflow Developer's Guide
Implementing Password-based Signatures with Single Sign-On
Oracle Workflow supports password-based signatures for notifications based on Oracle Application Object Library (FND) passwords. If you maintain your directory service based on Oracle Application Object Library users and passwords, no additional setup is required. However, if you have implemented single sign-on functionality for your site through Oracle Internet Directory (OID), and you want to use password-based signatures, you must perform the following steps.
1. Set the Applications SSO Login Types profile option to either Local or Both at user level for all users who need to enter password-based signatures.
2. Ensure that these users have valid passwords defined in Oracle Application Object Library. See: Managing Oracle Applications Security, Oracle Applications System Administrator's Guide.
For more information, see: Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On (OracleMetaLink note 261914.1).
Loading Certificates for Digital Signatures
If a notification requires a certificate-based digital signature, the user must sign the response with a valid X.509 certificate issued by a certificate authority. Before users can sign responses with their certificates, you must load these certificates into your Oracle Applications database using the Workflow Certificate Loader.
When you load a certificate, you must also specify the Oracle Applications user to whom that certificate is assigned. Oracle Workflow uses this information to validate that the user attempting to sign with a certain certificate is the same user to whom that certificate is assigned.
A user can have more than one certificate assigned to him or her. However, each certificate can only be assigned to one user. Additionally, after you have loaded a certificate for a user, you cannot delete it from the database or assign it to a different user. If a certificate is incorrectly assigned, the user to whom it belongs must revoke it and obtain a new certificate instead.
You can load several certificates at once by listing the information for all the certificates in a data file for the loader. You can also load a single certificate by specifying the certificate information in the command line for the loader.
Note: If your users access Oracle Applications with Microsoft Internet Explorer, ensure that you also set the Browser Signing DLL Location global preference in the Workflow Configuration page. See: To Set Global Preferences for Oracle Workflow Embedded in Oracle Applications.
To load certificates for digital signatures:
1. For each certificate, obtain the following information:
- The Oracle Applications user name of the user to whom the certificate belongs.
- The personal certificate itself, in the DER encoded binary X.509 format. The certificate should be provided as a file with an extension of .cer.
- The root certificate of the certificate authority that issued the personal certificate, as well as any intermediate certificates required for this type of personal certificate.
- A URL for each root and intermediate certificate, specifying the location from which the corresponding Certificate Revocation List (CRL) can be downloaded.
Note: You only need to load the root certificate for a particular certificate authority, and the intermediate certificates for a particular type of certificate, once. If you already loaded the root and intermediate certificates required for a new personal certificate, you can simply load the personal certificate without reloading the others.
2. If you want to load several certificates at once, create a data file for the Workflow Certificate Loader that specifies the location of the certificates to be loaded and the users to whom they belong. The data file should be a text file containing one entry for each root, intermediate, or personal certificate to be loaded.
All certificate entries in the file must appear in the order of the certification path, beginning with the root certificate for the certificate authority, followed by any intermediate certificates and then by the personal certificate. However, if the root or intermediate certificates required for a particular personal certificate were loaded previously, you do not need to reload them.
Each certificate entry must be a single line. For a root or intermediate certificate, use the following format:
user=CA; domain=CA; filename=<certificate_file>; crl_url=<URL>
where <certificate_file> is the full path and file name specifying the location of the certificate file, and <URL> is the location from which the corresponding Certificate Revocation List (CRL) can be downloaded.
For a personal certificate, use the following format:
user=<user_name>; domain=U; filename=<certificate_file>
where <user_name> is the Oracle Applications user name of the user to whom the certificate belongs, and <certificate_file> is the full path and file name specifying the location of the certificate file.
You can also include comments in the data file. Start each comment line with a number sign (#).
The following example shows a sample data file. Note that although the lines may appear to wrap in this document, each certificate entry is a single line in the data file.
#Root certificate for certificate authority myCA
user=CA; domain=CA; filename=/certs/myCA.cer; crl_url=http://myCA.com/myCA.crl
#
#Personal certificate for user BLEWIS
user=BLEWIS; domain=U; filename=/certs/blewis.cer
3. To load several certificates at once using a data file, run the Workflow Certificate Loader with the following command:
java oracle.apps.fnd.wf.DigitalSignature.loader.CertificateLoader [-v] <user_name> <password> <connect_string> <data_file>
You can optionally specify the -v option to run the Workflow Certificate Loader in verbose mode, displaying additional diagnostic information in the output.
Replace the variables with your parameters as follows:
- <user_name> - The user name of your Oracle Applications database account.
- <password> - The password for your Oracle Applications database account.
- <connect_string> - The connect string for the database, including the host name, TNS port number, and database system identifier (SID) in the following format: <host_name>:<port_number>:<database_SID>
- <data_file> - The full path and file name specifying the location of the data file you created in the previous step.
For example:
java oracle.apps.fnd.wf.DigitalSignature.loader.CertificateLoader -v apps apps myserv:4105:mySID myCertData.txt
Note: The database password is passed as a plain command line argument, so it is visible to other users of the host in process listings and is normally recorded in the shell history. Run the loader from a session whose history is disabled or clear the history afterward, and do not embed the password in scripts or scheduled jobs.
4. To load a single certificate without using a data file, run the Workflow Certificate Loader specifying the certificate information in the command line. For a root or intermediate certificate, use the following command:
java oracle.apps.fnd.wf.DigitalSignature.loader.CertificateLoader [-v] -s <user_name> <password> <connect_string> user=CA domain=CA filename=<certificate_file> crl_url=<URL>
For a personal certificate, use the following command:
java oracle.apps.fnd.wf.DigitalSignature.loader.CertificateLoader [-v] -s <user_name> <password> <connect_string> user=<user_name> domain=U filename=<certificate_file>
You can optionally specify the -v option to run the Workflow Certificate Loader in verbose mode, displaying additional diagnostic information in the output.
Replace the variables with your parameters as follows (note that <user_name> appears twice with different meanings):
- <user_name> (first argument after -s) - The user name of your Oracle Applications database account.
- <password> - The password for your Oracle Applications database account.
- <connect_string> - The connect string for the database, including the host name, TNS port number, and database system identifier (SID) in the following format: <host_name>:<port_number>:<database_SID>
- <user_name> (in the user= argument) - The Oracle Applications user name of the user to whom the personal certificate belongs.
- <certificate_file> - The full path and file name specifying the location of the certificate file.
- <URL> - The location from which the corresponding Certificate Revocation List (CRL) for the root or intermediate certificate can be downloaded.
For example:
java oracle.apps.fnd.wf.DigitalSignature.loader.CertificateLoader -s apps apps myserv:4105:mySID user=BLEWIS domain=U filename=/certs/blewis.cer
Note: You can display a help message describing the usage of the Workflow Certificate Loader by specifying the -h option with the following command:
java oracle.apps.fnd.wf.DigitalSignature.loader.CertificateLoader -h
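The following Python script is an added example and is not part of Oracle Workflow or of this guide. It checks a loader data file against the rules given in step 2 (one entry per line, # comment lines, the user/domain/filename/crl_url fields, CA entries before the personal certificates that depend on them, one user per certificate file) and confirms that each referenced .cer file is DER encoded rather than PEM, so that the "Certdatafile not in proper format", "Certificate already associated with another user" and "Unable to create certificate object from file" conditions listed under Troubleshooting are caught before the loader connects to the database. The sample data file and certificate bytes are constructed for the example; the DER check inspects only the outer ASN.1 SEQUENCE header and does not validate the certificate itself.

```python
"""Pre-flight check for a Workflow Certificate Loader data file (added example,
not Oracle's code). It enforces the rules this page states: one entry per line,
'#' comments, fields user/domain/filename/crl_url, CA entries use user=CA and a
crl_url, U entries name an application user and follow their CA chain, and each
certificate file is DER-encoded X.509. The DER test is structural only (outer
SEQUENCE tag plus a declared length equal to the file size)."""
from typing import Callable, Dict, List, NamedTuple, Optional

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
FIELDS = ("user", "domain", "filename", "crl_url")
Entry = NamedTuple("Entry", [("line_no", int), ("user", str), ("domain", str),
                             ("filename", str), ("crl_url", Optional[str])])

def parse_entry(line: str, line_no: int) -> Entry:
    """Parse one 'key=value; key=value' entry; raise ValueError on bad syntax."""
    fields: Dict[str, str] = {}
    for part in filter(None, (p.strip() for p in line.split(";"))):
        key, sep, value = (s.strip() for s in part.partition("="))
        if not sep or key not in FIELDS or not value or key in fields:
            raise ValueError(f"line {line_no}: malformed or duplicate field {part!r}")
        fields[key] = value
    missing = [k for k in ("user", "domain", "filename") if k not in fields]
    if missing:
        raise ValueError(f"line {line_no}: missing field(s) {missing}")
    return Entry(line_no, fields["user"], fields["domain"],
                 fields["filename"], fields.get("crl_url"))

def parse_data_file(text: str) -> List[Entry]:
    """Split the file into entries, skipping blank lines and '#' comments."""
    lines = enumerate((l.strip() for l in text.splitlines()), start=1)
    return [parse_entry(l, n) for n, l in lines if l and not l.startswith("#")]

def der_problem(data: bytes) -> Optional[str]:
    """None if data looks like a DER X.509 file, else the reason it does not."""
    if data.startswith(PEM_HEADER):
        return "PEM (Base64) encoded; the loader needs DER"
    if len(data) < 4 or data[0] != 0x30:
        return "does not start with an ASN.1 SEQUENCE tag (0x30)"
    lb = data[1]                              # length octet(s) follow the tag
    if lb >= 0x80 and not 0x81 <= lb <= 0x84:
        return "indefinite or oversized length encoding is not DER"
    n = lb & 0x7F if lb >= 0x80 else 0        # long form: n more bytes hold the length
    total = 2 + n + (int.from_bytes(data[2:2 + n], "big") if n else lb)
    if total != len(data):
        return f"declared length {total} does not match file size {len(data)}"
    return None

def validate(text: str, read_file: Callable[[str], bytes],
             ca_already_loaded: bool = False) -> List[str]:
    """Return the problems found; an empty list means the file is ready to load.
    read_file is injected so the check can run against in-memory test data."""
    try:
        entries = parse_data_file(text)
    except ValueError as exc:
        return [str(exc)]
    problems, owner, ca_seen = [], {}, ca_already_loaded
    for e in entries:
        w = f"line {e.line_no}"
        if e.domain == "CA":
            if e.user != "CA" or not e.crl_url:
                problems.append(f"{w}: CA entries need user=CA and a crl_url")
            ca_seen = True
        elif e.domain == "U":
            if e.user == "CA" or e.crl_url:
                problems.append(f"{w}: U entries name a real user and carry no crl_url")
            if not ca_seen:
                problems.append(f"{w}: no CA certificate precedes this personal certificate")
        else:
            problems.append(f"{w}: domain must be CA or U, not {e.domain!r}")
        if owner.setdefault(e.filename, e.user) != e.user:   # one certificate, one user
            problems.append(f"{w}: {e.filename} already listed for user {owner[e.filename]}")
        try:
            reason = der_problem(read_file(e.filename))
        except (OSError, KeyError) as exc:    # OSError from disk, KeyError from the dict store
            reason = f"cannot read: {exc}"
        if reason:
            problems.append(f"{w}: {e.filename}: {reason}")
    return problems

# Constructed sample input: the page's example data file plus two bad entries,
# backed by an in-memory file store so the check runs offline.
SAMPLE_DATA_FILE = """\
#Root certificate for certificate authority myCA
user=CA; domain=CA; filename=/certs/myCA.cer; crl_url=http://myCA.com/myCA.crl
#Personal certificate for user BLEWIS
user=BLEWIS; domain=U; filename=/certs/blewis.cer
#Same certificate file listed again for another user: must be rejected
user=SMITH; domain=U; filename=/certs/blewis.cer
#A PEM (Base64) file supplied by mistake
user=JONES; domain=U; filename=/certs/jones.cer
"""
FAKE_DER = b"\x30\x82\x01\x00" + b"\xA5" * 256   # SEQUENCE, long-form length 256
SAMPLE_FILES = {"/certs/myCA.cer": FAKE_DER, "/certs/blewis.cer": FAKE_DER,
                "/certs/jones.cer": PEM_HEADER + b"\nMIIBfake\n-----END CERTIFICATE-----\n"}

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE_DATA_FILE, SAMPLE_FILES.__getitem__)) or "OK")
```

To run it against a real data file, pass a reader that opens the path, for example lambda p: open(p, "rb").read(). If a certificate turns out to be PEM, convert it with openssl x509 -inform PEM -outform DER -in <file>.pem -out <file>.cer before loading. On a host without a graphical certificate viewer, openssl x509 -inform DER -in <certificate_file> -noout -text prints the certificate's subject, issuer and validity period, which is the same check the Troubleshooting section describes for Windows.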
Troubleshooting the Workflow Certificate Loader
The following list shows Workflow Certificate Loader error messages and suggested steps to resolve them.
- No parent certificate found for certificate - The loader could not locate the root or intermediate certificate that should precede the current certificate in the certificate path. Ensure that either the parent certificate is already loaded to the database, or a valid entry for the parent certificate appears before the entry for the current certificate in the data file.
- Unable to create certificate object from file - The data in the certificate file may be corrupted, or the file may not be in the expected encoding. Check that the certificate is valid by opening it in a certificate viewer (for example, by double-clicking the file in Windows) and viewing its status. Also, ensure that the certificate is stored in the DER encoded binary X.509 format rather than the Base64 (PEM) text format.
- FND USER does not exist - The user name specified in a certificate entry in the data file is not defined as an Oracle Applications user. Ensure that the user name is specified as either CA for a certificate authority or a valid Oracle Applications user name for an individual user.
- Certificate already associated with another user - The certificate has already been loaded to the database and assigned to a different user. If a certificate is incorrectly assigned, the user to whom it belongs must revoke it and obtain a new certificate instead.
- Certdatafile not in proper format - The data file for the loader does not follow the required format. Ensure that the data file contains only certificate entries and comments, each certificate entry is a single line containing the appropriate arguments, and each comment line begins with a number sign (#).
- The Network Adapter could not establish the connection - The loader was unable to connect to the database using the specified parameters. Ensure that you specify the correct database user name, password, and connect string when you run the loader.
- Illegal Argument Exception - The loader could not process the parameters provided in the run command. Ensure that you specify the loader parameters in the required format.
Copyright © 2003, 2004, Oracle. All rights reserved.