Contents
- Intended Audience
- Documentation Accessibility
- Oracle Identity Management
- Structure
- Related Documentation
- Conventions
- 1.1 What Is a PKI?
- 1.1.1 Key Pairs
- 1.1.2 Certification Authority (CA) and Digital Certificates
- 1.1.2.1 CA Signing
- 1.1.2.2 Levels of Trust
- 1.1.2.3 Contents and Uses of a Digital Certificate
- 1.1.2.4 Containers for PKI Credentials
- 1.1.3 Registration Authority (RA)
- 1.2 Benefits of a PKI
- 1.3 Introduction to the OracleAS PKI
- 1.3.1 Earlier Costs and Difficulties
- 1.3.2 Benefits of the OracleAS PKI
- 1.3.3 Components of the OracleAS PKI
- 1.3.3.1 Containers, Oracle Wallets, and Oracle Wallet Manager (OWM)
- 1.3.3.2 Secure Sockets Layer (SSL)
- 1.3.3.3 Oracle Internet Directory and Single Sign-on (SSO)
- 1.3.3.4 Oracle Application Server Certificate Authority
- 2.1 Identity Management Components and Architecture
- 2.1.1 Oracle Identity Management
- 2.1.2 Leveraging Oracle Identity Management in the Enterprise
- 2.1.3 Role of Oracle Identity Management in the Oracle Security Architecture
- 2.1.4 Role of OracleAS Certificate Authority in Oracle Identity Management
- 2.1.5 Simplified Provisioning through SSO Integration
- 2.2 Key Features of Oracle Application Server Certificate Authority
- 2.2.1 Support for Open Standards
- 2.2.2 Flexible Policy
- 2.2.3 Ease of Use for Administrators and End Users
- 2.2.4 National Language Support (NLS) for OCA Screens
- 2.2.5 Scalability, Performance, and High Availability
- 2.3 Automatic or Conventional Provisioning
- 2.3.1 Oracle Single Sign-on Authentication
- 2.3.2 Certificate-based Authentication Using Secure Socket Layer (SSL)
- 2.3.3 Manual Approval
- 2.4 Hierarchical Certificate Authority Support
- 2.5 Deployments and Installations
- 3.1 Starting and Stopping Oracle Application Server Certificate Authority
- 3.2 Requesting the Administrator Certificate
- 3.3 Replacing the Administrator Certificate
- 3.4 Overview of the OracleAS Certificate Authority Administration Interface
- 3.4.1 Certificate Management Tab
- 3.5 Managing Certificates
- 3.5.1 Approving or Rejecting Certificate Requests
- 3.5.1.1 To Approve a Certificate Request
- 3.5.1.2 To Reject a Certificate Request
- 3.5.2 Viewing Details of Certificates
- 3.5.3 Revoking Certificates
- 3.5.4 Renewing Certificates
- 3.5.5 Listing a Single Certificate Request or Issued Certificate
- 3.5.6 Using Advanced Search
- 3.5.6.1 Search Certificate Requests using Request Status
- 3.5.6.2 Search Using DN (Distinguished Name)
- 3.5.6.3 Search Using Advanced DN
- 3.5.6.4 Search Using Serial Number Range
- 3.5.6.5 Search Using Certificate Status
- 3.6 Updating the Certificate Revocation List (CRL)
- 3.7 Single Sign-on (SSO) and OracleAS Certificate Authority (OCA)
- 3.7.1 Broadcasting the OCA Certificate Request URL to SSO-Authenticated Users
- 3.7.2 Bringing SSO-Authenticated Users to the OCA Certificate Request URL
- 3.7.3 User Certificates and SSO Usage
- 3.8 Default Install Values for OracleAS Certificate Authority
- 3.8.1 Enabling PKI Authentication with SSO and OCA
- 4.1 Structure of the Administration Interface
- 4.2 Configuration Management Tab
- 4.2.1 Summary of Configuration Tasks
- 4.2.2 Notification Sub-tab
- 4.2.2.1 Mail Details
- 4.2.2.2 Alerts
- 4.2.2.3 Scheduled Jobs
- 4.2.3 Email Templates
- 4.2.3.1 Values for the tokens
- 4.2.4 General Sub-tab
- 4.2.4.1 Certificate Publishing
- 4.2.4.2 SSL and SSO Authentication
- 4.2.4.3 Logging and Tracing
- 4.2.4.4 Default Base DN Components
- 4.2.4.5 Database Settings
- 4.2.4.6 Directory Settings
- 4.3 View Logs Tab
- 4.4 Creating and Updating Your Certification Practice Statement
- 5.1 Definitions
- 5.2 Overview of Policy Management
- 5.3 Oracle Application Server Certificate Authority Policies
- 5.3.1 RSAKeyConstraints
- 5.3.2 ValidityRule
- 5.3.3 UniqueCertificateConstraint
- 5.3.4 RevocationConstraints
- 5.3.5 RenewalRequestConstraint
- 5.4 Policy Sub-tab of Oracle Application Server Certificate Authority
- 5.4.1 Certificate Request Policies as Shipped
- 5.4.2 Certificate Revocation Policy as Shipped
- 5.4.3 Certificate Renewal Policy as Shipped
- 5.4.4 Policy Actions
- 5.4.4.1 Edit
- 5.4.4.2 Enable or Disable
- 5.4.4.3 Delete
- 5.4.4.4 Reordering Policies
- 5.4.4.5 Adding Policies
- 5.5 Predicates in Policy Rules
- 5.5.1 Multiple Predicate Evaluation
- 5.5.1.1 Evaluation Example for Multiple Predicates
- 5.5.1.2 One Further Example of Evaluating Multiple Predicates
- 5.5.1.3 Reordering Predicates
- 5.5.1.4 Adding Predicates
- 5.6 Developing a Custom Policy Plug-in
- 5.6.1 What Processing Does a Policy Do?
- 5.6.2 Steps in Creating a New Policy Plug-in
- 5.6.3 An Example of a Custom Policy Plug-in
- 5.6.4 Generic Error Messages
- 6.1 Wallet Operations for OracleAS Certificate Authority
- 6.1.1 Regenerating the CA Signing Wallet
- 6.1.2 Regenerating the CA SSL and CA SMIME Wallets
- 6.1.2.1 The CA SMIME Wallet
- 6.1.3 Renewing Critical Wallets
- 6.1.4 Changing Passwords
- 6.2 Configuration Operations for OracleAS Certificate Authority
- 6.2.1 Configuring Oracle HTTP Server to Use a Third Party SSL Wallet
- 6.2.2 Revoking a Certificate Authority Certificate
- 6.2.3 Revoking the OCA Web Administrator's Certificate
- 6.2.4 Configuring National Language Support (NLS) for OCA Screens
- 6.3 Customization Support
- 6.4 Log or Trace OCA Actions for Oracle Application Server Certificate Authority
- 6.4.1 Clearing Log or Trace Information for OracleAS Certificate Authority
- 6.5 Changing the Infrastructure Services That OCA Uses
- 6.5.1 Changing Identity Management (IM) Services (SSO/OID) Used by OCA
- 6.5.2 Changing Metadata Repository (MR) Services Used by OCA
- 6.5.3 Where OCA Connection Information Is Stored and Displayed
- 6.6 OracleAS Certificate Authority and High-Availability Features
- 6.6.1 OracleAS Certificate Authority Deployment Using Cold Failover
- 6.6.2 OracleAS Certificate Authority Deployment Using Real Application Clusters
- 6.7 OracleAS Certificate Authority Backup and Recovery Considerations
- 6.8 Restricting the Realm of Certificate Publication
- 6.9 Replacing the CA and Deinstalling OracleAS Certificate Authority
- 7.1 Accessing the User Interface
- 7.2 End-User Tabs and Processes
- 7.2.1 User Certificates Tab
- 7.2.1.1 Single Sign-on Authentication (SSO)
- 7.2.1.2 Configuring Your Browser to Trust OracleAS Certificate Authority
- 7.2.1.3 Secure Sockets Layer (SSL) Authentication
- 7.2.1.4 Manual Authentication
- 7.2.2 Certificate Retrieval, Renewal, and Revocation
- 7.2.2.1 Certificate Retrieval
- 7.2.2.2 Certificate Renewal
- 7.2.2.3 Certificate Revocation
- 7.2.3 Server/SubCA Certificates Tab
- 7.2.4 Subordinate CA Certificates
- 7.3 Downloading a CA Certificate
- 7.4 Importing the Certificate Revocation List (CRL) into Your Browser
- 7.4.1 In Netscape
- 7.4.2 In Internet Explorer (IE)
- 7.5 Downloading Certificate Revocation Lists into Your File System
- 7.6 Importing a Newly Issued Certificate to Your Browser
- 7.7 Exporting (Backing up) Your Wallet from Your Browser
- 7.8 Importing a Certificate from Your File System
- A.1 Command-Line Tool
- A.1.1 "Convertwallet" Explained with Examples
- A.2 Starting the Oracle Certificate Authority Server
- A.3 Stopping the Oracle Application Server Certificate Authority Server
- A.4 Finding the Status of the Oracle Certificate Authority Services
- A.5 Changing Privileged Passwords
- A.6 Regenerating the Root Certificate Authority's Certificate
- A.7 Regenerating the Certificate Authority's SSL Certificate and Wallet
- A.8 Revoking a Root CA Certificate
- A.9 Converting a CA SSL Server Wallet into SSO Form
- A.10 Generating a Sub CA Wallet from Oracle Application Server Certificate Authority
- A.11 Installing/Importing a Sub CA Wallet
- A.12 Generating a CA SSL Wallet for a Sub CA
- A.13 Clearing Log or Trace Storage
- A.14 Updating OCA Repository Connection Information
- A.15 Setting SSO Authentication (linksso, unlinksso commands)
- A.16 Setting Log/Trace Options
- B.1 Generating a Sub CA Wallet
- B.2 Installing and Using the New Sub CA Wallet
- B.2.1 Configuring an OCA Instance to Be a Subordinate CA of Another CA
- B.2.2 Generating CA SSL and CA SMIME Wallets for a Sub CA
- C.1 1. Prerequisite Issues and Warnings
- C.1.1 a. Issue: Failure of Key Pair Generation during Certificate Requests on Windows.
- C.1.2 b. Issue: Cannot Log in as Administrator after Logging in as Normal User
- C.1.3 c. Issue: Changing Passwords Must Use OCA's Commandline Tool ocactl
- C.2 2. Browser Issues
- C.2.1 a. Issue: Browser issues a warning if the CA SSL Server's CN is not identical to the machine name.
- C.2.2 b. Issue: Browsers use only the first (rightmost) CN component
- C.2.3 c. Netscape Issues
- C.2.3.1 i. Issue: Only one certificate appears in the popup window, though multiple certificates are available.
- C.2.3.2 ii. Issue: Browser continues to ask if CA certificate is trusted.
- C.2.3.3 iii. Issue: "Certificate is expired" warning appears.
- C.2.3.4 iv. Issue: SubCA and CA SSL client certificates are listed.
- C.2.4 d. Internet Explorer (IE) Issues
- C.2.4.1 i. Issue: "Page can not be displayed" Message
- C.2.4.2 ii. Issue: Failure to import CRL to Browser
- C.2.4.3 iii. Issue: Message that a page contains both secure and non-secure information
- C.2.4.4 iv. Issue: Opening online Help can generate a security alert.
- C.3 3. Network Issues
- C.3.1 a. Issue: Error message when logging on to OCA using SSO username/password
- C.3.2 b. Issue: "Network Error" message.
- C.3.3 c. Issue: OCA Stops Working, or Network/Server Messages Appear
- C.4 4. Certificate Issues
- C.4.1 a. Issue: Importing user certificate does not import CA certificate on Netscape
- C.4.2 b. Issue: Inability to Access or Use the Certificate Management Tab
- C.4.3 c. Issue: Administrator Needs to Work from a Different Machine
- C.5 5. Single Sign-on (SSO) Issues
- C.5.1 a. Issue: Name shown on an SSO certificate appears only as "User"
- C.5.2 b. Issue: VBScript Error Message While Generating Keys
- C.5.3 c. Issue: "Page can not be displayed" Message in Internet Explorer
- C.5.4 d. Issue: Going to the SSO login page in Internet Explorer can get a security warning dialog
- C.6 6. Search Issues
- C.6.1 a. Issue: Pressing "Enter" in search screens produces "Internal Error".
- C.7 7. Backup Protection Issues
- C.7.1 a. Issue: Ensuring Recoverability of the OCA Internal Repository
- C.8 8. General Issues
- C.8.1 a. Issue: Pages taking too long to load, or hanging
- C.8.2 b. Issue: JAZN error when enrolling a new web administrator
- C.8.3 c. Issue: No SMIME signing certificate in Outlook Express
- C.8.4 d. Issue: Browser warning about CA SSL Server's CN
- E.1 Enabling SSL on SSO
- E.2 Enabling PKI on SSO
- E.3 Re-registering OCA's Virtual Host with the SSL-Enabled SSO
- E.3.1 Example of Re-Registering OCA