Oracle® Application Server Certificate Authority Administrator's Guide
10g (9.0.4) Part No. B10663-02 |
The Oracle Application Server Certificate Authority administrative web interface covers the following three broad areas, each accessible from a tab on the home page:
Certificate issues, regarding issued certificates; requests for certificate issuance, revocation, or renewal; and certificate revocation lists (CRLs)
Configuration issues, regarding parameters for Oracle Application Server Certificate Authority actions and for implementation of certificate security policies
Viewing logs of Oracle Application Server Certificate Authority activity
This chapter describes the second and third of those areas: configuration management and viewing logs, as well as describing the content you should provide in your certification practice statement.
It contains the following sections:
The home page of the graphical user interface (GUI) for Oracle Application Server Certificate Authority presents three additional tabs, as the following figure shows:
These three subtabs enable you to address specific tasks in managing certificates or the Certificate Authority configuration:
Certificate Management Tab, described in Chapter 3, particularly in the section entitled Managing Certificates
Configuration Management Tab, described in this chapter
View Logs Tab, described in this chapter
The Configuration management tab is one of the four choices available when you first enter the Oracle Application Server Certificate Authority web environment. Clicking the Configuration Management tab on the home page displays the first of the three subtabs, each representing a grouping of the Oracle Application Server Certificate Authority configuration management facilities.
The content and use of those subtabs are explained in the following sections:
The Policy Sub-tab of Oracle Application Server Certificate Authority and Policy Actions are discussed in Chapter 5, "Managing Policies in Oracle Application Server Certificate Authority"
Table 4-1, Table 4-2, and Table 4-3 list the tasks encompassed by the Notification, General, and Policy sub-tabs of Configuration Management and provide links to discussions of those tasks.
Table 4-1 Notification Sub-tab Tasks and Discussions in Configuration Management
| Notification Sub-tab Tasks and Data | Links to Task Discussions |
|---|---|
| Specify server name and email contacts for alerts and notifications. | |
| Specify desired types of alerts. | |
| Specify the interval between generating CRLs, the interval between validating CRLs, and the interval between directory synchronizations. | |
Table 4-2 General Sub-tab Tasks and Discussions in Configuration Management
| General Sub-tab Tasks and Data | Links to Task Discussions |
|---|---|
| Specify that certificate publishing uses an SSL or non-SSL communication channel with Oracle Internet Directory. | |
| Specify that end-users can use SSL and SSO authentication for certificate management. | |
| Specify logging, tracing, both, or neither. | |
| Specify default values for DN components shown in enrollment. | |
| See configuration parameters for the database and directory. | |
Table 4-3 Policy Sub-tab Tasks and Discussions in Configuration Management
| Policy Sub-tab of Oracle Application Server Certificate Authority Tasks and Data (in Chapter 5) | Links to Task Discussions |
|---|---|
| See the policies applicable to available operations, such as certificate requests, revocations, or renewals. | |
| Edit, enable, disable, delete, add, or reorder policies. | |
Notification parameters control what events trigger notification emails to the administrator, how those emails are generated, and how often checking is done to reveal such events.
Changes you make to Notification configuration parameters will take effect only after Oracle Application Server Certificate Authority is restarted.
Mail parameters enable email notifications to be sent, encrypted or clear, to the email address you specify for the administrator and to the OCA users when appropriate, using your specified server, sender, and template. You specify your choices in the following portion of the Notification subtab screen:
Note that the hint below Enable Template will, after installation, display the exact path to the template directory. For example, if $Oracle_Home is defined during installation as /private/sitename/username, then this hint will display as "Templates stored at /private/sitename/username/oca/email."
Alerts parameters enable you to specify whether you are to receive alerts in the following circumstances:
When the number of pending certificate requests exceeds the queue threshold you specify here, to be checked on the schedule you specify here
Whenever automatic generation of the CRL fails. Such failure could occur, for example, if the database or Oracle Internet Directory were temporarily unavailable. Other rare possibilities include unpredictable runtime or configuration errors related to memory, input/output, or connectivity issues.
You specify your choices in the following portion of the Notification subtab screen:
Scheduled Jobs parameters enable you to make the following choices about automatic jobs:
Whether a CRL is to be generated automatically, and how often. This feature establishes a reliable, timely, and regular process supporting applications that depend on the CRL to detect revoked or expired certificates.
Whether directories are to be synchronized, and how often. This feature ensures timely, regular updates to the certificate information in the Oracle Internet Directory. Even certificates issued (or revoked or expired) during any temporary directory downtime will be published (or removed) during synchronization.
You specify your choices in the following portion of the Notification subtab screen:
As the administrator, you can enable templates by checking that box in the Mail Details section of the Notification sub-tab. You can then specify and customize the body of e-mail alerts and notifications as templates, which are stored in the following directory:
$ORACLE_HOME/oca/templates/email
You can use the tokens described below to format the e-mail to provide specific information. These tokens are replaced before the e-mail is sent. Table 4-4 lists the notifications, the filenames for each e-mail format, and the supported tokens.
Table 4-4 Notifications, Templates, and Tokens Supported for E-mail Customization
| Notifications | Template File Name | Supported Tokens |
|---|---|---|
| CertificateRequestNotify | reqacc.txt | #NAME#, #REQUESTID#, #SUBJECTDN#, #PHONE#, #EMAIL# |
| RequestApprovalNotify | reqapp.txt | #NAME#, #REQUESTID#, #SUBJECTDN#, #SERIALNUM#, #OCAURL#, #PHONE#, #EMAIL#, #VALIDITY# |
| RequestRejectionNotify | reqrej.txt | #NAME#, #REQUESTID#, #SUBJECTDN#, #PHONE#, #EMAIL# |
| PendingRequestsAlert | pendreq.txt | #NAME#, #NUMBERREQUESTS# |
| CRLAutoGenFailureAlert | crlfail.txt | #NAME# |
Note: If you do not check the box for Use Template in Configuration Management in the Notification screen, then templates are not used. All alerts and notifications would be predefined text that cannot be changed.
Table 4-5 describes the values that will replace each of the listed tokens before the alert or notification is sent:
Table 4-5 Token Values Supported for Customization in Notifications and Templates
| Notifications and Template File Names | Supported Token | Data That Replaces the Token |
|---|---|---|
| CertificateRequestNotifyTemplate = reqacc.txt | #NAME# | The contact data Name specified in the certificate request. |
| CertificateRequestNotifyTemplate = reqacc.txt | #REQUESTID# | The request ID issued by OCA to this request. |
| CertificateRequestNotifyTemplate = reqacc.txt | #SUBJECTDN# | The DN in the certificate request. |
| CertificateRequestNotifyTemplate = reqacc.txt | #PHONE# | The contact data phone number in the certificate request. |
| CertificateRequestNotifyTemplate = reqacc.txt | #EMAIL# | The contact data email address in the certificate request. |
| RequestApprovalNotifyTemplate = reqapp.txt | #NAME# | The contact data Name specified in the certificate request. |
| RequestApprovalNotifyTemplate = reqapp.txt | #REQUESTID# | The request ID issued by OCA to this request. |
| RequestApprovalNotifyTemplate = reqapp.txt | #SUBJECTDN# | The DN in the certificate request. |
| RequestApprovalNotifyTemplate = reqapp.txt | #SERIALNUM# | The serial number of the certificate. |
| RequestApprovalNotifyTemplate = reqapp.txt | #OCAURL# | The URL of the user home page. |
| RequestApprovalNotifyTemplate = reqapp.txt | #PHONE# | The contact data phone number in the certificate request. |
| RequestApprovalNotifyTemplate = reqapp.txt | #EMAIL# | The contact data email address in the certificate request. |
| RequestApprovalNotifyTemplate = reqapp.txt | #VALIDITY# | The validity period for which the certificate request is approved by the administrator. |
| RequestRejectionNotifyTemplate = reqrej.txt | #NAME# | The contact data Name in the certificate request. |
| RequestRejectionNotifyTemplate = reqrej.txt | #REQUESTID# | The request ID issued by OCA to this request. |
| RequestRejectionNotifyTemplate = reqrej.txt | #SUBJECTDN# | The DN in the certificate request. |
| RequestRejectionNotifyTemplate = reqrej.txt | #PHONE# | The contact data phone number in the certificate request. |
| RequestRejectionNotifyTemplate = reqrej.txt | #EMAIL# | The contact data email address in the certificate request. |
| PendingRequestsAlertTemplate = pendreq.txt | #NAME# | The value specified in the OracleAS Certificate Authority Administrator field under Configuration Management in the Notification screen. |
| PendingRequestsAlertTemplate = pendreq.txt | #NUMBERREQUESTS# | The number of pending requests in the OCA repository. |
| CRLAutoGenFailureAlertTemplate = crlfail.txt | #NAME# | The value specified in the OracleAS Certificate Authority Administrator field under Configuration Management in the Notification screen. |

Note: The language in which you edit these templates is used in the final results, so it is best to use the language of the server, because the message body is encoded in the language of the server locale. If you do not use templates, then all alerts and notifications will appear in the language of the server locale.
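The token substitution described in Table 4-4 and Table 4-5, as an added example that is not Oracle's code: it checks a customized template against the token set OCA supports for that file (so a typo such as #SERIALNUM# in pendreq.txt is caught before the alert goes out with a literal token in it) and then fills the tokens. The template body and request values are constructed for the example.

```python
import re

# Tokens OCA supports per template file, as listed in Table 4-4.
SUPPORTED_TOKENS = {
    "reqacc.txt": {"#NAME#", "#REQUESTID#", "#SUBJECTDN#", "#PHONE#", "#EMAIL#"},
    "reqapp.txt": {"#NAME#", "#REQUESTID#", "#SUBJECTDN#", "#SERIALNUM#",
                   "#OCAURL#", "#PHONE#", "#EMAIL#", "#VALIDITY#"},
    "reqrej.txt": {"#NAME#", "#REQUESTID#", "#SUBJECTDN#", "#PHONE#", "#EMAIL#"},
    "pendreq.txt": {"#NAME#", "#NUMBERREQUESTS#"},
    "crlfail.txt": {"#NAME#"},
}

# A token is an upper-case word between two '#' characters.
TOKEN_RE = re.compile(r"#[A-Z]+#")


def unsupported_tokens(template_name, body):
    """Tokens used in body that Table 4-4 does not list for this template."""
    return sorted(set(TOKEN_RE.findall(body)) - SUPPORTED_TOKENS[template_name])


def render(template_name, body, values):
    """Replace each supported token with its value in a single pass.

    Values are inserted through a callback, so a value that itself contains
    '#...#' is never re-scanned as a token. Unsupported or unvalued tokens
    raise instead of being mailed out as literal text.
    """
    bad = unsupported_tokens(template_name, body)
    if bad:
        raise ValueError(f"{template_name}: unsupported tokens {bad}")
    missing = sorted(set(TOKEN_RE.findall(body)) - set(values))
    if missing:
        raise KeyError(f"{template_name}: no value for {missing}")
    return TOKEN_RE.sub(lambda m: values[m.group(0)], body)


# Constructed reqapp.txt body and request data (not from the product).
APPROVAL_BODY = ("Dear #NAME#, request #REQUESTID# for #SUBJECTDN# was approved. "
                 "Serial #SERIALNUM#, valid #VALIDITY#. See #OCAURL#.")
APPROVAL_VALUES = {"#NAME#": "J. Doe", "#REQUESTID#": "42",
                   "#SUBJECTDN#": "cn=jdoe,o=example", "#SERIALNUM#": "17",
                   "#VALIDITY#": "365 days", "#OCAURL#": "https://oca.example/"}


def approval_example():
    """Render the constructed approval notification."""
    return render("reqapp.txt", APPROVAL_BODY, APPROVAL_VALUES)
```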
This sub-tab enables you to set parameters controlling the following tasks:
Changes you make to General configuration parameters will take effect only after Oracle Application Server Certificate Authority is restarted.
The choices in this section enable you to publish certificates to the directory. Since OCA always connects to Oracle Internet Directory by using the SSL port, the second checkbox shown here ("Protect publication using SSL mode") is no longer needed. The direct Diffie-Hellman SSL connection does not require certificate-based authentication; OCA then authenticates itself to the directory server by sending its username and password over the now-secured SSL connection.
The choices in this section let you specify that SSL or SSO users can be recognized automatically, meaning that their existing certificates (or SSO authentication) are accepted as authenticating their identities. Enabled by default, such acceptance means Oracle Application Server Certificate Authority will issue them a new certificate without administrator intervention.
The choices in this section let you specify whether to create a log file of all user activities, a tracing file of all details for every error, or both.
Logs are stored in the OCA repository; you can view them from the View Logs tab. Trace is stored on the file system, in the file at $ORACLE_HOME/oca/logs/oca.trc.
The values you fill in here will be used to pre-fill some of the Distinguished Name elements on the manual enrollment request form used to submit certificate requests.
This facility is simply for the users' convenience, supplying common fields. The values you fill in here can be overridden as needed.
The settings shown here simply tell you the database connect string that is being used to connect to the Oracle Application Server Certificate Authority repository.
These settings only change if OracleAS Certificate Authority's repository moves to a new location or if a change is made to the connection string. Examples include changing the nodes or the port used for connection. In these cases, you can use the ocactl updateconnection command to update the repository connection settings, and then restart OCA to use the new connection information.
See Also: updateconnection in Table A-2 of Appendix A, "Operations and Parameters of the OracleAS Certificate Authority (OCA) ocactl Tool".
The settings shown here simply tell you the host, agent, and port being used to connect with Oracle Internet Directory. If a change is made to the connection string, you can use the ocactl updateconnection command to update the repository connection settings, and then restart OCA to use the new connection information.
This configuration management page enables you to view logs that record messages regarding transactions or errors occurring during use of Oracle Application Server Certificate Authority. Such a screen would look like this:
Each line of such a log contains six elements, beginning with a log id number, the IP address that initiated the client activity, and the date of the action. Each line also includes the log entry type, the component of Oracle Application Server Certificate Authority generating the entry, and the component's message about the activity.
A certification practice statement describes the policies and procedures your site and certification authority follow, and thus often contains the following information:
Legal notices, obligations, and liability
Warnings or cautionary notes about using certificates
Public Key Infrastructure knowledge requirements
Standards or protocols used
Certificate-specific data:
life cycle details
limitations
key strengths and related security consequences
Hierarchy of certificate authorities at a site
Services provided
How to acquire, revoke, or renew a certificate
Contact information
You can add or alter your certification practice statement (CPS) by editing the $ORACLE_HOME/oca/help/Help/oca_cps.html file.
After Oracle Application Server Certificate Authority is restarted, your changes will appear on the Practice page when any user clicks the Practice Statement icon appearing on every page.
Note: The Certificate Practice Statement created by the OCA administrator using the above procedure is not internationalization (i18n) compliant. This fact means that clients in a language different from the OCA server language will see the practice statement only in the server's language.