As Published In
Oracle Magazine
July/August 2006

TECHNOLOGY: Inside OCP


Managing Certificates

By Aradhana Puri

Questions and answers on managing and using certificates and wallets

Oracle Application Server Certificate Authority (OCA) and Oracle Wallet Manager (OWM) are important components of Oracle Application Server Public Key Infrastructure (PKI). You can use OCA to administer and manage the entire PKI certificate lifecycle. This lifecycle includes recording and processing requests for new certificates; verifying user credentials; and issuing, renewing, or revoking these certificates.

Security credentials, consisting of a public/private key pair, a certificate, and a trusted certificate, are stored in and accessed through a logical container called a wallet. OWM facilitates acquiring, using, and storing certificates. It also provides a graphical user interface that standardizes the normal operations performed with or on certificates and wallets. Using OWM, you can create certificate requests that can be used to request certificates from OCA as well as a trusted third party.

This article focuses on aspects of OCA and OWM. It presents sample questions from the Oracle Application Server 10g: Administration I exam (Exam#1Z1-311). By successfully completing the Oracle Application Server 10g: Administration I exam, you can earn the Oracle Certified Associate level of certification. Note that the sample question format has been adjusted for presentation in this column.

Oracle Application Server Certificate Authority

A certificate authority (CA) is a trusted third party that vouches for the public-key owner's identity. Oracle Application Server Certificate Authority 10g provides an easy-to-use Web-based administration interface (Figure 1) and a user interface (Figure 2).

Figure 1: Oracle Application Server Certificate Authority administration interface


Figure 2: Oracle Application Server Certificate Authority user interface


An OCA administrator can use the administration interface to perform certificate administration and management. End users can use the user interface to request, renew, and revoke certificates. Note that the term "end user" here includes persons and also server entities that acquire certificates to facilitate authentication among servers and applications. Administrators can access the home page for the administration interface by going to https://<Oracle HTTP host>:<SSL port>/oca/admin, where "Oracle HTTP host" is the host on which OCA is installed and "SSL port" is listed in the $ORACLE_HOME/install/portlist.ini file. Similarly, end users can access the home page for the user interface by going to https://<Oracle HTTP host>:<SSL port>/oca/user.

Which two statements are correct regarding OCA?

A. OCA can be used for obtaining user certificates only, not server certificates.
B. OCA is started and stopped by using the ocactl command-line tool.
C. When you access the OCA administration interface for the first time, you must acquire and install your Web administrator certificate to be able to perform administrative tasks.
D. OCA does not support user authentication on the basis of a preissued Secure Sockets Layer (SSL) certificate.

The correct answers are B and C. For security reasons, you can start and stop OCA only by using the ocactl command-line tool, which requires the administrator's password. This tool uses the OCA configuration file located in $ORACLE_HOME/oca/conf/oca.xml. You must have the administrator certificate before you can use any of the OCA administrative options and controls in the Web interface. To request the administrator certificate for your authentication, fill in and submit a brief form that appears after OCA is started for the first time. Note that you must access OCA from the computer you plan to use as the administrator. Answer A is incorrect because users can use OCA for obtaining User as well as Server/SubCA certificates (see Figure 2). Answer D is incorrect because OCA supports user authentication on the basis of a preissued SSL certificate.

You need to change the OCA administrator password. You would change it by using ______.

A. The ocactl command-line tool
B. The OCA administration interface
C. Oracle Application Server Control
D. Oracle Enterprise Security Manager

The correct answer is A. You can use the ocactl setpasswd -type CA command to change the OCA administrator password. OCA must be stopped before you change the password. Answers B, C, and D are incorrect because you cannot use the OCA administration interface, Oracle Application Server Control, or Oracle Enterprise Security Manager to change the OCA administrator password.

Smith is an OCA administrator. He used computer Comp1 while authenticating himself as an OCA administrator for the first time. His Web administrator certificate is contained in the browser of Comp1. Smith also needs to perform certification management tasks from another computer, Comp2. What should he do?

A. Stop OCA by using the ocactl utility on Comp1, and restart OCA on Comp2 by using the ocactl utility.
B. Stop OCA by using the ocactl utility on Comp1, make changes to the http.conf file on Comp1, and restart OCA on Comp2 by using the ocactl utility.
C. Request another administrator certificate by using Comp2.
D. Export the OCA administrator certificate from the browser of Comp1, and copy and import it into the browser of Comp2.

The correct answer is D. OCA administrators may want to perform certificate management tasks from any of multiple computers. However, their Web administrator certificates are contained in the browser of the computer they used when originally authenticating themselves as the OCA Web administrators. To switch from one computer to another and maintain the ability to perform certificate management tasks, you need to export the certificate from the previous browser and import it into the new browser. Answers A, B, and C are incorrect because these actions do not enable the OCA administrator to perform administrative tasks from another computer.

Next Steps

LEARN more about the Oracle Certification Program, and download a free exam guide
oracle.com/education/certification

Oracle Wallet Manager

OWM is a standalone Java application that manages server certificates used with Oracle Application Server. Wallet owners use this program to manage and edit the security credentials in their Oracle wallets. You can use OWM to generate a public/private key pair and create a certificate request for submission to a CA, to install a certificate, and to configure trusted certificates. You can also use OWM to create and open a wallet to enable access to PKI-based services, and to upload a wallet to or download it from a Lightweight Directory Access Protocol (LDAP) directory. OWM works with two kinds of certificates: trusted certificates and user certificates. An Oracle wallet comes with some common trusted certificates preinstalled, and you can add others as needed. User certificates are used by end entities—such as an end user, a database, a client, or a server—to authenticate themselves. You must install a trusted certificate from a CA before you can install a user certificate issued by that authority.

Which task must you perform before submitting a Server/SubCA certificate request to OCA?

A. Create a PKCS#10 request
B. Obtain a user certificate from OCA by using Secure Sockets Layer (SSL) authentication
C. Obtain a user certificate from OCA by using single-sign-on (SSO) authentication
D. Obtain read/write permissions on the $ORACLE_HOME/oca/conf/oca.xml file

The correct answer is A. To get a Server/SubCA certificate from OCA, you need to create a PKCS#10 certificate request by using OWM. After OWM generates the completed request, the administrator can save it to the file system or copy it for pasting into OCA's Server/SubCA form for requesting a certificate from OCA. Answers B, C, and D are incorrect because you don't need a user certificate from OCA or read/write permissions on the $ORACLE_HOME/oca/conf/oca.xml file before submitting a Server/SubCA certificate request to OCA.
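The OWM-to-OCA flow described in the two passages above (a key pair and a PKCS#10 request created on the wallet side, a certificate issued by the CA, and the rule that the CA's trusted certificate must be in the wallet before the issued user certificate is accepted) can be reproduced step by step with the OpenSSL command line. The script below is an added example, not Oracle's code and not part of the original column: it stands in for OWM and OCA with the openssl binary, and the subject names, file names and one-day validity are constructed for the demonstration. It assumes openssl 1.1.0 or later is on PATH (for the -no-CApath option).

```shell
#!/bin/sh
# Added example, not Oracle's code: walks the OWM -> OCA -> wallet flow with
# the OpenSSL CLI so each artefact (key pair, PKCS#10 request, issued
# certificate, trusted certificate) can be inspected. Subjects, file names and
# validity periods are constructed for the demo. Requires openssl on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Wallet side (the step OWM performs): generate the key pair and a PKCS#10
# request. The private key stays in the wallet; only the request goes to the CA.
make_request() {
  openssl genrsa -out "$WORK/server.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$WORK/server.key" \
    -subj "/CN=app.example.test/O=Example Org" \
    -out "$WORK/server.csr" >/dev/null 2>&1
}

# A well-formed PKCS#10 request carries a self-signature made with the key
# pair it embeds; exit status 0 means the request verifies.
request_is_valid() {
  openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# CA side (the role OCA plays): a self-signed CA certificate. Called twice so
# that an unrelated authority exists for the trust test below.
# $1 = file prefix, $2 = CA common name (both constructed)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.crt" -subj "/CN=$2" -days 1 >/dev/null 2>&1
}

# CA side: issue the server certificate from the submitted PKCS#10 request.
issue_certificate() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/issuing-ca.crt" \
    -CAkey "$WORK/issuing-ca.key" -CAcreateserial -days 1 \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Wallet rule from the article: the issuing CA's certificate must be present
# as a trusted certificate before the user certificate is accepted.
# Prints "trusted" or "untrusted" for the trust store file given as $1.
# -no-CApath keeps the system trust store out of the check (OpenSSL 1.1.0+).
check_chain() {
  if openssl verify -no-CApath -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

run_demo() {
  make_request
  make_ca issuing-ca "Example Issuing CA"
  make_ca other-ca "Unrelated CA"
  issue_certificate
  echo "PKCS#10 request verifies:       $(request_is_valid && echo yes || echo no)"
  echo "issuing CA in trust store:      $(check_chain "$WORK/issuing-ca.crt")"
  echo "only unrelated CA in trust store: $(check_chain "$WORK/other-ca.crt")"
}

run_demo
```

The last two lines of output are the point of the exercise: the same server certificate is accepted when the issuing CA's certificate is the trusted certificate and rejected when only an unrelated CA is trusted, which is why OWM requires the CA's trusted certificate to be installed before the user certificate it issued.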

Conclusion

This column has focused on aspects of OCA and OWM. OCA completes the Oracle PKI solution by providing a certificate authority and registration authority combined with an easy-to-use, comprehensive Web interface. Security administrators use OWM to manage public-key security credentials on both client and server systems.


Aradhana Puri (ocpexam_ww@oracle.com) is a principal Oracle certification exam developer at Oracle. She has been with the company since 2000.
