TECHNOLOGY: Inside OCP
By Aradhana Puri
Questions and answers on managing and using certificates and wallets
Oracle Application Server Certificate Authority (OCA) and Oracle Wallet Manager (OWM) are important components of Oracle Application Server Public Key Infrastructure (PKI). You can use OCA to administer and manage the entire PKI certificate lifecycle. This lifecycle includes recording and processing requests for new certificates; verifying user credentials; and issuing, renewing, or revoking these certificates.
Security credentials, consisting of a public/private key pair, a certificate, and a trusted certificate, are stored in and accessed through a logical container called a wallet. OWM facilitates acquiring, using, and storing certificates. It also provides a graphical user interface that standardizes the normal operations performed with or on certificates and wallets. Using OWM, you can create certificate requests that can be used to request certificates from OCA as well as a trusted third party.
This article focuses on aspects of OCA and OWM. It presents sample questions from the Oracle Application Server 10g: Administration I exam (Exam#1Z1-311). By successfully completing the Oracle Application Server 10g: Administration I exam, you can earn the Oracle Certified Associate level of certification. Note that the sample question format has been adjusted for presentation in this column.
Oracle Application Server Certificate Authority
A certificate authority (CA) is a trusted third party that vouches for the public-key owner's identity. Oracle Application Server Certificate Authority 10g provides an easy-to-use Web-based administration interface (Figure 1) and a user interface (Figure 2).
An OCA administrator can use the administration interface to perform certificate administration and management. End users can use the user interface to request, renew, and revoke certificates. Note that the term "end user" here includes persons and also server entities that acquire certificates to facilitate authentication among servers and applications. Administrators can access the home page for the administration interface by going to https://<Oracle HTTP host>:<SSL port>/oca/admin, where "Oracle HTTP host" is the host on which OCA is installed and "SSL port" is listed in the $ORACLE_HOME/install/portlist.ini file. Similarly, end users can access the home page for the user interface by going to https://<Oracle HTTP host>:<SSL port>/oca/user.
Which two statements are correct regarding OCA?
A. OCA can be used for obtaining user certificates only, not server certificates.
The correct answers are B and C. For security reasons, you can start and stop OCA only by using the ocactl command-line tool, which requires the administrator's password. This tool uses the OCA configuration file located in $ORACLE_HOME/oca/conf/oca.xml. You must have the administrator certificate before you can use any of the OCA administrative options and controls in the Web interface. To request the administrator certificate for your authentication, fill in and submit a brief form that appears after OCA is started for the first time. Note that you must access OCA from the computer you plan to use as the administrator. Answer A is incorrect because users can use OCA for obtaining User as well as Server/SubCA certificates (see Figure 2). Answer D is incorrect because OCA supports user authentication on the basis of a preissued SSL certificate.
You need to change the OCA administrator password. You would change it by using .
A. The ocactl command-line tool
The correct answer is A. You can use the ocactl setpasswd -type CA command to change the OCA administrator password. OCA must be stopped before you change the password. Answers B, C, and D are incorrect because you cannot use the OCA administration interface, Oracle Application Server Control, or Oracle Enterprise Security Manager to change the OCA administrator password.
Smith is an OCA administrator. He used computer Comp1 while authenticating himself as an OCA administrator for the first time. His Web administrator certificate is contained in the browser of Comp1. Smith also needs to perform certification management tasks from another computer, Comp2. What should he do?
A. Stop OCA by using the ocactl utility on Comp1, and restart OCA on Comp2 by using the ocactl utility.
The correct answer is D. OCA administrators may want to perform certificate management tasks from any of multiple computers. However, their Web administrator certificates are contained in the browser of the computer they used when originally authenticating themselves as the OCA Web administrators. To switch from one computer to another and maintain the ability to perform certificate management tasks, you need to export the certificate from the previous browser and import it into the new browser. Answers A, B, and C are incorrect because these actions do not enable the OCA administrator to perform administrative tasks from another computer.
Oracle Wallet Manager
Which task must you perform before submitting a Server/SubCA certificate request to OCA?
A. Create a PKCS#10 request
The correct answer is A. To get a Server/SubCA certificate from OCA, you need to create a PKCS#10 certificate request by using OWM. After OWM generates the completed request, the administrator can save it to the file system or copy it for pasting into OCA's Server/SubCA form for requesting a certificate from OCA. Answers B, C, and D are incorrect because you don't need a user certificate from OCA or read/write permissions on the $ORACLE_HOME/oca/conf/oca.xml file before submitting a Server/SubCA certificate request to OCA.
This column has focused on aspects of OCA and OWM. OCA completes the Oracle PKI solution, by providing a certificate authority and registration authority combined with an easy-to-use, comprehensive Web interface. Security administrators use OWM to manage public-key security credentials on both client and server systems.
Aradhana Puri (firstname.lastname@example.org) is a principal Oracle certification exam developer at Oracle. She has been with the company since 2000.