This lesson provides instructions on how to configure OracleAS
Certificate Authority (OCA) to manage certificates. To perform administrative
tasks you need a valid administrator certificate, so the lesson first shows
how to request one. You also see how users can request a certificate and
check the status of the request.
Overview
OracleAS Certificate Authority (OCA) comes bundled with
Oracle Application Server 10g. You can use the Web interface of OCA as
a user or as an administrator. As a user you can request a certificate and
monitor the status of your request. As an administrator, you can review the
requests and approve or reject them, and you can revoke existing certificates. OCA
uses Oracle Internet Directory (OID) as the storage repository for certificates,
which gives you centralized certificate management. OCA's integration with OracleAS
Single Sign-On Server and OID provides a seamless certificate provisioning mechanism
for applications that rely on them. With OCA, a few clicks generate, submit, and
store a certificate, so credential verification and authentication are simple
and fast.
Starting and Stopping the OC4J Supporting Process
You can start and stop the OC4J process that supports OCA either
from the command line or from the Oracle Enterprise Manager 10g Application
Server Control. The steps here show how to start and stop the OC4J supporting
process using Oracle Enterprise Manager 10g Application Server Control.
1.
Open a browser and navigate to the following URL: http://<hostname>.<domain>:1810/
Note: 1810 is the default port assigned to Application Server Control while
installing Application Server. However, if another instance is already
using 1810, the next free port is assigned during installation. This URL
uses plain HTTP, so the ias_admin password travels unencrypted unless
Application Server Control has been configured for SSL; use it only from a
trusted network.
Log in as ias_admin with the administrator password you specified during
installation and click OK.
You will see the Application Server Home page.
2.
Scroll down and click the infrastructure instance.
3.
You will see the Infrastructure Home Page
4.
Scroll down to see the components of the infrastructure.
Click the oca link.
If any of these components is down, it is indicated
with a red arrow pointing downwards in the Status column. To start
such a component, select its checkbox in the Select column and
click the Start button. In the screenshot the status of the oca component
is unknown.
5.
From the component page you can either stop or restart the component.
Starting the OCA Server Process
The OCA server process can only be started from command line.
1.
Change directory to <ORACLE_HOME>/infra/oca/bin
by issuing the following command:
cd <ORACLE_HOME>/infra/oca/bin
Check the contents of the folder. You should see ocactl listed
as shown in the screenshot.
2.
Issue the following command to start the OCA server
process:
$ ocactl start
You are prompted to enter the OCA administrator password.
Enrolling as the OCA Administrator
Before certificates can be managed, the administrator must enroll
by filling in a form on first access and then import the resulting administrator
certificate into the browser.
The default ports for the OCA server are 4400 for the HTTPS listener with server
authentication (the one used below) and 4401 for the HTTPS listener that also
requires a client certificate (mutual authentication, used when you authenticate
with an existing certificate). If you are not sure which ports OCA is listening on,
look at the "portlist.ini" file located in the $ORACLE_HOME/infra/install
directory.
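The port lookup and the "is the OCA server answering" check described above can be scripted. The following shell script is an added example written for this page; it is not part of the Oracle tutorial or of the OCA product. It assumes the $ORACLE_HOME/infra/install/portlist.ini location given above, entries written as "<description> = <port>", and openssl on the PATH; the sample portlist.ini contents embedded in the script are constructed for illustration (only the 4400/4401 values come from this lesson), and OCA_HOST is a placeholder for your own host name.

```shell
#!/bin/sh
# Added example (not part of the Oracle tutorial): locate the OCA listener
# ports in portlist.ini and confirm the OCA server process is answering.
# Assumptions: $ORACLE_HOME/infra/install/portlist.ini as in the lesson text;
# entries written as "<description> = <port>" under a [Ports] section.

# Print "<description>=<port>" for every portlist.ini entry whose description
# mentions "Certificate Authority". Both OCA listeners should show up.
oca_ports() {
    file="$1"
    grep -i 'certificate authority' "$file" \
        | sed -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/^[[:space:]]*//'
}

# Return just the port numbers, one per line, lowest first, so the first
# one is normally the server-authentication (admin/user UI) listener.
oca_port_numbers() {
    oca_ports "$1" | sed 's/.*=//' | sort -n
}

# Check that something is answering TLS on host:port and show who issued
# the server certificate. A refused connection here is the symptom behind
# the error page the lesson shows when ocactl start was never run.
# Requires openssl on PATH (assumption).
oca_probe() {
    host="$1"; port="$2"
    if printf 'Q\n' | openssl s_client -connect "$host:$port" \
            -servername "$host" 2>/dev/null \
            | openssl x509 -noout -subject -issuer -dates 2>/dev/null; then
        echo "OCA listener on $host:$port is up"
    else
        echo "no TLS listener on $host:$port - run ocactl start" >&2
        return 1
    fi
}

# Constructed sample in the portlist.ini layout. The real file has many more
# entries and the descriptions here are illustrative; the port values are
# the defaults quoted in the lesson.
SAMPLE_PORTLIST='[Ports]
Oracle HTTP Server port = 7777
Oracle HTTP Server Listen port = 7778
Oracle Certificate Authority(SSL Server Authentication) = 4400
Oracle Certificate Authority(SSL Mutual Authentication) = 4401
Application Server Control port = 1810
'

# Usage: ORACLE_HOME=/u01/app/oracle OCA_HOST=myhost.example.com sh oca_check.sh
# (both values are placeholders). With no OCA_HOST set, nothing is probed.
if [ -n "${OCA_HOST:-}" ]; then
    PORTLIST="${ORACLE_HOME:?set ORACLE_HOME}/infra/install/portlist.ini"
    for p in $(oca_port_numbers "$PORTLIST"); do
        oca_probe "$OCA_HOST" "$p"
    done
fi
```

Run it after setting ORACLE_HOME and OCA_HOST. A refused connection on the server-authentication port corresponds to the error page in step 2 below: run ocactl start and probe again. The issuer printed for the server certificate should be OCA's own CA, which is the first thing to check if a browser warns about the site.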
1.
Open a browser and navigate to the following URL: https://<hostname>.<domain>:4400/oca/admin
Note: The URL is using HTTPS and not HTTP.
2.
If you see the error message shown below, the OCA server
has not been started. Start it by following the steps in
"Starting the OCA Server Process" above.
3.
If the OCA server is already started, you will see the
welcome page.
4.
To enroll as an administrator, click the link Click
here.
You will see the enrollment form.
5.
Enter the necessary details.
6.
Scroll down and provide a password, and remember it.
Depending on the browser you will see different Certificate
Key Store or Certificate Key Size options. The Certificate Key Store is the
cryptographic service provider that generates and holds the private key;
with Internet Explorer, Microsoft Enhanced Cryptographic Provider is
recommended, and you should choose the largest key size it offers. Change
the validity period if you wish and click the Submit button.
7.
You will see the following dialog. Click Yes
to continue.
8.
The certificate is approved automatically (there is no
administrator yet who could review it) and its details are displayed.
9.
Import this certificate into your browser. Your browser
can then supply it whenever an application or another server asks for
certificate authentication. Because this certificate is what identifies you
as the OCA administrator, protect the browser's key store (and any export
of it) as carefully as the administrator password. Scroll down and click
Import to Browser.
10.
Check the certificate you have imported into your
browser: click the Tools menu, select Internet Options, and
select the Content tab.
Note: If you are using Mozilla or Netscape, navigate to Edit --> Preferences
--> Privacy & Security --> Certificates.
11.
Click the Certificates button.
12.
You will see the certificate listed. Click the View
button to see the details of the certificate you imported.
13.
Check the details of the certificate and click
OK.
14.
The next time you navigate to https://<hostname>.<domain>:4400/oca/admin
you will see a different screen from the one shown in step 3, because
OCA now has an administrator and your browser holds the administrator certificate.
You have successfully enrolled as an administrator.
Requesting a User Certificate with SSO Authentication
Users access the OCA Web interface to request, check,
and renew certificates. User certificates can be requested and issued
on the basis of Single Sign-On (SSO) authentication, Secure Sockets Layer (SSL)
client-certificate authentication, or manual authentication by the OCA
administrator. If the user already has an SSO account, the certificate
is generated and issued automatically, so the identity it carries is only as
trustworthy as that SSO account. A manual request, by contrast, needs the
intervention of the OCA administrator, who checks the user's credentials and
decides whether to issue a certificate.
1.
Navigate to the OCA user page at https://<hostname>.<domain>:4400/oca/user
Note: The URL is using HTTPS and not HTTP.
2.
Click the User Certificates tab.
3.
Observe that there are three ways in which you can request
a certificate. The default is SSO authentication. Click the Submit
button.
4.
You will see the login page.
5.
Enter User Name and Password and click
Login.
6.
Currently there are no certificates. To request for
a certificate click the Get Certificate button.
7.
Note that the DN information is already filled in because
you logged in through SSO. Select the appropriate certificate
information.
8.
Click the Submit button.
9.
You will see the approved certificate information. Because you used
SSO authentication to request the certificate, it is generated and issued
immediately.
10.
Click the Import to Browser button to import the certificate.
Authenticating with an Existing Certificate
OCA supports certificate-based authentication. A user who holds
a valid, unrevoked certificate can present it to authenticate to OCA over HTTPS.
Once authenticated in this way, the user can continue to use an existing
certificate or obtain a new one without delay. Revocation is the only thing
that stops a lost or stolen certificate from being used this way, so revoke
promptly when a key may have been compromised.
1.
Navigate to the OCA user page at https://<hostname>.<domain>:4400/oca/user.
Click the User Certificates tab. Select Use your existing certificate.
2.
Click the Submit button.
3.
Select one of the existing certificates and click the
View Details button.
Scroll down and click the Import to Browser button
to import the certificate.
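When you check the imported certificate in the browser (steps 10 to 13 of the administrator enrollment) and when you rely on "Use your existing certificate", the questions that matter are whether the certificate is still within its validity period, whether it really chains to this OCA's root, and whether the mutual-authentication listener accepts it. The following shell script is an added example for this page, not Oracle's code. It assumes the certificate was exported from the browser as a PKCS#12 file, that openssl is on the PATH, that OCA's root certificate has been saved as PEM (oca_root.pem is a placeholder name), and that 4401 is the mutual-authentication port listed in portlist.ini; every host and file name shown is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the Oracle tutorial): sanity-check a certificate
# exported from the browser and try it against OCA's client-certificate
# listener. Assumptions: the browser exported a PKCS#12 file (.p12/.pfx),
# openssl is on PATH, the OCA root certificate is available as PEM, and
# 4401 is the mutual-authentication port shown in portlist.ini.

# Convert a browser PKCS#12 export into PEM certificate and key files.
# The key is written unencrypted (-nodes): keep the output on disk only as
# long as the check takes, since this key is what proves you are the admin.
oca_p12_to_pem() {
    p12="$1"; prefix="$2"
    openssl pkcs12 -in "$p12" -clcerts -nokeys -out "$prefix.crt" && \
    openssl pkcs12 -in "$p12" -nocerts -nodes -out "$prefix.key"
}

# Subject, issuer and validity window of a PEM certificate.
oca_cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# "valid" if the certificate's notAfter is still in the future, else "expired".
oca_cert_state() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# "ok" if the certificate chains to the given CA file, else "untrusted".
# For a certificate OCA issued, the CA file is OCA's own root certificate;
# anything else claiming to be an OCA certificate fails this check.
oca_cert_chains_to() {
    ca="$1"; cert="$2"
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

# Present the certificate to the mutual-authentication listener and report
# whether the server completed the handshake and answered the request.
# Without -cert/-key the handshake is rejected, which is how OCA enforces
# "Use your existing certificate". -quiet also implies -ign_eof, so the
# request is fully sent before the connection is torn down.
oca_client_auth() {
    host="$1"; port="$2"; cert="$3"; key="$4"; ca="$5"
    printf 'GET /oca/user HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
        | openssl s_client -connect "$host:$port" -servername "$host" \
              -cert "$cert" -key "$key" -CAfile "$ca" -quiet 2>/dev/null \
        | grep -q '^HTTP/1\.' && echo accepted || echo rejected
}

# Usage (all names are placeholders):
#   oca_p12_to_pem admin.p12 admin
#   oca_cert_summary admin.crt
#   oca_cert_state admin.crt              # valid | expired
#   oca_cert_chains_to oca_root.pem admin.crt   # ok | untrusted
#   oca_client_auth myhost.example.com 4401 admin.crt admin.key oca_root.pem
```

Running oca_client_auth twice, once with your certificate and once with a certificate you revoked through the administrator interface, is a quick way to confirm that revocation actually takes effect on the mutual-authentication listener.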
Requesting a Certificate with Manual Authentication
The manual authentication process requires the user to provide
personal information such as name, email, and location. The user requests
a certificate by supplying these details and can then check the
status of the request. The OCA administrator examines the details
and decides whether to issue or reject the certificate. Because everything
on the form is self-asserted, the administrator should confirm the
requester's identity through another channel before approving.
1.
Navigate to the OCA user page at https://<hostname>.<domain>:4400/oca/user.
Click the User Certificates tab. Select Use manual approval / authentication
and click the Submit button.
2.
Click the Request a Certificate button.
3.
Provide necessary details.
4.
Select appropriate certificate information.
5.
Click the Submit button.
6.
You will see the confirmation message for your request.
7.
Click OK.
8.
You can use the Search fields to check the status of your request.
Approving Certificate Requests
The OCA Web interface gives the administrator the ability
to approve or reject certificate requests. The administrator can also revoke
issued certificates for various reasons.
1.
Navigate to the OCA admin page at https://<hostname>.<domain>:4400/oca/admin
Click the Certificate Management link.
2.
You will see the list of certificate requests submitted
by users. Observe that the status of the request you submitted
is Pending.
3.
Click the View Details button.
4.
You will see the certificate details.
5.
Click the Approve button to approve the certificate.
6.
You will see the confirmation message.
7.
Click OK.
8.
Observe that there are no pending certificates.