Digital certificates are essential to securing an enterprise infrastructure deployment. Oracle Application Server Certificate Authority generates and publishes X.509 v3 PKI certificates to support uses such as securing network connections, digital signatures, and strong user authentication methods. Key features of Oracle Application Server Certificate Authority include its easy, out-of-the-box deployment and a web-based, self service interface for certificate provisioning.
Requesting the web administrator certificate
For OCA, there is a web administrator which can manage and also approve the certificate requested by other users. Users can request either a server certificate of user certificate. Server certificate is required when a user want to enable SSL for his application deployed on server. User certificate is required for user to install the same in his browser. This user certificate can be used a an option for authentication when a user wants to login a SSL enabled application which is also a SSO enabled.
Before we get the administrator account for OCA (Oracle Certificate Authority), we need to first get the OCA certificate and install the same in out browser.
Follow below steps to get the certificate for you AS10g OCA installation.
1) Login to OCA self-service URL using https://(hostname):(port)/oca/admin
Example in my case https://ap101fam.us.oracle.com:6602/oca/admin
Remember here that port you will be using is “Oracle Certificate Authority SSL Server Authentication port” present in ORACLE_HOME/install/portlist.ini file of your infra tier. Click on “Click Here” link.
2) Enrollment form will appear next. Fill in the details as shown in example below.
Click on “Submit” button.
3) Once you submit the certificate will be issued immediately.
This is the certificate for web administrator of OCA. This will be issued by OCA to the web administrator which is going to administer the OCA in future. This is issued only once.
Usage:Client Authentication, Signing, Encryption
Not Valid Before:Saturday, May 3, 2008 5:23:41 AM PDT
Not Valid After:Sunday, May 3, 2009 5:23:41 AM PDT
Once you get this information click on “Install in Browser”.
Once you install in browser you can check if the certificate has been installed correctly or not using
Tools -> Options -> Advanced Tab -> Encryption -> View Certificate
if you are using Mozilla fire fox browser. For other browsers, use the browser specific path.
Requesting Server Certificate
Once we get the OCA administrator certificate and we became the administrator, then any user who is needs the server certificate or user certificate will have to go through our approval for the same. The request for the certificate will come to us for approval and once we approve, user can download and implement SSL using that certificate. Lets see the process of requesting the certificate and approving the same.
1) Create a certificate request in OWM
- If you are opening the wallet for the first time, it will ask you to create a new wallet and create a default directory for the same.
- Also you need to set password for your wallet
- Once this is done it will ask you if you want to create a new certificate request. Click on Yes.
- A new window will open asking for the details as shown below.
Enter all the relevant information in the above screen and click on OK.
Once a certificate is created, you can export the same or you can copy the content to notepad.
2) Submitting the request to OCA
- go to https://(hostname):(port)/oca/user. Example : https://ap101fam.us.oracle.com:6602/oca/user
- Click on “Request a Certificate”
- Enter the certificate request you created in OWM and other details as shown below.
Click on submit. You will see the confirmation window as shown below.
3) Once you request for certificate, now you as an administrator can approve the certificate. Usually in production you have to request the certificate to some legeal certifying authority which will approve your certificate after a period of time and you will get your certificate. Here we being administrator for OCA, we can approve the certificate.
- For this just go to https://(hostname):(port)/oca/admin Example : https://ap101fam.us.oracle.com:6602/oca/user
- “Certificate Management” tab
- You can see that the certificate request is pendng for your approval. If you dont see any request, you can search using the search textbox on the top using the request ID you got when you requested the certificate.
- You can click on View Details and at the bottom, there will be button called “Approve”. Click on Approve.
- You will get the confirmation window as given below.
4) Now you need to download this certificate and import into your wallet.
- For this again go to https://(hostname):(port)/oca/user. Example : https://ap101fam.us.oracle.com:6603/oca/user
- Server / SubCA Certificates tab and search for certificate with certificate number that is issued. Note that we have requested a certificate with a request number 4, but the issued certificate number is 5. So you have to search for certiifcate # 5.
- Once you get it click on “View Details”
- You should be able to see the certificate. Go down to the bottom of the page and click on “Save Certificate”.
- There are 2 certificates in this. One is the CA certificate and one is the actual server certificate. The first one if the actual server certificate that you requested for and second one is the CA certificate.
5) You now have to import both server certificate and CA certificate.
- For this go to OWM again and click on Operations -> Import User Certificate. It will give you 2 options 1) Paste the content 2) Upload as file.
- In my case I am pasting the certificate as shown below.
- When we click on OK, it might give following error
“User certificate import has failed because CA certificate does not exits. DO you want to import CA certificate?“
- Click on Yes and then paste CA certificate in new Textarea.
- In the bottom of OWM window you will see a success message “Your certificate has been successfully imported“.
This is how we can import the certificate that can be used for SSL configuration for your application (like EBS).
Hope this helps !!