Oracle Certificate Authority OCA and SSL Immlementation

Similar Messages

• SSL certificates and/ or Oracle Certificate Authority

  Our Oracle infrastructure is as follows:
  1.Database server
  (a)Oracle 9i R2 database
  (b) Oracle ApEx 2.2
  2. Infrastructure server
  (a) Oracle 10g (9.0.4.x.x) Infrastructure
  (b) OID - configured as external authentication to Microsoft 2003 Active Directory LDAP version 3
  (c) SSO - configured as Windows Native authentication
  3. Application server
  (a)Oracle 10g (9.0.4.x.x) Forms and reports server
  Network traffic currently is not encrypted. All we need is to ensure that network traffic is encrypted between the the end-user PC and all servers (database or app server)
  I was reading through Oracle Certificate Authority and Secure Sockets Layer.
  1. Is there a difference between the two products?
  2. Which product would be best to ensure the encryption (authentication is provided through MS LDAP)
  Thanks,
  Mayura

  Certificate authority and SSL are two completely different concepts. They can be related but are by no means similar.
  SSL is a service or a feature, not a product. SSL is used to encrypt the traffic. Part of SSL is the use of certificates for authentication. A server or user would pass a certificate as part of an SSL transmission.
  The certificates used for enrypted transmission(SSL), can be obtained from the Oracle Certificate Authority(OCA), or by a third party certificate authority. OCA is not required to use SSL.
  To achieve a fully encrypted envrinment, you would need to use SSL at several layers. This would be done with or without the use of the Oracle certificate authority.
  1. From the web browser to the middle tier
  2. End user to database
  3. from the middle tier to OID
  4. from the middle tier to the database
  5. From OID to active directory

• How move Oracle Certificate Authority on other server

  Hello!!!
  I am planning move Oracle Certificate Authority
  to another host with certificates and so on.
  Can you help me, I cannot find any documentation.

  Hi,
  You can start with some value say 40% of your physical memory allocate to SGA (SGA_TARGET) and see your database performance. Then monitor the use of SGA and then can decide on the add or reduce it. There is no direct rule for sizing it purely depends on your application behavior and amount of data and many other factors.
  This will be continuous process, you need to start with some reasonable value.
  Cheers,
  Dilipkumar Patel.

• Certificate Based Authentication and SSL

  To whom it may concern,
  I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
  Now, I need Certificate based authentication and SSL. I have downloaded versign.com trial certificate and have install it succesfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
  Next, I followed the documentation and enable ssl by using ./configutil utility. And also restarted the server.
  I am running my Messenger express (http) like this :
  http://testing.xyz.com:8100
  (I am using port 8100 for http access to mails). After restarting the mail server, I tried :
  https://testing.xyz.com:8100 also,
  http://testing.xyz.com:443 also,
  https://testing.xyz.com:443 also,
  but I cannot see the login page of the mail server. All the above mention url i tried and just given error "the connection was refused when attempting to contact testing.xyz.com. I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
  And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
  Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
  Thanking you,
  Farhan Ahmed,
  System Engineer
  Dubai, UAE.

  Dear jay,
  I am pasting a line from imap and http logs ... i don't know what this error means and how to resolve it.
  [29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
  strange thing is that my certificate name is lowercase server-cert and also i can see in the GUI console the certificate name as lowercase and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log tells it as "Server-Cert" !!!! though it is "server-cert"
  i got this line from the http log:
  [29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
  I haven't missed the sslpassword.conf file step. I have placed the same password which i provided while generating the certificate request in the GUI.
  Help me out what this errors means and how to resolve them. I have also copied the cert7.db and key3.db to /opt/SUNWms*/config directory from the /var/opt/mps/serverroot/alias
  Thanking you,
  Farhan Ahmed,
  System Engineer,
  Dubai Internet City, Dubai, UAE.

• Certificate Authority - pkiEnrollmentService and cerdat.inc missmatch

  Hello,
  This question has never been answered directly.
  Q: Do the pkiEnrollmentService object field 'dNSHostName' and the value for 'sServerConfig' set in the certdat.inc file located in %windir%\system32\certsrv\ have to match all the time, or are there instance where they shouldn't match for good reason?
  Example correct values as I understand them:
  pkiEnrollmentService object field 'dNSHostName':    CAhostname.domain.com (The FQDN of the CA server)
  'sServerConfig' value in certdat.inc:    CAhostname.domain.com\MyEvilCA (FQDN of the CA server \ The name of the CA as viewed in the Certificate Authority snap-in.)
  Thanks,
  Alex

  If the now extinct CA had been uninstalled gracefully, the related Enrollment Services Object would have been deleted.
  So if you are absolutely sure that this old CA will never come to live again you can delete its object under Enrollment Services. I would do this with pkiview.msc, Manage AD Containers though. adsiedit.msc typically does not break anything but pkiview is
  the supported method.
  But you must not delete the pkiEnrollment object for the new CA!
  Every CA has its own Enrollment Services object so the productive CA should have another, distinct, Enrollment Services Object... and this one should show a dnsHostName that is equal to the host name in certdat.inc.
  So how many Enrollment objects do you see now?
  The only confusion that may arise that I can think of is: The CNs of pkiEnrollment objects are equal to the CN in the CA certificate. So if you
  installed a new CA that has the same subject CN as the old one and it could not overwrite the existing object due to whatever reason then the only existing object shows the wrong dnsHostName. In this case I would test editing
  dnsHostName but chances are there are still issues with permissions as this a peculiar object re speical permissions.
  If enrollment does not work I would 1) backup the new CA (Databases, key, registry), 2) uninstall the new CA, 3) delete the "orphaned" pkiEnrollment object and 4) Restore the new CA. This will also re-create the pkiEnrollmen object properly.
  Elke

• OCA oracle Certificate Authority

  Hi there
  When I try to start ocactl than I am getting error, which is:
  $./ocactl start
  Error: OCA Service not started. Web server down
  Please let me know the solution as soon as possible.
  Thanks
  Munir

  $./ocactl start
  Error: OCA Service not started. Web server downMunir, have you checked if your oracle http server(ohs) is up?
  $ORACLE_HOME/opmn/bin/opmnctl status -l
  $ORACLE_HOME/opmn/bin/opmnctl startproc type=ohs

• Heartbleed: Remove Certificate Authority from iOS device

  Hi,
  I am in the process of changing SSL certificates after the Heartbleed bug. As I wasn't able to find a reliable cross platform way to revoke my internal certificates (e.g. Chrome doesn't check CRLs), I'm planning to reissue new certificates based on a new internal certificate authority (CA) and to remove the old CA from all systems. This should render all previous certificates as untrusted.
  This is easy for Linux, Windows and OS X, but how can I do this for iOS 7 devices? I believe the CA certificate was originally deployed to the iOS devices through a configuration profile. However, when I go to Settings > General > Profiles, there is no such profile listed. The iOS Safari shows my internal HTTPs pages without certificate warnings, thus the device must somehow have remembered that CA as trustworthy.
  Here are my questions:
  How can I view and/or modify the trust settings of CAs on iOS 7 devices?
  Where did the configuration profile with the CA go (I know that's a little weird to ask here) and why is the CA still active?
  Why are internal Https pages still trusted even if there is no configuration profile for that?
  This absolutely puzzles me! I always thought that for a custom CA to be active on a iOS device a configuration profile was required to be present. But that does not seem to be the case.
  Thanks for your help!

  The workaround seems to be the following:
  Go to the iPhone Configuration Utility
  Install the profile (again)
  Go to your iPhone and deinstall the profile that was just installed in Settings > General > Profiles
  Certificates signed by that authority are not trusted anymore.
  I consider this to be a major security problem in iOS if there is a way that profiles enable CAs and then get lost sometime later (maybe through an iOS upgrade?).

• Certificate Authority - Custom Temp not showing up. W2k8R2ent

  Hi Guys,
  Couldn't see a forum for CA so I had to post it here. Hopefully its the right place.
  (Server is test domain 1 single ad no replication. Running Win 2k8 r2 enterprise)
  So here's the issue I am trying to create and export certificate for other users (eobo).
  It works fine. But I want to do this throught certreq and in order to do that i have to creat custom cert which i did by duplicating User template.
  The new template CopyOfUser i changed(of confirmed) following settings:-
  General Tab = Publish Cert in Active Directory
  Request Handling = Allow private key to be exported & Enroll subject without req any input
  Security : I am logging as domain administrator and it has  Read/Write/Enroll
  Issurance Req: This number of authorized signature = 1
  & Application Policy & Client Authentication.
  Subject Name : Build from AD (Fully Distinguished name)
  Selected boxes : Include email name / Email name / UPN
  Now problem is i cannot see the custom template on Enable Certificate Templates.
  I am very new to CA so I am sure i am missing something or doing something wrong.
  Would love some help.

  Hi,
  I’d suggest if the steps below doesn’t help to remove the CA. Make sure you are using Enterprise Edition (no upgrade from 2K3 or 2K9 standart) of windows
  and install it again as Enterprise Root CA. Check and see if you still have the issue before tweaking the CA further:
  Open ADUC and check navigate to [Buildin > users > properties > members] and make sure the fallowing security groups are present.
    - Authenticated users
   - Domain Users
   - Interactive
  Open ADSI Edit and navigate to
  [Domain Naming context > DC=<DomainNAme>, DC=<DomainNAme> > CN=Users > CN=Cert Publishers > properties > security ]
   and give [Read] and [write]
  permissions to [Authenticated users] group
  Restart the CA.
  Check permissions on the CA:
  Open the [Certificate Authority] console and right click on [properties > Security] and add the fallowing permissions:
  [Authenticated Users]
  [V] Request Certificates
  [Domain Admins]
  [V] Read
  [V] Issue and Manager Certificates
  [V] Manage CA
  [V] Request Certificates
  [Enterprise Admins]
  [V] Issue and Manager Certificates
  [V] Manage CA
  [Administrators]
  [V] Issue and Manager Certificates
  [V] Manage CA
  [V] Request Certificates
  [Domain Controllers]
  [V] Read
  [V] Issue and Manager Certificates
  [V] Manage CA
  [V] Request Certificates
  [Domain Computers]
  [V] Read
  [V] Request Certificates
  Will appreciate if you give feedback if this has helped you. If yes please select “Mark
  as answer”.
  Best Regards,
  Spas Kaloferov
  MCITP: SA6 | EA6 | VA7 | EDA7 |DBA10 | DBD10 | BID10 | EMA14 | SPA14 
  NetShell Services & Solutions | “Design the future with simplicity and elegance”
  Visit me at:
  www.spaskaloferov.com
  |
  www: www.netshell-solutions.com

• Generate SSL cert with stronger signature algorithm such as RSA-SHA 1 or SHA 2 from Certificate Authority Version: 5.2.3790.3959

  We have a Certificate Authority (Version: 5.2.3790.3959) configured on  Windows 2003 R2 server in our environment. How do i generated SSL cert with stronger signature algorithm such as with SHA1 or SHA2
  Currently i am only able to generate SSL cert with md5RSA.

  Hi,
  Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
  Therefore, you need to build a new CA to use a new algorithm.
  More information for you:
  Is it possible to change the hash algorithm when I renew the Root CA
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
  Changing public key algorithm of a CA certificate
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
  modify CA configuration after Migration
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
  Best Regards,
  Amy Wang

• Re: Mail for Exchange and SSL certificate

  I think this is what you need to do
  1. go to the page from where you have to install certificate
  2.You will see lock symbol at the right hand side of the page, click on it and save it on your desktop PC by going to details page
  3. Open Nokia PC Suite --> FileManager and trasnfer the certificate from your PC to FileManager
  4. Click on the certificate inside FileManager and install it, while installing allow it to choose its place automatically
  Then try synchronising your mail, you ill receive it for the first time when you connect then it wont ask you for that again till you connect next time.
  Hope this helps

  Here's how I got my Nokia to accept the certificate as trusted. It may not work for everybody but it worked for me and after the past week of messing about I am truly grateful for that...
  Basically, I uninstalled then reinstalled Certificate Services through add/remove programs. I then followed the advice on this site (below), but only as far as requesting a cert through IIS Manager.
  http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
  I followed the advice until this section (mainly because it wouldn't allow me to request a cert through IE on the server...)..
  "Getting the Pending Request accepted by our Certificate Authority"
  I then opened "certification authority" on the server (through administrative tools) and right clicked the cert authority which will have the same name as the cert you had just requested and selected properties. In my case, something like mail.mydomain.co.uk...
  Under the General Tab I highlighted "certificate#0" in the CA Certificates box and clicked "view certificates".
  This opens the cert and I then clicked the "details" tab and saved the cert to a location using the "copy to file" button.
  Using the wizard I selected the first option "DER encoded binary x509(.cer) gave it a friendly name, saved it somewhere handy and closed the wizard.
  I then copied the file onto a pc with the Nokia PC Suite installed and copied it to the documents folder (although any one will do). I guess you could bluetooth or email the cert as well..
  I then browsed to it on the phone, clicked on it and it let me save it automatically into the certs folder. I restarted the phone, checked SSL was on and bingo the certificate was trusted and remains working today... You might have to delete an existing cert if you already have one installed as it won't let you overwrite it..
  As I say, I can't say this will work for anybody else as I have probably fiddled around with the server so much it has gone west in some respects, but it works for me and that'll do for now...
  dc

• SSL Certificate Authority TÜRKTRUST

  I see listed under preferences - advanced - certificates:
  TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  Begins On 13/05/2005
  Expires On 22/03/2015
  What is this SSL Certificate Authority?
  What does it do?

  Hi ,
  1)     Login to the visual administrator using admin userid and pwd
  2)     Goto server >services>keystore
  3)     Select the service_ssl and create new entry with name ssl_credentials
  Click on create button and generated one new entry with name:  ssl_credentilas
  4)     After generating  new entry ssl_credentials(private key) and ssl_credentials.cert (ecertificate) will be created.
  now select the new entry and click on generate CSR request button and send the c
  ertificate to verisgn. they will send u response to ur CSR request.Now save this in .crt ext and goto VA and sekect the new entry again and click on import CSR .
  5)     Select the Trusted CAs and click on import from other button
  6)     Select the service_ssl from the Select view option and select the ssl_credentials (privatekey) which is created in step 3. and click on Ok
  7)     ssl-credentials will be added into the Trusted CAs
  8)Goto SSL provider and  select the  dispatcher
  9)Select the new sockets radio button and select server identity tab and click on Add button.
  10)     Select the (new entry created just now)  ssl-credential and click on ok.
  11)     Add the same for Active sockets and reboot the sun 128 displatcher.
  Result:  Https is working for sun 128 server .

• UCS Manager and using Microsoft Certificate Authority

  Has anybody gone through the process of setting up UCS Manager with a certificate issued from a Microsoft Certificate Authority?  If so I would appreciate some assistance.  I was able to successfully create a request and have generated the certificate, but I see no way of being able to put the request and the certificate chain back into UCS Manager.

  First you have to create a trusted point (under the Admin Tab -> Key Management). In the new trusted point, paste the public cert in base64 format of your root certificate authority. If you have a subordinate CA that's issuing then add that CA's cert too. If you have a whole tree of CAs, then you need to create a trusted point with all the CAs in the chain from the issueing CA up to the root. Paste one cert after the other, in order, up the chain, all in the same trusted point. If they're not in the right order or if you're missing the root, then the TP won't accept the cert.
  Once you have a trusted point you can accept the certificate you generated. In the KeyRing you used to generate the request, choose the new Trusted Point, and paste the new certificate in Base64 format into the Certificate field.
  Once that's done, you can go to Communication Management -> Communication Services, and for the HTTPS protocol, choose the new Key Ring. It might not take effect immediately, but after a few minutes your UCSM web site should start responding with the new certificate.
  I hope that helps.
  Note: There's a bug in UCS currently issue number CSCth62582. If your fabric interconnects fail over, the SSL cert will revert to the default self signed cert. You have to go back into Communication services and set it to default, save, then set it back to the new Key Ring.  

• Windows Server 2008 R2 Standard "Certificate Authority Service" / Exchange Server 2010 EMC not starting and no AD connectivity for authentication.

  Hello,
  I am a new IT Manager at this company and need assistance big time. Their environment looks as follows:
  Server 1. Domain Controller Server (Windows Server 2008 R2 Standard) running active directory.
  Server 2. Email Server (Windows Server 2008 R2 Standard) running Exchange Server 2010 .
  * Note. No back ups to work with aside from whats mentioned below.
  DC had a virus infection causing a lot of issues on the shared network drives 2 days ago locking up all the files with a crypto ransom virus. Running Avast suppressed the infection. Had to recover the file shares which luckily had a back up. 
  The issue is that the Exchange Server 2 post this lost connectivity with the AD Server 1. Exchange Server 2 when launching EMC could not launch the console stating the following:
  "No Exchange servers are available in any Active Directory sites. You can’t connect to remote
  Powershell on a computer that only has the Management Tools role installed."
  Shortly after I found that it is possible the EMC launcher was corrupt and needed to be reinstalled following another blog post. I deleted the exchange management console.msc  per instructions only to discover I couldnt relaunch it because there was
  no way how. So I copied another msc file that happened to be on the DC Server 1  back to Exchange Server 2 and got it to launch again. 
  Another post said that it might be an issue with the Domain Account for the Computer, so to delete it in the AD Server 1 only to find that rejoining it from Exchange Server 2 using Computer>Properties> Chage Settings > Change is greyed out because
  it is using the Certificate Authority Service.
  I tried manually re-adding the computer in AD and modeling permissions after another server in group settings but no go. After this I was unable to login to the Exchange Server 2 with domain accounts but only local admin, receiving the following Alert:
  "The Trust Relationship between this workstation and primary domain failed."
  I tried running the Power Shell tools on Exchange Server 2 to rejoing and to reset passwords for domain accounts as noted in some other blogs but no luck as the Server 2 could not make the connection with Server1 or other errors it kept spitting out.
  I also during the investigation found the DNS settings were all altered on both the Server 1 and Server 2 which I luckily was able to change back to original because of inventorying it in the beginning when I started. 
  I need help figuring out if I need to rejoin the Exchange Server 2 manually by disabling the Certificate Authority Service (or removing the CA as listed here:
  https://social.technet.microsoft.com/Forums/exchange/en-US/fb23deab-0a12-410d-946c-517d5aea7fae/windows-server-2008-r2-with-certificate-authority-service-to-rejoin-domain?forum=winserversecurity
  and getting exchange server to launch again. (Mind you I am relatively fresh to server managing) Please help E-Mail has been down for a whole day now!
  Marty

  I recommend that you open a ticket with Microsoft Support before you break things more.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• How to create certificate authority and configure it for IIS

  Hi
  I Install ADCS role in Server 2012 and configure it. but when i go to IIS and want to create domain certification , the select button is grey .i think i couldn't configure certificate authority correctly. how can fix this problem.
  Whenever you see a helpful reply, click on Vote As Helpful & click on
  Mark As Answer if a post answers your question.
  LinkedIn:
    Facebook:

  Thanks my problem was solved.
  But there is a problem after install IIS and ADCS , i restarted both server but didn't work ,but now(6 hours after restart) it work fine.
  another Question is after i select appropriate certificate authority ,when i click on finish it gives me the following error 
  "the certificate request was submitted to the online authority but was not issued the request was denied"
  Whenever you see a helpful reply, click on Vote As Helpful & click on
  Mark As Answer if a post answers your question.
  LinkedIn:
  Facebook:

• Certificate Authority Windows 2008 to 2012 R2 - Clean up and Migration

  Hello,
      I'm currently dealing with the following scenario:
  1. I've inherited the current infrastructure setup and the plan is to clean things up and setup a new certificate infrastructure using Windows 2012 R2.
  2. The current setup:
      a. Domain Controller, Windows 2008 R2, is/was a Certificate Authority.  It hasn't issued any new certificates (based on the information in Certificate Effective Date) for quite some time.  It also has an expired certificate for
  itself - issued by the domain's issuing CA - and attempts to renew it via MMC give a "Server execution failed" and STATUS: Failed when looking in Certificate enrollment for Domain Controller.  We'll call the server, DC1.
      b. Certificate Authority Server, we'll call it CERT1.  When booting up the machine and/or attempting to restart certificate services on the server, the following errors are in the event log:
  EVENT 7024: Description: The Active Directory Certificate Services service terminated with service-specific error %%-2146885613.
  EVENT 100: Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  Domainlocal Issuing CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013
  (-2146885613).
  EVENT 48: Description: Revocation status for a certificate in the chain for CA certificate 0 for Domain.local Issuing CA could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because
  the revocation server was offline. 0x80092013 (-2146885613).
  Note:  The server's computer certificate has expired and it was issued by the Domain Controller mentioned in point A.  Attempts to renew it fail.
  (The issue on CERT1 is like the one mentioned in this article: https://support.microsoft.com/kb/825061?wa=wsignin1.0  however an upgrade wasn't done and it's not old versions of Windows.)
  c. There is a certificate authority machine - part of what was created for a PKI infrastructure - that was kept shutdown.  I've powered it up and the machine is not part of the domain.
  Any thoughts or feedback on easily repairing the current situation so that I can upgrade everything to a new Windows 2012 R2 Certificate infrastructure would be appreciated.
  Thanks!

  Hi Vadims,
      Basically using certificates in the following manner:
  1. User / Computer enrollment in the AD domain.
  2. Any hardware / web services (internal) that need a certificates.  This is usually hardware that has some form of GUI that is accessed via URL, printers accessed via URL and/or that communicate via LDAP to AD, internal UC (Lync is an example), that
  sort of thing.
      A number of machines currently show certificate errors (ie.. certificate has expired) however that hasn't stopped things from working just functioning differently.  I'm going already on the assumption that if I remove the entire CA
  infrastructure and re-install a new one and have everything point to that new CA server that I should be ok but I'm not 100% certain hence why I asked on this forum.
  Also, you're correct is that there is one more CA.  That CA was the server that was turned off/offline that I powered on.  It is not part of the AD domain that the domain controller and the other CA belong to.  (It is standalone.)  I'm
  currently patching the standalone CA since it's been off for what looks like almost 1.5 years.