Table 8–3 Links to Commands and Configuration Operations
General Topic / Links to Specific Subtopics

Basic Administration: Commands and Operations
■ Command-Line Tool
■ Starting the Oracle Certificate Authority Server
■ Stopping the Oracle Application Server Certificate Authority Server
■ Finding the Status of the Oracle Certificate Authority Services
■ Changing Privileged Passwords
■ Updating OracleAS Certificate Authority Repository Connection Information

Root Certificate Operations
■ Regenerating the Root Certificate Authority's Certificate
■ Revoking a Root CA Certificate

SSL/OracleAS Single Sign-On Operations
■ Converting a CA SSL Server Wallet into SSO Form
■ Regenerating the Certificate Authority's SSL Certificate and Wallet
■ Setting SSO Authentication (linksso, unlinksso commands)

Sub-CA Operations
■ Generating a Sub CA Signing Wallet from OracleAS Certificate Authority
■ Installing/Importing a Sub CA Signing Wallet
■ Generating a CA SSL Wallet for a Sub CA

Log/Trace Operations
■ Setting Log/Trace Options
■ Clearing Log or Trace Storage

Command-Line Tool

As the OracleAS Certificate Authority administrator, you use the command line tool named ocactl to specify the parameters needed to perform the various OracleAS Certificate Authority operations. (You may need to add oca/bin to your path.) Each time this tool is invoked it requests your OracleAS Certificate Authority Administrator password, which is always the same as the CA signing password. (If you use a slow telnet/rlogin session and backspace while entering the password, some portions of it are echoed.)
The general form for using this command is:
ocactl operation -type related-parameters, if any
For example, to start OracleAS Certificate Authority, you would enter
ocactl start
As another example, to generate a certificate and wallet for CASSL operations in publishing certificates with mutual authentication between OracleAS Certificate Authority and Oracle Internet Directory, you would enter
ocactl generatewallet -type CASSL
Notice that not all commands have parameters. Those that do not use parameters also do not use the keyword "-type".
Those that do need parameters must use the keyword -type preceding the parameter. The only exception is the "convertwallet" command, which has a special syntax explained after Table 8–4.
Table 8–4 shows the main operations (in alphabetical order) and their related parameters. After the table, additional parameters for the convertwallet command are explained.
The following operation names are links directly into that table:
changesecurity, clear, generatewallet, help, importwallet, linksso, renewcert, revokecert, set, setpasswd, start, stop, unlinksso, updateconnection
Table 8–4 Operations and Parameters of the OracleAS Certificate Authority (OCA) ocactl Tool
(Each entry lists the Operation, its Parameters, and its Meaning.)
changesecurity
Parameters: -server_auth_port port
Meaning: Changes the Identity Management services (Oracle Internet Directory/OracleAS Single Sign-On Server) used by OracleAS Certificate Authority to the new Oracle Internet Directory and OracleAS Single Sign-On. Updates oca.conf with the new IM machine and port number, and uses the specified port while registering OracleAS Certificate Authority with the new OracleAS Single Sign-On server.
clear
Parameters: LOG or TRACE; OracleAS Certificate Authority or ADMIN
Meaning: Clears the storage location specified in a prior set command, either a file or a database table, for the type of log or trace data chosen, either OracleAS Certificate Authority or ADMIN. (If OracleAS Certificate Authority is not running, all such data is cleared.) Examples of each command appear in Chapter 7, "OracleAS Certificate Authority Administration: Advanced Topics", at "Log or Trace OracleAS Certificate Authority Actions".
convertwallet
Parameters: Special syntax, explained after this table.
Meaning: See the discussion after this table: "Converting a CA SSL Server Wallet into SSO Form".
generatewallet
Parameters: CA, CASSL, or CASMIME
Meaning: Generates a certificate and wallet for the type specified: certificate authority signing certificate, or certificate authority SSL certificate. A sample "generatewallet" command will thus look like this:
ocactl generatewallet -type CASSL
Wallets of the following type are stored in the indicated place:
■ CA: OracleAS Certificate Authority repository
■ CASSL: $ORACLE_HOME/oca/wallet/ssl
■ CASMIME: OracleAS Certificate Authority repository
For the CA, key size choices are 512, 1024, 2048, and 4096. Default is 2048.
For CASSL and CASMIME, key size choices are 512, 768, 1024, and 2048, with 1024 the default.
help
Parameters: command name
Meaning: Shows the syntax for the command specified by name. A sample "help" command will thus look like the following:
ocactl help setconfig
importwallet
Parameters: SUBCA
Meaning: After prompting for the directory where the wallet should be stored, and the administrator's password, this command installs a wallet named ewallet.p12 as a subordinate CA server wallet. A sample importwallet command will thus look like this:
ocactl importwallet -type SUBCA
Note: Before importing a wallet, ensure it is corruption-free and contains one or more self-signed certificates. You can verify a wallet with the orapki wallet display command.
linksso
Parameters: none
Meaning: Registers OracleAS Certificate Authority with OracleAS Single Sign-On to display the OracleAS Certificate Authority certificate enrollment form to OracleAS Single Sign-On users who lack a certificate, so they can request one. (This command does not require the OracleAS Certificate Authority service to be shut down, but it won't take effect until the OracleAS Single Sign-On server is restarted.)
renewcert
Parameters: CA, CASSL, or CASMIME
Meaning: When OracleAS Certificate Authority is not running, the administrator can use this command to renew the specified certificate, with a prompt for a new validity period, in days. A sample "renewcert" command will thus look like this:
ocactl renewcert -type CA
revokecert
Parameters: CA, WEBADMIN (Revoking CA makes your OracleAS Certificate Authority installation inoperable. Be very careful and certain before taking this action.)
Meaning: Usable only when OracleAS Certificate Authority is not operating. Revokes the root CA certificate. See "Revoking a Root CA Certificate" for additional reasons specifiable with the CA parameter. A sample "revokecert" command will thus look like this:
ocactl revokecert -type CA -reason SUPERSEDED
Please refer to Table 8–7 for details on revocation reasons.
set
Parameters: LOG or TRACE; ON or OFF; OracleAS Certificate Authority or ADMIN
Meaning: Sets the OracleAS Certificate Authority configuration to use the additional parameters for state (ON or OFF) or mode (OracleAS Certificate Authority or ADMIN) specified after LOG or TRACE. Examples of each command appear in Chapter 7, "OracleAS Certificate Authority Administration: Advanced Topics", at "Log or Trace OracleAS Certificate Authority Actions". The discussion in this Appendix is at "Setting Log/Trace Options".

setpasswd
Parameters: CA, DB, CASSL, or CASMIME
Meaning: Requests and resets the password for the specified role: administrator, database administrator, certificate authority SSL server, or email encryption. OracleAS Certificate Authority must be stopped before changing passwords. See the text for a detailed description of the use, setting, and storage of passwords relating to certificate generation and usage. A sample setpasswd command will thus look like this:
ocactl setpasswd -type DB
start
Parameters: no parameters
Meaning: Starts the OracleAS Certificate Authority service. (OC4J, OHS, and the database must already be in operation for OracleAS Certificate Authority to start. You control OC4J and OHS with the command-line tool opmn.) A sample "start" command will thus look like the following:
ocactl start
status
Parameters: no parameters
Meaning: Displays the status of the OracleAS Certificate Authority services. A sample "status" command will thus look like this:
ocactl status
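As an added pre-flight helper, not part of the Oracle documentation or of the ocactl tool itself, the following POSIX shell script encodes the -type rules of Table 8–4 for the operations whose full syntax appears above, prints the ocactl command line an administrator intends to run without executing it, and flags the operations the table says may only run while the OracleAS Certificate Authority service is stopped. The function names are my own; operations whose syntax is documented elsewhere (set, clear, changesecurity, convertwallet) are deliberately left out.

```shell
#!/bin/sh
# Added helper (not from the Oracle guide): validates an intended ocactl
# invocation against Table 8-4 and prints the command line. It never runs ocactl.

# -type values each operation accepts, per Table 8-4 ("-" = takes no -type).
ocactl_types() {
  case "$1" in
    start|status|linksso)      echo "-" ;;
    generatewallet|renewcert)  echo "CA CASSL CASMIME" ;;
    importwallet)              echo "SUBCA" ;;
    revokecert)                echo "CA WEBADMIN" ;;
    setpasswd)                 echo "CA DB CASSL CASMIME" ;;
    *) return 1 ;;
  esac
}

# Operations the table says are usable only while the OCA service is stopped.
requires_oca_stopped() {
  case "$1" in renewcert|revokecert|setpasswd) return 0 ;; *) return 1 ;; esac
}

# build_ocactl_cmd OPERATION [TYPE] [REASON]
# Prints "ocactl ..." on stdout; on a rule violation prints to stderr, exit 1.
build_ocactl_cmd() {
  op=$1; typ=$2; reason=$3
  if [ "$op" = help ]; then                # help takes a bare command name
    [ -n "$typ" ] || { echo "help: command name required" >&2; return 1; }
    echo "ocactl help $typ"; return 0
  fi
  allowed=$(ocactl_types "$op") || { echo "unknown operation: $op" >&2; return 1; }
  if [ "$allowed" = "-" ]; then
    [ -z "$typ" ] || { echo "$op takes no -type parameter" >&2; return 1; }
    echo "ocactl $op"; return 0
  fi
  case " $allowed " in
    *" $typ "*) ;;
    *) echo "$op: -type must be one of: $allowed" >&2; return 1 ;;
  esac
  cmd="ocactl $op -type $typ"
  if [ -n "$reason" ]; then                # -reason is shown only for revokecert
    [ "$op" = revokecert ] || { echo "$op takes no -reason" >&2; return 1; }
    cmd="$cmd -reason $reason"             # reason codes are listed in Table 8-7
  fi
  if requires_oca_stopped "$op"; then
    echo "note: stop OracleAS Certificate Authority before running $op" >&2
  fi
  echo "$cmd"
}

build_ocactl_cmd generatewallet CASSL   # prints: ocactl generatewallet -type CASSL
```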