Thursday, May 26, 2005

Enterprise Security VI: Bolts and Nuts

The Oracle Certificate Authority is one of the things I will need for Single Sign On; in Oracle, this means having a certificate in your electronic wallet, signed by a trusted authority, to ensure you are who you claim to be.
That means I have to request a certificate from an authority (that would be... me!). Let's see how things look; there are two entries: a user one, and an administrative one.
The user OCA site offers to install the server certificate in my browser:

This is the Authority Certificate, the base (root) certificate that will be used to verify that other certificates from this site are genuine.
Now let's take a look at the administrative side; it looks as if we need to generate yet another certificate:

Not much else I can do than go ahead with it, so I click on Click here:

Okay - that was not difficult - install the certificate, and we're done.

If I now go back to the /oca/admin page, I can query the certificates issued by this authority:

As you can see, the first one is the one generated during the installation, and it's a certificate that can be used to sign other certificates, or CRLs (Certificate Revocation Lists).
The second certificate is the server certificate, and it's meant to identify the server. The third is similar, but for the client (which happens to reside on the same machine...).
The fourth certificate is the one I just created as part of the OCA setup, and will identify me as administrator of this Authority. To prove that, I went back to the user part of OCA, and used the second option (use your certificate) to authenticate. Instead of 'server did not accept certificate' I now get this presented:

Four - nil for me, I'd say... At least, that part of the deal works: I can now request and authorize (sign) digital certificates. And I will need that ability to sign certificate requests from ... me. Eehrm - make that 'any of my employees', working here, at CarrotSoft, Inc.

Getting a Server Certificate.

OK - time for configuration. First of all, I need to make it possible for the server to validate against a wallet. In order to do that, I need to create a wallet, and I need a certificate for the server's DN. Let's pull up the OCA screen, and display the details of certificate #1, the trusted Van Bortel Certificate Authority. Also fire up the Oracle Wallet Manager, using the owm command in a VNC window. Open a new wallet and provide a password, but do not request a certificate yet.
From your web browser, copy all of the letter garbage under the header Base-64 Encoded Certificate with CA certificate chain, including the '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' lines.
Switch to the Wallet Manager; from the menu, select Operations, Import Trusted Certificate, Paste the certificate:

It is all about the certificate authority; the Van Bortel Certificate Authority should be added:

Of course, in real-life situations you should get your certificates from a genuine authority, but for internal or test use, why should you? This step was only necessary because I do my own signing, and I trust myself to know me to vouch for me that I am me.
Now, let's request a certificate; still using the Wallet Manager on the server, choose Operations, Add Certificate Request. I used the Advanced option and filled in the DN CN=o10gR1, CN=OracleContext, DC=nl, DC=cs. The Certificate property will change from Empty to Requested.
Highlight the Certificate entry, and the right-hand panel will show similar gobbledygook as before: it is the server's Base64-encoded certificate request. Copy the request, again from and including the first hyphen, up to and including the last hyphen.

In the OCA web browser window that is still open, press the OK button. Then press the 'Request a Certificate' button in the upper right corner. Paste the certificate request in the PKCS#10 field, fill in the contact information, and press the Submit button.
Nothing is going to happen with the contact information - it is just information the human administrator can use if questions arise about the request - no part of it will be incorporated into the certificate.
You will see something like:
Your certificate request is accepted. Administrator will contact you for certificate issuance.
  1. Your request ID is "4".
  2. Please use this request ID for future reference.
Open a web browser page to the admin pages: https://csdb01:4400/oca/admin. The request with number 4 appears; click on Details, and approve the request.

You will see:
Certificate Request is approved.
  1. The serial number of the issued certificate is "5".
  2. Requestor Name:frank.van.bortel
  3. Requestor E-Mail
Show the details of certificate #5, copy the Base64-encoded data, and in the Wallet Manager paste it, using Operations, Import User Certificate, Paste the Certificate.
In the Wallet Manager, the Certificate status should change from Requested to Ready.
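The four steps above (import the authority's certificate as trusted, generate a request in the wallet, approve it on the CA side, import the issued certificate) as an added Go example; this is not part of the original post and does not drive OCA or the Wallet Manager, it only models what they do with the standard library's crypto/x509. NewCA stands in for certificate #1 (its name "Example Certificate Authority" is constructed), NewRequestPEM is the wallet's Add Certificate Request for the DN from the post, IssueFromPEM is the administrator's approval producing certificate #5, and ImportUserCertificate is the final import, which refuses a certificate that chains to no trusted CA or that was issued for a key other than the wallet's own. Assumptions: ECDSA P-256 keys instead of the wallet's RSA keys, the request travels as the PEM text pasted into the PKCS#10 field, and the issued certificate is handed back as DER bytes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Attribute types used in the walkthrough's DN: commonName and domainComponent.
var oidCN, oidDC = asn1.ObjectIdentifier{2, 5, 4, 3}, asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}

// NewCA stands in for certificate #1: a self-signed CA allowed to sign certificates and CRLs.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Certificate Authority"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// NewRequestPEM is the wallet's "Add Certificate Request": the key stays in the wallet, only the PKCS#10 text leaves.
func NewRequestPEM() ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// CN=o10gR1, CN=OracleContext, DC=nl, DC=cs; RDNs are encoded root-first, hence listed reversed.
	subject := pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{
		{Type: oidDC, Value: "cs"}, {Type: oidDC, Value: "nl"},
		{Type: oidCN, Value: "OracleContext"}, {Type: oidCN, Value: "o10gR1"},
	}}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// IssueFromPEM is the administrator's "approve": verify proof of possession (the request's own signature), then sign.
func IssueFromPEM(csrPEM []byte, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("pasted text is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		RawSubject:   csr.RawSubject, // the subject exactly as requested
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey) // DER of certificate #serial
}

// ImportUserCertificate is the wallet's "Import User Certificate" (Requested -> Ready): key must match, chain must be trusted.
func ImportUserCertificate(certDER []byte, key *ecdsa.PrivateKey, trusted ...*x509.Certificate) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return nil, fmt.Errorf("certificate does not match the wallet's key")
	}
	roots := x509.NewCertPool() // stays empty when no trusted certificate was imported
	for _, ca := range trusted {
		roots.AddCert(ca)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return nil, fmt.Errorf("certificate not trusted: %w", err)
	}
	return cert, nil
}
```

Two details worth noticing: the request is accepted only after csr.CheckSignature() succeeds, which is what stops someone from getting a certificate issued for a public key they do not hold the private half of, and the subject is copied from the request verbatim (RawSubject), so what the wallet asked for is what the CA attests to. The DN is built from ExtraNames in root-first order because that is how the RDN sequence is encoded; the leaf-first "CN=o10gR1, CN=OracleContext, DC=nl, DC=cs" is only the display form, and after parsing, Subject.CommonName holds the last CN (o10gR1).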
