Application Server
How to manage SSL Certificates in
OID Oracle Identity Management Infrastructure
First, keep the following notes in mind, since the OCA operational steps depend on how the web browser is set up.
To make the browser prompt you before presenting any certificate, make sure it is configured to ask you for every requested certificate.
- Depending on the type of browser you have, open it and configure it to ask every time a certificate is needed. Otherwise the browser supplies a certificate automatically, which may cause unexpected problems.
- For example, if you have a Mozilla browser, open it and select Edit > Preferences. In the Category pane, expand the Privacy and Security node and select Certificates. The certificate-related settings are displayed in the right pane. In the Client Certificate Selection section, select the Ask Every Time option button. This lets you choose the client certificate required for a particular operation.
To view the status of the OCA server and how to start or stop it:
Log in to the server on which you installed your Oracle infrastructure.
Make sure that the ORACLE_HOME and ORACLE_SID environment variables are
set appropriately. Assuming a Unix OS, do the following:
$ echo $ORACLE_HOME
$ echo $ORACLE_SID
If these variables are not set, set them, for example:
$ export ORACLE_HOME=/u01/oracle/myapp
$ export ORACLE_SID=your-instance-name
Change to the $ORACLE_HOME/oca/bin directory.
To check the status of the OCA server, run the following command:
$ ocactl status
You should be prompted to enter your OracleAS Certificate Authority
administrator password.
To start the OCA server, run the following command:
$ ocactl start
You should be prompted to enter your OracleAS Certificate Authority
administrator password.
To display all the commands:
$ ocactl help
To display help for a specific command:
$ ocactl help setpasswd
After the OCA server has started, you can access the OCA administration
page and enroll for a certificate as follows.
To request an administrator certificate from the OCA server, open your
browser and enter the URL, for example:
https://<host.domain>:<port>/oca/admin (the default port is 4400)
To find the port, view the portlist.ini file in the $ORACLE_HOME/install
directory.
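As an added example (not part of the original page), the following POSIX shell script performs the environment check described above and derives the OCA admin URL from a portlist.ini-style file. The portlist.ini entry name, the sample file and the hostname are assumptions, not values taken from the page.

```shell
#!/bin/sh
# Added example, not from the original page. Checks the environment the page
# requires before running ocactl, and derives the OCA admin URL from the port
# listed in a portlist.ini-style file (the entry name below is an assumption).

# Return 0 when ORACLE_HOME and ORACLE_SID are set and ORACLE_HOME holds an
# executable oca/bin/ocactl; otherwise print what is missing and return 1.
check_oca_env() {
    missing=""
    [ -n "${ORACLE_HOME:-}" ] || missing="$missing ORACLE_HOME"
    [ -n "${ORACLE_SID:-}" ] || missing="$missing ORACLE_SID"
    if [ -n "$missing" ]; then
        echo "unset:$missing"
        return 1
    fi
    if [ ! -x "$ORACLE_HOME/oca/bin/ocactl" ]; then
        echo "missing: $ORACLE_HOME/oca/bin/ocactl"
        return 1
    fi
    echo "ok"
}

# Print https://<host>:<port>/oca/admin, taking the port from the first
# matching portlist.ini line and falling back to the page's default of 4400.
oca_admin_url() {
    host=$1
    inifile=$2
    port=$(sed -n 's/^Oracle Certificate Authority SSL Server Authentication port *= *\([0-9][0-9]*\).*/\1/p' "$inifile" | head -n 1)
    [ -n "$port" ] || port=4400
    echo "https://$host:$port/oca/admin"
}

# Constructed sample portlist.ini (not copied from a real installation).
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
[System]
Host Name = oca-host.example.com
Oracle HTTP Server listen port = 7777
Oracle Certificate Authority SSL Server Authentication port = 4410
Oracle Certificate Authority SSL Mutual Authentication port = 4411
EOF

# Stand-alone demonstration: report the environment and the URL to open.
check_oca_env || true
oca_admin_url oca-host.example.com "$SAMPLE_INI"
```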
Note that the URL uses https (SSL), so the OCA server presents its
certificate. Click OK to accept the certificate and, on the "Certificate
Authority" page, enroll for a certificate by entering the certificate
details. Make sure that you enter the OCA administrator password, and then
click Submit. Also choose a Certificate Key Size that is large enough, with a
reasonable Validity Period.
Once the Approved Certificate Information page appears, click the
"Import to Browser" icon to import the certificate into the browser. From
now on, you may want to use this certificate whenever you connect to the
OCA administration page.
After you import the certificate, click the "Administration Home" icon
next to the "Import to Browser" icon to display the OCA administration
pages.
On the "User Identification Request" page, you get a message that the
server has requested that you identify yourself with a certificate.
Select the certificate you just imported into the browser, and then
click OK.