
Table A–1 Links to Commands and Configuration Operations

Link to General Topic: Links to Specific Subtopics

Basic Administration: Commands and Operations

■ Command-Line Tool

■ Starting the Oracle Certificate Authority Server

■ Stopping the Oracle Application Server Certificate Authority Server

■ Finding the Status of the Oracle Certificate Authority Services

■ Changing Privileged Passwords

■ Updating OCA Repository Connection Information

Root Certificate Operations

■ Regenerating the Root Certificate Authority’s Certificate

■ Revoking a Root CA Certificate

SSL/SSO Operations

■ Converting a CA SSL Server Wallet into SSO Form

■ Regenerating the Certificate Authority’s SSL Certificate and Wallet

■ Setting SSO Authentication (linksso, unlinksso commands)

Sub-CA Operations

■ Generating a Sub CA Wallet from Oracle Application Server Certificate Authority

■ Installing/Importing a Sub CA Wallet

■ Generating a CA SSL Wallet for a Sub CA

Log/Trace Operations

■ Setting Log/Trace Options

As the OCA administrator, you use the command line tool named ocactl to specify the parameters needed to perform the various Oracle Application Server Certificate Authority operations. (You may need to add oca/bin to your path.) Each time this tool is invoked it requests your OCA Administrator password, which is always the same as the CA signing password. (If you use a slow telnet/rlogin session and backspace while entering the password, some portions of it are echoed.)

The general form for using this command is

ocactl <operation> -type <related-parameters, if any>

For example, to start Oracle Application Server Certificate Authority, you would enter

ocactl start

As another example, to generate a certificate and wallet for CASSL operations in publishing certificates with mutual authentication between Oracle Application Server Certificate Authority and Oracle Internet Directory, you would enter

ocactl generatewallet -type CASSL

Notice that not all commands have parameters. Those that do not use parameters also do not use the keyword "-type".

Those that do need parameters must use the keyword -type preceding the parameter. The only exception is the "convertwallet" command, which has a special syntax explained after Table.
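The -type rule above can be checked before a command line ever reaches ocactl, which is useful when the tool is driven from change-managed scripts. The following is an added example, not Oracle's code: ocactl_preflight and the OCA_ALLOW_REVOKE variable are hypothetical names, and the accepted -type values are copied from Table A–2 on this page.

```shell
# Added example: pre-flight check for an ocactl command line, using only the
# operations and -type values listed in Table A-2 on this page.
# ocactl_preflight and OCA_ALLOW_REVOKE are hypothetical names; ocactl is never run.
# Returns 0 = well formed, 1 = rejected, 2 = syntax not covered by this check.
ocactl_preflight() {
    pf_op=${1:-}
    if [ $# -gt 0 ]; then shift; fi
    case $pf_op in
        # No-parameter operations must not carry -type or anything else.
        start|status|stop|linksso|unlinksso|updateconnection)
            if [ $# -eq 0 ]; then return 0; fi
            echo "preflight: '$pf_op' takes no parameters" >&2; return 1 ;;
        generatewallet|renewcert) pf_allowed="CA CASSL CASMIME" ;;
        setpasswd)                pf_allowed="CA DB CASSL CASMIME" ;;
        importwallet)             pf_allowed="SUBCA" ;;
        revokecert)               pf_allowed="CA WEBADMIN" ;;
        # These use their own flags or a syntax documented elsewhere, so they
        # are passed back to the caller undecided.
        changeschema|changesecurity|clear|set|help|convertwallet) return 2 ;;
        *) echo "preflight: unknown operation '$pf_op'" >&2; return 1 ;;
    esac
    # Parameterised operations: the keyword -type must precede the value.
    if [ $# -lt 2 ] || [ "$1" != "-type" ]; then
        echo "preflight: '$pf_op' needs -type <value>" >&2; return 1
    fi
    pf_ok=no
    for pf_t in $pf_allowed; do
        if [ "$pf_t" = "$2" ]; then pf_ok=yes; fi
    done
    if [ "$pf_ok" != yes ]; then
        echo "preflight: '$2' is not a valid -type for '$pf_op' ($pf_allowed)" >&2
        return 1
    fi
    # Table A-2 warns that revoking the CA makes the installation inoperable,
    # so revokecert needs an explicit opt-in from the caller.
    if [ "$pf_op" = revokecert ] && [ "${OCA_ALLOW_REVOKE:-}" != yes ]; then
        echo "preflight: revokecert blocked; set OCA_ALLOW_REVOKE=yes" >&2
        return 1
    fi
    return 0
}
```

A caller would run the real tool only when the function returns 0, and treat return code 2 as "check this command line by hand".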

Table shows the main operations (in alphabetical order) and their related parameters. After the table, additional parameters for the convertwallet command are explained.

The following operation-names are links directly into that table:

changeschema, changesecurity, clear, generatewallet, help, importwallet, linksso, renewcert, revokecert, set, setpasswd, start, stop, unlinksso, updateconnection

Table A–2 Operations and Parameters of the OracleAS Certificate Authority (OCA) ocactl Tool

Operation: changeschema

Parameters: -host hostname -service service

Meaning: Used when the entire database is changed to a different one and the data is migrated to the new database. hostname is the name of the new machine; service is the name of the service on that machine.

Operation: changesecurity

Parameters: -server_auth_port port

Meaning: Changes the Identity Management services (OID/SSO) used by OCA to the new OID and SSO server. Updates oca.conf with the new IM machine and port number, and uses the specified port while registering OCA with the new SSO.

Operation: clear

Parameters: LOG, TRACE; OCA or ADMIN

Meaning: Clears the storage location specified in a prior set command, either a file or a database table, for the type of log or trace data chosen, either OCA or ADMIN. (If OCA is not running, all such data is cleared.) Examples of each command appear in Chapter 6, "OracleAS Certificate Authority Administration: Advanced Topics" at Log or Trace OCA Actions for Oracle Application Server Certificate Authority.

Operation: generatewallet

Parameters: CA, CASSL, or CASMIME

Meaning: Generates a certificate and wallet for the type specified: certificate authority signing certificate, or certificate authority SSL certificate. A sample "generatewallet" command will thus look like this:

ocactl generatewallet -type CASSL

Wallets of the type named below are stored in the indicated place:

CA: Oracle Application Server Certificate Authority repository

CASSL: $ORACLE_HOME/oca/wallet/ssl

CASMIME: Oracle Application Server Certificate Authority repository

Operation: help

Parameters: <command name>

Meaning: Shows the syntax for the command specified by name. A sample "help" command will thus look like the following:

ocactl help setconfig

Operation: importwallet

Parameters: SUBCA

Meaning: After prompting for the directory where the wallet should be stored, and the administrator’s password, this command installs a wallet named ewallet.p12: a subordinate CA server wallet. A sample "importwallet" command will thus look like this:

ocactl importwallet -type SUBCA

Operation: linksso

Parameters: <none>

Meaning: Registers OCA with SSO to display OCA certificate enrollment form to SSO users who lack a certificate, so they can request one. (This command does not require OCA service to be shut down, but it won’t take effect until the SSO server is restarted.)

Operation: renewcert

Parameters: CA, CASSL, CASMIME

Meaning: When OCA is not running, the administrator can use this command to renew the specified certificate, with a prompt for a new validity period, in days. A sample "renewcert" command will thus look like this:

ocactl renewcert -type CA

Operation: revokecert

Parameters: CA (Revoking CA makes your OCA installation inoperable.)

WEBADMIN (Be very careful and certain before taking this action.)

Meaning: Usable only when OCA is not operating. Revokes the root CA certificate. See "Revoking a Root CA Certificate" for additional reasons specifiable with the CA parameter. A sample "revokecert" command will thus look like this:

ocactl revokecert -type CA -reason SUPERSEDED

Please refer to Table for details on revocation reasons.

Operation: set

Parameters: LOG or TRACE, ON or OFF, OCA or ADMIN

Meaning: Sets the OCA configuration to use the additional parameters for state (ON or OFF) or mode (OCA or ADMIN) specified after LOG or TRACE, as follows:

Examples of each command appear in Chapter 6, "OracleAS Certificate Authority Administration: Advanced Topics" at Log or Trace OCA Actions for Oracle Application Server Certificate Authority.

Operation: setpasswd

Parameters: CA, DB, CASSL, or CASMIME

Meaning: Requests and resets the password for the specified role: administrator, database administrator, directory, OCA user, or certificate authority SSL server. See text for detailed description of the use, setting, and storage of passwords relating to certificate generation and usage. A sample "setpasswd" command will thus look like this:

ocactl setpasswd -type DB

Operation: start

Parameters: <no parameters>

Meaning: Starts the Oracle Application Server Certificate Authority service. (OC4J, OHS, and the database must already be in operation for OCA to start. You control OC4J and OHS by the command-line tool opmn.) A sample "start" command will thus look like the following:

ocactl start

Operation: status

Parameters: <no parameters>

Meaning: Displays the status of the Oracle Application Server Certificate Authority services. A sample "status" command will thus look like this:

ocactl status

Operation: stop

Parameters: <no parameters>

Meaning: Stops the Oracle Application Server Certificate Authority service. (Does not stop database, web server, or OracleAS. Relinquishes database connection pool; closes logger, tracer, and configuration data files.) A sample "stop" command will thus look like the following:

ocactl stop

Operation: unlinksso

Parameters: <none>

Meaning: De-registers OCA from SSO, so the screens for welcome and enrollment form will not be shown. (This command does not require OCA service to be shut down, but it won’t take effect until the SSO server is restarted.)

Operation: updateconnection

Parameters: <no parameters>

Meaning: Writes the connection information stored in Oracle Internet Directory (OID) into the OCA configuration file $ORACLE_HOME/oca/conf/oca.conf. These strings are used to connect to the OCA repository and connect to the directory (used for publishing certificates). (This connection information is displayed under Settings in the General subtab of the Oracle Application Server Certificate Authority web interface for the administrator.)

OCA connection information is originally written to OID when OracleAS is installed; this data is then also fetched from OID and written into oca.conf. This information changes if OCA is moved to another database or if any configuration information changes. Examples include altering nodes or ports in the connection strings, such as adding or removing RAC nodes in a RAC-enabled database. (No data needs to be migrated. If you are initiating a port change, use the proper steps as described in "Changing Infrastructure Ports" in Oracle Application Server 10g Administrator’s Guide.)

Note: You must run ocactl updateconnection after any such change to configuration settings, and after using this command, you must restart OCA by issuing the following commands:

$ORACLE_HOME/oca/bin/ocactl stop

$ORACLE_HOME/oca/bin/ocactl start

"Convertwallet" Explained with Examples

Table shows samples for most of the commands you can issue using ocactl. However, the convertwallet command uses a different syntax, which this section explains with examples.
