Certificate revocation status is checked against CRLs, which are located in file system directories, Oracle Internet Directory, or downloaded from the location specified in the CRL Distribution Point (CRL DP) extension on the certificate. Typically, CRL definitions are valid for a few days. If you store your CRLs on the local file system or in the directory, then you must update them regularly. If you use CRL DPs then CRLs are downloaded each time a certificate is used, so there is no need to regularly refresh the CRLs.
The server searches for CRLs in the following locations in the order listed. When the system finds a CRL that matches the certificate CA's DN, it stops searching.
1. Local file system
The system checks the sqlnet.ora file for the SSL_CRL_FILE parameter first, followed by the SSL_CRL_PATH parameter. If these two parameters are not specified, then the system checks the wallet location for any CRLs.
2. Oracle Internet Directory
If the server cannot locate the CRL on the local file system and directory connection information has been configured in an ldap.ora file, then the server searches in the directory. It searches the CRL subtree by using the CA's distinguished name (DN) and the DN of the CRL subtree.
The server must have a properly configured ldap.ora file to search for CRLs in the directory. It cannot use the Domain Name System (DNS) discovery feature of Oracle Internet Directory. Also note that if you store CRLs in the directory, then you must use the orapki utility to periodically update them. For details, refer to "Uploading CRLs to Oracle Internet Directory" on page 8-28.
3. CRL DP
If the CA specifies a location in the CRL DP X.509, version 3, certificate extension when the certificate is issued, then the appropriate CRL that contains revocation information for that certificate is downloaded. Currently, Oracle Advanced Security supports downloading CRLs over HTTP and LDAP.
Note: If you store CRLs on your local file system, then you must use the orapki utility to periodically update them. For more information, refer to "Renaming CRLs with a Hash Value for Certificate Validation" on page 8-27.
Certificate Validation with Certificate Revocation Lists
Configuring Secure Sockets Layer Authentication 8-25
Configuring Certificate Validation with Certificate Revocation Lists
The SSL_CERT_REVOCATION parameter must be set to REQUIRED or REQUESTED in the sqlnet.ora file to enable certificate revocation status checking. By default this parameter is set to NONE, indicating that certificate revocation status checking is turned off.
To enable certificate revocation status checking for the client or the server:
Figure 8–7 Oracle Advanced Security SSL Window with Certificate Revocation Checking Selected
The following steps describe how to configure certificate validation with certificate revocation lists:
1. Select one of the following options from the Revocation Check list (refer to Figure 8–7):
■ REQUIRED
Requires certificate revocation status checking. The SSL connection is rejected if a certificate is revoked or no CRL is found. SSL connections are accepted only if it can be verified that the certificate has not been revoked.
■ REQUESTED
Performs certificate revocation status checking if a CRL is available. The SSL connection is rejected if a certificate is revoked. SSL connections are accepted if no CRL is found or if the certificate has not been revoked.
Note:
■ For performance reasons, only user certificates are checked.
■ Oracle recommends that you store CRLs in the directory rather than the local file system.
Note: If you want to store CRLs on your local file system or in Oracle Internet Directory, then you must use the command line utility, orapki, to rename CRLs in your file system or upload them to the directory. Refer to "Certificate Revocation List Management".
2. (Optional) If CRLs are stored on your local file system, then set one or both of the following fields that specify where they are stored. These fields are available only when Revocation Check is set to REQUIRED or REQUESTED.
■ Certificate Revocation Lists Path:
Enter the path to the directory where CRLs are stored or click Browse to find it by searching the file system. Specifying this path sets the SSL_CRL_PATH parameter in the sqlnet.ora file. If a path is not specified for this parameter, then the default is the wallet directory. Both DER-encoded (binary format) and PEM-encoded (BASE64) CRLs are supported.
Note: If you want to store CRLs in a local file system directory by setting the Certificate Revocation Lists Path, then you must use the orapki utility to rename them so the system can locate them. Refer to "Renaming CRLs with a Hash Value for Certificate Validation" on page 8-27.
■ Certificate Revocation Lists File:
Enter the path to a comprehensive CRL file (where PEM-encoded (BASE64) CRLs are concatenated in order of preference in one file) or click Browse to find it by searching the file system. Specifying this file sets the SSL_CRL_FILE parameter in the sqlnet.ora file. If this parameter is set, then the file must be present in the specified location, or else the application will error out during startup.
3. (Optional) If CRLs are fetched from Oracle Internet Directory, then directory server and port information must be specified in an ldap.ora file.
Note: When configuring your ldap.ora file, you should specify only a non-SSL port for the directory. CRL download is done as part of the SSL protocol, and making an SSL connection within an SSL connection is not supported. Oracle Advanced Security CRL functionality will not work if the Oracle Internet Directory non-SSL port is disabled.
4. Select File, Save Network Configuration. The sqlnet.ora file is updated.
To disable certificate revocation status checking:
1. Select NONE from the Revocation Check list.
Note: For performance reasons, only user certificates are checked for revocation.
2. Select File, Save Network Configuration. The sqlnet.ora file is updated with the following entry:
SSL_CERT_REVOCATION=NONE
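As an added example (not from the guide or from Oracle), the following Python audit reads the sqlnet.ora and ldap.ora settings named in this section and reports the conditions the text warns about: SSL_CERT_REVOCATION left at NONE, the fail-open behaviour of REQUESTED when no CRL is found, an SSL_CRL_FILE that is not present, an SSL_CRL_PATH directory without hash-renamed CRLs, and a DIRECTORY_SERVERS entry with no non-SSL port. The sample file contents, paths and host names are constructed; the `<8 hex digits>.r<N>` CRL file name form produced by orapki and the `host:port:sslport` shape of DIRECTORY_SERVERS are assumptions, not stated on this page.

```python
import os
import re

# Constructed sample files (not from any real system).
SQLNET_ORA = """\
SSL_CERT_REVOCATION = REQUESTED
SSL_CRL_PATH = /u01/app/oracle/crl
SSL_CRL_FILE = /u01/app/oracle/crl/all_crls.pem
"""
LDAP_ORA = "DIRECTORY_SERVERS = (oid.example.com::636)\nDIRECTORY_SERVER_TYPE = OID\n"


def param(text, name):
    """Value of a scalar NAME = value entry in an Oracle .ora file, or None."""
    m = re.search(rf"^\s*{name}\s*=\s*([^\s#]+)", text, re.M | re.I)
    return m.group(1) if m else None


def audit(sqlnet, ldap="", exists=os.path.exists, listdir=os.listdir):
    """Return a list of findings for the checks this section of the guide describes."""
    findings = []
    mode = (param(sqlnet, "SSL_CERT_REVOCATION") or "NONE").upper()
    if mode == "NONE":
        findings.append("SSL_CERT_REVOCATION=NONE (default): revocation checking is off")
    elif mode == "REQUESTED":
        findings.append("REQUESTED accepts the connection when no CRL is found; REQUIRED fails closed")
    crl_file = param(sqlnet, "SSL_CRL_FILE")
    if crl_file and not exists(crl_file):
        findings.append(f"SSL_CRL_FILE {crl_file} is missing: the application will error out at startup")
    crl_path = param(sqlnet, "SSL_CRL_PATH")
    if crl_path and mode != "NONE":
        if not exists(crl_path):
            findings.append(f"SSL_CRL_PATH {crl_path} does not exist")
        else:
            # Assumption: orapki's hash renaming yields <8 hex digits>.r<N> file names.
            hashed = [n for n in listdir(crl_path) if re.fullmatch(r"[0-9a-f]{8}\.r\d+", n)]
            if not hashed:
                findings.append(f"no hash-named CRLs in {crl_path}: rename them with orapki")
    m = re.search(r"DIRECTORY_SERVERS\s*=\s*\(([^)]*)\)", ldap, re.I)
    for entry in (m.group(1).split(",") if m else []):
        # Assumed entry form host:port[:sslport]; CRL download needs the non-SSL port.
        parts = entry.strip().split(":")
        if len(parts) < 2 or not parts[1]:
            findings.append(f"ldap.ora entry {entry.strip()!r} has no non-SSL port")
    return findings


if __name__ == "__main__":
    for line in audit(SQLNET_ORA, LDAP_ORA):
        print("-", line)
```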