changed independently with the ocactl setPassword –type DB command and the ocactl setPassword –type CA command. As mentioned earlier, if this password is changed outside of OracleAS Certificate Authority (that is, not using the ocactl tool), then OracleAS Certificate Authority will not start up. This circumstance also prevents you from resetting the repository password with ocactl. To resolve this, you must log in to the database as any DBA, such as SYS or SYSTEM, and change the password back to its original value.
For additional information about this password, see "Remembering and Restoring the Metadata Repository Password".
OracleAS Certificate Authority’s Administrator Password
The administrator password cannot be changed outside OracleAS Certificate Authority.
OracleAS Certificate Authority’s SSL Password
The OracleAS Certificate Authority SSL password (the password for the SSL wallet, which is in oca/wallet/ssl) should only be changed using ocactl. Changing this password with Oracle Wallet Manager will disable OracleAS Certificate Authority because the changed password is no longer reflected in the OracleAS Certificate Authority password store. However, you can recover from this situation by using
ocactl setpasswd CASSL to reset the SSL password. OracleAS Certificate Authority’s S/MIME Password
The OracleAS Certificate Authority S/MIME password (the password for the SMIME wallet, which is stored in the database, not on the file system) cannot be changed using Oracle Wallet Manager. You can only change it through ocactl.
OracleAS Certificate Authority’s Oracle Internet Directory Password
This is a randomly generated password. It cannot be changed through ocactl. But if it is altered using the Oracle Internet Directory administration tool, OracleAS Certificate Authority will not be able to talk to Oracle Internet Directory as it does not know the new password.
Remembering and Restoring the Metadata Repository Password
ProblemComplex sites with separate administrators for different functions, components, or organizations can sometimes encounter conflicts. For example, a database
administrator can change the password for the OracleAS Certificate Authority
metadata repository (schema) without realizing that this should only be done through OracleAS Certificate Authority itself. This change prevents OracleAS Certificate Authority from working.
Solution
Understanding the following scenarios can aid in preventing or resolving such a conflict:
1. If the DB password in the password store has never been changed from the default (which happens to be OCA-admin-password as established during
WARNING: Generally speaking (subject to the rules mentioned in the preceding discussion), always use ocactl to change any password related to OracleAS Certificate Authority. Never use any other tool; OracleAS Certificate Authority will stop working.
Problems and Solutions
installation), then regaining access to the database (after someone changed the password originally recognized by the repository) can be accomplished by this command:
alter user OracleAS Certificate Authority identified by OCA-admin-password
This resetting of the repository password to the OCA-admin-password causes it to match what is in the password store as the repository password.
2. If the DB password in the password store has been changed and the OracleAS Certificate Authority administrator does know what it is (for example, new_DB_ pswd_in_store, then if the repository password is changed (by a database administrator, perhaps), the OracleAS Certificate Authority administrator can restore database accessibility by using the command:
alter user OracleAS Certificate Authority identified by new_DB_pswd_in_store 3. If the DB password in the password store has been changed and the OracleAS
Certificate Authority administrator does not know (or remember) what it is, changing the repository password will prevent OracleAS Certificate Authority operations. Here's why: database access will not be granted unless the password offered by OracleAS Certificate Authority for the password store matches the current repository password. If the repository password is changed, then either that password or the DB password in the password store must be changed so that they again match. Since the DB password in the password store is unknown, the administrator cannot supply it in an "alter user" command. Nor can she change the DB password in the password store, because ocactl requires the current DB password before allowing it to be changed. So no recovery is possible. The unknown DB password remains unchangeable.
These resolutions all rely on the OracleAS Certificate Authority administrator retaining the privileges necessary to invoke alter user oca.
Using ocactl raises "Error:Password store missing" message
ProblemWhen Oracle Application Server 10g was originally installed, the option to install OracleAS Certificate Authority was not selected. Consequently no password file was created, and it cannot be created after the fact in the original Oracle home. The majority of OracleAS Certificate Authority files do get installed, but OracleAS Certificate Authority is unusable since it was not installed and configured during the original Oracle Application Server 10g installation.
Solution
Install a new instance of OracleAS Certificate Authority in a new Oracle home. It can be installed:
■ on the same computer as the OracleAS Infrastructure ■ on a different computer
■ with its own OracleAS Metadata Repository ■ against an existing OracleAS Metadata Repository.
As explained in the following discussion, practical considerations determine how these options are combined.
Problems and Solutions
In this case, OracleAS Certificate Authority will share the previously installed
OracleAS Metadata Repository. If you are installing OracleAS Certificate Authority on the same computer as the OracleAS Infrastructure instance, sharing the repository is preferable for performance reasons.
Installing OracleAS Certificate Authority with its own OracleAS Metadata Repository If you are installing OracleAS Certificate Authority with its own repository, it is preferable to install it on a separate computer from the OracleAS Infrastructure; otherwise you would need to run two databases on the same computer, which could degrade performance.
References
■ Oracle Application Server Installation Guide, Section 6.23, "Installing Identity
Management Components Only (Excluding Oracle Internet Directory)"
■ Oracle Application Server Installation Guide, Section 15.6, "OracleAS Certificate
Authority Topology"