Thursday, October 30, 2014

How to Create a Database Server Distinguished Name Certificate

***
This article is being delivered in Draft form and may contain
errors.  Please use the MetaLink "Feedback" button to advise
Oracle of any issues related to this article.
***
PURPOSE
-------

This note provides a generic example of creating a Database Distinguished Name Certificate for use with
a client-server TCPS (SSL/TLS) connection or with Enterprise User Security.

 
SCOPE & APPLICATION
-------------------

Distinguished Name Certificates can be required both as server certificates for TCPS connections and for
each database that participates in an enterprise security realm.  This note assumes the reader knows how to
sign a certificate request with their chosen certificate authority and therefore gives no instructions
on signing the server certificate.  Oracle Wallet Manager creates certificate requests in BASE64 (PEM)
format and only imports User and Trusted certificates that are BASE64 encoded; a certificate delivered
in DER (binary) form must be converted to BASE64 before it can be imported.


Step by step instructions on creating a database server distinguished name certificate
-------------------------------------------------------------------------------------

Step 1: Create a new wallet and certificate request from Oracle Wallet Manager.

1. Open Oracle Wallet Manager, OWM, and select Wallet->New 

2. Enter a new wallet password which conforms to the conditions stated on the screen and select OK

3. Select YES to create a certificate request

4. On the next screen choose the desired Key Size (use at least 2048 bits; 1024-bit and smaller RSA keys are
   no longer considered secure) and select Advanced - there is no need to complete any other fields

5. Replace any text in the DN field with your required distinguished name.

Note: The general form of a database distinguished name is 

      cn=DB_NAME, cn=OracleContext, dc=DOMAIN_COMPONENT_N, .. , dc=DOMAIN_COMPONENT_2, dc=DOMAIN_COMPONENT_1
 
      When a database is registered in OID via DBCA an rdbms_server_dn parameter is added to the pfile or
      spfile.  It is recommended that the value of this parameter is copied directly into the DN field in the
      Advanced Certificate Request form, so that the subject of the certificate matches the DN the database
      presents.
 
      e.g.  cn=sales,cn=OracleContext,dc=oracle,dc=com

      If the certificate is used by the OID server itself for SSL authentication the DN is less significant;
      by convention it is either the distinguished name of the database repository or the OID server name.

6. Select OK to complete the certificate request creation process.  A "Certificate [Requested]" entry should
   appear in the Wallet Manager main window 

7. Save the wallet, File->Save

8. Save the certificate request: re-select the certificate request in the main window, then 
   go to Operation->Export Certificate Request and save it to a suitable file name, e.g. sales.csr


Step 2: Sign the certificate.

The export file created by OWM in the previous step is a BASE64 (PEM) encoded PKCS#10 certificate request.  It
can be signed by most commercial certificate authorities or by a private certificate authority of your own.  Oracle
provides its own certificate authority, OCA, with 10g iAS.  For test purposes it is also possible to sign it with
OpenSSL, which is supplied with many Linux installations.  Whichever CA is used, the signed certificate must come
back in BASE64 format, or be converted to it, before it can be imported in the next step.
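The following POSIX shell script is an added example and is not part of the Oracle note: it builds a throwaway OpenSSL test CA, signs a request carrying the example DN from this note (cn=sales,cn=OracleContext,dc=oracle,dc=com) as a server certificate, and runs the checks a practitioner would want before importing the result in the next step.  The work directory, file names and extension values are assumptions for illustration.  Because OWM keeps the private key inside ewallet.p12 and only exports the request, the CSR here is generated by OpenSSL as a stand-in for the sales.csr exported in Step 1; in real use you would sign the file OWM produced.

```shell
#!/bin/sh
# Added example (not from the Oracle note): a throwaway OpenSSL test CA that
# signs a CSR carrying the database DN from the note, then checks the result
# before it is imported into OWM. Directory names, file names and the DN
# cn=sales,cn=OracleContext,dc=oracle,dc=com are assumptions for illustration.
set -e

# OpenSSL's -subj takes DN components root-first, so this is the same X.500
# name that Oracle writes as cn=sales,cn=OracleContext,dc=oracle,dc=com.
DB_DN="/DC=com/DC=oracle/CN=OracleContext/CN=sales"

# Stand-in for "your own certificate authority": a self-signed root marked
# CA:TRUE so chain validation accepts it as an issuer. In production the
# signing key lives at the CA, never on the database host.
make_test_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
0.DC = com
1.DC = oracle
CN = Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Stand-in for the sales.csr that OWM exports in Step 1. OWM keeps the private
# key inside ewallet.p12; a key file is written here only so a CSR can be made.
make_csr() {
  dir="$1"
  openssl req -new -config "$dir/ca.cnf" -subj "$DB_DN" -newkey rsa:2048 -nodes \
    -keyout "$dir/sales.key" -out "$dir/sales.csr" 2>/dev/null
}

# Sign the CSR as an end-entity server certificate. The output is PEM, the
# BASE64 form OWM requires; a DER file would have to be converted first.
sign_csr() {
  dir="$1"
  cat > "$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF
  openssl x509 -req -in "$dir/sales.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/sales.crt" 2>/dev/null
}

# Checks worth running before Step 3: the file is BASE64, and it validates
# against the CA chain you are about to import as trusted certificates.
verify_cert() {
  dir="$1"
  grep -q 'BEGIN CERTIFICATE' "$dir/sales.crt" || return 1
  openssl verify -CAfile "$dir/ca.crt" "$dir/sales.crt" >/dev/null 2>&1
}

# Subject in Oracle's notation (most specific RDN first, lower-case attribute
# types) so it can be compared with the value of rdbms_server_dn.
subject_dn() {
  dir="$1"
  openssl x509 -in "$dir/sales.crt" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject= *//' -e 's/CN=/cn=/g' -e 's/DC=/dc=/g'
}

work="${TMPDIR:-/tmp}/dn-cert-example"
rm -rf "$work"
make_test_ca "$work"
make_csr "$work"
sign_csr "$work"
verify_cert "$work" && echo "chain OK, subject: $(subject_dn "$work")"
```

The files ca.crt (trusted certificate) and sales.crt (user certificate) are what Step 3 imports, in that order; if a commercial CA issued the certificate through an intermediate CA, the intermediate's certificate is imported as a trusted certificate as well before the user certificate.  The subject_dn check matters because a mismatch between the certificate subject and rdbms_server_dn is the usual reason a TCPS or EUS configuration fails after the wallet itself looks correct.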


Step 3: Import the trusted CA root certificate and signed certificate into OWM

Wallet Manager will only import a signed certificate if the complete chain of trusted certificates that
signed it (the root CA and any intermediate CAs) already exists in the wallet.  The trusted certificates for
a commercial CA are generally available from its web site.  If you have used your own certificate authority
you will need to locate the BASE64 files of the CA certificate(s) that signed your certificate.  For the
purpose of this note it is assumed that both the CA trusted certificate(s) and the signed user certificate
have been copied to the server which is running OWM. 

1. Import the root certificate from the selected CA into OWM, Operations->Import Trusted Certificate

2. Select the option "Select a file that contains the certificate"

3. Browse to the file and select OK; the Common Name of your CA should now appear in the 
   main window under Trusted Certificates.  Repeat steps 1 to 3 for each intermediate CA certificate
   in the signing chain.

4. Import the signed certificate from the CA into OWM, Operations->Import User Certificate

5. Select the option "Select a file that contains the certificate"

6. Browse to the file containing your signed certificate and select OK; the requested certificate should now
   have a status of Ready.  If the import is refused, the usual cause is a trusted certificate missing from
   the signing chain, or a certificate that is not BASE64 encoded.

Save your wallet.


Step 4: Enable the wallet for database access

When the database accesses the wallet it does not supply a password; instead it reads an open (auto login) 
copy of the wallet file ewallet.p12, which is named cwallet.sso.  To enable the wallet for unattended login
tick the box next to File->Auto Login and save the wallet again.  Because cwallet.sso can be opened without
a password, it must be protected by file system permissions so that only the Oracle software owner can read
it: anyone who can read the file can use the database's private key and certificate.

REFERENCES
----------

Oracle's primary reference for SSL is the Oracle Advanced Security Administrator's Guide.  This guide 
describes Oracle's SSL solution and configuration in greater detail; see the chapter Configuring Secure 
Sockets Layer Authentication.  The guide is available on the documentation CD and at:

http://download-west.oracle.com/docs/cd/B10501_01/network.920/a96573/asossl.htm#1004601

Note 189260.1: An Example on How to Configure TCPS Using a DN Certificate Signed by Thawte
Note 262394.1: A Simple Example of a TCPS Loopback Connection Using OpenSSL





