Certificate Validation with Certificate Revocation Lists
7-36 Oracle Database Advanced Security Administrator's Guide
How CRL Checking Works
Certificate revocation status is checked against CRLs which are located in file
system directories, Oracle Internet Directory, or downloaded from the location
specified in the CRL Distribution Point (CRL DP) extension on the certificate.
Typically, CRL definitions are valid for a few days. If you store your CRLs on the
local file system or in the directory, then you must update them regularly. If you use
CRL DPs then CRLs are downloaded each time a certificate is used so there is no
need to regularly refresh the CRLs.
The server searches for CRLs in the following locations in the order listed. When the
system finds a CRL that matches the certificate CA's DN, it stops searching.
1. Local file system
The system checks the sqlnet.ora file for the SSL_CRL_FILE parameter first,
followed by the SSL_CRL_PATH parameter. If neither of these two parameters is
specified, then the system checks the wallet location for any CRLs.
Note: if you store CRLs on your local file system, then you must use the
orapki utility to periodically update them. See "Renaming CRLs with a Hash
Value for Certificate Validation" on page 7-41.
2. Oracle Internet Directory
If the server cannot locate the CRL on the local file system and directory
connection information has been configured in an ldap.ora file, then the
server searches in the directory. It searches the CRL subtree by using the CA's
distinguished name (DN) and the DN of the CRL subtree.
See "To create an ldap.ora file for your Oracle home:" on page 12-7. (The server
must have a properly configured ldap.ora file to search for CRLs in the
directory; it cannot use the Domain Name System (DNS) discovery feature of
Oracle Internet Directory.) Also note that if you store CRLs in the directory,
then you must use the orapki utility to periodically update them. See
"Uploading CRLs to Oracle Internet Directory" on page 7-42.
3. CRL DP
If the CA specifies a location in the CRL DP X.509, version 3, certificate
extension when the certificate is issued, then the appropriate CRL that contains
revocation information for that certificate is downloaded. Currently, Oracle
Advanced Security supports downloading CRLs over HTTP and LDAP.
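The search order above is easy to get wrong when troubleshooting a rejected certificate (for example, a stale CRL under SSL_CRL_PATH shadows a current one in the directory, because the search stops at the first match). The following Python model is an added example, not Oracle's code: it walks the three locations in the documented order, stops at the first CRL whose issuer DN matches the certificate's CA, and then checks the serial number and the CRL's nextUpdate time. Every DN, path, URL, serial number and date in it is constructed; the `fetch_dp` callback stands in for the HTTP or LDAP download, and treating a CRL past nextUpdate as "stale" is this example's choice rather than a behaviour the manual describes.

```python
# Added example, not Oracle's code: a model of the CRL search order in this
# section (local file system, then Oracle Internet Directory, then CRL DP)
# followed by a freshness check. All DNs, paths, URLs, serials are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class CRL:
    issuer_dn: str            # DN of the CA that signed this CRL
    revoked_serials: Set[int]
    next_update: datetime     # after this time the CRL must be refreshed


@dataclass
class Cert:
    issuer_dn: str
    serial: int
    crl_dp_url: Optional[str] = None   # CRL DP extension value, if the CA set one


Location = Tuple[str, CRL]


def search_local_fs(cert: Cert, sqlnet: Dict[str, str], files: Dict[str, CRL],
                    dirs: Dict[str, List[CRL]]) -> Optional[Location]:
    """Step 1: SSL_CRL_FILE, then SSL_CRL_PATH; the wallet only if neither is set.
    Oracle indexes CRLs in a directory by a hash of the issuer DN (orapki);
    this model compares the DN directly, which is what that hash stands for."""
    crl_file = sqlnet.get("SSL_CRL_FILE")
    crl_path = sqlnet.get("SSL_CRL_PATH")
    if crl_file:
        crl = files.get(crl_file)
        if crl is not None and crl.issuer_dn == cert.issuer_dn:
            return "SSL_CRL_FILE", crl
    if crl_path:
        for crl in dirs.get(crl_path, []):
            if crl.issuer_dn == cert.issuer_dn:
                return "SSL_CRL_PATH", crl
    if not crl_file and not crl_path:
        for crl in dirs.get(sqlnet.get("WALLET_LOCATION", ""), []):
            if crl.issuer_dn == cert.issuer_dn:
                return "wallet", crl
    return None


def find_crl(cert: Cert, sqlnet: Dict[str, str], files: Dict[str, CRL],
             dirs: Dict[str, List[CRL]], ldap_ora_present: bool,
             ldap_subtree: Dict[str, CRL],
             fetch_dp: Callable[[str], Optional[CRL]]) -> Optional[Location]:
    """Search in the documented order; stop at the first CRL matching the CA's DN."""
    hit = search_local_fs(cert, sqlnet, files, dirs)
    if hit is not None:
        return hit
    # Step 2: the directory is consulted only when an ldap.ora file is configured.
    if ldap_ora_present and cert.issuer_dn in ldap_subtree:
        return "Oracle Internet Directory", ldap_subtree[cert.issuer_dn]
    # Step 3: download from the CRL DP (HTTP or LDAP) named in the certificate.
    if cert.crl_dp_url:
        crl = fetch_dp(cert.crl_dp_url)
        if crl is not None and crl.issuer_dn == cert.issuer_dn:
            return "CRL DP", crl
    return None


def revocation_status(cert: Cert, now: datetime, **env) -> Tuple[Optional[str], str]:
    """Return (location the CRL came from, 'good' | 'revoked' | 'stale' | 'no_crl').
    Rejecting a CRL past nextUpdate is this example's choice (assumption)."""
    hit = find_crl(cert, **env)
    if hit is None:
        return None, "no_crl"
    location, crl = hit
    if now > crl.next_update:
        return location, "stale"
    return location, "revoked" if cert.serial in crl.revoked_serials else "good"


def demo_environment() -> Tuple[datetime, dict]:
    """Constructed environment: both sqlnet.ora parameters set, one CRL in the
    directory, one CRL reachable only through a CRL DP, one expired CRL."""
    now = datetime(2024, 1, 10, 12, 0, 0)
    fresh = now + timedelta(days=3)
    corp_crl = CRL("CN=Corp CA", {42}, fresh)
    partner_crl = CRL("CN=Partner CA", set(), fresh)
    remote_crl = CRL("CN=Remote CA", {99}, fresh)
    old_crl = CRL("CN=Legacy CA", set(), now - timedelta(days=1))  # past nextUpdate
    dp_url = "http://crl.example.invalid/remote.crl"
    env = dict(
        sqlnet={"SSL_CRL_FILE": "/etc/oracle/other.crl",
                "SSL_CRL_PATH": "/etc/oracle/crls",
                "WALLET_LOCATION": "/etc/oracle/wallet"},
        files={"/etc/oracle/other.crl": CRL("CN=Other CA", set(), fresh)},
        dirs={"/etc/oracle/crls": [corp_crl, old_crl],
              "/etc/oracle/wallet": [partner_crl]},  # skipped while parameters are set
        ldap_ora_present=True,
        ldap_subtree={"CN=Partner CA": partner_crl},
        fetch_dp=lambda url: remote_crl if url == dp_url else None,
    )
    return now, env


if __name__ == "__main__":
    now, env = demo_environment()
    for cert in (Cert("CN=Corp CA", 42), Cert("CN=Partner CA", 7),
                 Cert("CN=Remote CA", 99, "http://crl.example.invalid/remote.crl"),
                 Cert("CN=Legacy CA", 1), Cert("CN=Unknown CA", 5)):
        print(cert.issuer_dn, revocation_status(cert, now, **env))
```

Running the block prints, for each constructed certificate, where its CRL was found and the resulting status. Two points worth noting from the output: the wallet is never consulted while SSL_CRL_FILE or SSL_CRL_PATH is set (remove both from `sqlnet` in `demo_environment` and the Partner CA lookup moves from the directory to the wallet), and the expired Legacy CA CRL is still the one selected because the local file system is searched first, which is why the manual insists on refreshing locally stored CRLs with orapki.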