6-36 Oracle Fusion Middleware Administrators Guide To create a CRL: orapki crl create [-crl [url|filename]] [-wallet [cawallet]] [-nextupdate [days]] [-pwd password] For example: orapki crl create -crl nzcrl.txt -wallet rootwlt -nextupdate 3650 -pwd password Certificate Revocation Revoking a certificate adds the certificates serial number to the CRL. To revoke a certificate: orapki crl revoke [-crl [url|filename]] [-wallet [cawallet]] [-cert [revokecert]] [-pwd password] For example: orapki crl revoke -crl nzcrl.txt -wallet rootwlt -cert cert.txt -pwd password

6.7.2.3 Test a Component Configured for CRL Validation

To test that a component is correctly configured for CRL validation, take these steps: 1. Set up a wallet with a certificate to be used in your component. 2. Generate a CRL with this certificate in the revoked certificates list. Follow the steps outlined in Section 6.7.2.2, Manage CRLs on the File System. 3. Configure your component to use this CRL. Follow the steps outlined in Section 6.7.2.1, Configuring CRL Validation for a Component. 4. The SSL handshake should fail when this revoked certificate is used.

6.7.3 Oracle Fusion Middleware FIPS 140-2 Settings

This section describes how to configure Oracle Fusion Middleware components to comply with the FIPS 140-2 advanced security standard. Topics include: ■ FIPS-Configurable Products ■ Setting the SSLFIPS_140 Parameter ■ Selecting Cipher Suites ■ Other Configuration Parameters

6.7.3.1 FIPS-Configurable Products

Any product using the Oracle SSL SDK can be configured to run in the FIPS mode. Specifically, you can configure the following Oracle Fusion Middleware components: ■ Oracle HTTP Server ■ Oracle Web Cache ■ Oracle Internet Directory See Also: For more information about this standard, refer to the Cryptographic Modules Validation Program Web site at: http:csrc.nist.govgroupsSTMindex.html Configuring SSL in Oracle Fusion Middleware 6-37

6.7.3.2 Setting the SSLFIPS_140 Parameter

You can configure these components to run in the FIPS mode by setting the SSLFIPS_140 parameter to TRUE in the fips.ora file: SSLFIPS_140=TRUE This file does not exist out-of-the-box and has to be created. Locate fips.ora either in the ORACLE_HOMEldapadmin directory, or in the directory pointed to by the FIPS_HOME environment variable. The SSLFIPS_140 parameter is set to FALSE by default. You must set it to TRUE for FIPS mode operation.

6.7.3.3 Selecting Cipher Suites

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth. Only the following cipher suites are approved for use in FIPS mode: SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA Any other ciphers should not be used while running in FIPS mode. You can configure one or more of these ciphers using comma-separated values. These should be specified in the SSL properties file for the key Ciphers in the WLST configureSSL command. See Section 6.9.28, Properties Files for SSL for details about specifying the SSL properties file with the configureSSL command.

6.7.3.4 Other Configuration Parameters

The minimum key size for enabling FIPS mode is 1024 bits. Ensure that the keys used in FIPS mode are at least 1024 bits. You can only use wallets created using Oracle tools like SSLConfig, Oracle Wallet Manager, or orapki. Third-party PKCS12 wallet files cannot be used in FIPS mode.

6.8 Best Practices for SSL

This section outlines some best practices for Oracle Fusion Middleware component administrators and application developers. It contains these topics: ■ Best Practices for Administrators ■ Best Practices for Application Developers

6.8.1 Best Practices for Administrators

Best practices for system administrators include the following: ■ Use self-signed wallets only in test environment. You should obtain a CA signed certificate in the wallet before moving to production environment. For details, see Chapter 8, Managing Keystores, Wallets, and Certificates.