SSL-Enable a Data Source

Configuring SSL in Oracle Fusion Middleware 6-35

■ Use the second format (dir:) if you are specifying a directory path that contains multiple CRL files in hashed form. See Section 6.7.2.2, Manage CRLs on the File System, for how to rename CRLs to hashed form.

In this example, the properties file specifies a single CRL file:

SSLEnabled=true
AuthenticationType=Server
CertValidation=crl
KeyStore=ohs1
CertValidationPath=file:///tmp/file.crl

In this example, the properties file specifies a directory path to multiple CRL files:

SSLEnabled=true
AuthenticationType=Server
KeyStore=ohs1
CertValidation=crl
CertValidationPath=dir:///tmp

6.7.2.2 Manage CRLs on the File System

You use the orapki command-line tool to manage CRLs on the file system. For details on this topic, see Section H.2.5, Managing Certificate Revocation Lists (CRLs) with orapki Utility.

CRL Renaming to Hashed Form

If you specify a CRL directory (the dir: form of CertValidationPath), each CRL in that directory must be renamed to its hashed form. The hashed name is derived from the name of the CRL issuer, which lets the CRL for a given issuer be located efficiently at runtime. On UNIX this operation creates a symbolic link with the hashed name that points to the actual CRL file. On Windows, the CRL is copied to a file with the new name. To rename a CRL:

orapki crl hash [-crl [url|filename]] [-wallet wallet] [-symlink directory] [-copy directory] [-summary] [-pwd password]

For example:

orapki crl hash -crl nzcrl.txt -symlink wltdir -pwd password

If a single CRL file name (the file: form) is specified at runtime, multiple CRLs can be concatenated in that file. The CRL created in the example below is in Base64 format, so you can use a text editor to concatenate CRLs.

CRL Creation

Note: LDAP-based CRLs and CRL distribution points are not supported.

Note: CRL creation and certificate revocation with orapki are for test purposes and are used only in conjunction with self-signed certificates. For production use, obtain certificates from well-known CAs and obtain the CRLs from those authorities.

To create a CRL:

orapki crl create [-crl [url|filename]] [-wallet [cawallet]] [-nextupdate [days]] [-pwd password]

For example:

orapki crl create -crl nzcrl.txt -wallet rootwlt -nextupdate 3650 -pwd password

Note that -nextupdate 3650 makes the CRL valid for ten years. A CRL that never goes stale is convenient for a test wallet, but outside a throwaway test keep the lifetime short so that a CRL that has not been refreshed is rejected rather than trusted.

Certificate Revocation

Revoking a certificate adds the certificate's serial number to the CRL. To revoke a certificate:

orapki crl revoke [-crl [url|filename]] [-wallet [cawallet]] [-cert [revokecert]] [-pwd password]

For example:

orapki crl revoke -crl nzcrl.txt -wallet rootwlt -cert cert.txt -pwd password

6.7.2.3 Test a Component Configured for CRL Validation

To test that a component is correctly configured for CRL validation, take these steps:

1. Set up a wallet with a certificate to be used in your component.
2. Generate a CRL with this certificate in the revoked certificates list. Follow the steps outlined in Section 6.7.2.2, Manage CRLs on the File System.
3. Configure your component to use this CRL. Follow the steps outlined in Section 6.7.2.1, Configuring CRL Validation for a Component.
4. The SSL handshake should fail when this revoked certificate is used. As a control, also confirm that the handshake still succeeds with a CRL that does not list the certificate, so that a failure is attributable to revocation rather than to a misconfigured CertValidationPath.
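The procedure above (a certificate in a wallet, a CRL that revokes it, a handshake that must then fail), as an added example that is not part of the guide and does not use orapki: it replays the same steps with OpenSSL so the logic can be run anywhere, and it mirrors both CertValidationPath forms from Section 6.7.2.1 (a single CRL file versus a hashed directory) as well as the create/revoke/hash sequence of Section 6.7.2.2. Assumptions: OpenSSL 1.1.0 or later is on PATH (for openssl rehash and for a non-zero exit status from openssl verify); the CA name, host name and file names are made up for the demo; and OpenSSL's hashed-link naming is assumed not to be interchangeable with orapki's, so Oracle components still need orapki crl hash.

```shell
#!/bin/sh
# Added example (OpenSSL, not Oracle's orapki): replay the CRL validation test of
# Section 6.7.2.3 in a scratch directory. Assumes OpenSSL >= 1.1.0 on PATH.
# "Test Root CA", "ohs1.example.test" and all file names are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config shared by "openssl req" (subject comes from -subj) and "openssl ca"
# (a text database of issued/revoked certificates plus CRL settings).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
# subject is supplied on the command line with -subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = index.txt
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
crlnumber        = crlnumber
EOF
touch index.txt
echo 01 > crlnumber

# 1. Self-signed test CA: stands in for the orapki CA wallet ("rootwlt" in the guide).
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Test Root CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# 2. Server certificate issued by that CA: the certificate the component would present.
openssl req -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=ohs1.example.test" -keyout srv.key -out srv.csr >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -sha256 -days 30 -out srv.crt >/dev/null 2>&1

# 3. CRL with nothing revoked ("orapki crl create" before any "orapki crl revoke").
openssl ca -config ca.cnf -gencrl -out empty.crl >/dev/null 2>&1

# 4. Revoke the server certificate, then issue a CRL that lists its serial number.
openssl ca -config ca.cnf -revoke srv.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out revoked.crl >/dev/null 2>&1

# 5. Hashed directory, the OpenSSL analogue of "orapki crl hash -symlink": each CRL
#    gets an <issuer-hash>.r0 symlink so lookup by issuer name is a single file open.
#    (Assumed NOT interchangeable with orapki's naming; Oracle needs orapki crl hash.)
mkdir crls
cp revoked.crl crls/
openssl rehash crls >/dev/null 2>&1

# verify_with_crl <crl-file | crl-directory>
# Mirrors the two CertValidationPath forms: a single file (file:) or a hashed
# directory (dir:). Returns 0 when srv.crt is accepted, non-zero when rejected.
verify_with_crl() {
  if [ -d "$1" ]; then
    openssl verify -crl_check -CAfile ca.crt -CRLpath "$1" srv.crt >/dev/null 2>&1
  else
    openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" srv.crt >/dev/null 2>&1
  fi
}

# crl_lists_serial <crl-file>: 0 if the CRL carries srv.crt's serial number.
crl_lists_serial() {
  serial="$(openssl x509 -in srv.crt -noout -serial | cut -d= -f2)"
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial"
}

# expect <accept|reject> <crl-file | crl-directory>: report the outcome.
expect() {
  if verify_with_crl "$2"; then got=accept; else got=reject; fi
  if [ "$got" = "$1" ]; then echo "$2: $got (expected)"; else echo "$2: $got (UNEXPECTED)"; fi
}

# Positive control first: with no revocation the check must pass.
expect accept empty.crl
# The test of Section 6.7.2.3: the revoked certificate must be rejected,
# whether the CRL is given as a file or found in the hashed directory.
expect reject revoked.crl
expect reject crls
```

The control run with empty.crl matters: if the CRL path is wrong the component rejects nothing, and only a known-good CRL that passes plus a known-revoked CRL that fails shows that revocation, not misconfiguration, caused the failure.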

6.7.3 Oracle Fusion Middleware FIPS 140-2 Settings

This section describes how to configure Oracle Fusion Middleware components to comply with FIPS 140-2, the U.S. government standard for cryptographic modules. Topics include:

■ FIPS-Configurable Products
■ Setting the SSLFIPS_140 Parameter
■ Selecting Cipher Suites
■ Other Configuration Parameters

6.7.3.1 FIPS-Configurable Products

Any product using the Oracle SSL SDK can be configured to run in FIPS mode. Specifically, you can configure the following Oracle Fusion Middleware components:

■ Oracle HTTP Server
■ Oracle Web Cache
■ Oracle Internet Directory

See Also: For more information about this standard, refer to the Cryptographic Module Validation Program Web site at: http://csrc.nist.gov/groups/STM/index.html