Managing Security for Backup Networks 6-11
Host Authentication and Communication

Automated and Manual Certificate Provisioning Mode

Oracle Secure Backup provides automated and manual modes for initializing the security credentials for a client host that wants to join the domain. The automated mode is easy to use, but it has potential security vulnerabilities. The manual mode is harder to use, but it is less vulnerable to tampering.

In automated certificate provisioning mode, which is the default, adding a host to the administrative domain is transparent. The host generates a public key/private key pair and then sends a certificate request, which includes the public key, to the Certification Authority (CA). The CA issues the host an identity certificate, which it sends to the host along with any certificates required to establish a chain of trust to the CA.

The communication between the two hosts is over a secure but non-authenticated Secure Sockets Layer (SSL) connection. It is conceivable that a rogue host could insert itself into the network between the CA and the host, thereby masquerading as the legitimate host and illegally entering the domain.

In manual certificate provisioning mode, the CA does not automatically transmit certificate responses to the host. You must transfer the certificate as follows:

1. Use the obcm utility to export a signed certificate from the CA.
2. Use a secure mechanism such as a floppy disk or USB key chain drive to transfer a copy of the signed identity certificate from the CA to the host.
3. Use obcm on the host to import the transferred certificate into the host's wallet. The obcm utility verifies that the certificate request in the wallet matches the signed identity certificate.

You must balance security and usability to determine which certificate provisioning mode is best for your administrative domain.

Oracle Wallet

Oracle Secure Backup stores every certificate in an Oracle wallet. The wallet is represented on the operating system as a password-protected, encrypted file. Each host in the administrative domain has its own wallet in which it stores its identity certificate, private key, and at least one trusted certificate. Oracle Secure Backup does not share its wallets with other Oracle products.

Besides maintaining its password-protected wallet, each host in the domain maintains an obfuscated wallet. This version of the wallet does not require a password. The obfuscated wallet, which is scrambled but not encrypted, enables the Oracle Secure Backup software to run without requiring a password during system startup.

Note: To reduce risk of unauthorized access to obfuscated wallets, Oracle Secure Backup does not back them up. The obfuscated version of a wallet is named cwallet.sso. By default, the wallet is located in /usr/etc/ob/wallet on Linux and UNIX and C:\Program Files\Oracle\Backup\db\wallet on Windows.

The password for the password-protected wallet is generated by Oracle Secure Backup and not made available to the user. The password-protected wallet is not usually used after the security credentials for the host have been established, because the Oracle Secure Backup daemons use the obfuscated wallet.

Figure 6–4 illustrates the relationship between the certificate authority and other hosts in the domain.
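
The Oracle Wallet section above notes that cwallet.sso is scrambled but not encrypted and needs no password, so access to it is controlled by file-system permissions alone. The following shell script is an added example, not Oracle code: it checks the wallet file and its directory for group or other access and lists copies of cwallet.sso that sit outside the wallet directory. The owner-only policy and the function names audit_wallet and stray_wallets are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Oracle code): audit an Oracle Secure Backup wallet directory.
# cwallet.sso is scrambled, not encrypted, so file-system permissions are its
# only protection. Owner-only access is this example's policy (an assumption).

# audit_wallet DIR
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 if no wallet.
audit_wallet() {
    aw_dir=$1
    aw_sso="$aw_dir/cwallet.sso"
    aw_rc=0
    if [ ! -e "$aw_sso" ]; then
        echo "MISSING $aw_sso"
        return 2
    fi
    # A symlink could redirect the daemons to a wallet outside this directory.
    if [ -L "$aw_sso" ]; then
        echo "SYMLINK $aw_sso"
        aw_rc=1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    aw_bits=$(ls -ldL "$aw_sso" | cut -c5-10)
    if [ "$aw_bits" != "------" ]; then
        echo "EXPOSED $aw_sso group/other bits: $aw_bits"
        aw_rc=1
    fi
    # Group or other write on the directory lets someone swap the wallet file.
    aw_dbits=$(ls -ldL "$aw_dir" | cut -c6,9)
    if [ "$aw_dbits" != "--" ]; then
        echo "WRITABLE $aw_dir group/other write bits: $aw_dbits"
        aw_rc=1
    fi
    return "$aw_rc"
}

# stray_wallets ROOT WALLET_DIR
# Lists copies of cwallet.sso under ROOT that sit outside WALLET_DIR, such as
# ones swept into a staging area or archive tree by a separate copy job.
stray_wallets() {
    find "$1" -type f -name cwallet.sso ! -path "$2/*" 2>/dev/null
}

# Usage: sh audit_wallet.sh /usr/etc/ob/wallet
if [ "$#" -gt 0 ]; then
    audit_wallet "$1"
fi
```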