Implementing Password-based Signatures with Single Sign-On:Notifications can require that a user's response be signed by a password-based signature or a certificate-based digital signature. Perform the following setup steps to enable users to provide these signatures.
For more information, see: #WF_SIG_POLICY Attribute and Reviewing Electronic Signature Details.
Implementing Password-based Signatures with Single Sign-On:Oracle Workflow supports password-based signatures for notifications based on Oracle Application Object Library (FND) passwords. If you maintain your directory service based on Oracle Application Object Library users and passwords, no additional setup is required. However, if you have implemented single sign-on functionality for your site through Oracle Directory Services, and you want to use password-based signatures, you must perform the following steps.
Set the Applications SSO Login Types profile option to either Local or Both at user level for all users who need to enter password-based signatures.
Ensure that these users have valid passwords defined in Oracle Application Object Library. See: Users Window.
For more information, see: Overview of Single Sign-On Integration, Oracle E-Business Suite Security Guide.
Loading Certificates for Digital Signatures:If a notification requires a certificate-based digital signature, the user must sign the response with a valid X.509 certificate issued by a certificate authority. Before users can sign responses with their certificates, you must load these certificates into your Oracle E-Business Suite database using the Workflow Certificate Loader.
When you load a certificate, you must also specify the Oracle E-Business Suite user to whom that certificate is assigned. Oracle Workflow uses this information to validate that the user attempting to sign with a certain certificate is the same user to whom that certificate is assigned.
A user can have more than one certificate assigned to him or her. However, each certificate can only be assigned to one user. Additionally, after you have loaded a certificate for a user, you cannot delete it from the database or assign it to a different user. If a certificate is incorrectly assigned, the user to whom it belongs must revoke it and obtain a new certificate instead.
You can load several certificates at once by listing the information for all the certificates in a data file for the loader. You can also load a single certificate by specifying the certificate information in the command line for the loader.
Note: If your users access Oracle E-Business Suite with Microsoft Internet Explorer, ensure that you also set the Browser Signing DLL Location global preference in the Workflow Configuration page. See: To Set Global Preferences for Oracle Workflow.
For each certificate, obtain the following information:
The Oracle E-Business Suite user name of the user to whom the certificate belongs.
The personal certificate itself, in the DER encoded binary X.509 format. The certificate should be provided as a file with an extension of .cer.
The root certificate of the certificate authority that issued the personal certificate, as well as any intermediate certificates required for this type of personal certificate.
A URL for each root and intermediate certificate, specifying the location from which the corresponding Certificate Revocation List (CRL) can be downloaded.
Note: You only need to load the root certificate for a particular certificate authority, and the intermediate certificates for a particular type of certificate, once. If you already loaded the root and intermediate certificates required for a new personal certificate, you can simply load the personal certificate without reloading the others.
If you want to load several certificates at once, create a data file for the Workflow Certificate Loader that specifies the location of the certificates to be loaded and the users to whom they belong. The data file should be a text file containing one entry for each root, intermediate, or personal certificate to be loaded.
All certificate entries in the file must appear in the order of the certification path, beginning with the root certificate for the certificate authority, followed by any intermediate certificates and then by the personal certificate. However, if the root or intermediate certificates required for a particular personal certificate were loaded previously, you do not need to reload them.
Each certificate entry must be a single line. For a root or intermediate certificate, use the following format:
user=CA; domain=CA; filename=<certificate_file>; crl_url=<URL>
where <certificate_file> is the full path and file name specifying the location of the certificate file, and <URL> is the location from which the corresponding Certificate Revocation List (CRL) can be downloaded.
For a personal certificate, use the following format:
user=<user_name>; domain=U; filename=<certificate_file>
where <user_name> is the Oracle E-Business Suite user name of the user to whom the certificate belongs, and <certificate_file> is the full path and file name specifying the location of the certificate file.
You can also include comments in the data file. Start each comment line with a number sign (#).
The following example shows a sample data file. Note that although the lines may appear to wrap in this document, each certificate entry is a single line in the data file.
#Root certificate for certificate authority myCA user=CA; domain=CA; filename=/certs/myCA.cer; crl_url=http://example.com/myCA.crl # #Personal certificate for user BLEWIS user=BLEWIS; domain=U; filename=/certs/blewis.cer
To load several certificates at once using a data file, run the Workflow Certificate Loader with the following command:
java oracle.apps.fnd.wf.DigitalSignature.loader.CertificateLoader [-v] <user_name> <password> <connect_string> <data_file>
You can optionally specify the -v option to run the Workflow Certificate Loader in verbose mode, displaying additional diagnostic information in the output.
Replace the variables with your parameters as follows:
<user_name> - The user name of your Oracle E-Business Suite database account.
<password> - The password for your Oracle E-Business Suite database account.
<connect_string> - The connect string for the database, including the host name, TNS port number, and database system identifier (SID) in the following format:
<host_name>:<port_number>:<database_SID>
<data_file> - The full path and file name specifying the location of the data file you created in the previous step.
For example:
java oracle.apps.fnd.wf.DigitalSignature.loader.CertificateLoader -v apps <password> myserv:4105:mySID myCertData.txt
To load a single certificate without using a data file, run the Workflow Certificate Loader specifying the certificate information in the command line. For a root or intermediate certificate, use the following command:
java oracle.apps.fnd.wf.DigitalSignature.loader.CertificateLoader [-v] -s <user_name> <password> <connect_string> user=CA domain=CA filename=<certificate_file> crl_url=<URL>
For a personal certificate, use the following command:
java oracle.apps.fnd.wf.DigitalSignature.loader.CertificateLoader [-v] -s <user_name> <password> <connect_string> user=<user_name> domain=U filename=<certificate_file>
You can optionally specify the -v option to run the Workflow Certificate Loader in verbose mode, displaying additional diagnostic information in the output.
Replace the variables with your parameters as follows:
<user_name> - The user name of your Oracle E-Business Suite database account.
<password> - The password for your Oracle E-Business Suite database account.
<connect_string> - The connect string for the database, including the host name, TNS port number, and database system identifier (SID) in the following format:
<host_name>:<port_number>:<database_SID>
<user_name> - The Oracle E-Business Suite user name of the user to whom the personal certificate belongs.
<certificate_file> - The full path and file name specifying the location of the certificate file.
<URL> - The location from which the corresponding Certificate Revocation List (CRL) for the root or intermediate certificate can be downloaded.
For example:
java oracle.apps.fnd.wf.DigitalSignature.loader.CertificateLoader -s apps <password> myserv:4105:mySID user=BLEWIS domain=U filename=/certs/blewis.cer
Note: You can display a help message describing the usage of the Workflow Certificate Loader by specifying the -h option with the following command:
java oracle.apps.fnd.wf.DigitalSignature.loader.CertificateLoader -h
Troubleshooting the Workflow Certificate Loader
The following list shows Workflow Certificate Loader error messages and suggested steps to resolve them.
No parent certificate found for certificate - The loader could not locate the root or intermediate certificate that should precede the current certificate in the certificate path. Ensure that either the parent certificate is already loaded to the database, or a valid entry for the parent certificate appears before the entry for the current certificate in the data file.
Unable to create certificate object from file - The data in the certificate file may be corrupted. Check that the certificate is valid by double-clicking the certificate file and viewing its status. Also, ensure that the certificate is stored in the DER encoded binary X.509 format.
FND USER does not exist - The user name specified in a certificate entry in the data file is not defined as an Oracle E-Business Suite user. Ensure that the user name is specified as either CA for a certificate authority or a valid Oracle E-Business Suite user name for an individual user.
Certificate already associated with another user - The certificate has already been loaded to the database and assigned to a different user. If a certificate is incorrectly assigned, the user to whom it belongs must revoke it and obtain a new certificate instead.
Certdatafile not in proper format - The data file for the loader does not follow the required format. Ensure that the data file contains only certificate entries and comments, each certificate entry is a single line containing the appropriate arguments, and each comment line begins with a number sign (#).
The Network Adapter could not establish the connection - The loader was unable to connect to the database using the specified parameters. Ensure that you specify the correct database user name, password, and connect string when you run the loader.
Illegal Argument Exception - The loader could not process the parameters provided in the run command. Ensure that you specify the loader parameters in the required format.