Oracle® Secure Backup Reference Release 10.1 Part Number B14236-03 |
|
|
View PDF |
Purpose
Use the obcm
tool to export and import identity certificates. These steps are required if you do not accept the default Oracle Secure Backup security behavior, which is for the Certification Authority to issue signed certificates to new hosts over the network.
The observiced
daemon on the administrative server acts as the Certification Authority. The CA has two responsibilities with respect to certificates: it accepts certificate signing requests from hosts within the administrative domain as part of the mkhost
process, and sends signed certificates back to the requesting host.
In manual certificate provisioning mode, you run obcm export
--certificate
on the administrative server to export a signed certificate for the newly configured host. You must manually transfer this signed certificate to the newly configured host.
After manually transferring the certificate to the new host, run obcm import
on the newly configured host to import the signed certificate into the host's wallet. In this case, obcm
directly accesses the wallet of the host. After it has made changes to the local wallet, obcm
notifies the local observiced
so that the local observiced
can re-create the obfuscated wallet.
Prerequisites
You must have write permissions in the wallet directory, which by default is /usr/etc/ob/wallet
on Linux and UNIX and C:\Program Files\Oracle\Backup\db\wallet
on Windows. Note that obcm
always accesses the wallet in this location. You cannot override the default location.
Syntax
/etc/obcm [ export --certificate --file certificate_file --host hostname ] [ import --file signed_certificate_file ]
Semantics
Exports a signed identity certificate for the specified host to the specified text file.
Imports a signed identity certificate from the specified text file.
Examples
Example 5-6 exports a certificate for host new_client
to the file new_client_cert.f
. The utility is run on the administrative server.
Example 5-6 Exporting a Signed Certificate
obcm export --certificate --file /tmp/new_client_cert.f --host new_client
Example 5-7 imports a signed identity certificate from the file client_cert.f
. The utility is run on the host being added to the administrative domain.