jct-ocsp-nonce-generation-enable
jct-ocsp-nonce-generation-enable = {yes|no}
Description
Determines whether WebSEAL generates a nonce as part of the OCSP request. Enabling this option can improve security by preventing replay attacks on WebSEAL, but it may cause excessive load on an OCSP Responder appliance, because the responder cannot use cached responses and must sign each response.
Options
yes
    WebSEAL generates a nonce as part of the OCSP request.
no
    WebSEAL does not generate a nonce as part of the OCSP request.
Usage:
This stanza entry is optional.
Default: no
Example:
jct-ocsp-nonce-generation-enable = no
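
The trade-off in the Description, as an added Python model that is not WebSEAL or IBM code: an HMAC stands in for the responder's signature, and the names Responder, client_accepts, demo and the serial 01A3 are constructed for illustration. It assumes the client compares the echoed nonce with the one it sent, and it omits the thisUpdate/nextUpdate validity window that bounds replay in real OCSP.

```python
import hashlib
import hmac
import os

KEY = b"constructed-demo-key"  # assumption: stand-in for the responder's signing key

def sign(serial, status, nonce):
    """HMAC stands in for the responder's signature over the response data."""
    return hmac.new(KEY, b"|".join([serial, status, nonce or b""]), hashlib.sha256).digest()

class Responder:
    """Model responder: reuses one signed response per serial unless a nonce is sent."""

    def __init__(self, status_by_serial):
        self.status = status_by_serial
        self.cache = {}
        self.signatures = 0  # signing operations, the load the Description warns about

    def respond(self, serial, nonce=None):
        if nonce is None and serial in self.cache:
            return self.cache[serial]  # cached answer, no new signature
        status = self.status[serial]
        self.signatures += 1
        resp = {"serial": serial, "status": status, "nonce": nonce,
                "sig": sign(serial, status, nonce)}
        if nonce is None:
            self.cache[serial] = resp
        return resp

def client_accepts(resp, serial, sent_nonce):
    """Accept only a validly signed 'good' answer that echoes the nonce we sent, if any."""
    sig_ok = hmac.compare_digest(resp["sig"], sign(resp["serial"], resp["status"], resp["nonce"]))
    nonce_ok = sent_nonce is None or resp["nonce"] == sent_nonce
    return sig_ok and nonce_ok and resp["serial"] == serial and resp["status"] == b"good"

def demo(use_nonce):
    """Return (stale 'good' accepted after revocation?, signatures needed for 10 checks)."""
    new_nonce = (lambda: os.urandom(16)) if use_nonce else (lambda: None)
    serial = b"01A3"  # constructed certificate serial
    responder = Responder({serial: b"good"})
    captured = responder.respond(serial, new_nonce())  # response recorded on the wire
    for _ in range(9):
        responder.respond(serial, new_nonce())
    responder.status[serial] = b"revoked"
    # Later check: the recorded "good" response arrives instead of a fresh one.
    return client_accepts(captured, serial, new_nonce()), responder.signatures

if __name__ == "__main__":
    print("no nonce:", demo(False), "nonce:", demo(True))
```

With the nonce off, the recorded response is still accepted after revocation and the responder signs once for ten checks; with it on, the recorded response is rejected and the responder signs all ten.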