Enable OCSP checking in native interceptors of Advanced Message Security
Online Certificate Status Protocol (OCSP) checking in Advanced Message Security is enabled by default, based on information in the certificates being used.
Procedure
Add the following options to the keystore configuration file: Note: All the OCSP stanza are optional and can be specified independently.Option | Description |
---|---|
ocsp.enable=off | Enable the OCSP checking if the certificate being checked has an Authority
Info Access (AIA) Extension with an PKIX_AD_OCSP access method containing a URI of where the OCSP
Responder is located.
Possible values: on or off. |
ocsp.url=responder_URL | The URL address of OCSP responder. If this option is omitted then non-AIA OCSP checking is disabled. |
ocsp.http.proxy.host=OCSP_proxy | The URL address of the OCSP proxy server. If this option is omitted then a proxy is not used for non-AIA online certificate checks. |
ocsp.http.proxy.port=port_number | The OCSP proxy server's port number. If this option is omitted then the default port of 8080 is used. |
ocsp.nonce.generation=on/off | Generate nonce when querying OCSP.
The default value is off. |
ocsp.nonce.check=on/off | Check nonce after receiving a response from OCSP.
The default value is off. |
ocsp.nonce.size=8 | Nonce size in bytes. |
ocsp.http.get=on/off | Specify HTTP GET as your request method. If this option is set to off, HTTP POST is used. The default value is off. |
ocsp.max_response_size=20480 | Maximum size of response from the OCSP responder provided in bytes. |
ocsp.cache_size=100 | Enable internal OCSP response caching and set the limit for the number of cache entries. |
ocsp.timeout=30 | Waiting time for a server response, in seconds, after which Advanced Message Security times-out. |
ocsp.unknown=ACCEPT | Defines the behavior when an OCSP server cannot be reached within a timeout
period. Possible values:
|