Enable OCSP checking in native interceptors of Advanced Message Security

Online Certificate Status Protocol (OCSP) checking in Advanced Message Security is enabled by default, based on information in the certificates being used.


Procedure

Add the following options to the keystore configuration file: Note: All the OCSP stanza are optional and can be specified independently.

Option Description
ocsp.enable=off Enable the OCSP checking if the certificate being checked has an Authority Info Access (AIA) Extension with an PKIX_AD_OCSP access method containing a URI of where the OCSP Responder is located.

Possible values: on or off.

ocsp.url=responder_URL The URL address of OCSP responder. If this option is omitted then non-AIA OCSP checking is disabled.
ocsp.http.proxy.host=OCSP_proxy The URL address of the OCSP proxy server. If this option is omitted then a proxy is not used for non-AIA online certificate checks.
ocsp.http.proxy.port=port_number The OCSP proxy server's port number. If this option is omitted then the default port of 8080 is used.
ocsp.nonce.generation=on/off Generate nonce when querying OCSP.

The default value is off.

ocsp.nonce.check=on/off Check nonce after receiving a response from OCSP.

The default value is off.

ocsp.nonce.size=8 Nonce size in bytes.
ocsp.http.get=on/off Specify HTTP GET as your request method. If this option is set to off, HTTP POST is used. The default value is off.
ocsp.max_response_size=20480 Maximum size of response from the OCSP responder provided in bytes.
ocsp.cache_size=100 Enable internal OCSP response caching and set the limit for the number of cache entries.
ocsp.timeout=30 Waiting time for a server response, in seconds, after which Advanced Message Security times-out.
ocsp.unknown=ACCEPT Defines the behavior when an OCSP server cannot be reached within a timeout period. Possible values:

  • ACCEPT Allows the certificate
  • WARN Allows the certificate and logs a warning
  • REJECT Prevents the certificate from being used and logs an error