jct-ocsp-nonce-check-enable

jct-ocsp-nonce-check-enable = {yes|no}

Description

Determines whether WebSEAL checks the nonce in the OCSP response. Enabling this option improves security but can cause OCSP Response validation to fail if there is a caching proxy between WebSEAL and the OCSP Responder. Note that enabling this option automatically enables the jct-ocsp-nonce-generation-enable option.

Options

yes	WebSEAL checks the nonce in the OCSP response to verify that it matches the nonce from the request.

no	WebSEAL does not check the nonce in the OCSP response.

Usage: Optional

Default: no

Example:

jct-ocsp-nonce-check-enable = no

Parent topic: [junction] stanza