The Online Certificate Status Protocol (OCSP) helps maintain security across your environment by verifying whether user certificates are valid. OCSP uses OCSP responders to determine the revocation status of an X.509 client certificate. The OCSP responder does its verification in real time by aggregating certificate validation data and responding to an OCSP request for a particular certificate.
One benefit of OCSP is that you do not have to keep downloading a CRL at the client side to maintain up-to-date certificate status information. Additionally, CRLs can be large.
To implement OCSP checking, the Policy Server uses a text-based configuration file named SMocsp.conf file. This file is located in the directory policy_server_home/config, and it must exist to use the CA SiteMinder® OCSP feature.
The SMocsp.conf file contains settings that define the operation of one or more OCSP responders. When verifying if a user certificate is valid, the Policy Server looks for an Issuer DN in the SMocsp.conf file. If it finds the Issuer DN, a certificate status check is made using the specified OCSP responder that is associated with the Issuer DN. The Policy Server only performs OCSP checking and considers the certificate valid if the Policy Server finds the issue DN. A certificate is considered valid in the absence of an Issuer DN to satisfy cases where OCSP validation is not required.
You can sign an OCSP request; however, signing requests is an optional feature.
When the OCSP responder returns a response to the Policy Server, the Policy Server default behavior is to validate the signed response. Several settings in the SMocsp.conf file require configuration to enable response verification.
Note: If CRL checking is enabled in the Administrative UI, the Policy Server uses CRL checking by default, regardless of whether an SMocsp.conf file is present. OCSP takes precedence over CRL checking only if you enable failover and you set OCSP as the primary validation method. Failover is configured in the OCSP configuration file.
Set up the following components to use OCSP for certificate validation:
You obtain these certificates in a communication that is separate from an OCSP transaction.
To store the trusted certificate or collection of certificates, configure the LDAP directory in the User Directory section of the Administrative UI. The presence of the user directory enables the Policy Server to connect to it and locate the certificate or collection of certificates to verify the response signature. If you are storing a collection of certificates, be sure to use a multi–valued binary attribute for the directory entry to store all the certificates.
The OCSP responder can include the signature verification certificate with the response. In this case, the Policy Server validates the certificate and the response signature with the trusted certificate in the LDAP directory.
If the signature verification certificate is not in the response, the Policy Server verifies the signature of the response with the certificate or collection of certificates in the LDAP directory.
When you configure OCSP, specify the location of the certificate or the collection of certificates in the ResponderCertEP setting of the SMocsp.conf file.
The Policy Server can work with any OCSP response that is signed using SHA-1 and the SHA-2 family of algorithms (SHA224, SHA256, SHA384, SHA512).
For UNIX operating platforms, the file name must maintain the case-sensitivity.
The Policy Server uses a file that is named SMocsp.conf to implement OCSP checking. This file is an ASCII file with one or more OCSPResponder records.
The SMocsp.conf file must reside in the directory siteminder_home/config. For ease of configuration, a sample file (SMocsp.Sample.conf) is installed with the Policy Server in the config folder. To configure OCSP for your environment, copy the sample file and rename it SMocsp.conf.
Note: For UNIX platforms, maintain the case–sensitivity of the file name.
The following excerpt is an example of an SMocsp.conf file with a single OCSPResponder entry.
Note: The sample file shows all available settings. Not all settings are required.
[ OCSPResponder IssuerDN C=US,ST=Massachusetts,L=Boston,O=,OU=QA,CN=Issuer,E=user@domain.com AlternateIssuerDN C=US,ST=New York,L=Islandia,O=,OU=QA,CN=Issuer,E=user@domain.com CACertDir 10.1.22.2:389 CACertEP uid=caroot,dc=systest,dc=com ResponderCertDir 10.2.11.1:389 ResponderCertEP cn=OCSP,ou=PKI,ou=Engineering,o=ExampleInc,c=US ResponderCertAttr cacertificate ResponderLocation http://10.12.2.4:389 AIAExtension NO HttpProxyEnabled YES HttpProxyLocation http://10.11.2.5:80 HttpProxyUserName proxyuser1 HttpProxyPassword letmein SignRequestEnabled YES SignDigest SHA256 Alias defaultenterpriseprivatekey IgnoreNonceExtension NO PrimaryValidationMethod OCSP EnableFailover YES ResponderCertAlias cert1 ResponderGracePeriod 0 ]
Guidelines for modifying the SMocsp.conf file are as follows:
The settings in the file are as follows:
Required. Indicates that the entry is an OCSP responder record. Each OCSP Responder record must start with the name OCSPResponder.
Required. Specifies the DN of the certificate issuer. This value labels each OCSP Responder record in the file.
Entry: The Issuer DN value in the certificate.
Optional. Specifies a secondary IssuerDN or reversed DN.
Required. Specifies the name of the CA certificate directory that holds the CA certificate that issues the user certificate.
Be sure to configure this directory as a CA SiteMinder® user directory in the Administrative UI so the Policy Server can connect to it.
Enter a valid IP address and port number of the user directory.
Required. Specifies the entry point in the CA certificate directory where the CA certificate resides.
Enter a string representing an entry point in the certificate directory.
Required. Specifies the LDAP directory where the responder certificates is stored.
Be sure to configure this directory as a CA SiteMinder® user directory in the Administrative UI so the Policy Server can connect to it.
Enter a valid IP address and port number of the directory.
Required. Specifies the entry point in the LDAP directory where the responder certificate resides. The responder certificate directory is specified in the ResponderCertDir setting.
The signature verification certificate is the certificate that directly verifies the response signature or the collection of intermediate certificates.
The OCSP responder can include the signature verification certificate with the response. In this case, the Policy Server verifies the response signature and the certificate using the trusted certificate in the LDAP directory. If the signature verification certificate is not in the response, the Policy Server verifies only the response signature with the certificate or collection of certificates in the LDAP directory.
Enter a string representing an entry point in the directory where the certificate or the collection of certificates resides.
Required. Indicates the LDAP directory attribute that the Policy Server uses to look up the responder certificate in the responder certificate directory, which is specified in the ResponderCertDir setting.
Optional. Indicates the location of the OCSP responder server.
You can use the ResponderLocation setting or the AIAExtension setting, but note the following conditions:
If you enter a location, enter the value in the form responder_server_url:port_number.
Enter a URL and port number of the responder server.
Optional. Specifies whether the Policy Server uses the Authority Information Access extension (AIA) in the certificate to locate validation information.
You can use the AIAExtension or ResponderLocation settings, but note the following items:
Enter YES or NO.
Default: NO
Optional. Tells the Policy Server to send the OCSP request to the proxy server, not to the web server.
Enter YES or NO.
Default: NO
Optional. Specifies the URL of the proxy server. This value is only required if HttpProxyEnabled is set to YES.
Enter a URL beginning with http://.
Note: Do not enter a URL beginning with https://.
Optional. Specifies the user name for the login credentials to the proxy server. This user name must be the name of a valid user of the proxy server. This value is only required if HttpProxyEnabled is set to YES.
Enter an alphanumeric string.
Optional. Specifies the password for the proxy server user name. This value is displayed in clear text. This value is only required if HttpProxyEnabled is set to YES.
Enter an alphanumeric string.
Optional. Instructs the Policy Server to sign the generated OCSP request. Set this value to Yes to use the signing feature.
This value is independent of any user certificate signatures and is only relevant for the OCSP request.
Note: This setting is required only if the OCSP responder requires signed requests.
Enter YES or NO.
Default: NO
Optional. Designates the algorithm the Policy Server uses when signing the OCSP request. This setting is not case-sensitive. This setting is required only if the SignRequestEnabled setting is set to YES.
Enter one of the following options: SHA1, SHA224, SHA256, SHA384, SHA512
Default: SHA1
Optional. Specifies the alias for the key/certificate pair that signs the OCSP request that is sent to an OCSP responder. This key/certificate pair must be in the CA SiteMinder® certificate data store.
Note: The alias is required only if the SignRequestEnabled setting is set to YES.
Enter an alias using lower-case ASCII alphanumeric characters.
Optional. Tells the Policy Server not to include the nonce in the OCSP request. The nonce (number that is used once) is a unique number sometimes included in authentication requests to prevent the reuse of a response. Setting this parameter to Yes instructs the Policy Server not to include the nonce in the OCSP request.
Enter YES or NO.
Default: NO
Optional. Indicates whether OCSP or CRL is the primary method the Policy Server uses to validate certificates. This setting is only required if the EnableFailover setting is set to Yes.
Enter OCSP or CRL.
Default: OCSP
Tells the Policy Server to failover between OCSP and CRL certificate validation methods.
Enter YES or NO.
Default: NO
(Required for federation only). Names the alias of the certificate that verifies the signature of the OCSP response. For the Policy Server to perform response signature verification, specify an alias for this setting. Otherwise, the CA issuer has no available OCSP configuration.
Note: The Policy Server does not use this setting for X.509 certificate authentication.
Enter a string that names the alias.
You can see whether each issuer has an OCSP configuration after the SMocsp.conf file is loaded. The following message is a sample status message:
The SMocsp.conf file was loaded. OCSP configuration was added for the following issuer aliases: ocspcacert ocspcacert1 ocspcacert2
The issuer alias in the status message refers to the alias you specified in the Administrative UI when adding a CA certificate to the data store. If an issuer alias is not in the list, check the SMocsp.conf and the cds.log file. The log file is located in siteminder_home\log.
(Optional) Specifies the period (in days) to delay the invalidation of a certificate after it is revoked. The OCSP grace period gives you time to update certificates so that the configuration does not suddenly stop working. A value of 0 indicates that when a certificate is revoked it becomes invalid immediately.
If you do not specify a value for this field, the Policy Server uses the default revocation grace period setting in the Administrative UI. You can find the default setting by navigating to Infrastructure> X509 Certificate Management > Certificate Management.
Default: 0
Configure OCSP checking so that a user with an invalid client certificate cannot access a protected resource.
Note: Before you enable OCSP checking, set up your environment for certificate authentication.
The Policy Server can work with any OCSP response that is signed using SHA-1 and the SHA-2 family of algorithms (SHA224, SHA256, SHA384, SHA512).
To configure OCSP checking (without failover enabled)
A sample file, named SMocsp.Sample.conf is installed with the Policy Server in the config directory.
For UNIX platforms the file name is case-sensitive; for Windows platforms it is not.
Important! Configure a responder record for each Issuer DN else the Policy Server authenticates users without confirming the validity of the certificate.
The Certificate Mappings dialog opens.
If the issuer of the user certificate matches a certificate mapping and CRL Checking is enabled, the Policy Server uses CRL checking and not OCSP. Enabling failover is an exception to CRL checking taking precedence over OCSP. If you enable failover, the Policy Server uses the configured primary validation method.
OCSP is now enabled. To disable OCSP, change the name of the SMocsp.conf file.
OCSP requests are made over an HTTP connection, requiring an HTTP GET for the request to the OCSP responder for certificate validation.
In many enterprise environments, HTTP traffic goes through an HTTP proxy. For the Policy Server to send an OCSP request through an HTTP proxy, configure the proxy settings in the SMocsp.conf file.
Follow these steps:
Learn how to set each value by reviewing how to create an OCSP configuration file.
The Policy Server can sign OCSP requests when using a CA SiteMinder® certificate authentication scheme. Signing requests is only necessary if an OCSP responder requires signed requests.
Follow these steps:
Before you configure OCSP signing, complete the following prerequisite tasks:
When you add a key/certificate pair, specify an alias. The Policy Server uses the alias to identify the certificate entry in the certificate data store. When you specify an alias, note the following restrictions:
Note: Private keys must be RSA keys.
The Policy Server can sign requests and can verify responses when using a CA SiteMinder® certificate authentication scheme.
Follow these steps:
Instructs the Policy Server to sign an OCSP request.
Limits: Yes or No
Set this value to Yes to use the signing feature.
Accept the default, No, to disable signing.
Default: No. If the SignRequestEnabled entry is not present in a responder record, the Policy Server cannot sign OCSP requests.
Indicates the algorithm to use to sign an OCSP request.
Options:
SignDigest is not case-sensitive.
Default: SHA1
Indicates the alias under which the Policy Server looks to retrieve the signing key/certificate pair. Aliases are restricted to lower-case USA ASCII alphanumeric characters.
Signing of OCSP requests is now enabled.
|
Copyright © 2015 CA Technologies.
All rights reserved.
|
|