

Failover Between OCSP and CRLs

The Policy Server can use OCSP and CRLs as certificate validation mechanisms. If you configure both mechanisms, you can configure the Policy Server to failover between the two. Enabling failover is preferable to failing the authentication when one of the certificate validation mechanisms is not available.

You implement failover for certificate checking by designating a primary verification method in the OCSP configuration file (SMocsp.conf). If the primary validation method is unavailable, the Policy Server uses the secondary validation to complete the request. For the next request, the Policy Server reverts to the primary method and uses that method unless a failure occurs.

OCSP as the Primary Validation Method

If the primary method is OCSP and an OCSP responder is not available, the Policy Server uses a CRL to perform the certificate validation instead.

Failover does not override OCSP functionality as long as the OCSP responder returns a response indicator of good or revoked. If the response indicator is "unknown," failover to CRL checking occurs.

If you configure OCSP as the primary validation method, the Policy Server behaves as follows:

OCSP Certificate Validation

  Valid
    Failover disabled: User authenticated.
    Failover enabled: User authentication is based on OCSP results only. No CRL checking required.

  Revoked
    Failover disabled: User not authenticated.
    Failover enabled: User is not authenticated. No CRL checking required.

  Unknown or No response
    Failover disabled: User not authenticated.
    Failover enabled: Perform CRL checking.

CRL Checking as the Primary Validation Method

If the primary method is CRL checking and the Policy Server cannot retrieve a CRL, the Policy Server fails over to the OCSP responder. In this case, the Policy Server only relies on OCSP when a connection to the CRL directory server is not available. If the CRL returns a valid response, the Policy Server does not use OCSP.

Note: If failover is not enabled and CRL checking and OCSP are both configured, the Policy Server uses only CRL checking for certificate validation.

If you configure CRL as the primary validation method, the Policy Server behaves as follows:

CRL Certificate Validation

  Valid
    Failover disabled: User authenticated.
    Failover enabled: Checking is based on the first valid CRL results. No further CRL checking required.

  Revoked
    Failover disabled: User not authenticated.
    Failover enabled: No further CRL or OCSP checking required.

  No response/retrieval failed
    Failover disabled: If a CDP extension is available, the Policy Server tries each distribution point in consecutive order until it successfully retrieves a CRL. If the status for the certificate is valid or revoked, refer to the descriptions for those states. If a CRL with all reason codes is not retrieved, the Policy Server defaults to Not Authenticated.
    Failover enabled: If a CDP extension is available, the Policy Server tries each distribution point in consecutive order until it successfully retrieves a CRL. If the status for the certificate is valid or revoked, refer to the descriptions for those states. If a CRL with all reason codes is not retrieved, the Policy Server uses OCSP.
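To make the two tables above concrete, the following is an added Python model of the failover decisions; it is not CA SiteMinder code. It reads the EnableFailover and PrimaryValidationMethod values documented for SMocsp.conf and drives the OCSP and CRL checks through constructed callables. The exception names, sample serial numbers and distribution point URLs are assumptions made for the illustration, and where the page states no outcome (both mechanisms failing in turn) the model denies authentication.

```python
from typing import Callable, List, Optional, Set, Tuple

# Constructed exceptions standing in for "no response" / "retrieval failed".
class OcspUnavailable(Exception):
    """The OCSP responder did not answer (assumed error type)."""

class CrlUnavailable(Exception):
    """A CRL could not be retrieved from a distribution point (assumed error type)."""

OcspCheck = Callable[[str], str]   # serial -> "good" | "revoked" | "unknown"
CrlFetch = Callable[[str], Set[str]]  # CDP URL -> set of revoked serials

def ocsp_status(serial: str, ocsp_check: OcspCheck) -> str:
    """Table row 'Unknown or No response': a silent responder is treated like 'unknown'."""
    try:
        return ocsp_check(serial)
    except OcspUnavailable:
        return "unknown"

def crl_status(serial: str, cdps: List[str], crl_fetch: CrlFetch) -> Optional[str]:
    """Walk the CDP extension in order until one CRL is retrieved.
    Returns 'good' or 'revoked', or None when no distribution point yielded a CRL
    (the page's 'CRL with all reason codes not retrieved' case, simplified here)."""
    for url in cdps:
        try:
            revoked = crl_fetch(url)
        except CrlUnavailable:
            continue  # try the next distribution point
        return "revoked" if serial in revoked else "good"
    return None

def validate(serial: str, cdps: List[str], config: dict,
             ocsp_check: OcspCheck, crl_fetch: CrlFetch) -> Tuple[bool, str]:
    """Return (authenticated, method_that_decided) per the two failover tables."""
    failover = config.get("EnableFailover", "No").upper() == "YES"
    primary = config.get("PrimaryValidationMethod", "OCSP").upper()
    if primary == "OCSP":
        status = ocsp_status(serial, ocsp_check)
        if status in ("good", "revoked"):
            return (status == "good", "OCSP")   # good/revoked never fail over
        if not failover:
            return (False, "OCSP")             # unknown/no response, failover disabled
        status = crl_status(serial, cdps, crl_fetch)
        return (status == "good", "CRL")       # None (no CRL either) -> denied (assumption)
    if primary == "CRL":
        status = crl_status(serial, cdps, crl_fetch)
        if status is not None:
            return (status == "good", "CRL")   # first retrieved CRL decides
        if not failover:
            return (False, "CRL")              # defaults to Not Authenticated
        status = ocsp_status(serial, ocsp_check)
        return (status == "good", "OCSP")      # 'unknown' after failover -> denied (assumption)
    raise ValueError("PrimaryValidationMethod must be OCSP or CRL")

# Constructed sample data: the first CDP is unreachable, the second serves a CRL
# that lists one revoked serial.
REVOKED_SERIALS = {"0x2A"}
CDPS = ["http://crl.example.test/down.crl", "http://crl.example.test/up.crl"]

def sample_crl_fetch(url: str) -> Set[str]:
    if url.endswith("down.crl"):
        raise CrlUnavailable(url)
    return REVOKED_SERIALS

def responder_down(serial: str) -> str:
    raise OcspUnavailable()

def responder_unknown(serial: str) -> str:
    return "unknown"

def responder_good(serial: str) -> str:
    return "good"

def run_scenarios() -> dict:
    """Exercise the rows of both tables; returns {scenario: (authenticated, method)}."""
    ocsp_on = {"EnableFailover": "Yes", "PrimaryValidationMethod": "OCSP"}
    ocsp_off = {"EnableFailover": "No", "PrimaryValidationMethod": "OCSP"}
    crl_on = {"EnableFailover": "Yes", "PrimaryValidationMethod": "CRL"}
    crl_off = {"EnableFailover": "No", "PrimaryValidationMethod": "CRL"}
    return {
        "ocsp good": validate("0x01", CDPS, ocsp_on, responder_good, sample_crl_fetch),
        "ocsp unknown, failover off": validate("0x01", CDPS, ocsp_off, responder_unknown, sample_crl_fetch),
        "ocsp down, crl says good": validate("0x01", CDPS, ocsp_on, responder_down, sample_crl_fetch),
        "ocsp down, crl says revoked": validate("0x2A", CDPS, ocsp_on, responder_down, sample_crl_fetch),
        "crl primary, second cdp works": validate("0x2A", CDPS, crl_on, responder_good, sample_crl_fetch),
        "no crl, failover off": validate("0x01", CDPS[:1], crl_off, responder_good, sample_crl_fetch),
        "no crl, failover to ocsp": validate("0x01", CDPS[:1], crl_on, responder_good, sample_crl_fetch),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

The model keeps the one property that matters operationally: a definitive OCSP answer (good or revoked) is never second-guessed by a CRL, and failover only engages on the "unknown" or no-response outcomes the tables name.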

Configure Failover Between OCSP and CRLs

The Policy Server can use OCSP and CRLs as certificate validation mechanisms, enabling failover between the two. Before you enable failover, configure CRL checking in the Administrative UI and configure OCSP by creating the SMocsp.conf file. CRL checking and OCSP checking must be enabled for failover to work.

Follow these steps:

  1. Open the SMocsp.conf file in an editor. This file is in the directory policy_server_home/config.
  2. Add or modify the following entries for each responder record:
    EnableFailover

    Enables CA SiteMinder® to fail over from the primary validation method to the secondary method.

    Set this value to Yes to enable failover.

    Accept the default, No, to disable failover. If you do not configure failover and the OCSP responder cannot perform validation, the transaction fails.

    Limits: YES or NO

    Default: No

    PrimaryValidationMethod

    Indicates which certificate validation method the Policy Server uses first before trying the other method.

    If EnableFailover is set to YES and the value for this setting is OCSP, the Policy Server uses OCSP validation first. If there is no response from the OCSP responder or the response indicator is "unknown," then the Policy Server fails over to a CRL.

    If the value for this setting is CRL, the Policy Server ignores OCSP validation, even if it is configured, and uses a CRL. If the Policy Server cannot obtain the CRL or the CRL expires, the Policy Server fails over to OCSP.

    Limits: OCSP, CRL

    Default: OCSP

  3. Save the changes to the SMocsp.conf file.
  4. Restart the Policy Server.