CA SiteMinder® provides features that require certificate validation for certificates in the certificate data store. In 12.52 SP1, federation features use the certificate data store. These features include protecting the HTTP-Artifact back channel, verifying SAML messages, and encrypting SAML messages.
To check the validity of certificates, the certificate data store can use an OCSP service. OCSP uses an HTTP service that a Certificate Authority (CA) provides to supply certificate validation on demand.
By default, CA SiteMinder® does not check the revocation status of a certificate in the certificate data store. To check the revocation status through an OCSP responder, use the OCSP updater utility (OCSPUpdater). When enabled, the OCSPUpdater checks the revocation status for configured OCSP responders every 5 minutes. This default frequency is configurable.
Configuration of the OCSPUpdater relies on the following components:
The OCSPUpdater uses the SMocsp.conf file for OCSP responder configuration. Each Certificate Authority (CA) that issues certificates has its own OCSP responder. In the SMocsp.conf file, include every OCSP responder for each CA certificate in the certificate data store.
An SMocsp.conf file must exist to use the OCSPUpdater.
Note: The SMocsp.conf file is the same file that the CA SiteMinder® X.509 certificate authentication scheme uses to configure its own OCSP implementation.
XPSConfig lets you customize the behavior of the OCSPUpdater, such as enabling it and setting the frequency of updates. The customization is local to the Policy Server running the OCSPUpdater. Enable an OCSPUpdater on only one Policy Server in a CA SiteMinder® deployment.
The certificate data store supports failover from OCSP to CRL validation. If you configure CRLs and OCSP checking, you can enable failover between the two.
CA SiteMinder® federation features do not support certificate distribution point extensions with failover configured, even if the extensions are in a certificate.
For more information about failover, refer to the certificate validity checking section in the Policy Server Configuration Guide.
OCSP updates are scheduled using XPSConfig.
Important! Enabling OCSP updates is a local Policy Server administration setting. Enable the OCSPUpdater on only one Policy Server in a CA SiteMinder® deployment.
To schedule OCSP updates
OCSP revocation status updates are now scheduled. For updates to initiate, a federated single sign-on transaction must occur. The Policy Server where the OCSPUpdater is enabled must run this first transaction. Other Policy Servers in the deployment can make subsequent transactions.
The OCSPUpdater uses the SMocsp.conf file for responder configuration values. This file is the same file that the X.509 certificate authentication scheme uses to configure its OCSP implementation; however, not all settings for the authentication scheme apply for federation.
The SMocsp.conf file must reside in the directory siteminder_home/config.
Important! An entry for a given CA in the SMocsp.conf file does not mean that OCSP is enabled. You also have to set the EnableOCSPUpdater setting to Yes.
To edit the file
Important! If an Issuer DN is missing a responder record or the configuration is invalid, the Policy Server performs certificate operations without confirming the validity of the certificate.
Important! Only one file can exist on the one Policy Server where OCSP is enabled.
smkeytool -loadOCSPConfigFile
Guidelines for modifying the SMocsp.conf file are as follows:
In the SMocsp.conf file, you can configure the following settings for federation:
Required. Indicates that the entry is an OCSP responder record. Each OCSP Responder record must start with the name OCSPResponder.
Required. Specifies the DN of the certificate issuer. This value labels each OCSP Responder record in the file.
Entry: The Issuer DN value in the certificate.
Optional. Specifies a secondary IssuerDN or reversed DN.
Optional. Indicates the location of the OCSP responder server.
You can use the ResponderLocation setting or the AIAExtension setting, but note the following conditions:
If you enter a location, enter the value in the form responder_server_url:port_number.
Enter a URL and port number of the responder server.
Optional. Specifies whether the Policy Server uses the Authority Information Access extension (AIA) in the certificate to locate validation information.
You can use the AIAExtension or ResponderLocation settings, but note the following caveats:
Enter YES or NO.
Default: NO
Optional. Tells the Policy Server to send the OCSP request to the proxy server, not to the web server.
Enter YES or NO.
Default: NO
Optional. Specifies the URL of the proxy server. This value is only required if HttpProxyEnabled is set to YES.
Enter a URL beginning with http://.
Note: Do not enter a URL beginning with https://.
Optional. Specifies the user name for the login credentials to the proxy server. This user name must be the name of a valid user of the proxy server. This value is only required if HttpProxyEnabled is set to YES.
Enter an alphanumeric string.
Optional. Specifies the password for the proxy server user name. This value is displayed in clear text. This value is only required if HttpProxyEnabled is set to YES.
Enter an alphanumeric string.
Optional. Instructs the Policy Server to sign the generated OCSP request. Set this value to Yes to use the signing feature.
This value is independent of any user certificate signatures and is only relevant for the OCSP request.
Note: This setting is required only if the OCSP responder requires signed requests.
Enter YES or NO.
Default: NO
Optional. Designates the algorithm the Policy Server uses when signing the OCSP request. This setting is not case-sensitive. This setting is required only if the SignRequestEnabled setting is set to YES.
Enter one of the following options: SHA1, SHA224, SHA256, SHA384, SHA512
Default: SHA1
Optional. Specifies the alias for the key/certificate pair that signs the OCSP request that is sent to an OCSP responder. This key/certificate pair must be in the CA SiteMinder® certificate data store.
Note: The alias is required only if the SignRequestEnabled setting is set to YES.
Enter an alias using lower-case ASCII alphanumeric characters.
Optional. Tells the Policy Server not to include the nonce in the OCSP request. The nonce (number that is used once) is a unique number sometimes included in authentication requests to prevent the reuse of a response. Setting this parameter to Yes instructs the Policy Server not to include the nonce in the OCSP request.
Enter YES or NO.
Default: NO
Optional. Indicates whether OCSP or CRL is the primary method the Policy Server uses to validate certificates. This setting is only required if the EnableFailover setting is set to Yes.
Enter OCSP or CRL.
Default: OCSP
Tells the Policy Server to failover between OCSP and CRL certificate validation methods.
Enter YES or NO.
Default: NO
Required for federation only. Names the alias of the certificate that verifies the signature of the OCSP response. For the Policy Server to perform response signature verification, specify an alias for this setting. Otherwise, the CA issuer has no available OCSP configuration.
Note: The Policy Server does not use this setting for X.509 certificate authentication.
Enter a string that names the alias.
You can see whether each issuer has an OCSP configuration after the SMocsp.conf file is loaded. The following message is a sample status message:
The SMocsp.conf file was loaded. OCSP configuration was added for the following issuer aliases: ocspcacert ocspcacert1 ocspcacert2
The issuer alias in the status message refers to the alias you specified in the Administrative UI when adding a CA certificate to the data store. If an issuer alias is not in the list, check the SMocsp.conf and the cds.log file. The log file is located in siteminder_home\log.
Optional–for federation only. Specifies the period (in days) to delay the invalidation of a certificate after it is revoked. The OCSP grace period gives you time to update certificates so that the configuration does not suddenly stop working. A value of 0 indicates that when a certificate is revoked it becomes invalid immediately.
If you do not specify a value for this field, the Policy Server uses the default revocation grace period setting in the Administrative UI. You can find the default setting by navigating to Infrastructure> X509 Certificate Management > Certificate Management.
Default: 0
Disable the OCSP configuration for a specific CA by removing the issuer entry from the SMocsp.conf file. If you disable the OCSPUpdater, remove all entries from the file previously enabled.
Follow these steps:
smkeytool -loadOCSPConfigFile
OCSP for the specific CA issuer is disabled.
If you disable the OCSPUpdater but a given issuer has an entry in the SMocsp.conf file, the Policy Server prevents the addition of a certificate for that same issuer. If you try to add a certificate, the Policy Server logs an error message. The error occurs because OCSP is configured for the issuer, but the OCSPUpdater is not enabled. As a result, the revocation status check cannot be performed. If you try adding a certificate with the same issuer, the addition fails.
To add a CA certificate without causing an error
smkeytool -loadOCSPConfigFile
Copyright © 2014 CA.
All rights reserved.
|
|