Previous Topic: Certificate Revocation List UpdatesNext Topic: Certificate Cache Refresh Period


OCSP Updates

CA SiteMinder® provides features that require certificate validation for certificates in the certificate data store. In 12.52 SP1, federation features use the certificate data store. These features include protecting the HTTP-Artifact back channel, verifying SAML messages, and encrypting SAML messages.

To check the validity of certificates, the certificate data store can use an OCSP service. OCSP uses an HTTP service that a Certificate Authority (CA) provides to supply certificate validation on demand.

By default, CA SiteMinder® does not check the revocation status of a certificate in the certificate data store. To check the revocation status through an OCSP responder, use the OCSP updater utility (OCSPUpdater). When enabled, the OCSPUpdater checks the revocation status for configured OCSP responders every 5 minutes. This default frequency is configurable.

Configuration of the OCSPUpdater relies on the following components:

Failover Between OCSP and CRL Checking

The certificate data store supports failover from OCSP to CRL validation. If you configure CRLs and OCSP checking, you can enable failover between the two.

CA SiteMinder® federation features do not support certificate distribution point extensions with failover configured, even if the extensions are in a certificate.

For more information about failover, refer to the certificate validity checking section in the Policy Server Configuration Guide.

More information:

Certificate Validity Checking for X.509 Client Certificate Authentication

Schedule OCSP Updates

OCSP updates are scheduled using XPSConfig.

Important! Enabling OCSP updates is a local Policy Server administration setting. Enable the OCSPUpdater on only one Policy Server in a CA SiteMinder® deployment.

To schedule OCSP updates

  1. Log in to a Policy Server host system.
  2. Start the XPSConfig utility.
  3. Type CDS and press Enter.
  4. Type the number for EnableOCSPUpdater and press Enter.
  5. Type C and press Enter.
  6. Type yes and press Enter.
  7. Type Q.
  8. Do one of the following tasks:
  9. Restart the Policy Server.

OCSP revocation status updates are now scheduled. For updates to initiate, a federated single sign-on transaction must occur. The Policy Server where the OCSPUpdater is enabled must run this first transaction. Other Policy Servers in the deployment can make subsequent transactions.

Modify the SMocsp.conf file for OCSP Updates

The OCSPUpdater uses the SMocsp.conf file for responder configuration values. This file is the same file that the X.509 certificate authentication scheme uses to configure its OCSP implementation; however, not all settings for the authentication scheme apply for federation.

The SMocsp.conf file must reside in the directory siteminder_home/config.

Important! An entry for a given CA in the SMocsp.conf file does not mean that OCSP is enabled. You also have to set the EnableOCSPUpdater setting to Yes.

To edit the file

  1. Navigate to siteminder_home/config.
  2. Open the file in a text editor.
  3. Do one of the following tasks:
  4. Edit the file settings which can affect updates.

    Important! Only one file can exist on the one Policy Server where OCSP is enabled.

  5. Save the file.
  6. If the OCSPUpdater is already enabled, restart the Policy Server. Otherwise, you can load the edited SMocsp.conf file using following smkeytool command:
    smkeytool -loadOCSPConfigFile
    

More information:

SMocsp.conf Settings Used by Federation

SMocsp.conf Settings Used by Federation

Guidelines for modifying the SMocsp.conf file are as follows:

In the SMocsp.conf file, you can configure the following settings for federation:

OCSPResponder

Required. Indicates that the entry is an OCSP responder record. Each OCSP Responder record must start with the name OCSPResponder.

IssuerDN

Required. Specifies the DN of the certificate issuer. This value labels each OCSP Responder record in the file.

Entry: The Issuer DN value in the certificate.

AlternateIssuerDN

Optional. Specifies a secondary IssuerDN or reversed DN.

ResponderLocation

Optional. Indicates the location of the OCSP responder server.

You can use the ResponderLocation setting or the AIAExtension setting, but note the following conditions:

If you enter a location, enter the value in the form responder_server_url:port_number.

Enter a URL and port number of the responder server.

AIAExtension

Optional. Specifies whether the Policy Server uses the Authority Information Access extension (AIA) in the certificate to locate validation information.

You can use the AIAExtension or ResponderLocation settings, but note the following caveats:

Enter YES or NO.

Default: NO

HttpProxyEnabled

Optional. Tells the Policy Server to send the OCSP request to the proxy server, not to the web server.

Enter YES or NO.

Default: NO

HttpProxyLocation

Optional. Specifies the URL of the proxy server. This value is only required if HttpProxyEnabled is set to YES.

Enter a URL beginning with http://.

Note: Do not enter a URL beginning with https://.

HttpProxyUserName

Optional. Specifies the user name for the login credentials to the proxy server. This user name must be the name of a valid user of the proxy server. This value is only required if HttpProxyEnabled is set to YES.

Enter an alphanumeric string.

HttpProxyPassword

Optional. Specifies the password for the proxy server user name. This value is displayed in clear text. This value is only required if HttpProxyEnabled is set to YES.

Enter an alphanumeric string.

SignRequestEnabled

Optional. Instructs the Policy Server to sign the generated OCSP request. Set this value to Yes to use the signing feature.

This value is independent of any user certificate signatures and is only relevant for the OCSP request.

Note: This setting is required only if the OCSP responder requires signed requests.

Enter YES or NO.

Default: NO

SignDigest

Optional. Designates the algorithm the Policy Server uses when signing the OCSP request. This setting is not case-sensitive. This setting is required only if the SignRequestEnabled setting is set to YES.

Enter one of the following options: SHA1, SHA224, SHA256, SHA384, SHA512

Default: SHA1

Alias

Optional. Specifies the alias for the key/certificate pair that signs the OCSP request that is sent to an OCSP responder. This key/certificate pair must be in the CA SiteMinder® certificate data store.

Note: The alias is required only if the SignRequestEnabled setting is set to YES.

Enter an alias using lower-case ASCII alphanumeric characters.

IgnoreNonceExtension

Optional. Tells the Policy Server not to include the nonce in the OCSP request. The nonce (number that is used once) is a unique number sometimes included in authentication requests to prevent the reuse of a response. Setting this parameter to Yes instructs the Policy Server not to include the nonce in the OCSP request.

Enter YES or NO.

Default: NO

PrimaryValidationMethod

Optional. Indicates whether OCSP or CRL is the primary method the Policy Server uses to validate certificates. This setting is only required if the EnableFailover setting is set to Yes.

Enter OCSP or CRL.

Default: OCSP

EnableFailover

Tells the Policy Server to failover between OCSP and CRL certificate validation methods.

Enter YES or NO.

Default: NO

ResponderCertAlias

Required for federation only. Names the alias of the certificate that verifies the signature of the OCSP response. For the Policy Server to perform response signature verification, specify an alias for this setting. Otherwise, the CA issuer has no available OCSP configuration.

Note: The Policy Server does not use this setting for X.509 certificate authentication.

Enter a string that names the alias.

You can see whether each issuer has an OCSP configuration after the SMocsp.conf file is loaded. The following message is a sample status message:

The SMocsp.conf file was loaded.
OCSP configuration was added for the following issuer aliases:
ocspcacert
ocspcacert1
ocspcacert2

The issuer alias in the status message refers to the alias you specified in the Administrative UI when adding a CA certificate to the data store. If an issuer alias is not in the list, check the SMocsp.conf and the cds.log file. The log file is located in siteminder_home\log.

RevocationGracePeriod

Optional–for federation only. Specifies the period (in days) to delay the invalidation of a certificate after it is revoked. The OCSP grace period gives you time to update certificates so that the configuration does not suddenly stop working. A value of 0 indicates that when a certificate is revoked it becomes invalid immediately.

If you do not specify a value for this field, the Policy Server uses the default revocation grace period setting in the Administrative UI. You can find the default setting by navigating to Infrastructure> X509 Certificate Management > Certificate Management.

Default: 0

Disabling OCSP

Disable the OCSP configuration for a specific CA by removing the issuer entry from the SMocsp.conf file. If you disable the OCSPUpdater, remove all entries from the file previously enabled.

Follow these steps:

  1. Open the SMocsp.conf file in an editor. The SMocsp.conf file resides in the directory siteminder_home/config.
  2. Delete the associated issuer entry from the SMocsp.conf file.
  3. Using the smkeytool utility, enter the following command:
     smkeytool -loadOCSPConfigFile
    

OCSP for the specific CA issuer is disabled.

Adding a CA Certificate When OCSP is Disabled

If you disable the OCSPUpdater but a given issuer has an entry in the SMocsp.conf file, the Policy Server prevents the addition of a certificate for that same issuer. If you try to add a certificate, the Policy Server logs an error message. The error occurs because OCSP is configured for the issuer, but the OCSPUpdater is not enabled. As a result, the revocation status check cannot be performed. If you try adding a certificate with the same issuer, the addition fails.

To add a CA certificate without causing an error

  1. Open the SMocsp.conf file in an editor. The SMocsp.conf file resides in the directory siteminder_home/config.
  2. Remove the configuration for the relevant CA.
  3. Using XPSConfig, set the EnableOCSPUpdater to Yes to reenable OCSP.
  4. Load the SMocsp.conf file by entering the following command at a command line:
     smkeytool -loadOCSPConfigFile
    
  5. Reset the EnableOCSPUpdater parameter to No as you originally intended.