Some features require certificate validation for certificates in the certificate data store. In 12.52 SP1, federation features use the certificate data store. These features include protecting the HTTP-Artifact back channel, verifying SAML messages, and encrypting SAML messages.
To check the validity of certificates, the certificate data store can use an OCSP service. OCSP uses an HTTP service that a Certificate Authority (CA) provides to supply certificate validation on demand.
Note: Federation features implement the use of OCSP differently than X.509 authentication schemes. The authentication schemes use an independent LDAP directory to store OCSP responder certificates. The authentication schemes do not use the certificate data store.
By default, the revocation status of a certificate in the certificate data store is not checked. To check the revocation status through an OCSP responder, use the OCSP updater utility (OCSPUpdater). When enabled, the OCSPUpdater checks the revocation status for configured OCSP responders every 5 minutes. This default frequency is configurable.
Configuration of the OCSPUpdater relies on the following components:
The OCSPUpdater uses the SMocsp.conf file for OCSP responder configuration. Each Certificate Authority (CA) that issues certificates has its own OCSP responder. In the SMocsp.conf file, include every OCSP responder for each CA certificate in the certificate data store.
An SMocsp.conf file must exist to use the OCSPUpdater.
Note: The SMocsp.conf file is the same file that the X.509 certificate authentication scheme uses to configure its own OCSP implementation.
XPSConfig lets you customize the behavior of the OCSPUpdater, such as enabling it and setting the frequency of updates. The customization is local to the Policy Server running the OCSPUpdater. Enable an OCSPUpdater on only one Policy Server in a deployment.
The certificate data store supports failover from OCSP to CRL validation. If you configure CRLs and OCSP checking, you can enable failover between the two.
Federation features do not support certificate distribution point extensions with failover configured, even if the extensions are in a certificate.
Copyright © 2014 CA.
All rights reserved.
|
|