You configure OCSP checking to ensure that a user with an invalid client certificate cannot access a protected resource.
To configure OCSP certificate status checking, create the smocsp.conf file in the following directory:
siteminder_installation_dir/config
The smocsp.conf file must be an ASCII file containing one or more OCSPResponder records, each with the following format:
[ OCSPResponder
    IssuerDN <IssuerDN>
    [AlternateIssuerDN <IssuerDN>]
    CACertDir <Name of User Dir containing CA cert>
    CACertEP <Entry point in CACertDir containing CA cert>
    ResponderCertDir <Name of User Dir containing Responder cert>
    ResponderCertEP <Entry point in ResponderCertDir containing Responder cert>
    ResponderCertAttr <Directory attribute of Responder cert>
    ResponderLocation <Server-name of Responder:port #>
    AIAExtension <YES|NO>
]
Consider the following when creating the smocsp.conf file:
Note: Each record must either specify a ResponderLocation or set AIAExtension to YES. If neither is present, there is no OCSP responder to query and the certificate status cannot be checked.
The priority of AIAExtension and ResponderLocation is as follows:

If AIAExtension is...   Then...
YES                     The OCSP responder named in the certificate's AIA extension is used, if the certificate contains one. Otherwise, the ResponderLocation is used.
NO                      The ResponderLocation is used, regardless of any AIA extension in the userCertificate in the request.
Following is an example of a smocsp.conf file:
[ OCSPResponder
    IssuerDN C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD CLASS 3 CA-9
    CACertDir localhost:389
    CACertEP cn=DOD CLASS 3 CA-9,ou=PKI,ou=DoD,o=U.S. Government,c=US
    ResponderCertDir localhost:389
    ResponderCertEP cn=OCSP,ou=PKI,ou=DoD,o=U.S. Government,c=US
    ResponderCertAttr cacertificate
    ResponderLocation aristotle.jfcom.mil:80
]
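The following Python script is an added example and not part of CA SiteMinder or this page: it parses smocsp.conf records in the format shown above, enforces the rule that a record must carry a ResponderLocation or set AIAExtension to YES, and applies the AIAExtension/ResponderLocation priority to decide which responder a given certificate would be checked against. The sample configuration is constructed for the example (the "Example Corp" record is invented); treating an omitted AIAExtension as NO and the simplified DN comparison are assumptions made here, not behaviour documented on the page.

```python
"""Lint smocsp.conf and resolve which OCSP responder a certificate is checked against.
Added example, not CA SiteMinder code; see the lead-in for the assumptions it makes."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Longer keyword first so "IssuerDN" is never matched inside "AlternateIssuerDN".
KEYWORDS = ("AlternateIssuerDN", "IssuerDN", "CACertDir", "CACertEP", "ResponderCertDir",
            "ResponderCertEP", "ResponderCertAttr", "ResponderLocation", "AIAExtension")
# Mandatory keywords; AlternateIssuerDN and ResponderLocation are optional and an omitted
# AIAExtension is treated as NO (assumption: the documented example omits it).
REQUIRED = ("IssuerDN", "CACertDir", "CACertEP", "ResponderCertDir", "ResponderCertEP",
            "ResponderCertAttr")

_RECORD_RE = re.compile(r"\[\s*OCSPResponder\b(.*?)\]", re.S)
_KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b")


def _norm_dn(dn: str) -> str:
    # Simplified DN comparison (trim around RDN separators, ignore case). RFC 4514
    # matching rules are richer; this is enough for a configuration linter.
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class OCSPResponder:
    fields: Dict[str, str]

    @property
    def aia_extension(self) -> bool:
        return self.fields.get("AIAExtension", "NO").upper() == "YES"

    @property
    def responder_location(self) -> Optional[str]:
        return self.fields.get("ResponderLocation")

    def matches_issuer(self, issuer_dn: str) -> bool:
        candidates = [self.fields["IssuerDN"]]
        if "AlternateIssuerDN" in self.fields:
            candidates.append(self.fields["AlternateIssuerDN"])
        return any(_norm_dn(c) == _norm_dn(issuer_dn) for c in candidates)


def _parse_record(body: str) -> OCSPResponder:
    # Values such as DNs contain spaces, so split on keyword positions, not on whitespace.
    hits = list(_KEYWORD_RE.finditer(body))
    fields: Dict[str, str] = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        if hit.group(1) in fields:
            raise ValueError(f"duplicate keyword {hit.group(1)}")
        fields[hit.group(1)] = " ".join(body[hit.end():end].split())  # collapse line breaks
    missing = [k for k in REQUIRED if not fields.get(k)]
    if missing:
        raise ValueError("missing " + ", ".join(missing))
    aia = fields.get("AIAExtension", "NO").upper()
    if aia not in ("YES", "NO"):
        raise ValueError(f"AIAExtension must be YES or NO, got {aia!r}")
    # Documented constraint: without a ResponderLocation the record is only usable when
    # AIAExtension is YES, because only then can the certificate's own AIA URL be used.
    if not fields.get("ResponderLocation") and aia != "YES":
        raise ValueError("ResponderLocation is absent and AIAExtension is not YES")
    return OCSPResponder(fields)


def parse_smocsp(text: str) -> List[OCSPResponder]:
    """Parse every [ OCSPResponder ... ] record; raises ValueError on the first bad one."""
    records = [_parse_record(m.group(1)) for m in _RECORD_RE.finditer(text)]
    if not records:
        raise ValueError("no OCSPResponder records found")
    return records


def find_responder(records: List[OCSPResponder], issuer_dn: str) -> Optional[OCSPResponder]:
    """Locate the record for a certificate's issuer by IssuerDN or AlternateIssuerDN."""
    return next((r for r in records if r.matches_issuer(issuer_dn)), None)


def select_responder(rec: OCSPResponder, cert_aia_ocsp_url: Optional[str]) -> Optional[str]:
    """Documented priority: with AIAExtension YES the certificate's AIA OCSP URL wins when
    present, else ResponderLocation; with NO, ResponderLocation is used regardless of the
    certificate's AIA. None means there is nothing to query and validation must fail."""
    if rec.aia_extension and cert_aia_ocsp_url:
        return cert_aia_ocsp_url
    return rec.responder_location


# Constructed sample: the page's DoD record plus an invented AIA-only record.
SAMPLE_CONF = """
[ OCSPResponder
    IssuerDN C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD CLASS 3 CA-9
    CACertDir localhost:389
    CACertEP cn=DOD CLASS 3 CA-9,ou=PKI,ou=DoD,o=U.S. Government,c=US
    ResponderCertDir localhost:389
    ResponderCertEP cn=OCSP,ou=PKI,ou=DoD,o=U.S. Government,c=US
    ResponderCertAttr cacertificate
    ResponderLocation aristotle.jfcom.mil:80
]
[ OCSPResponder
    IssuerDN CN=Example Issuing CA,O=Example Corp,C=US
    AlternateIssuerDN CN=Example Issuing CA 2,O=Example Corp,C=US
    CACertDir localhost:389
    CACertEP cn=Example Issuing CA,o=Example Corp,c=US
    ResponderCertDir localhost:389
    ResponderCertEP cn=ocsp,o=Example Corp,c=US
    ResponderCertAttr cacertificate
    AIAExtension YES
]
"""
```

Run `parse_smocsp` over the real file before deploying a change: a record that has neither ResponderLocation nor AIAExtension YES, or a DN that is never matched by `find_responder`, means certificates from that issuer fall through without a status check.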
Copyright © 2010 CA. All rights reserved.