
Configure Online Certificate Status Protocol Checking

You configure OCSP checking so that a user who presents a revoked client certificate cannot access a protected resource: the Policy Server queries an OCSP responder for the certificate's revocation status before the certificate mapping is accepted.

To configure OCSP certificate status checking

  1. Ensure that CRL checking is not enabled for the certificate mapping.
  2. Create an smocsp.conf file in the Policy Server config directory:

    siteminder_installation_dir/config

The smocsp.conf file must be an ASCII file containing one or more OCSPResponder records, each with the following format:

[
OCSPResponder
IssuerDN <IssuerDN>
[AlternateIssuerDN <IssuerDN>]
CACertDir <Name of User Dir containing CA cert>
CACertEP <Entry point in CACertDir containing CA cert>
ResponderCertDir <Name of User Dir containing Responder cert>
ResponderCertEP <Entry point in ResponderCertDir containing Responder cert>
ResponderCertAttr <Directory attribute of Responder cert>
ResponderLocation <Server-name of Responder:port #>
AIAExtension <YES|NO>
]

Consider the following when creating the smocsp.conf file:

The AIAExtension setting determines which responder location is used, as follows:

  AIAExtension is YES: the OCSP responder URL in the certificate's Authority Information Access (AIA) extension is used for validation if the certificate carries one. Otherwise, the ResponderLocation is used.

  AIAExtension is NO: the ResponderLocation is always used, regardless of whether the user certificate in the request carries an AIA extension.

Following is an example of a smocsp.conf file:

[
OCSPResponder
IssuerDN C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD CLASS 3 CA-9
CACertDir localhost:389
CACertEP cn=DOD CLASS 3 CA-9,ou=PKI,ou=DoD,o=U.S. Government,c=US
ResponderCertDir localhost:389
ResponderCertEP cn=OCSP,ou=PKI,ou=DoD,o=U.S. Government,c=US
ResponderCertAttr cacertificate
ResponderLocation aristotle.jfcom.mil:80
]
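The following Python script is an added example that is not part of the CA documentation or of SiteMinder itself. It parses smocsp.conf-style OCSPResponder records, reports records that lack a required field, matches a client certificate's issuer DN against IssuerDN or AlternateIssuerDN, and applies the AIAExtension/ResponderLocation priority rule described above. It assumes one field per line inside each record and represents the client certificate only by its issuer DN and its AIA OCSP URL, if any; the sample file, hosts and DNs are constructed placeholders. The suggestion that AlternateIssuerDN is useful for the reversed RDN ordering of the same issuer is an assumption, not something the page states.

```python
"""Parse smocsp.conf-style OCSPResponder records, check them for missing
fields, and show which responder the AIAExtension/ResponderLocation rule
selects for a given client certificate.

Added illustration, not SiteMinder code. Assumptions: one field per line
inside each [ ... ] record, and the client certificate is represented only
by its issuer DN and its AIA OCSP URL (if present)."""
import re

# Constructed sample file; hosts and DNs are placeholders, not a real PKI.
SAMPLE_SMOCSP_CONF = """
[
OCSPResponder
IssuerDN C=US,O=Example Corp,OU=PKI,CN=Example Issuing CA
AlternateIssuerDN CN=Example Issuing CA,OU=PKI,O=Example Corp,C=US
CACertDir ldap.example.com:389
CACertEP cn=Example Issuing CA,ou=PKI,o=Example Corp,c=US
ResponderCertDir ldap.example.com:389
ResponderCertEP cn=OCSP,ou=PKI,o=Example Corp,c=US
ResponderCertAttr cacertificate
ResponderLocation ocsp.example.com:80
AIAExtension YES
]
[
OCSPResponder
IssuerDN C=US,O=Example Corp,OU=PKI,CN=Legacy CA
CACertDir ldap.example.com:389
CACertEP cn=Legacy CA,ou=PKI,o=Example Corp,c=US
ResponderCertDir ldap.example.com:389
ResponderCertEP cn=OCSP,ou=PKI,o=Example Corp,c=US
ResponderCertAttr cacertificate
ResponderLocation ocsp-legacy.example.com:80
AIAExtension NO
]
"""

# Every field of the record format except the optional AlternateIssuerDN.
REQUIRED_FIELDS = (
    "IssuerDN", "CACertDir", "CACertEP", "ResponderCertDir",
    "ResponderCertEP", "ResponderCertAttr", "ResponderLocation", "AIAExtension",
)


def parse_smocsp(text):
    """Return one dict per [ ... ] record, keyed by field name."""
    records = []
    for body in re.findall(r"\[(.*?)\]", text, re.S):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        if not lines or lines[0] != "OCSPResponder":
            raise ValueError("record does not start with OCSPResponder")
        rec = {}
        for ln in lines[1:]:
            key, _, value = ln.partition(" ")
            rec[key] = value.strip()
        records.append(rec)
    return records


def validate_records(records):
    """Return a list of problems; an empty list means the file is usable."""
    problems = []
    for i, rec in enumerate(records):
        for field in REQUIRED_FIELDS:
            if not rec.get(field):
                problems.append(f"record {i}: missing {field}")
        if rec.get("AIAExtension", "NO").upper() not in ("YES", "NO"):
            problems.append(f"record {i}: AIAExtension must be YES or NO")
    return problems


def _norm_dn(dn):
    """Case- and whitespace-insensitive RDN sequence. Naive split on ',':
    DNs containing escaped commas would need a real RFC 4514 parser."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return tuple(parts)


def find_responder(records, cert_issuer_dn):
    """Match the certificate issuer against IssuerDN or AlternateIssuerDN.
    Assumed use of AlternateIssuerDN: accept the reversed RDN ordering of
    the same issuer (c=US,...,cn=X versus cn=X,...,c=US)."""
    want = _norm_dn(cert_issuer_dn)
    for rec in records:
        names = [rec["IssuerDN"]]
        if rec.get("AlternateIssuerDN"):
            names.append(rec["AlternateIssuerDN"])
        if any(_norm_dn(n) == want for n in names):
            return rec
    return None


def select_responder(rec, cert_aia_ocsp_url=None):
    """Priority rule: with AIAExtension YES the certificate's AIA OCSP URL
    wins when present; otherwise, and always with NO, the configured
    ResponderLocation is used. Returns (source, location)."""
    if rec["AIAExtension"].upper() == "YES" and cert_aia_ocsp_url:
        return ("AIA", cert_aia_ocsp_url)
    return ("ResponderLocation", rec["ResponderLocation"])


if __name__ == "__main__":
    recs = parse_smocsp(SAMPLE_SMOCSP_CONF)
    print("config problems:", validate_records(recs) or "none")
    rec = find_responder(recs, "cn=Example Issuing CA,ou=PKI,o=Example Corp,c=US")
    print(select_responder(rec, "http://ocsp.example.com/aia"))
    print(select_responder(rec))
```

Running the script against a copy of your own smocsp.conf is a quick way to catch a record that is missing a field or whose IssuerDN does not match the issuer your client certificates actually carry, before the Policy Server silently fails to find a responder.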

More information:

Configure Certificate Revocation List Checking


Copyright © 2010 CA. All rights reserved.