

OCSP and CRL Enhancements

SiteMinder OCSP and Certificate Revocation List (CRL) functionality now supports the following features:

Signing OCSP Requests with SHA-2 Algorithms

The SiteMinder Policy Server now lets you sign OCSP requests for certificate-based authentication schemes with the more secure SHA-2 family of hashing algorithms. Signing OCSP requests enables SiteMinder to communicate with OCSP responders that require signed requests.

Validation of OCSP and CRL Responses Created with SHA-2 Hash Algorithms

The SiteMinder Policy Server can now work with any certificate, CRL, and OCSP response that is signed using the SHA-2 family of algorithms, including SHA224, SHA256, SHA384, and SHA512. Previously, SiteMinder only supported SHA1.

Support for Processing of Certificate Authority Chains with OCSP

The SiteMinder Policy Server now validates the full OCSP response certificate chain. In previous versions of SiteMinder, the OCSP response signature was validated, but the certificate chain was ignored. This change applies to all affected certificate-based authentication schemes in SiteMinder 12.0 SP3.

Failover Between OCSP and CRLs for Certificate Validation

The SiteMinder Policy Server can use OCSP and CRLs as certificate validation mechanisms for X.509 certificate authentication schemes. You can now designate a primary validation mechanism. If the primary method fails, the Policy Server can fail over to the other mechanism. If you configure OCSP as the primary method, the Policy Server can fail over to CRL checking. If CRL checking is the primary method, the Policy Server can fail over to OCSP.
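The primary/failover ordering described above can be modeled as follows. This is an added example, not SiteMinder code or configuration. It assumes that "fails" means the mechanism could not return an answer, that a definitive revoked result does not trigger failover, and that the certificate is rejected when neither mechanism answers; `validate`, `CheckUnavailable` and the sample checkers are hypothetical names.

```python
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


class CheckUnavailable(Exception):
    """The mechanism could not produce an answer (timeout, stale CRL, ...)."""


def validate(serial, primary, secondary):
    """Return (Status, mechanism name); raise if neither mechanism answers.

    primary and secondary are (name, check) pairs. Each check returns a
    Status or raises CheckUnavailable. Assumed semantics, not SiteMinder's.
    """
    errors = []
    for name, check in (primary, secondary):
        try:
            # A definitive answer, including REVOKED, ends the search:
            # failover covers outages, it never overrides a revocation.
            return check(serial), name
        except CheckUnavailable as exc:
            errors.append(f"{name}: {exc}")
    # Fail closed: with no answer from either mechanism, do not accept.
    raise CheckUnavailable("; ".join(errors))


# Constructed sample data: one revoked serial number.
REVOKED_SERIALS = {0x1A2B}


def crl_check(serial):
    return Status.REVOKED if serial in REVOKED_SERIALS else Status.GOOD


def ocsp_check(serial):
    return Status.REVOKED if serial in REVOKED_SERIALS else Status.GOOD


def ocsp_down(serial):
    raise CheckUnavailable("responder timeout")


def crl_stale(serial):
    raise CheckUnavailable("CRL past nextUpdate")
```
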

Policy Support for OCSP on Red Hat Linux

The SiteMinder Policy Server now supports OCSP on Red Hat Linux operating platforms. For the specific versions of Red Hat Linux, see the SiteMinder Platform Support Matrix on the CA Technical Support site.

For more information about all these features, see the Policy Server Configuration Guide.