

Create an OCSP Configuration File

The Policy Server uses a file named SMocsp.conf to implement OCSP checking. The SMocsp.conf file is an ASCII file with one or more OCSPResponder records.

The SMocsp.conf file must reside in the directory policy_server_home/config. For ease of configuration, a sample file, named SMocsp.Sample.conf is installed with the Policy Server in the config folder. To configure OCSP for your environment, copy the sample file and rename it SMocsp.conf.

Note: For UNIX platforms, maintain the case-sensitivity of the file name.

The following excerpt is an example of an SMocsp.conf file with a single OCSPResponder entry.

Note: The sample file shows all the available settings; however, not all settings are required.

[
OCSPResponder
IssuerDN C=US,ST=Massachusetts,L=Boston,O=,OU=QA,CN=Issuer,E=user@domain.com
AltIssuerDN C=US,ST=New York,L=Islandia,O=,OU=QA,CN=Issuer,E=user@domain.com
CACertDir 10.1.22.2:389 
CACertEP uid=caroot,dc=systest,dc=com
ResponderCertDir 10.2.11.1:389 
ResponderCertEP cn=OCSP,ou=PKI,ou=Engineering,o=ExampleInc,c=US
ResponderCertAttr cacertificate 
ResponderLocation http://10.12.2.4:389
AIAExtension NO
HttpProxyEnabled YES
HttpProxyLocation http://10.11.2.5:80
HttpProxyUserName proxyuser1
HttpProxyPassword letmein
SignRequestEnabled YES
SignDigest SHA256
Alias defaultenterpriseprivatekey
IgnoreNonceExtension NO
PrimaryValidationMethod OCSP
EnableFailover YES
]

Guidelines for each setting in the SMocsp.conf file are as follows:

OCSPResponder

Required. Indicates that the entry is an OCSP responder record. Each OCSP Responder record must start with the name OCSPResponder.

IssuerDN

Required. Specifies the DN of the certificate issuer. This value labels each OCSP Responder record in the file.

Enter the issuer DN exactly as it appears in the user certificate.

AltIssuerDN

Optional. Specifies an alternate form of the issuer DN that also selects this record, such as the same DN with its RDNs in the reverse order.

CACertDir

Required. Specifies the name of the CA certificate directory that holds the CA certificate that issues the user certificate.

Be sure to configure this directory as a SiteMinder user directory in the Administrative UI so the Policy Server can connect to it.

Enter a valid IP address and port number of the user directory.

CACertEP

Required. Specifies the entry point in the CA certificate directory where the CA certificate resides.

Enter a string representing an entry point in the certificate directory.

ResponderCertDir

Required. Specifies the LDAP directory where the responder certificate is stored.

Be sure to configure this directory as a SiteMinder user directory in the Administrative UI so the Policy Server can connect to it.

Enter a valid IP address and port number of the directory.

ResponderCertEP

Required. Specifies the entry point in the LDAP directory where the responder certificate resides. The responder certificate directory is specified in the ResponderCertDir setting.

The signature verification certificate is the certificate that directly verifies the response signature or the collection of intermediate certificates.

The OCSP responder can include the signature verification certificate with the response. In this case, the Policy Server verifies the response signature and the certificate using the trusted certificate in the LDAP directory. If the signature verification certificate is not in the response, the Policy Server verifies only the response signature with the certificate or collection of certificates in the LDAP directory.

Enter a string representing an entry point in the directory where the certificate or the collection of certificates resides.

ResponderCertAttr

Required. Indicates the LDAP directory attribute that the Policy Server uses to look up the responder certificate in the responder certificate directory, specified in the ResponderCertDir setting.

ResponderLocation

Optional. Indicates the location of the OCSP responder server.

Use either the ResponderLocation setting or the AIAExtension setting to locate the responder.

If you enter a location, enter it in the form responder_server_url:port_number, that is, the URL and port number of the responder server.

AIAExtension

Optional. Specifies whether the Policy Server uses the Authority Information Access extension (AIA) in the certificate to locate validation information.

Use either the AIAExtension setting or the ResponderLocation setting to locate the responder.

Enter YES or NO.

Default: NO

HttpProxyEnabled

Optional. Tells the Policy Server to send the OCSP request to the proxy server rather than directly to the OCSP responder.

Enter YES or NO.

Default: NO

HttpProxyLocation

Optional. Specifies the URL of the proxy server. This value is only required if HttpProxyEnabled is set to YES.

Enter a URL beginning with http://.

Note: Do not enter a URL beginning with https://.

HttpProxyUserName

Optional. Specifies the user name for the login credentials to the proxy server. This user name must be the name of a valid user of the proxy server. This value is only required if HttpProxyEnabled is set to YES.

Enter an alphanumeric string.

HttpProxyPassword

Optional. Specifies the password for the proxy server user name. This value is stored and displayed in clear text, so restrict read access to the SMocsp.conf file. This value is only required if HttpProxyEnabled is set to YES.

Enter an alphanumeric string.

SignRequestEnabled

Optional. Instructs the Policy Server to sign the generated OCSP request. Set this value to YES to use the signing feature.

This value is independent of any user certificate signatures and is only relevant for the OCSP request.

Note: This setting is required only if the OCSP responder requires signed requests.

Enter YES or NO.

Default: NO

SignDigest

Optional. Designates the algorithm the Policy Server uses when signing the OCSP request. This setting is not case-sensitive. This setting is required only if the SignRequestEnabled setting is set to YES.

Enter one of the following options: SHA1, SHA224, SHA256, SHA384, SHA512

Default: SHA1

Note: SHA1 is the default for compatibility with older responders. Use SHA256 or stronger whenever the responder supports it.

Alias

Optional. Names the alias under which the Policy Server looks for the key/certificate pair that signs the request. This key/cert pair must be in the SiteMinder smkeydatabase.

Note: The alias is required only if the SignRequestEnabled setting is set to YES.

Enter an alias using lower-case ASCII alphanumeric characters.

IgnoreNonceExtension

Optional. Tells the Policy Server not to include a nonce in the OCSP request. The nonce (number used once) is a random value that the responder copies into its response; it binds the response to this particular request and prevents an earlier response from being replayed. Setting this parameter to YES instructs the Policy Server to omit the nonce, so any response that is still within its validity period is accepted. Use YES only when the responder does not support nonces.

Enter YES or NO.

Default: NO

PrimaryValidationMethod

Optional. Indicates whether OCSP or CRL is the primary method the Policy Server uses to validate certificates. This setting is only required if the EnableFailover setting is set to YES.

Enter OCSP or CRL.

Default: OCSP

EnableFailover

Optional. Tells the Policy Server to fail over between the OCSP and CRL certificate validation methods.

Enter YES or NO.

Default: NO
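The rules in the settings reference above, checked mechanically. This is an added example and not SiteMinder code: it parses a file of [ ... ] OCSPResponder records (the line format is assumed from the sample above), reports the documented required and conditionally required settings, and warns about the weak choices the reference mentions (clear-text proxy password, SHA1 signing digest, omitted nonce). The two records in SAMPLE are constructed for the example; the first is modelled on the shipped sample.

```python
"""Validate SMocsp.conf against the rules in the settings reference above.
Added example, not SiteMinder code: the rules are the documented ones; the
line-oriented parsing of '[ ... ]' records is an assumption from the sample."""
import re
REQUIRED = ("IssuerDN", "CACertDir", "CACertEP", "ResponderCertDir",
            "ResponderCertEP", "ResponderCertAttr")
DIGESTS = ("SHA1", "SHA224", "SHA256", "SHA384", "SHA512")
# Constructed input: a clean record, then one with mistakes the reference warns about.
SAMPLE = """\
[
OCSPResponder
IssuerDN C=US,ST=Massachusetts,L=Boston,O=,OU=QA,CN=Issuer,E=user@domain.com
CACertDir 10.1.22.2:389
CACertEP uid=caroot,dc=systest,dc=com
ResponderCertDir 10.2.11.1:389
ResponderCertEP cn=OCSP,ou=PKI,ou=Engineering,o=ExampleInc,c=US
ResponderCertAttr cacertificate
ResponderLocation http://10.12.2.4:389
]
[
OCSPResponder
IssuerDN C=US,O=Example Corp,CN=Example Issuing CA
CACertDir ldap.example.com:389
CACertEP cn=Example Issuing CA,ou=PKI,o=Example Corp,c=US
ResponderCertDir ldap.example.com:389
ResponderCertEP cn=OCSP Signer,ou=PKI,o=Example Corp,c=US
AIAExtension NO
HttpProxyEnabled YES
HttpProxyLocation https://proxy.example.com:8080
HttpProxyPassword letmein
SignRequestEnabled YES
IgnoreNonceExtension YES
]
"""

def parse_smocsp(text):
    """Return one dict per [ ... ] record; '_first' is the record's leading token.
    Values keep internal spaces (DNs), so a line is split only at its first run."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "[" and cur is None:
            cur = {"_first": None}
        elif line == "]" and cur is not None:
            records.append(cur)
            cur = None
        elif cur is None or line in ("[", "]"):
            raise ValueError(f"unexpected line: {line!r}")
        else:
            parts = line.split(None, 1)
            cur["_first"] = cur["_first"] or parts[0]
            cur[parts[0]] = parts[1] if len(parts) > 1 else ""
    if cur is not None:
        raise ValueError("file ends inside a record")
    return records

def validate_record(rec):
    """Return 'ERROR ...' / 'WARN ...' strings for one record; empty means clean."""
    label, problems = rec.get("IssuerDN") or "<no IssuerDN>", []
    err = lambda m: problems.append(f"ERROR [{label}]: {m}")
    warn = lambda m: problems.append(f"WARN  [{label}]: {m}")
    yes = lambda name: rec.get(name, "NO").upper() == "YES"
    if rec["_first"] != "OCSPResponder":
        err("record must start with OCSPResponder")
    for name in REQUIRED:
        if not rec.get(name):
            err(f"{name} is required")
    if not rec.get("ResponderLocation") and not yes("AIAExtension"):
        err("set ResponderLocation or AIAExtension YES to locate the responder")
    if yes("HttpProxyEnabled"):
        if not rec.get("HttpProxyLocation", "").startswith("http://"):
            err("HttpProxyLocation must be set and begin with http:// (not https://)")
        for name in ("HttpProxyUserName", "HttpProxyPassword"):
            if not rec.get(name):
                err(f"{name} is required when HttpProxyEnabled is YES")
        if rec.get("HttpProxyPassword"):
            warn("HttpProxyPassword is stored in clear text; restrict read access to the file")
    if yes("SignRequestEnabled"):
        digest = rec.get("SignDigest", "SHA1").upper()  # SHA1 is the documented default
        if digest not in DIGESTS:
            err(f"SignDigest must be one of {', '.join(DIGESTS)}")
        elif digest == "SHA1":
            warn("SignDigest is SHA1; prefer SHA256 or stronger")
        if not re.fullmatch(r"[a-z0-9]+", rec.get("Alias", "")):
            err("Alias (lower-case alphanumeric smkeydatabase alias) is required for signing")
    if yes("IgnoreNonceExtension"):
        warn("nonce omitted: a replayed response is accepted for its whole validity period")
    return problems

def validate_file(text):
    """Validate every record and flag duplicate IssuerDN labels (one record per issuer)."""
    records = parse_smocsp(text)
    problems = [p for rec in records for p in validate_record(rec)]
    dns = [rec.get("IssuerDN") for rec in records]
    problems += [f"ERROR [{dn}]: duplicate IssuerDN" for dn in set(dns) if dns.count(dn) > 1]
    return problems

if __name__ == "__main__":
    for problem in validate_file(SAMPLE):
        print(problem)
```

Run it directly to print the findings for SAMPLE, or call validate_file() on the text of your own SMocsp.conf before restarting the Policy Server. An empty result means the file satisfies the documented rules; it does not prove that the directories or the responder are reachable.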

Configure OCSP Checking

Configure OCSP checking so that a user with an invalid client certificate cannot access a protected resource.

Note: Before you can enable OCSP checking, set up your environment for certificate authentication.

The Policy Server can work with any OCSP response that is signed using SHA-1 or one of the SHA-2 family of algorithms (SHA224, SHA256, SHA384, SHA512).

To configure OCSP checking (without failover enabled)

  1. Navigate to policy_server_home/config.

    A sample file, named SMocsp.Sample.conf is installed with the Policy Server in the config directory.

  2. Copy the sample configuration file and rename it SMocsp.conf.

    For UNIX platforms the file name is case-sensitive; for Windows platforms it is not.

  3. Open the file in a text editor.
  4. Add a unique OCSPResponder entry in the file for each IssuerDN that matches an IssuerDN specified in your certificate mapping.

    Important! If you do not configure a responder record for each Issuer DN, the Policy Server authenticates users without confirming the validity of the certificate.

  5. Save the file.
  6. Restart the Policy Server.
  7. Log on to the Administrative UI.
  8. Select Infrastructure, Directory.
  9. Expand the Certificate Mapping option.
  10. Select Create or Modify a Certificate Mapping.

    The Certificate Mappings dialog opens.

  11. Clear the Perform CRL Checks check box if OCSP is the only validity checking method that you plan to use. Leave CRL checking enabled if you plan to use failover.

    If the issuer of the user certificate matches a certificate mapping and CRL checking is enabled, the Policy Server uses CRL checking rather than OCSP. Failover is the exception: when failover is enabled, the Policy Server starts with the method named in PrimaryValidationMethod and falls back to the other method.

  12. Save the changes then exit the Administrative UI.
  13. (Optional) Configure the Policy Server to sign the OCSP requests.

OCSP is now enabled. To disable OCSP, change the name of the SMocsp.conf file.
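A check for the Important! note in step 4 above: every issuer DN used by a certificate mapping needs an OCSPResponder record, otherwise the Policy Server authenticates the user without confirming that the certificate is valid. This is an added example, not SiteMinder code. It assumes that the Policy Server selects a record by comparing the mapping's issuer DN string with the record's IssuerDN or AltIssuerDN, which is why a DN written in the opposite RDN order has to be supplied as AltIssuerDN; the SMocsp.conf fragment and the mapping DNs are constructed for the example.

```python
"""Check that each issuer DN in a certificate mapping has an OCSPResponder
record. Added example, not SiteMinder code; assumes the Policy Server picks a
record by string comparison of the mapping's issuer DN with IssuerDN/AltIssuerDN."""
import re

RECORD = re.compile(r"\[(.*?)\]", re.S)                        # one [ ... ] block
DN_LINE = re.compile(r"^(IssuerDN|AltIssuerDN)\s+(.+?)\s*$", re.M)

# Constructed SMocsp.conf fragment: only the DN lines matter for this check.
CONF = """\
[
OCSPResponder
IssuerDN C=US,O=Example Corp,CN=Example Issuing CA
ResponderLocation http://ocsp.example.com:80
]
[
OCSPResponder
IssuerDN C=US,O=Example Corp,CN=Partner CA
AltIssuerDN CN=Partner CA,O=Example Corp,C=US
ResponderLocation http://ocsp.example.com:80
]
"""
# Constructed issuer DNs as they would appear in the certificate mappings.
MAPPING_DNS = [
    "C=US,O=Example Corp,CN=Example Issuing CA",   # matches an IssuerDN
    "CN=Partner CA,O=Example Corp,C=US",           # matches an AltIssuerDN
    "CN=Example Issuing CA,O=Example Corp,C=US",   # matches only when reversed
    "C=US,O=Other Corp,CN=Unlisted CA",            # no record at all
]

def record_dns(conf_text):
    """(IssuerDN, AltIssuerDN or None) for every record in the file."""
    return [(d.get("IssuerDN"), d.get("AltIssuerDN"))
            for d in (dict(DN_LINE.findall(body)) for body in RECORD.findall(conf_text))]

def reverse_dn(dn):
    """Reverse RDN order: 'C=US,O=X,CN=Y' -> 'CN=Y,O=X,C=US'. Splits on bare
    commas, so escaped commas inside attribute values are not handled."""
    return ",".join(reversed(dn.split(",")))

def coverage(conf_text, mapping_dns):
    """'ok' when a record names the DN (as IssuerDN or AltIssuerDN); 'reversed'
    when a record would match only after reversing the RDN order (add that form
    as AltIssuerDN); 'missing' when no record applies, which is the case the
    Important! note warns about."""
    pairs = record_dns(conf_text)
    status = {}
    for dn in mapping_dns:
        if any(dn in pair for pair in pairs):
            status[dn] = "ok"
        elif any(reverse_dn(dn) in pair for pair in pairs):
            status[dn] = "reversed"
        else:
            status[dn] = "missing"
    return status

if __name__ == "__main__":
    for dn, state in coverage(CONF, MAPPING_DNS).items():
        print(f"{state:8} {dn}")
```

Feed coverage() the issuer DNs from your own certificate mappings and the text of SMocsp.conf; fix every "reversed" entry by adding AltIssuerDN and every "missing" entry by adding a record before you restart the Policy Server.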

Accessing an OCSP Responder through a HTTP Proxy

OCSP requests are made over an HTTP connection: the Policy Server sends each request to the OCSP responder as an HTTP GET and reads the response to validate the certificate.

In many enterprise environments, HTTP traffic goes through an HTTP proxy. For the Policy Server to send an OCSP request through an HTTP proxy, configure the proxy settings in the SMocsp.conf file.

To configure access to an OCSP Responder through a proxy

  1. Edit the existing SMocsp.conf file, or create one in the Policy Server config directory, policy_server_home/config, as described in Create an OCSP Configuration File.
  2. In the OCSPResponder record, set HttpProxyEnabled to YES, set HttpProxyLocation to the URL of the proxy server (beginning with http://), and set HttpProxyUserName and HttpProxyPassword to the credentials of a valid proxy user.

    Learn how to set each value by reviewing how to create an OCSP configuration file.

  3. Restart the Policy Server.