Policy Server Guides › Policy Server Configuration Guide › Certificate Mapping and Validity Checking for X.509 Certificates › Certificate Validity Checking (optional) › Configure a Certificate Mapping › OCSP Prerequisites

OCSP Prerequisites

Set up the following components to use OCSP for certificate validation:

• Establish a Certificate Authority (CA) environment.
• Set up an OCSP responder.
• Configure an LDAP directory to store an OCSP trusted responder certificate that validates the signature of the returned OCSP response. The OCSP trusted responder certificate is a single trusted verification certificate or a collection of certificates.

  You obtain these certificates in a communication that is separate from an OCSP transaction.

  To store the trusted certificate or collection of certificates, configure the LDAP directory in the User Directory section of the Administrative UI. The presence of the user directory enables the Policy Server to connect to it and locate the certificate or collection of certificates to verify the response signature. If you are storing a collection of certificates, be sure to use a multi-valued binary attribute for the directory entry to store all the certificates.

  The OCSP responder can include the signature verification certificate with the response. In this case, the Policy Server validates the certificate and the response signature with the trusted certificate in the LDAP directory.

  If the signature verification certificate is not in the response, the Policy Server verifies the signature of the response with the certificate or collection of certificates in the LDAP directory.

  When you configure OCSP, specify the location of the certificate or the collection of certificates in the ResponderCertEP setting of the SMocsp.conf file.

  The Policy Server can work with any OCSP response that is signed using SHA-1 and the SHA-2 family of algorithms (SHA224, SHA256, SHA384, SHA512).

• Store the CA certificate that issued the user certificate in an LDAP directory. This CA certificate validates the user certificate. You can store this certificate in the same LDAP directory where you store the OCSP trusted responder certificate or in a different LDAP directory.
• Configure a SiteMinder OCSP configuration file (SMocsp.conf). A sample configuration file, SMocsp.Sample.conf, is installed with the Policy Server. Copy this file, rename it to SMocsp.conf, then modify it as needed.

  For UNIX operating platforms, the file name must maintain the case-sensitivity.

• Optionally, be sure that the private key/certificate pair that the Policy Server uses to sign the OCSP request is available to the Policy Server. Store this key/certificate pair in the smkeydatabase.