Policy Server Guides › Policy Design Guide › Authentication Schemes › Certificate Mapping › How SiteMinder Confirms the Validity of Certificates › Configure Online Certificate Status Protocol Checking

Configure Online Certificate Status Protocol Checking

SiteMinder can check the status of a certificate using Online Certificate Status Protocol (OCSP). During certificate checking, the Policy Server looks for the existence of an Issuer DN in a configuration file (smocsp.conf). If the Issuer DN is found, a certificate status check is made using a certified OCSP 1.0 Responder also specified in the smocsp.conf file. If the Issuer DN is not found in the configuration file, the certificate is considered to have passed OCSP checking.

To use OCSP checking, you will require:

• An established CA environment
• An OCSP Responder
• One or more LDAP directories containing OCSP Responder and Certificate Authority public certificates.

To configure OCSP certificate status checking

1. Turn off CRL checking. In the Certificate Revocation List Checking group box of the Certificate Mapping dialog, make sure that the Perform CRL Checks check box is not checked.
2. Create an smocsp.conf file in the Policy Server config directory (siteminder_installation_dir/config)

The smocsp.conf file must be an ASCII file containing one or more OCSPResponder records, each with the following format:

[ 
OCSPResponder IssuerDN C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD CLASS 3 CA-9 
CACertDir localhost:389 
CACertEP cn=DOD CLASS 3 CA-9,ou=PKI,ou=DoD,o=U.S. Government,c=US  ResponderCertDir localhost:389 
ResponderCertEP cn=OCSP,ou=PKI,ou=DoD,o=U.S. Government,c=US ResponderCertAttr cacertificate 
ResponderLocation aristotle.jfcom.mil:80 
]

where:

• Each OCSPResponder record must start with the tag name
  OCSPResponder.
• Attribute names are not case sensitive.
• The user directory is not the IP Address of the physical directory, but is the name of the user directory connection listed in the Policy Server User Interface.
• The existence of a value for IssuerDN indicates the existence of an OCSP Responder record|object.
• CACertDir and ResponderCertDir directories should exist as user directories in the Policy Server database.
• All attributes except for AIAExtension and ResponderLocation are mandatory. In the case of these two, ResponderLocation should exist or AIAExtension should be YES.
• The default (unspecified) for AIAExtension is NO.
• The priority of AIAExtension and ResponderLocation is as follows:
  • If AIAExtension is YES:
    1. AIAExtension is used for validation, if it is found in the certificate.
    2. ResponderLocation is used.
  • If AIAExtension is NO:
    ResponderLocation will be used regardless of the value of AIAExtension in the userCertificate in the request.

    [
    OCSPResponder
    IssuerDN <IssuerDN>
    [AltIssuerDN <IssuerDN>]
    CACertDir <Name of User Dir containing CA cert>
    CACertEP <Entry point in CACertDir containing CA cert>
    ResponderCertDir <Name of User Dir containing Responder cert>
    ResponderCertEP <Entry point in ResponderCertDir containing Responder cert>
    ResponderCertAttr <Directory attribute of Responder cert>
    ResponderLocation <Server-name of Responder:port #>
    AIAExtension<YES|NO>
    ]
    

More information:

Configure Certificate Revocation List Checking