Certificate-based Authentication OCSP Connection Issue (34587) (34541)

During certificate-based authentication, if you set the IgnoreNonceExtension attribute to YES (the value is case sensitive) in the smocsp.conf file, the Nonce extension is disabled in the OCSP request, which is required by the CoreStreet responder for OCSP processing of certificate validity.

The following example smocsp.conf file shows the Nonce extension as being disabled in the OCSP request:

[
OCSPResponder
IssuerDN C=de,O=InsecureTestCertificate,CN=For Tests Only next generation,E=insecure@test.insecure
AlternateIssuerDN C=de,O=InsecureTestCertificate,CN=For Tests Only next generation,E=insecure@test.insecure
CACertDir 172.25.135.174:2351
CACertEP uid=CA Manager,ou=ocsp,dc=clearcase,dc=com
ResponderCertDir 172.25.135.174:2351
ResponderCertEP uid=Responder Manager,ou=ocsp,dc=clearcase,dc=com
ResponderCertAttr cacertificate
ResponderLocation ocsp.openvalidation.org:80
IgnoreNonceExtension YES
]

If the IgnoreNonceExtension attribute does not exist in the smocsp.conf file, then the Nonce extension remains enabled in the OCSP request, which is the default.
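
The rule described above, as an added example that is not part of the original page or the product's own tooling: a short Python audit that parses smocsp.conf-style text and reports, per responder, whether the Nonce extension stays in the OCSP request. It assumes that only the exact value YES disables the nonce and that a file may hold several bracketed blocks; the second block in the sample is constructed.

```python
# Constructed sample in the layout of the page's example; the second block and
# its lowercase value are made up to exercise the case-sensitive check.
SAMPLE = """\
[
OCSPResponder
IssuerDN C=de,O=InsecureTestCertificate,CN=For Tests Only next generation,E=insecure@test.insecure
ResponderLocation ocsp.openvalidation.org:80
IgnoreNonceExtension YES
]
[
OCSPResponder
ResponderLocation ocsp.example.test:80
IgnoreNonceExtension yes
]
"""


def parse_responders(text):
    """Return one dict of attribute -> value per [ ... ] block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[":
            current = {}
        elif line == "]":
            if current is not None:
                blocks.append(current)
            current = None
        elif current is not None and line and line != "OCSPResponder":
            # Attribute name is the first token; the value may contain spaces.
            name, *rest = line.split(None, 1)
            current[name] = rest[0] if rest else ""
    return blocks


def nonce_report(text):
    """Map each ResponderLocation to True if the nonce stays in the request."""
    report = {}
    for block in parse_responders(text):
        # Assumption: only the exact, case-sensitive value YES disables the
        # nonce; a missing attribute or any other value leaves it enabled.
        disabled = block.get("IgnoreNonceExtension") == "YES"
        report[block.get("ResponderLocation", "<unknown>")] = not disabled
    return report


if __name__ == "__main__":
    for location, enabled in nonce_report(SAMPLE).items():
        print(f"{location}: nonce {'enabled' if enabled else 'DISABLED'}")
```

A responder reported as enabled despite an IgnoreNonceExtension line usually points to a casing mistake such as `yes` or `Yes`.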