Setting up certificate verification using OCSP


The Online Certificate Status Protocol (OCSP) is an Internet standard used to verify the revocation status of X.509 certificates. When a TrueSight Server Automation Authentication Server uses this type of verification, it sends a message over HTTP to an OCSP Responder. In response, the OCSP Responder sends back a signed message indicating the certificate's revocation status.

OCSP checking can be used to improve the security of the overall TrueSight Server Automation system. Not only is OCSP checking enabled by default for PKI authentication, it can also be used to further secure communication between components of the TrueSight Server Automation system. For example, OCSP can determine the revocation status of customer-provisioned certificates for Application Servers (see Securing communication with CA certificates).

Typically, an Authentication Server uses the information in a certificate to determine which OCSP Responder to access when verifying that certificate: the responder's URL is carried in the certificate's Authority Information Access extension. If the certificate includes a valid URL for an OCSP Responder, TrueSight Server Automation contacts that URL to verify the certificate. For almost all situations, this default approach is sufficient and users do not have to perform any additional configuration for OCSP checking. You must perform additional configuration for OCSP if any of the following conditions are true:

  • In the smart card certificate, no URL for the OCSP Responder exists.
  • You want to override the URL for the OCSP responder in the smart card certificate.
  • You want failover capability that tries a second OCSP Responder when the first OCSP Responder fails.
  • Your OCSP Responder signs OCSP responses with a private key that is unrelated to the Certificate Authority that issued your smart card certificates.

To enhance the security of communication with an OCSP Responder, you might want to enable the OCSP nonce extension, which binds each response to the request that produced it. For more information about this capability, see To enable or disable nonce support. See the following topics to learn more about setting up certificate verification using OCSP:

To designate another OCSP responder

In some circumstances, an organization might want to designate an OCSP Responder, either because a certificate does not include a URL for an OCSP Responder or because conditions prevent users from contacting the responder named in the certificate. In such a situation, an organization can use the TrueSight Server Automation system to designate another OCSP Responder (see To configure an additional OCSP responder).

When you use TrueSight Server Automation to designate an OCSP Responder, you can set up a failover capability. The Authentication Server can first attempt to contact the OCSP Responder identified within a certificate. If that attempt fails, the Authentication Server can then contact a secondary responder, identified within the TrueSight Server Automation system.

To validate responses from an OCSP responder

If you use the TrueSight Server Automation system to designate an OCSP Responder, you might need to set up a trust store so the OCSP responses can be validated (see To set up a trust store for an OCSP trusted responder). In a typical configuration, the Authentication Server contacts the OCSP Responder identified within a certificate. The response TrueSight Server Automation receives is signed either by the CA that issued the certificate or by a responder designated by that CA, so no additional configuration is needed to validate it. However, in some situations the Authentication Server contacts a trusted responder specified within the TrueSight Server Automation system, and that responder might sign its responses with a certificate that was not issued by the CA that issued the certificate being verified. In this situation, you must create a trust store used specifically for validating communication with the trusted responder.

To enable or disable nonce support

Use this procedure to enable or disable nonce support when contacting OCSP Responders. When nonce support is enabled, the Authentication Server includes a unique random value in each OCSP request message and expects the same value to be returned in the response message from the OCSP Responder. Because a response can then only satisfy the request it was generated for, a nonce helps to thwart replay attacks in which an attacker resends an old "good" response for a certificate that has since been revoked. Note that some responders return pre-produced (cached) responses and cannot echo a nonce; against such a responder, enabling nonce support causes verification to fail, so confirm that your responder supports the nonce extension before enabling it.

  1. On the Authentication Server, start the Application Server Administration console (that is, the blasadmin utility).
  2. To enable or disable nonce support, enter the following command:
    set OCSP IsNonceEnabled true|false
    By default nonce support is disabled.
  3. Restart the Application Server.

To configure an additional OCSP responder

Use this procedure to define an OCSP Responder other than the responder specified in a certificate. This procedure enables the Authentication Server to send the OCSP request to the specified URL.

After you define an OCSP Responder, the Authentication Server only contacts the responder identified in this procedure unless you have defined a failover capability (see To configure failover to an OCSP responder).

  1. On the Authentication Server, start the Application Server Administration console (that is, the blasadmin utility).
  2. Specify the additional responder by entering the following command:
    set OCSP ResponderUrl <responderURL>
    where <responderURL> is the URL of the additional responder.
    If you set <responderURL> to an empty string (""), the only URL used to find an OCSP Responder is the URL obtained from the certificate. By default this value is set to an empty string.
  3. Restart the Application Server.

To configure failover to an OCSP responder

Use this procedure to set up failover capability between OCSP Responders. With failover, a second OCSP Responder can be contacted in the event that the first fails for any reason.

  1. On the Authentication Server, start the Application Server Administration console (that is, the blasadmin utility).
  2. To enable failover between OCSP Responders, enter the following command:
    set OCSP IsFailoverEnabled true
    By default, this value is set to false and failover is not enabled.
  3. To specify which OCSP Responder the Authentication Server should contact first, enter the following command:
    set OCSP UseCustomResponder true|false
    In this command, true means the Authentication Server first contacts the additional responder you have defined using the TrueSight Server Automation system (see To configure an additional OCSP responder). Setting this value to false means the Authentication Server first contacts the OCSP Responder defined in the certificate.
  4. Restart the Application Server.

To set up a trust store for an OCSP trusted responder

Use this procedure to import a certificate and set up a trust store that is used to verify messages from an OCSP trusted responder.

To establish secure communication with an OCSP trusted responder, a trust store might be necessary in some unusual circumstances. Typically, when the Authentication Server contacts an OCSP Responder, the response is signed either with the private key that was also used to sign the certificate being verified or with a key whose certificate was issued by that CA. No additional configuration is required. However, in some circumstances an OCSP trusted responder might sign its responses with a key whose certificate was issued by some other entity, unrelated to that CA. In this situation, you must set up a trust store used exclusively for validating communication with the OCSP trusted responder. The trust store must contain a certificate that allows the Authentication Server to trust messages from the OCSP Responder.

Note

The Application Server only reads its certificate store when it starts up. If you change the certificate trust store, be sure to restart the Application Server.

  1. Obtain certificates for all OCSP trusted responders from a certificate authority.
    The certificate to be added to the OCSP trust store must be either the certificate with which the OCSP Responder signs its responses (the certificate it includes in OCSP response messages) or the certificate of the CA that issued that signing certificate.
  2. Import the certificates into a trust store file on the Authentication Server.
    Several methods exist for importing a certificate. One approach is to use Java's keytool utility, which is available on any machine where the Authentication Server is installed. For example, if you are importing certificates with the Authentication Server's version of keytool, you might enter a command like the following:
    <installDirectory>/jre/bin/keytool -import -keystore PkiOcspTruststore.jks -storepass ****** -file OCSPCert.cer -alias ocspt
    where -keystore identifies the trust store you are setting up, -file identifies the certificate you are importing, -storepass provides the password for accessing the trust store, and -alias is the name you are assigning to the certificate you are adding to the trust store. If the trust store file does not exist yet, keytool creates it. By default keytool creates a JKS store; add -storetype pkcs12 if you intend to set the PKCS12 type in step 6. keytool prompts you to confirm that the certificate should be trusted; compare its fingerprint with the one published by the certificate authority before answering yes.
  3. On the Authentication Server, start the Application Server Administration console (that is, the blasadmin utility).
  4. Make the OCSP trust store available to the Authentication Server by entering the following command:
    set OCSP TruststorePathname <certificateStore>
    where <certificateStore> is the local path to the OCSP trust store.
  5. Provide the password needed to open the trust store by entering the following command:
    set OCSP TruststorePassword ******
    When you enter the password, it is displayed in clear text. If you attempt to view this password later using the show command, it appears in encoded text.
  6. Specify the type of OCSP trust store by entering the following command:
    set OCSP TruststoreType <trustStoreType>
    In this command, <trustStoreType> can be either of the following:
    • jks — Trust store uses the JKS format.
    • pkcs12 — Trust store uses the PKCS12 format.
  7. Restart the Application Server.
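The following Python program is an added example; it is not part of the TrueSight Server Automation documentation or product. It shows, in working code, the checks that the settings on this page control: the request nonce of To enable or disable nonce support, the responder order and retry of To configure failover to an OCSP responder, and the trust decision behind the OCSP trust store set up in the procedure above (a response is accepted when it is signed by the issuing CA, by a responder the CA delegated with the id-kp-OCSPSigning extended key usage, or by a certificate in the dedicated OCSP trust store). It uses the cryptography package. The CA, the smart card certificate, the responder certificates, the nonce length and the in-memory responders are all constructed for the example; no network connection is made, and none of the names are real.

```python
"""Added example, not TrueSight code: an OCSP request carrying a nonce, response
validation as this page describes (signer is the issuing CA, a responder the CA
delegated, or a separately trusted responder), and failover between responders.
Keys, names and the in-memory responders are all constructed for the example."""
import datetime, os
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
DER, SPKI = serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo

def make_cert(cn, key, issuer=None, issuer_key=None, ocsp_signing=False):
    """Self-signed when no issuer is given, otherwise signed by issuer_key."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name).public_key(key.public_key())
         .issuer_name(issuer.subject if issuer else name).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - datetime.timedelta(days=1)).not_valid_after(NOW + datetime.timedelta(days=30)))
    if ocsp_signing:  # id-kp-OCSPSigning marks a responder the CA delegated to
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False)
    return b.sign(issuer_key or key, hashes.SHA256())

# Constructed PKI: the CA that issued the smart card certificate, a responder that
# CA delegated, and a "trusted responder" whose key is unrelated to the CA.
CA_KEY, DELEG_KEY, UNREL_KEY, USER_KEY = [ec.generate_private_key(ec.SECP256R1()) for _ in range(4)]
CA_CERT = make_cert("Example Smart Card CA", CA_KEY)
USER_CERT = make_cert("smart card user", USER_KEY, CA_CERT, CA_KEY)
DELEG_CERT = make_cert("Delegated OCSP Responder", DELEG_KEY, CA_CERT, CA_KEY, True)
UNREL_CERT = make_cert("Unrelated Trusted Responder", UNREL_KEY)

def responder(signer_cert, signer_key, echo_nonce=True):
    """In-memory stand-in for an HTTP responder: DER request in, DER response out."""
    def answer(req_der):
        req = ocsp.load_der_ocsp_request(req_der)
        b = (ocsp.OCSPResponseBuilder()
             .add_response(cert=USER_CERT, issuer=CA_CERT, algorithm=hashes.SHA256(),
                           cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                           next_update=NOW + datetime.timedelta(hours=1),
                           revocation_time=None, revocation_reason=None)
             .responder_id(ocsp.OCSPResponderEncoding.NAME, signer_cert).certificates([signer_cert]))
        if echo_nonce:  # a responder serving pre-produced responses cannot echo one
            try:
                b = b.add_extension(req.extensions.get_extension_for_class(x509.OCSPNonce).value, False)
            except x509.ExtensionNotFound:
                pass
        return b.sign(signer_key, hashes.SHA256()).public_bytes(DER)
    return answer

def unreachable(req_der):
    raise ConnectionError("responder unreachable")

def build_request(nonce=None):
    b = ocsp.OCSPRequestBuilder().add_certificate(USER_CERT, CA_CERT, hashes.SHA256())
    return (b.add_extension(x509.OCSPNonce(nonce), False) if nonce else b).build().public_bytes(DER)

def trusted_signer(signer, ocsp_truststore):
    """Why the signer is acceptable (issuing CA, OCSP trust store, CA-delegated responder) or None."""
    key = signer.public_key().public_bytes(DER, SPKI)
    if key == CA_CERT.public_key().public_bytes(DER, SPKI):
        return "issuing CA"
    if any(key == t.public_key().public_bytes(DER, SPKI) for t in ocsp_truststore):
        return "OCSP trust store"
    try:  # delegated responder: its certificate must be issued by the CA and carry id-kp-OCSPSigning
        CA_CERT.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                    ec.ECDSA(signer.signature_hash_algorithm))
        eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        return "delegated by issuing CA" if ExtendedKeyUsageOID.OCSP_SIGNING in eku else None
    except (InvalidSignature, x509.ExtensionNotFound):
        return None

def verify_response(resp_der, nonce, ocsp_truststore=()):
    """Returns (certificate status, trust reason); raises ValueError or InvalidSignature."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder error " + resp.response_status.name)
    if nonce is not None:  # IsNonceEnabled: the request nonce must come back unchanged
        try:
            got = resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
        except x509.ExtensionNotFound:
            raise ValueError("nonce required but the response carries none")
        if got != nonce:
            raise ValueError("nonce mismatch: possible replayed response")
    pool = [CA_CERT, *resp.certificates, *ocsp_truststore]
    signer = next((c for c in pool if c.subject == resp.responder_name), None)
    if signer is None:
        raise ValueError("no certificate found for the responder")
    signer.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    reason = trusted_signer(signer, ocsp_truststore)
    if reason is None:
        raise ValueError("responder certificate not trusted; add it to the OCSP trust store")
    return resp.certificate_status.name, reason

def check_certificate(responders, nonce_enabled=True, failover=False, ocsp_truststore=()):
    """responders: ordered list to try (certificate URL first, or the custom responder first
    when UseCustomResponder is true); only the first is used unless failover is on."""
    nonce = os.urandom(16) if nonce_enabled else None
    req_der, errors = build_request(nonce), []
    for send in responders if failover else responders[:1]:
        try:
            return verify_response(send(req_der), nonce, ocsp_truststore)
        except (ConnectionError, ValueError, InvalidSignature) as e:
            errors.append(str(e) or type(e).__name__)
    raise ValueError("no usable OCSP response: " + "; ".join(errors))
```

check_certificate([responder(CA_CERT, CA_KEY)]) returns ("GOOD", "issuing CA") and check_certificate([responder(DELEG_CERT, DELEG_KEY)]) returns ("GOOD", "delegated by issuing CA") with no extra configuration, which is the default case described on this page. check_certificate([responder(UNREL_CERT, UNREL_KEY)]) is rejected until UNREL_CERT is passed in ocsp_truststore, the situation the trust store procedure addresses. A responder built with echo_nonce=False is rejected while nonce checking is on, which is what to expect from a responder that serves pre-produced responses, and check_certificate([unreachable, responder(CA_CERT, CA_KEY)]) only succeeds with failover=True. Failover here is deliberately tried on every kind of failure, matching the page's "fails for any reason"; a stricter policy would fail over only on transport errors and treat a bad signature or nonce as a hard failure.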

To enable or disable OCSP verification

Use this procedure to enable or disable OCSP support. Currently, OCSP verification is enabled by default for PKI authentication only.

  1. On the Authentication Server, start the Application Server Administration console (that is, the blasadmin utility).
  2. To enable or disable OCSP support, enter the following command:
    set OCSP IsEnabled true|false
     By default, OCSP is enabled.
  3. Restart the Application Server.
