General Configuration for Certificate Validation Protocols

You can configure how NNMi checks for revoked certificates. For example, you can configure the order in which protocols are used, and whether all the protocols are used.

NNMi uses the nms-auth-config.xml file to configure such settings.

Configuring Protocol Order

By default, NNMi performs CRL checking, and then OCSP checking.

To configure the order in which the certificate validation protocols check for revoked certificates, do the following:

  1. Edit the following file:

    Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

    Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

  2. Within the <revocation> section of the file (find the <revocation> tag), search for the line that begins with the following text:

    <ordering>
  3. Do one of the following:

    • To specify that CRL checking is to be used first, followed by OCSP, edit the line to read as follows:

      <ordering>CRL OCSP</ordering>
    • To specify that OCSP checking is to be used first, followed by CRL, edit the line to read as follows:

      <ordering>OCSP CRL</ordering>
  4. Save the nms-auth-config.xml file.
  5. Run the following command for the change to take effect:

    nnmsecurity.ovpl -reloadAuthConfig

Configuring Protocol Requests

You can configure NNMi to do either of the following with regard to protocol requests:

  • Check all certificate validation protocols for each certificate
  • Check the protocol list in the preferred order and stop when a valid response is received

To configure protocol requests, do the following:

  1. Edit the following file:

    Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

    Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

  2. Within the <revocation> section of the file (find the <revocation> tag), search for the line that begins with the following text:

    <mode>
  3. Do one of the following:

    • To have NNMi check all protocols for each certificate, edit the line to read as follows:

      <mode>CHECK_ALL</mode>
    • To have NNMi check the protocol list in the preferred order and stop when a valid response is received, edit the line to read as follows:

      <mode>FIRST_SUCCESS</mode>
  4. Save the nms-auth-config.xml file.
  5. Run the following command for the change to take effect:

    nnmsecurity.ovpl -reloadAuthConfig
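Before running nnmsecurity.ovpl -reloadAuthConfig, it is worth checking that the edited <ordering> and <mode> values are well formed. The following added example (not part of the NNMi documentation or product) parses the <revocation> section described in both procedures above and reports malformed values; the <config> root element and the sample content are constructed placeholders, since only <revocation>, <ordering> and <mode> are documented here.

```python
"""Sanity-check the <revocation> settings in an NNMi nms-auth-config.xml."""
import xml.etree.ElementTree as ET

VALID_PROTOCOLS = {"CRL", "OCSP"}
VALID_MODES = {"CHECK_ALL", "FIRST_SUCCESS"}

# Constructed sample: only <revocation>, <ordering> and <mode> come from the
# NNMi documentation; the enclosing <config> root is a placeholder.
SAMPLE_CONFIG = """<config>
  <revocation>
    <ordering>CRL OCSP</ordering>
    <mode>FIRST_SUCCESS</mode>
  </revocation>
</config>
"""


def check_revocation_config(xml_text):
    """Parse the <revocation> section and report errors and notes."""
    result = {"ordering": [], "mode": None, "errors": [], "notes": []}
    rev = ET.fromstring(xml_text).find(".//revocation")
    if rev is None:
        result["errors"].append("no <revocation> section found")
        return result

    # <ordering> holds a space-separated protocol list, e.g. "CRL OCSP".
    ordering_el = rev.find("ordering")
    ordering = (ordering_el.text or "").split() if ordering_el is not None else []
    result["ordering"] = ordering
    if not ordering:
        result["errors"].append("<ordering> is missing or empty")
    unknown = [p for p in ordering if p not in VALID_PROTOCOLS]
    if unknown:
        result["errors"].append("unknown protocol(s) in <ordering>: " + ", ".join(unknown))
    if len(set(ordering)) != len(ordering):
        result["errors"].append("duplicate protocol in <ordering>")

    # <mode> must be one of the two documented request modes.
    mode_el = rev.find("mode")
    mode = (mode_el.text or "").strip() if mode_el is not None else None
    result["mode"] = mode
    if mode not in VALID_MODES:
        result["errors"].append("<mode> must be CHECK_ALL or FIRST_SUCCESS, got %r" % mode)
    elif mode == "FIRST_SUCCESS" and len(ordering) > 1:
        # FIRST_SUCCESS stops at the first valid response, so the second
        # protocol is only consulted when the first gives none.
        result["notes"].append("%s is consulted only if %s gives no valid response"
                               % (ordering[1], ordering[0]))
    return result
```

Run it against the real file with check_revocation_config(open(path).read()) and fix any reported errors before reloading the configuration.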