Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Network Node Manager i Software10.30

Administer > Configure NNMi to Support Public Key Infrastructure User Authentication > Certificate Validation (CRL and OCSP) > Validating Certificates Using CRLs

Validating Certificates Using CRLs

NNMi uses CRLs to properly deny access to clients using a certificate that is no longer trusted.

Note During authentication, when a certificate's serial number is found in a CRL, NNMi does not accept that certificate and authentication fails.

NNMi checks CRLs by default when using X.509 authentication mode; however, you can specify a CRL by editing the nms-auth-config.xml file, as described in the following sections.

Note NNMi stores the CRL configuration in the following location:

Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml
Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

There is also a default version of the configuration file, which can be used for reference purposes to view new available options. The default configuration file is stored in the following location:

Windows: %NnmInstallDir%\newconfig\HPOvNnmAS\nmsas\conf\nms-auth-config.xml
Linux: $NnmInstallDir/newconfig/HPOvNnmAS/nmsas/conf/nms-auth-config.xml

Enabling and Disabling CRL Checking

By default, NNMi enables CRL checking.

To configure CRL checking, follow these steps:

Edit the following file:

Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml
Within the <crl> section of the file (find the <crl> tag), search for the line that begins with the following text:
```
<enabled>
```
Do one of the following:
- To enable CRL checking, change the line to read as follows:
```
<enabled>true</enabled>
```
- To disable CRL checking, change the line to read as follows:
```
<enabled>false</enabled>
```
Save the nms-auth-config.xml file.
Run the following command for the change to take effect:
```
nnmsecurity.ovpl -reloadAuthConfig
```

Changing the CRL Enforcement Mode

By default, NNMi is set to enforce CRLs.

To change the product’s enforcement of CRLs, follow these steps:

Edit the following file:

Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml
Within the <crl> section of the file (find the <crl> tag), search for the line that begins with the following text:
```
<mode>
```
Change the line to read as one of the following:
```
<mode><value></mode>
```
where <value> is one of the following:
- ENFORCE: Enforce CRLs where specified in the certificates
- ATTEMPT: Check CRLs but allow access if the CRL is not available
- REQUIRE: Require and enforce CRLs in certificates
Note In REQUIRE mode, authentication will fail if there is no CRL specified or available for a user's certificate.
Save the nms-auth-config.xml file.
Run the following command for the change to take effect:
```
nnmsecurity.ovpl -reloadAuthConfig
```

Changing How Often a CRL Should be Refreshed

To configure how often NNMi refreshes the CRL, follow these steps:

Edit the following file:

Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml
Within the <crl> section of the file (find the <crl> tag), search for the line that begins with the following text:
```
<refreshPeriod>
```
Change the line to read as follows:
```
<refreshPeriod><value></refreshPeriod>
```
where <value> is the integer number of hours or days (the smallest value is 1h).

For example, enter 24h for 24 hours; enter 2d for 2 days.
Save the nms-auth-config.xml file.
Run the following command for the change to take effect:
```
nnmsecurity.ovpl -reloadAuthConfig
```

Changing the Maximum Idle Time for a CRL

You can configure how long NNMi keeps a CRL after the CRL has been idle (has not been used or accessed).

To change the maximum idle time for a CRL, follow these steps:

Edit the following file:

Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml
Within the <crl> section of the file (find the <crl> tag), search for the line that begins with the following text:
```
<maxIdleTime>
```
Change the line to read as follows:
```
<maxIdleTime><value></maxIdleTime>
```
where <value> is the integer number of hours or days (the smallest value is 1h).

For example, enter 24h for 24 hours; enter 2d for 2 days.
Save the nms-auth-config.xml file.
Run the following command for the change to take effect:
```
nnmsecurity.ovpl -reloadAuthConfig
```

CRL Expiration Warnings

When CRL checking is enabled, if a CRL expires, users might be locked out of the NNMi console. To help avoid unwanted lockouts, NNMi provides health warning messages to alert administrators that a CRL has either expired or will be expiring soon.

The expired CRL warning (Major severity) occurs when one or more CRLs have expired.

The expiring CRL warning (Minor severity) occurs when one or more CRLs has less than 1/6th of its valid period remaining. For example, if a CRL is valid for 24 hours, NNMi displays a warning if the CRL expires in fewer than four hours.

Configure the refresh period such that CRLs are always kept fresh. A properly configured refresh period ensures that, if the CRL server is unavailable for a time, there is a sufficient valid period remaining for the downloaded CRLs. In this way, NNMi can continue normal operation until the CRL server is available. In this example, a refresh period of eight hours might be appropriate.

Changing the Location for a CRL

By default, NNMi downloads CRLs from the HTTP location embedded in the certificate. If this location is not accessible to the NNMi management server, the administrator can obtain the required CRLs some other way and configure NNMi to load those CRLs from the local file system.

Note Only CRLs signed by the certificate issuer are considered when evaluating the certificate.

To configure NNMi to load CRLs from the local file system, do the following:

Edit the following file:

Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml
Within the <crl> section of the file (find the <crl> tag), search for the following text block:
Insert a line after the --> tag, and enter the following, based on your operating system:

Windows: <location>file:///C:/CRLS/<crlname>.crl</location>

Linux: <location>file:///var/opt/OV/shared/nnm/certificates/<crlname>.crl </location>
Save the nms-auth-config.xml file.
Run the following command for the change to take effect:
```
nnmsecurity.ovpl -reloadAuthConfig
```

Send Help Center feedback