Validating Certificates Using Online Certificate Status Protocol (OCSP)

NNMi supports Online Certificate Status Protocol (OCSP) to check for revoked certificates interactively.

PKI user authentication uses OCSP to verify the revocation status of a certificate by querying an OCSP responder. An OCSP responder provides immediate and accurate revocation information on specific certificates as follows:

  • An OCSP client submits a certificate status request to an OCSP responder.
  • The OCSP client suspends acceptance of the certificate in question until the OCSP responder provides a digitally signed response.
  • The OCSP responder indicates the status of the certificate by returning one of the following values:
    • Good (pass; user is granted access)
    • Revoked (fail; user is denied access)
    • Unknown (fail; user is denied access)

Because the OCSP responder is queried for every certificate, whereas the CRL is downloaded periodically (for example, once per day), OCSP responses might be more up-to-date than corresponding CRLs.

Note NNMi stores the OCSP configuration in the following location:

  • Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml
  • Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

A default copy of the configuration file is installed for reference, so that you can see the options available in the current release. It is stored in the following location:

  • Windows: %NnmInstallDir%\newconfig\HPOvNnmAS\nmsas\conf\nms-auth-config.xml

  • Linux: $NnmInstallDir/newconfig/HPOvNnmAS/nmsas/conf/nms-auth-config.xml

Enabling and Disabling OCSP Checking

To configure OCSP checking, follow these steps:

  1. Edit the following file:

    Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

    Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

  2. Within the <ocsp> section of the file (find the <ocsp> tag), search for the line that begins with the following text:

    <enabled>
  3. Do one of the following:

    • To enable OCSP checking, change the line to read as follows:

      <enabled>true</enabled>
    • To disable OCSP checking, change the line to read as follows:

      <enabled>false</enabled>
  4. Save the nms-auth-config.xml file.
  5. Run the following command for the change to take effect:

    nnmsecurity.ovpl -reloadAuthConfig

Changing the OCSP Enforcement Mode

By default, NNMi's OCSP enforcement mode is ENFORCE.

To change the product’s enforcement of OCSP, follow these steps:

  1. Edit the following file:

    Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

    Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

  2. Within the <ocsp> section of the file (find the <ocsp> tag), search for the line that begins with the following text:

    <mode>
  3. Change the line to read as one of the following:

    <mode><value></mode>

    where <value> is one of the following:

    • ENFORCE: Check OCSP wherever a responder is available (the configured URL or the responder named in the certificate); a certificate that names no responder passes this step
    • ATTEMPT: Check OCSP where available, but grant access if the responder cannot be reached (fails open)
    • REQUIRE: Require an OCSP responder for every certificate and enforce the result; a certificate that names no responder is rejected
  4. Save the nms-auth-config.xml file.
  5. Run the following command for the change to take effect:

    nnmsecurity.ovpl -reloadAuthConfig

Enabling Nonce

For added security (to avoid replay attacks), an OCSP requester can add a nonce to the certificate status request. A nonce is a random value attached to each request; the responder must copy it into its digitally signed response, which binds that response to this specific request. Without a nonce, an attacker who captured an earlier signed "good" response could replay it after the certificate had been revoked, for as long as that response remained within its validity period.

Note Using a nonce puts more load on the OCSP responder because it cannot precalculate or cache responses. Some OCSP responders may not accept requests with a nonce.

Note The nonce feature is disabled by default.

To enable the OCSP nonce feature, follow these steps:

  1. Edit the following file:

    Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

    Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

  2. Within the <ocsp> section of the file (find the <ocsp> tag), search for the line that begins with the following text:

    <nonce>
  3. Do one of the following:

    • To enable the nonce feature, change the line to read as follows:

      <nonce>true</nonce>
    • To disable the nonce feature (and send requests without a nonce), change the line to read as follows:

      <nonce>false</nonce>
  4. Save the nms-auth-config.xml file.
  5. Run the following command for the change to take effect:

    nnmsecurity.ovpl -reloadAuthConfig
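The request/response exchange listed at the top of this page and the nonce binding described in this section, as an added example that is not NNMi code or part of this documentation: a client builds a nonced OCSP request, a responder (simulated in-process, signing with a constructed test CA) answers with a signed response that echoes the nonce, and the client maps the result to the pass/fail outcomes listed above. It uses the Python `cryptography` library; the CA name, the user certificate and the status lookup table are all constructed for the example.

```python
"""Added example (not NNMi code): one OCSP exchange with a nonce, simulated
in-process with the `cryptography` library. A constructed test CA signs both
the user certificate and the OCSP responses, so nothing touches the network."""
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER


def utcnow():
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_test_pki():
    """Constructed PKI: a self-signed CA (also the OCSP signer) and one user cert."""
    now, day = utcnow(), datetime.timedelta(days=1)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - day).not_valid_after(now + 365 * day)
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_cert = (x509.CertificateBuilder()
                 .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "pki-user")]))
                 .issuer_name(ca_name).public_key(user_key.public_key())
                 .serial_number(x509.random_serial_number())
                 .not_valid_before(now - day).not_valid_after(now + 30 * day)
                 .sign(ca_key, hashes.SHA256()))
    return ca_key, ca_cert, user_cert


def build_request(cert, issuer):
    """Client side: ask for the status of `cert`, bound to a fresh random nonce."""
    nonce = os.urandom(16)
    req = (ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1())
           .add_extension(x509.OCSPNonce(nonce), critical=False).build())
    return req.public_bytes(DER), nonce


def answer_request(request_der, ca_key, ca_cert, status_db):
    """Responder side: look up the serial, echo the nonce, sign the response."""
    req = ocsp.load_der_ocsp_request(request_der)
    cert, status = status_db[req.serial_number]
    now = utcnow()
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=ca_cert, algorithm=hashes.SHA1(), cert_status=status,
        this_update=now, next_update=now + datetime.timedelta(hours=1),
        revocation_time=now if status == ocsp.OCSPCertStatus.REVOKED else None,
        revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    # The request's nonce must be copied into the signed response; this is why
    # nonced responses cannot be precomputed or served from a cache.
    try:
        nonce_ext = req.extensions.get_extension_for_class(x509.OCSPNonce)
        builder = builder.add_extension(nonce_ext.value, critical=False)
    except x509.ExtensionNotFound:
        pass
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(DER)


def verify_response(response_der, expected_nonce, signer_cert):
    """Client side: accept only a correctly signed response that echoes our nonce."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "FAIL_UNAVAILABLE"
    try:  # the signature covers tbsResponseData, which carries status and nonce
        signer_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                        padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return "FAIL_BAD_SIGNATURE"
    try:
        echoed = resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        return "FAIL_NO_NONCE"
    if echoed != expected_nonce:
        return "FAIL_REPLAY"  # genuine and signed, but it answers a different request
    return {ocsp.OCSPCertStatus.GOOD: "PASS",  # user is granted access
            ocsp.OCSPCertStatus.REVOKED: "FAIL_REVOKED",
            ocsp.OCSPCertStatus.UNKNOWN: "FAIL_UNKNOWN"}[resp.certificate_status]


def demo():
    ca_key, ca_cert, user_cert = make_test_pki()
    status_db = {user_cert.serial_number: (user_cert, ocsp.OCSPCertStatus.GOOD)}
    req1, nonce1 = build_request(user_cert, ca_cert)
    resp1 = answer_request(req1, ca_key, ca_cert, status_db)
    first = verify_response(resp1, nonce1, ca_cert)
    # The certificate is revoked; the next live query reflects that at once.
    status_db[user_cert.serial_number] = (user_cert, ocsp.OCSPCertStatus.REVOKED)
    req2, nonce2 = build_request(user_cert, ca_cert)
    resp2 = answer_request(req2, ca_key, ca_cert, status_db)
    second = verify_response(resp2, nonce2, ca_cert)
    # An attacker replays the earlier GOOD response against the second request.
    replayed = verify_response(resp1, nonce2, ca_cert)
    return {"first": first, "second": second, "replayed": replayed}
```

Calling demo() yields three outcomes: a fresh GOOD response passes, a fresh REVOKED response fails, and the earlier GOOD response replayed against the later request fails because its nonce no longer matches, even though its signature verifies. Without the nonce, that third case would be indistinguishable from the first until the replayed response's nextUpdate time had passed.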

Specifying the URL of the OCSP Responder

Optionally, you can specify the URL of the OCSP responder as follows:

  1. Edit the following file:

    Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

    Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

  2. Within the <ocsp> section of the file (find the <ocsp> tag), search for the line that begins with the following text:

    <responder>
  3. Edit the line to read as follows:

    <responder><URL></responder>

    where <URL> is the URL associated with the OCSP responder.

  4. Save the nms-auth-config.xml file.
  5. Run the following command for the change to take effect:

    nnmsecurity.ovpl -reloadAuthConfig

Note The OCSP responder URL must use the HTTP protocol (http://), not HTTPS. OCSP responses are digitally signed by the responder, so the revocation check does not rely on the transport being encrypted.

  • If there is no OCSP URL specified in the nms-auth-config.xml file, NNMi attempts to obtain an OCSP responder from the certificate itself.
  • If there is no OCSP responder specified in the certificate, NNMi uses the <mode> setting to determine what action to take:
    • If the mode is ENFORCE or ATTEMPT, NNMi passes the OCSP validation step for this certificate.

    • If the mode is REQUIRE, NNMi rejects the certificate.
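The configuration procedures above and the fallback rules just listed, as an added example that is not NNMi code or part of this documentation: a small checker that parses the <ocsp> section of nms-auth-config.xml before you run nnmsecurity.ovpl -reloadAuthConfig, reports a fail-open or malformed setting, and models how <mode> decides the outcome when no responder is named or reachable. The two XML samples and their <auth-config> root element are constructed for this example; only the <ocsp> child elements named on this page are assumed to exist.

```python
"""Added example (not NNMi code): lint the <ocsp> section of nms-auth-config.xml
and model the <mode> decision when no responder is named or reachable. The XML
samples and the <auth-config> root element are constructed for this example."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

VALID_MODES = ("ENFORCE", "ATTEMPT", "REQUIRE")

# Constructed: fails open (ATTEMPT), no nonce, and an https:// responder, which
# this page says NNMi does not accept.
WEAK_CONFIG = """<auth-config>
  <ocsp>
    <enabled>true</enabled>
    <mode>ATTEMPT</mode>
    <nonce>false</nonce>
    <responder>https://ocsp.example.test/</responder>
  </ocsp>
</auth-config>"""

# Constructed: the same section with the stricter settings this page describes.
HARDENED_CONFIG = """<auth-config>
  <ocsp>
    <enabled>true</enabled>
    <mode>REQUIRE</mode>
    <nonce>true</nonce>
    <responder>http://ocsp.example.test/</responder>
  </ocsp>
</auth-config>"""


def parse_ocsp_section(xml_text):
    """Return the text of each <ocsp> child as a dict (missing elements map to '')."""
    section = ET.fromstring(xml_text).find(".//ocsp")
    if section is None:
        raise ValueError("no <ocsp> section found")

    def text(tag):
        el = section.find(tag)
        return (el.text or "").strip() if el is not None else ""

    return {k: text(k) for k in ("enabled", "mode", "nonce", "responder")}


def lint_ocsp(cfg):
    """Findings to review before reloading the auth config."""
    findings = []
    for flag in ("enabled", "nonce"):
        if cfg[flag] not in ("true", "false"):
            findings.append(f"<{flag}> must be 'true' or 'false', got {cfg[flag]!r}")
    if cfg["mode"] not in VALID_MODES:
        findings.append(f"<mode> must be one of {VALID_MODES}, got {cfg['mode']!r}")
    if cfg["responder"] and urlparse(cfg["responder"]).scheme != "http":
        findings.append("<responder> URL must use http:// (NNMi requires HTTP for OCSP)")
    if cfg["enabled"] == "true" and cfg["mode"] == "ATTEMPT":
        findings.append("mode ATTEMPT grants access when the responder is unreachable (fails open)")
    if cfg["enabled"] == "true" and cfg["nonce"] != "true":
        findings.append("nonce disabled: responses are not bound to requests "
                        "(confirm the responder accepts nonces before enabling)")
    return findings


def ocsp_decision(mode, configured_url, cert_ocsp_url, query):
    """Outcome of the OCSP step for one certificate.

    query(url) returns 'good', 'revoked' or 'unknown', or None when the
    responder cannot be reached. The configured URL takes precedence over the
    responder named in the certificate. Denying on an unreachable responder in
    ENFORCE and REQUIRE is this example's reading of the page, which states
    only that ATTEMPT allows access in that case.
    """
    url = configured_url or cert_ocsp_url
    if not url:  # no responder configured and none named in the certificate
        return "pass" if mode in ("ENFORCE", "ATTEMPT") else "reject"
    status = query(url)
    if status is None:  # responder unavailable
        return "pass" if mode == "ATTEMPT" else "reject"
    return "pass" if status == "good" else "reject"  # revoked and unknown both deny
```

Run lint_ocsp(parse_ocsp_section(...)) over the live file before reloading; the weak sample produces three findings and the hardened sample none. The decision function makes the fail-open nature of ATTEMPT explicit: with the responder down, ATTEMPT passes the user while ENFORCE and REQUIRE do not, and only REQUIRE rejects a certificate that carries no responder at all.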