The Online Certificate
Status Protocol (OCSP) is an automated certificate status checking
network protocol defined in RFC 2560 (since superseded by RFC 6960).
As part of certificate validation, WebLogic Server queries the
revocation status of a certificate by issuing an OCSP request to an
OCSP responder, which maintains the status of the certificates issued
by a CA. Acceptance of the certificate is suspended until the
responder returns an OCSP response indicating whether the certificate
has been revoked by the CA that issued it.
When configuring certificate revocation checking in a WebLogic
domain, you can customize the following OCSP settings:
- Whether to use nonces in OCSP requests and responses. A nonce is a
random value that WebLogic Server includes in the OCSP request; the
responder must echo it in its signed response, which binds the response
to that specific request. Responses that do not carry the matching
nonce, including pre-signed or previously cached responses, are
rejected, which prevents an attacker from replaying an old "good"
response for a certificate that has since been revoked. Note that not
every responder supports nonces: a responder that only serves
pre-signed responses (the lightweight profile of RFC 5019) never echoes
the nonce, so enabling nonces against such a responder causes
validation to fail.
- Whether to enable the OCSP response local cache, an in-memory cache
for holding OCSP responses. Using the cache improves performance and
reduces network bandwidth, because a certificate whose cached response
is still valid does not require a new round trip to the responder.
- The timeout setting that limits the wait time for OCSP responses.
Setting a timeout helps minimize blocked threads and also reduces the
system’s vulnerability to denial of service attacks.
- A time tolerance value for handling clock-skew differences between
WebLogic Server and OCSP responders.
- The OCSP response cache capacity and its refresh setting. The
refresh setting is expressed as a percentage of an OCSP response
validity period that, when reached, forces a refresh of the cache
entry from the OCSP responder. For example, for a validity period of
10 hours, a value of 10% specifies that after one hour, the cached
response expires and a fresh response is required. The refresh occurs
when the OCSP response is next required.
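The settings above interact at validation time, and the following Python model shows how. It is an added example written for this page, not WebLogic Server code; the class, field and function names, the fake responder and the time values are all hypothetical. It models the nonce check, a clock-skew tolerance applied to the response's thisUpdate and nextUpdate times, and a bounded response cache whose entries are refreshed after the configured percentage of the validity period, worked through the 10-hour / 10% case from the list above.

```python
"""Model of the OCSP checking policy described above (added example, not
WebLogic code; all names are hypothetical)."""
import os
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class OcspResponse:
    serial: str
    status: str               # "good", "revoked" or "unknown"
    this_update: int          # responder's clock, seconds since epoch
    next_update: int          # end of the response's validity period
    nonce: Optional[bytes]    # nonce echoed from the request, if any


@dataclass
class OcspPolicy:
    nonce_enabled: bool = True
    cache_enabled: bool = True
    cache_capacity: int = 1024
    refresh_percent: int = 10   # % of validity period before refresh
    time_tolerance: int = 0     # allowed clock skew, seconds
    response_timeout: int = 10  # seconds the fetch may block


class OcspChecker:
    def __init__(self, policy: OcspPolicy, fetch: Callable):
        self.policy = policy
        self.fetch = fetch                # fetch(serial, nonce, timeout)
        self.cache = OrderedDict()        # serial -> (response, refresh_at)

    def refresh_deadline(self, resp: OcspResponse) -> int:
        """Cache entry expires after refresh_percent of the validity period."""
        validity = resp.next_update - resp.this_update
        return resp.this_update + validity * self.policy.refresh_percent // 100

    def validate_times(self, resp: OcspResponse, now: int) -> None:
        """Reject responses outside their validity window, allowing for skew."""
        tol = self.policy.time_tolerance
        if resp.this_update > now + tol:
            raise ValueError("thisUpdate is in the future beyond tolerance")
        if resp.next_update < now - tol:
            raise ValueError("response validity period has passed")

    def status(self, serial: str, now: int) -> str:
        p = self.policy
        if p.cache_enabled:
            entry = self.cache.get(serial)
            if entry and now < entry[1]:      # not yet due for refresh
                self.cache.move_to_end(serial)
                return entry[0].status
        nonce = os.urandom(16) if p.nonce_enabled else None
        resp = self.fetch(serial, nonce, p.response_timeout)
        if p.nonce_enabled and resp.nonce != nonce:
            raise ValueError("nonce mismatch: pre-signed/replayed response")
        self.validate_times(resp, now)
        if p.cache_enabled:
            self.cache[serial] = (resp, self.refresh_deadline(resp))
            self.cache.move_to_end(serial)
            while len(self.cache) > p.cache_capacity:   # evict oldest
                self.cache.popitem(last=False)
        return resp.status


class FakeResponder:
    """Constructed stand-in for a responder; no network involved."""
    def __init__(self, now, clock_skew=0, validity=10 * 3600, echo_nonce=True):
        self.now, self.skew, self.validity = now, clock_skew, validity
        self.echo_nonce, self.requests = echo_nonce, 0

    def __call__(self, serial, nonce, timeout):
        self.requests += 1
        t = self.now + self.skew
        echoed = nonce if self.echo_nonce else None   # pre-signed: no nonce
        return OcspResponse(serial, "good", t, t + self.validity, echoed)


def outcome(checker, serial, now):
    try:
        return checker.status(serial, now)
    except ValueError:
        return "rejected"


def demo():
    t0 = 1_700_000_000
    r = {}
    presigned = FakeResponder(t0, echo_nonce=False)
    r["presigned_with_nonce"] = outcome(OcspChecker(OcspPolicy(), presigned), "0x1A", t0)
    r["presigned_without_nonce"] = outcome(
        OcspChecker(OcspPolicy(nonce_enabled=False), presigned), "0x1A", t0)
    skewed = FakeResponder(t0, clock_skew=90)           # responder 90 s ahead
    r["skew_no_tolerance"] = outcome(OcspChecker(OcspPolicy(), skewed), "0x1B", t0)
    r["skew_with_tolerance"] = outcome(
        OcspChecker(OcspPolicy(time_tolerance=120), skewed), "0x1B", t0)
    fresh = FakeResponder(t0)                           # 10 h validity, 10%
    c = OcspChecker(OcspPolicy(refresh_percent=10, cache_capacity=2), fresh)
    c.status("0x1C", t0)
    c.status("0x1C", t0 + 3599)                          # served from cache
    r["requests_before_refresh"] = fresh.requests
    fresh.now = t0 + 3600
    c.status("0x1C", t0 + 3600)                          # refreshed lazily
    r["requests_after_refresh"] = fresh.requests
    c.status("0x1D", t0 + 3600)
    c.status("0x1E", t0 + 3600)                          # capacity 2: evicts 0x1C
    r["cached_serials"] = list(c.cache)
    return r


if __name__ == "__main__":
    print(demo())
```

The refresh is lazy, as the text describes: the entry for 0x1C is served without a network request at 3599 seconds and re-fetched on the first use at or after 3600 seconds. The nonce mismatch and the out-of-window thisUpdate are both hard failures here, which is the conservative choice; a responder that cannot echo nonces is a configuration problem to resolve rather than something to paper over by widening the time tolerance.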
To customize the OCSP configuration in WebLogic Server: