OCSP client

Overview

You can use the Online Certificate Status Protocol (OCSP) to retrieve the revocation status of a certificate, as an alternative to retrieving Certificate Revocation Lists (CRLs).

You can use the OCSP Client filter to retrieve certificate revocation status from an OCSP responder, such as Axway Validation Authority. The input to this filter is the certificate to be checked. The message attribute containing the certificate is user defined. The output of this filter is:

  • True if the certificate status is good

  • False if the certificate status is revoked or unknown (or if an exception occurs)

General settings

Configure the following general settings on the OCSP Client dialog:

Name:

Enter a suitable name for this OCSP client filter.

OCSP Responder URL:

Enter the URL of the OCSP responder.

Message settings

Configure the following OCSP message settings on the Settings tab:

The message attribute storing the certificate to validate:

Enter the name of the attribute that contains the certificate to be checked. The default is ${certificate}.

The key to sign the request:

Click the Signing Key button to open the list of certificates in the certificate store. You can then select the key to use to sign requests to the OCSP responder.

You can select a specific certificate from the certificate store in the dialog, or click Create/Import to create or import a certificate. Alternatively, you can specify a certificate to bind to at runtime using an environment variable selector (for example, ${env.serverCertificate}). For more details on selectors, see Selecting configuration values at runtime.

Validate response:

Select the Do not validate response option to disable response validation. The response from the OCSP responder is not validated when this option is selected.

Select the Validate response option to enable response validation. Click one or more of the following options to specify how the response from the OCSP responder is validated:

  • Against the certificate contained in the response:

    The response is validated against the certificate contained in the response. This option is selected by default.

  • Against the CA certificate of the certificate being validated:

    The response is validated against the CA certificate of the certificate being validated. This option is selected by default.

  • Against the specified certificate:

    Click Signing Key to choose a certificate from the certificate store or to specify a certificate to bind to at runtime.

You can select any combination of these options. If multiple options are selected, the filter continues as soon as the response is successfully validated against one of the selected options.

In the Allowable time difference in seconds between this system and time stamp on received responses field, enter a value in seconds. This field allows for clock drift between the server and client machines: the filter compares the producedAt time stamp in the OCSP response against the local time and accepts the response only if the difference is within this value. The default value is 300 (5 minutes). This value is only checked if the Validate response option is selected.

Use nonce to prevent replay attack:

Select this option to include a nonce in the request. This is a randomly generated number that is added to the request to help prevent replay attacks: a captured response cannot be reused because it does not carry the nonce of the new request.
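The checks described above (the trust options, the producedAt skew window and the nonce), as an added example that is not Axway's code: a stand-alone Python model of the filter's pass/fail decision. The option names, the order in which the checks run, and the assumption that the echoed nonce is compared with the one sent are mine, and the timestamps are constructed sample data.

```python
# Added example, not Axway API Gateway code: models the True/False decision
# the OCSP Client filter is documented to make. Check order is an assumption.
import hmac
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

DEFAULT_SKEW_SECONDS = 300  # documented default: 5 minutes

# The three "Validate response" options from the Settings tab (names assumed).
RESPONSE_CERT = "certificate_in_response"
ISSUER_CA_CERT = "ca_of_validated_certificate"
SPECIFIED_CERT = "specified_certificate"

# Constructed sample timestamps for the checks below.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
FRESH = NOW - timedelta(seconds=120)   # inside the 300 s default window
STALE = NOW - timedelta(seconds=600)   # outside it
AHEAD = NOW + timedelta(seconds=240)   # responder clock ahead, still inside


def produced_at_within_skew(produced_at: datetime, now: datetime,
                            skew_seconds: int = DEFAULT_SKEW_SECONDS) -> bool:
    """Accept producedAt only if it lies within +/- skew of local time (drift either way)."""
    return abs((now - produced_at).total_seconds()) <= skew_seconds


def nonce_matches(request_nonce: Optional[bytes], response_nonce: Optional[bytes]) -> bool:
    """When a nonce was sent, the response must echo it exactly; absent or different fails."""
    if request_nonce is None:
        return True  # nonce option not enabled
    return response_nonce is not None and hmac.compare_digest(request_nonce, response_nonce)


def signature_accepted(validate: bool, selected: Set[str], verified_by: Set[str]) -> bool:
    """'Do not validate response' accepts anything; otherwise one successful selected option suffices."""
    if not validate:
        return True
    return bool(selected & verified_by)


def ocsp_filter_result(status: str, produced_at: datetime, now: datetime,
                       selected: Set[str], verified_by: Set[str], validate: bool = True,
                       request_nonce: Optional[bytes] = None, response_nonce: Optional[bytes] = None,
                       skew_seconds: int = DEFAULT_SKEW_SECONDS) -> bool:
    """True only for status 'good'; revoked, unknown, failed validation or any error give False."""
    try:
        if not signature_accepted(validate, selected, verified_by):
            return False
        # The producedAt window is only enforced when response validation is enabled.
        if validate and not produced_at_within_skew(produced_at, now, skew_seconds):
            return False
        if not nonce_matches(request_nonce, response_nonce):
            return False
        return status == "good"
    except Exception:
        return False
```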

Store results of certificate status in:

Click the browse button to select the cache in which to store the certificate status result. The list of currently configured caches is displayed in the tree. To add a cache, right-click the Caches tree node, and select Add Local Cache or Add Distributed Cache. Alternatively, you can configure caches under the Libraries node in the Policy Studio tree. For more details, see the Global caches topic.

Storing the certificate status in the cache enables the certificate status to be retrieved without having to return to the OCSP responder.

Routing settings

You can configure the settings for routing the OCSP request to the OCSP responder on the Routing tab.

You can configure SSL settings, credential profiles for authentication, and other settings for the connection using the SSL, Authentication, and Settings tabs. For more details, see the Connect to URL topic.

Advanced settings

On the Advanced tab, you can enable a specific policy to run after the message is created, or after the response is received.

Configure the following advanced settings:

Run this policy after the message has been created:

Click the browse button to select a policy to be run after the message has been created.

Run this policy after a response has been received:

Click the browse button to select a policy to be run after a response has been received.

Record outbound transactions:

Select this option to enable recording of outbound transactions under traffic monitor. This field is not selected by default. For more information, see the API Gateway Administrator Guide.

Integration with Axway Validation Authority

When using the OCSP client with Axway Validation Authority (VA) as an OCSP responder, you can use the following trust models:

  • Direct trust

    In this model, OCSP responses are signed with the OCSP signing certificate of the VA server. The signing certificate is not included in the OCSP response.

  • VA delegated trust

    In this model, the signing certificate is included in the OCSP response. API Gateway might not have this certificate. If not, it must have the issuer (CA) certificate of the signing certificate.

You can import certificates into API Gateway's trusted certificate store under the Certificates and Keys node in the Policy Studio tree. For more information, see the Manage certificates and keys topic.

Note: A complete documentation set for Axway Validation Authority is available on the Axway Support website: https://support.axway.com.