Delegated Trust Model Configuration

The delegated trust model is used exclusively in some strict DISA/DoD environments; other DISA/DoD environments may support both the direct and delegated trust models.

Use the following procedure to configure OCSP for DISA/DoD environments.

  1. From superuser mode, use the following command sequence to access cert-status-profile configuration mode. While in this mode, you configure a cert-status-profile configuration element, a container for the information required to access a single, specific OCSR.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# cert-status-profile
    ORACLE(cert-status-profile)#
  2. The name attribute differentiates cert-status-profile configuration elements one from another. Each cert-status-profile provides configuration information for a single, specific OCSP responder.
  3. The type attribute selects the certificate revocation check methodology; the only currently supported methodology is OCSP.
  4. Retain the default value (http) for trans-protocol attribute, which identifies the transport method used to access the OCSR.
  5. The ip-address attribute works in conjunction with the port attribute to provide the IP address of the OCSR.

    ip-address identifies the OCSR by its IP address. port identifies the port monitored by the HTTP server for incoming OCSP requests.

    The port attribute can be safely ignored if the OCSR is specified as a FQDN by the host-name attribute, but is required if the OCSR is identified by the ip-address attribute.

    Allowable port values are integers within the range 1025 through 65535. In the absence of an explicitly configured value, the system provides a default value of 80, the well-known HTTP port.

  6. Alternatively, use the host-name attribute to identify the OCSR.

    host-name identifies the OCSR by a FQDN.

    If you provide both an IPv4 address/port number and a FQDN, the Oracle® Enterprise Session Border Controller uses the IP address/port number and ignores the host-name value.

  7. The realm-id attribute specifies the realm used to access the OCSR.

    In the absence of an explicitly configured value, the Oracle® Enterprise Session Border Controller provides a default value of wancom0, specifying OCSP transmissions across the wancom0 management interface.

    If the OCSR is identified by a FQDN, the realm identified by realm-id must be DNS-enabled.

  8. The requester-cert attribute is meaningful only if OCSP requests are signed; ignore this attribute if requests are not signed.

    RFC 2560 does not require the digital signature of OCSP requests. OCSRs, however, can impose signature requirements.

    If a signed request is required by the OCSR, provide the name of the certificate configuration element that contains the certificate used to sign OCSP requests.

  9. The responder-cert attribute identifies the certificate used to validate signed OCSP responses (the public key of the OCSR).

    In DISA/DoD environments that support the direct trust model, optionally provide the name of the certificate configuration element that contains the certificate used to validate the signed OCSP response.

    If a responder-cert is provided, it is used only if the OCSP response has no appended certificates, in which case the OCSP client attempts to validate the response signature with that certificate. The response is accepted if the signature validates and rejected otherwise.

    If the OCSP response has an appended certificate or certificate chain, the responder-cert is ignored, and the trusted-cas list is used to validate the appended certificate(s).

  10. The trusted-cas attribute (a list of certificate configuration objects) identifies the DoD-approved CAs that sign OCSR certificates.

    In DISA/DoD environments that support the delegated trust model, you must provide a list of CAs used to validate the received certificate.

    If a certificate or a certificate chain is appended to the OCSP response, the OCSP client verifies that the first certificate signed the response and that its CA is trusted by the Oracle® Enterprise Session Border Controller (that is, the CA certificate is contained in the trusted-cas list). The client then walks through each additional certificate (if any exist), ensuring that each certificate is also trusted. If all certificates are trusted, the OCSP response is accepted; otherwise, it is rejected.

  11. The retry-count attribute specifies the maximum number of times to retry an OCSP responder in the event of connection failure.

    If the retry count specified by this attribute is exceeded, the OCSP requester contacts another responder (if multiple responders have been configured) and quarantines the unavailable responder for the period defined by the dead-time attribute.

    In the absence of an explicitly configured value (an integer within the range 0 through 10), the Oracle® Enterprise Session Border Controller provides a default value of 1 (connection retries).

  12. The dead-time attribute specifies the quarantine period imposed on an unavailable OCSR.

    In the absence of an explicitly configured value (an integer within the range 0 through 3600 seconds), the Oracle® Enterprise Session Border Controller provides a default value of 0 (no quarantine period).

    Customer implementations utilizing a single OCSP responder are encouraged to retain the default value, or to specify a brief quarantine period to prevent lengthy service outages.

  13. Use done, exit, and verify-config to complete configuration of this cert-status-profile instance.
  14. Repeat Steps 1 through 13 to configure additional cert-status-profile configuration elements.
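The trust decision described in Steps 9 and 10, as an added Python model that is not Oracle's code: certificates, keys and signatures are constructed string stand-ins (key equality replaces a real signature check), and the appended chain is assumed to be ordered signer first.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no real crypto)."""
    subject: str
    issuer: str   # subject of the CA that issued this certificate
    key: str      # stand-in for the public key

@dataclass
class OcspResponse:
    signer_key: str                 # key that produced the response signature
    chain: list = field(default_factory=list)  # appended certs, signer first

@dataclass
class CertStatusProfile:
    name: str
    responder_cert: Optional[Cert] = None            # Step 9
    trusted_cas: list = field(default_factory=list)  # Step 10

def validate_response(profile: CertStatusProfile, resp: OcspResponse):
    """Return (accepted, reason) following the rules in Steps 9 and 10."""
    if not resp.chain:
        # No appended certificates: responder-cert is the only way to verify.
        if profile.responder_cert is None:
            return False, "no appended certificates and no responder-cert"
        if resp.signer_key != profile.responder_cert.key:
            return False, "signature does not verify with responder-cert"
        return True, "signature verified with responder-cert"
    # Appended chain present: responder-cert is ignored, trusted-cas decides.
    if resp.chain[0].key != resp.signer_key:
        return False, "first appended certificate did not sign the response"
    # Walk from the root-most certificate toward the signer (assumed order:
    # signer first); each certificate must be issued by a trusted CA or by a
    # certificate already validated earlier in this walk.
    trusted = {ca.subject for ca in profile.trusted_cas}
    for cert in reversed(resp.chain):
        if cert.issuer not in trusted:
            return False, f"{cert.subject} issued by untrusted {cert.issuer}"
        trusted.add(cert.subject)
    return True, "all appended certificates chain to trusted-cas"

# Constructed sample PKI: root CA -> intermediate CA -> OCSP responder.
DOD_ROOT = Cert("DoD Root CA (sample)", "DoD Root CA (sample)", "k-root")
INTERMEDIATE = Cert("DoD OCSP CA (sample)", "DoD Root CA (sample)", "k-int")
RESPONDER = Cert("ocsp.example (sample)", "DoD OCSP CA (sample)", "k-resp")
ROGUE = Cert("rogue-ocsp (sample)", "Unknown CA", "k-rogue")
DELEGATED = CertStatusProfile("ocsp-dod", trusted_cas=[DOD_ROOT])
DIRECT = CertStatusProfile("ocsp-direct", responder_cert=RESPONDER)
```

A response that appends only the responder certificate without its intermediate is rejected under the delegated profile, which is the practical reason the trusted-cas list must name the CA that actually issued the OCSR's certificate chain.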