Online Certificate Status Protocol

The Online Certificate Status Protocol (OCSP) is defined in RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. The protocol enables users to determine the revocation state of a specific certificate, and may provide a more efficient source of revocation information than is possible with Certificate Revocation Lists (CRL).

The protocol specifies the data exchanged between an OCSP client (for example, the Oracle® Enterprise Session Border Controller) and an OCSP responder, the Certification Authority (CA), or its delegate, that issued the target certificate. An OCSP client issues a request to an OCSP responder and suspends acceptance of the certificate in question until the responder replies with a certificate status.

Certificate status is reported as

good
revoked
unknown

good indicates a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate is not revoked, but does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate’s validity interval.

revoked indicates that the certificate has been revoked, either permanently or temporarily.

unknown indicates that the responder cannot identify the certificate.

Caveats

OCSP is currently supported only on TLS interfaces; it is not currently supported for use with IKEv1 and IKEv2.

Online Certificate Status Protocol Configuration

OCSP configuration consists of

Configuring one or more certificate status profiles; each profile contains information needed to contact a specific OCSP responder.
Enabling certificate revocation checking by assigning a certificate status profile to a previously configured TLS profile.

To create a certificate status profile:
From superuser mode, use the following command sequence to access cert-status-profile configuration mode. While in this mode, you provide the information required to access one or more OCSP responders.
```
ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# cert-status-profile
ORACLE(cert-status-profile)#
```
Use the required name parameter to identify this cert-status-profile instance — each profile instance provides configuration data for a specific OCSP responder. name is used to distinguish between multiple profile instances.
Use the required ip-address parameter to specify the IPv4 address of the OCSP responder.
Use the optional port parameter to specify the destination port.

In the absence of an explicitly configured value, the default port number of 80 is used.
Use the optional realm-id parameter to specify the realm used to transmit OCSP requests.

In the absence of an explicitly configured value, the default specifies service across the wancom0 interface.
Use the optional requester-cert parameter only if OCSP requests are signed; ignore this parameter if requests are not signed.

RFC 2560 does not require signed requests; however, local or CA policies can mandate digital signature..
Use the required responder-cert parameter to identify the certificate used to validate OCSP responses — a public key of the OCSP responder.

RFC 2560 requires that all OCSP responders digitally sign OCSP responses, and that OCSP clients validate incoming signatures.

Provide the name of the certificate configuration element that contains the certificate used to validate the signed OCSP response.
Use the optional retry-count parameter to specify the maximum number of times to retry an OCSP responder in the event of connection failure.
If the retry counter specified by this parameter is exceeded, the OCSP requester either contacts another responder (if multiple responders have been configured within this cert-status-profile) and quarantine the unavailable responder for a period defined the dead-time parameter.

In the absence of an explicitly configured value (an integer within the range 0 through 10), the default of 1 is used.
```
ORACLE(cert-status-profile)# retry-count 2
ORACLE(cert-status-profile)#
```
Use the optional dead-time parameter to specify the quarantine period imposed on an unavailable OCSP responder.

In the absence of an explicitly configured value (an integer within the range 0 through 3600 seconds), the default value (0) is used.

Customer implementations utilizing a single OCSP responder are encouraged to retain the default value, or to specify a brief quarantine period to prevent lengthy service outages.
Retain default values for the type and trans-protocol parameter to specify OCSP over an HTTP transport protocol.
Use done, exit, and verify-config to complete configuration of this cert-status-profile instance.
Repeat Steps 1 through 11 to configure additional certificate status profiles.

To enable certificate status checking:

Move to tls-profile configuration mode.

ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# tls-profile
ORACLE(tls-profile)#

Use the required cert-status-check parameter to enable OCSP in conjunction with an existing TLS profile.
Use the required cert-status-profile-list parameter to assign one or more cert-status-profiles to the current TLS profile.

Each assigned cert-status-profile provides the information needed to access a single OCSP responder.

Use quotation marks to assign multiple OCSP responders. The following sequence assigns three cert-status-profiles, VerisignClass3Designate, Verisign-1, and Thawte-1 to the TLS-1 profile.

Use done, exit, and verify-config to complete configuration.

Sample Configuration:

ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# cert-status-profile
ORACLE(cert-status-profile)# name VerisignClass3Designate
ORACLE(cert-status-profile)# ip-address 192.168.7.100
ORACLE(cert-status-profile)# responder-cert VerisignClass3ValidateOCSP
ORACLE(cert-status-profile)# done
ORACLE(cert-status-profile)# exit
...
...
ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# tls-profile
ORACLE(tls-profile)# select
<name>:
1. TLS-1
2. TLS-2
3. TLS-3
selection: 1
ORACLE(tls-profile)# cert-status-check enabled
ORACLE(cert-status-profile)# cert-status-profile-list VerisignClass3Designate Verisign-1 Thawte-1
ORACLE(cert-status-profile)# done
ORACLE(cert-status-profile)# exit

Unreachable OCSR

With OCSP enabled, the client implementation running on the Oracle® Enterprise Session Border Controller supports message exchange between the Oracle® Enterprise Session Border Controller and an OCSR as specified in RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. The Oracle® Enterprise Session Border Controller contacts the OCSR whenever a remote client attempts to establish an SSL/TLS connection with the Oracle® Enterprise Session Border Controller. The Oracle® Enterprise Session Border Controller sends a request to the OCSR to check the current status of the certificate presented by the remote client. The Oracle® Enterprise Session Border Controller suspends processing of the SSL/TLS connection request pending receipt of the OCSR response. In previous releases (prior to Version S-CX6.3.0), a good OCSR response resulted in the establishment of a secure SSL/TLS connection. A revoked or unknown OCSR response, or the failure to reach an OCSR, resulted in the rejection of the connection attempt.

This behavior, which adheres to the requirements of RFC 2560, conflicts with the requirements of Section 5.4.6.2.1.6.4.a.i of UCR 2008 which requires an OCSP client to attempt authentication of remote clients in the event of an unreachable OCSR.

Release S-CX6.3F1 adds a new attribute (ignore-dead-responder) to the TLS profile configuration element to provide compliance with DISA/DoD requirements specifying OCSP client operations when faced with unreachable OCSRs. By default, the attribute is disabled meaning that all client connections will be disallowed in the event of unreachable OCSRs.

In DISA/DoD environments ignore-dead-responder should be enabled, allowing local certificate-based authentication by the Oracle® Enterprise Session Border Controller in the event of unreachable OCSRs. Successful authentication is achieved if the certificate presented by the remote client was signed by a Certificate Authority (CA) referenced by the trusted-ca-certificates attribute. If the local authentication succeeds, the secure TLS/SSL connection is established; otherwise the connection is rejected.

Unreachable OCSR Configuration

The following sample configuration implements DISA/DoD-compliant client behavior in the event of an unreachable OCSR.

ACMEPACKET# configure terminal 
ACMEPACKET(configure)# security#
ACMEPACKET(security)# tls-profile
ACMEPACKET(security)# show
tls-profile
        name                        DoD
        end-entity-certificate      sylarCert-2048
        trusted-ca-certificates     dod1 dod2 disaA disaB IBM1
        cipher-list                 all
        verify-depth                10
        mutual-authenticate         disabled
        tls-version                 tlsv1
        cert-status-check           enabled
        cert-status-profile-list    DoD
        ignore-dead-responder       enabled
        ...
        ...
ACMEPACKET(tls-profile)#

OCSR Status Monitoring

OCSR monitoring is provided to track the reachability of individual OCSRs, and, in topologies containing multiple OCSRs, the overall availability of OCSR service.

If monitoring is enabled for individual OCSRs, reachability is monitored by observing responder transactions.

Initially, all OCSRs are considered reachable. If a previously reachable OCSR fails to respond to a certificate status request, the Oracle® Enterprise Session Border Controller marks the OCSR as unreachable, and generates an SNMP trap and log entry indicating that status. If a previously unreachable OCSR respond to a certificate status request, the Oracle® Enterprise Session Border Controller returns the OCSR to the reachable status, and generates an SNMP trap and log entry indicating that status change.

Use the following procedure to enable monitoring of individual OCSRs.

Navigate to the new security-config configuration element.

ORACLE# configure terminal 
ORACLE(configure)# security# 
ORACLE(security)# security-config 
ORACLE(security-config)#

Enable monitoring of individual OCSRs by setting the ocsr-monitoring-traps attribute to enabled; this attribute is disabled by default.
```
ORACLE(security-config)# ocsr-monitoring-traps enabled 
ORACLE(security-config)# 
```
Use done, exit, and verify-config to complete required configuration.
Reachability status of individual OCSRs is aggregated to monitor the overall availability of OCSR service. Using the procedure explained above, the Oracle® Enterprise Session Border Controller maintains a count of all OCSRs, and of all reachable OCSRs.
- If all OCSRs are reachable, the Oracle® Enterprise Session Border Controller generates a trap and log entry noting this optimal state.
- If all OCSRs are unreachable, the Oracle® Enterprise Session Border Controller generates a trap and log entry noting this erroneous state.
- When the Oracle® Enterprise Session Border Controller transitions from either of the two states described above (in the optimal state, when an OCSR becomes unreachable; in the erroneous state, when an unreachable OCSR becomes reachable), the Oracle® Enterprise Session Border Controller generates a trap and log entry indicating that an unspecified number of OCSRs are reachable.
Monitoring of OCSR service availability is a by-product of enabling SNMP; no further configuration is required.

OCSR Access via FQDN

Prior software releases supported OCSR access only via IPv4 addresses and port numbers. In response to a DISA/DoD request, Release S-CX6.3F1 adds support for OCSR access via FQDNs. Since multiple public key infrastructure (PKI) elements capable of supporting OCSP requests can exist within a DISA/DoD environment, the Domain Name Service (DNS) lookup that resolves the FQDN can result in more than one OCSR IP address being returned to the Oracle® Enterprise Session Border Controller in its role of OCSP client. When processing a lookup that contains more than one IP address, the Oracle® Enterprise Session Border Controller uses a  round-robin algorithm to select from the list of OCSR addresses.

OCSR Access via FQDN is available on all media interfaces and on the wancom0 administrative interface. Note that support for FQDN-based access is requires the configuration of DNS support.

If the realm attribute is configured in the certificate-status-profile configuration element, the required DNS query is issued on the corresponding network interface. This model requires configuration of the dns-ip-primary attribute, and optionally the dns-ip-backup1 and dns-ip-backup2 attributes for the realm’s network interface.

If the realm attribute is not configured in the certificate-status-profile, the required DNS query is issued on the wancom0 interface. This model requires configuration of the dns-ip-primary attribute, and optionally the dns-ip-backup1 and  dns-ip-backup2 attributes for the wancom0 interface.

Access via an FQDN is supported by a new attribute (hostname) in the  cert-status-profile configuration element.

The Oracle® Enterprise Session Border Controller allows configuration of both an OCSR IP address and port number (using the ip-address and port attributes) and an OCSR domain (using the hostname attribute).

In such cases the verify-config command issues a warning and notes that  IP address-based access will be used.

OCSR Access Configuration via IP Address

The following sample configuration accesses an OCSR at 192.168.7.100:8080.

ORACLE# configure terminal
ORACLE(configure)# security#
ORACLE(secirity)# cert-status-profile#
ORACLE(cert-status-profile)# show
cert-status-profile
       name                      defaultOCSP
       ip-address                192.168.7.100
       hostname
       port                      8080
       type                      OCSP
       trans-proto               HTTP
       requestor-cert            ocspVerisignClient
       responder-cert            VerisignCA2
       trusted-cas
       realm-id                  admin
       retry-count               1
       dead-time                 0
       last-modified-by
       last-modified-date
ORACLE(cert-status-profile)#

OCSR Access Configuration via FQDN

The following sample configuration accesses one or more OCSRs at example.disa.mil.

Note that in the absence of a specified domain, the wancom0 interface must be DNS-enabled.

ORACLE# configure terminal
ORACLE(configure)# security#
ORACLE(cert-status-profile)# show
cert-status-profile
        name                        DISAdomain2
        ip-address
        hostname                    example.disa.mil
        port
        type                        OCSP
        trans-proto                 HTTP
        requestor-cert
        responder-cert
        trusted-cas                 dod1 dod2 disaA disaB IBM1
        realm-id
        retry-count                 1
        dead-time                   0
        last-modified-by
        last-modified-date
ORACLE(cert-status-profile)#

Direct and Delegated Trust Models

RFC 2560 specifies that an OCSR must digitally sign OCSP responses, and that an OCSP client must validate the received signature. In prior releases, successful validation of the signed response served to authenticate the responder. Such an authentication method is referred to as a direct trust model in that it does not require confirmation from a trusted Certificate Authority (CA). Rather it requires that the OCSP client be in possession of the public counterpart of the private key used by the OCSR to sign the response. This certificate is identified by the responder-cert attribute in the cert-status-profile configuration element. Prior to Release S-CX6.3F1, authentication via signature validation was the only authentication method provided by the OCSP client implementation.

Release S-CX6.3F1 continues support for the direct trust model, while also supporting an alternative delegated trust model as described in Section 5.4.6.2.1.6.1.e.3.c of UCR 2010. The delegated trust model requires that OCSR be authenticated by a trusted CA. Within the DISA/DoD delegated trust model, an OCSR certificate is appended to every response, thus eliminating the need for a pre-provisioned responder certificate. The appended certificate is a signing certificate issued and signed by a DoD-approved CA that issued the certificate that is being validated. These OCSR certificates have a short lifespan and are reissued regularly.

Direct Trust Model Configuration

The direct trust model is used in virtually all commercial/enterprise environments. Configuration of the direct trust model is unchanged from that contained in the latest version of your hardware or the Oracle® Enterprise Session Border ControllerConfiguration Guide.

Delegated Trust Model Configuration

The delegated trust model is used exclusively in some strict DISA/DoD environments; other DISA/DoD environments may support both the direct and delegated trust models.

Use the following procedure to configure OCSP for DISA/DoD environments.

From superuser mode, use the following command sequence to access cert-status-profile configuration mode. While in this mode, you configure a cert-status-profile configuration element, a container for the information required to access a single, specific OCSR.
```
ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# cert-status-profile
ORACLE(cert-status-profile)#
```
The name attribute differentiates cert-status-profile configuration elements one from another. Each cert-status-profile provides configuration information for a single, specific OCSP responder.
The type attribute selects the certificate revocation check methodology, the only currently supported methodology is OCSP.
Retain the default value (http) for trans-protocol attribute, which identifies the transport method used to access the OCSR.
The ip-address attribute works in conjunction with the port attribute to provide the IP address of the OCSR.

ip-address identifies the OCSR by its IP address. port identifies the port monitored by the HTTP server for incoming OCSP requests.

The port attribute can be safely ignored if the OCSR is specified as a FQDN by the host-name attribute, but is required if the OCSR is identified by the ip-address attribute.

Allowable port values are integers within the range 1025 through 65535. In the absence of an explicitly configured value, the system provides a default value of 80, the well-known HTTP port.
Alternatively, use the host-name attribute to identify the OCSR.

host-name identifies the OCSR by a FQDN.

If you provide both an IPv4 address/port number and a FQDN, the Oracle® Enterprise Session Border Controller uses the IP address/port number and ignores the FQDN.

If values are provided for both attributes, the Security Gateway uses the IP address and ignores the host-name value.
The realm-id attribute specifies the realm used to access the OCSR.

In the absence of an explicitly configured value, the Oracle® Enterprise Session Border Controller provides a default value of wancom0, specifying OCSP transmissions across the wancom0 management interface.

If the OCSR identified by a FQDN, the realm identified by realm-id must be DNS-enabled.
The requester-cert attribute is meaningful only if OCSP requests are signed; ignore this attribute if requests are not signed.

RFC 2560 does not require the digital signature of OCSP requests. OCSRs, however, can impose signature requirements.

If a signed request is required by the OCSR, provide the name of the certificate configuration element that contains the certificate used to sign OCSP requests.
The responder-cert attribute identifies the certificate used to validate signed OCSP response — a public key of the OCSR.

In DISA/DoD environments that support the direct trust model, optionally provide the name of the certificate configuration element that contains the certificate used to validate the signed OCSP response.

If a responder-cert is provided, it is only used if the OCSP response has no appended certificates, in which case the OCSP client attempts to validate the response signature. Depending on the validation failure or success, the response is rejected or accepted.

If the OCSP response has an appended certificate or certificate chain, the responder-cert is ignored, and the trusted-cas list is used to validate the appended certificate(s).
The trusted-cas attribute (a list of certificate configuration objects) identifies the approved DoD-approved CAs that sign OCSR certificates.

In DISA/DoD environments that support the delegated trust model, you must provide a list of CAs used to validate the received certificate.

If a certificate or a certificate chain is appended to the OCSP response, the OCSP client verifies that the first certificate signed the response, and that the CA is trusted by the Oracle® Enterprise Session Border Controller (that is, the CA certificate is contained in the trusted-cas list. The client then walks through each additional certificate (if any exist) ensuring that each certificate is also trusted. If all certificates are trusted, the OCSP response is accepted; otherwise, it is rejected.
The retry-count attribute specifies the maximum number of times to retry an OCSP responder in the event of connection failure.

If the retry counter specified by this attribute is exceeded, the OCSP requester contacts another responder (if multiple responders have been configured) and quarantines the unavailable responder for a period defined the dead-time attribute.

In the absence of an explicitly configured value (an integer within the range 0 through 10), the Oracle® Enterprise Session Border Controller provides a default value of 1 (connection retries).
The dead-time attribute specifies the quarantine period imposed on an unavailable OCSR.

In the absence of an explicitly configured value (an integer within the range 0 through 3600 seconds), the Oracle® Enterprise Session Border Controller provides a default value of 0 (no quarantine period).

Customer implementations utilizing a single OCSP responder are encouraged to retain the default value, or to specify a brief quarantine period to prevent lengthy service outages.
Use done, exit, and verify-config to complete configuration of this cert-status-profile instance.
Repeat Steps 1 through 13 to configure additional cert-status-profile configuration elements.