Customize the domain-wide OCSP settings

Before you begin

Enable certificate revocation checking. For information, see Enable certificate revocation checking in a domain and X.509 Certificate Revocation Checking.
If you Enable automatic realm restart in the default security realm, you do not need to restart WebLogic Server after activating changes to the OCSP configuration.

The Online Certificate Status Protocol (OCSP) is an automated certificate checking network protocol defined in RFC 2560. As part of certificate validation, WebLogic Server queries the revocation status of a certificate by issuing an OCSP request to an OCSP responder. Certificate status is maintained by the OCSP responder. Acceptance of the certificate is suspended until the responder returns an OCSP response, indicating whether the certificate is still trusted by the CA that issued it.

When configuring certificate revocation checking in a WebLogic domain, you can customize the following OCSP settings:

Whether to use nonces in OCSP requests and responses. A nonce is a random number that, when included in an OCSP request, forces a fresh response that also requires a nonce. Pre-signed OCSP responses are rejected, which prevents replay attacks.
Whether to enable to OCSP response local cache, an in-memory cache for holding OCSP responses whose use optimizes performance and reduces network bandwidth.
The timeout setting that limits the wait time for OCSP responses. Setting a timeout helps minimize blocked threads and also reduces the system’s vulnerability to denial of service attacks.
A time tolerance value for handling clock-skew differences between WebLogic Server and OCSP responders.
The OCSP response cache capacity and its refresh setting. The refresh setting is expressed as a percentage of an OCSP response validity period that, when reached, forces a refresh of the cache entry from the OCSP responder. For example, for a validity period of 10 hours, a value of 10% specifies that after one hour, the cached response expires and a fresh response is required. The refresh occurs when the OCSP response is next required.

To customize the OCSP configuration in WebLogic Server:

If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
In the left pane of the Console, under Domain Structure, select the domain name.
Select Security > SSL Certificate Revocation Checking > OCSP.
Customize one or more of the following:
- To enable the use of nonces in OCSP requests and responses, select the Enable Nonces check box. (Nonces are disabled by default.)
- To enable the OCSP response cache, select the Enable Response Cache check box. (The OCSP response cache is enabled by default.)
- To customize the OCSP response timeout setting, click Advanced, and specify the Response Timeout (seconds). Optionally, specify the Time Tolerance (seconds) to handle clock-skew differences between WebLogic Server and OCSP responders.
- To customize the OCSP response cache, click Advanced, and specify the Capacity or the Refresh Period (percent).
Click Save.
In the Change Center, click Activate Changes. If automatic realm restart is enabled in the default realm, you do not need to restart WebLogic Server for changes to go into effect.

Administration Console Online Help

Customize the domain-wide OCSP settings