DO NOT SHARE THESE DOCS WITH CUSTOMERS!
This is an LA release that will only be provided to a select number of PLM-sanctioned customers (PDFs only). Contact PLM for details.
In this section:
The Online Certificate Status Protocol (OCSP) enables SBC applications to determine the revocation status of a given certificate. OCSP is used to satisfy some of the operational requirements of providing timely revocation information.
When a peer sends certificates, an OCSP client (e.g. SIPFE) issues a status request to an OCSP responder and suspends acceptance of the certificates in question until the responder provides a response. The OCSP client needs the address/URL of the OCSP responder, the certificate to be checked, and the certificate issuer’s certificate. The OCSP URL can be FQDN or IPv4 address plus port number.
The SBC supports OCSP stapling, which means the client does not need to query the OCSP responder to retrieve the certificate status. OCSP stapling allows you to provide the validity information of your security certificate. Refer to SIP Profiles for more information.
SBC supports adding OCSP configuration to an existing/new TLS profile, and performing automatic OCSP checking in OpenSSL library without making substantial changes to OCSP clients (SIPFE, etc.). The OCSP clients may be involved when OCSP checking returns errors. The user may create up to four OCSP profiles per system as described in "Key Concepts" section below.
The SBC can act in TLS server role as well as TLS client role.
The SBC integrates OCSP status-checking as a part of certificate validation in OpenSSL library.
OCSP Profile can also be assigned to an EMA TLS Profile.
The user may create up to four OCSP profiles per system, each specifying the OCSP capabilities and protocol parameters applying to one or more TLS connections that use the profile (a SIP/TLS connection may reference an OCSP profile in its assigned TLS profile). The OCSP profile is referenced by the existing TLS profile.
When configuring an OCSP profile, be aware that you may delete a given OCSP profile when it is not referenced by any TLS connections.
When OCSP is enabled for a TLS connection, every individual certificate in the chain presented by the peer device during the establishment of the connection is validated against an OCSP responder for its revocation status.
When the SBC is upgraded from a release which already supports OCSP, all the parameter values of existing OCSP profiles are retained after the upgrade completes.
On SBC main screen, go to Configuration > System Provisioning > Security Configuration > Ocsp Profile. The Ocsp Profile window is displayed.
To edit any of the Ocsp Profile in the list, click the radio button next to the specific Ocsp Profile name. The Edit Selected Ocsp Profile window is displayed as in the following figure.
Make the required changes and click Save at the right hand bottom of the panel to save the changes made.
To create a new Ocsp Profile, click New Ocsp Profile on the Ocsp Profile List panel. The Create New Ocsp Profile window is displayed.
The following fields are displayed:
Parameter | Description |
---|---|
Ocsp Name | Specifies the name of the Ocsp Profile to be created. |
State | The administration state of this OCSP profile. The options are:
Note: The OCSP statistics counters for a configured OCSP profile can be reset by disabling and re-enabling the profile’s state. |
Default Responder | Enter default OCSP responder URL: IPv4 address, or FQDN. |
Aia Override | Enable flag to override OCSP responder specified in certificate's AIA. The options are:
|
OCSP Stapling | Use this flag to enable or disable OCSP stapling. OCSP stapling allows you to provide the validity information of your security certificate.
The SBC disables this flag if the OCSP Profile State flag is Disabled. |
Response Wait Time | Specifies the OCSP response waiting time, in seconds. If response is not received within this period, the server is considered unavailable. |
OCSP Response Caching Timer | Configure this parameter with the timer (in days) for the OCSP response caching. The range is 1-30, and the default is 1. The SBC deletes the OCSP cached response when this timer expires. |
To copy an Ocsp Profile, click the radio button next to the specific Ocsp Profile to highlight the row.
Click Copy Ocsp Profile on the Ocsp Profile List panel. The Copy Selected Ocsp Profile window is displayed.
Make the required changes to the required fields and click Save to save the changes. The copied Ocsp Profile is displayed at the bottom of the original Ocsp Profile in the Ocsp Profile List panel.