The Online Certificate Status Protocol (OCSP) enables SBC applications to determine the revocation status of a given certificate. OCSP is used to satisfy some of the operational requirements of providing timely revocation information.

You can create an OCSP profile that specifies the OCSP capabilities listed below, together with the protocol parameters that apply to every TLS connection using the profile (a SIP/TLS connection references an OCSP profile through its assigned TLS profile).

  • OCSP capability: enabled/disabled (default: disabled)
  • Primary responder URI
    • IPv4 address and port number, or
    • FQDN
  • Priority of the responder URI:
    The OCSP service is contacted in one of the following priority orders:
    • If the aiaOverride parameter is enabled, the configured default OCSP responder is used.
    • If the aiaOverride parameter is disabled and the certificate contains an AIA field, the responder from the AIA field is used.
    • If the certificate does not contain an AIA field, the configured default responder is used as the fallback.

If no OCSP response arrives within the configured wait time after the OCSP request is sent, the response is considered unavailable. The wait time is configurable from 1 to 16 seconds, with a default of 2 seconds.

When configuring an OCSP profile, take note of the following:

  • You are not allowed to configure the primary and backup responders with the same IP address or FQDN.

  • You may delete a given OCSP profile when it is not referenced by any TLS connections.

The SBC supports OCSP stapling, which means the client does not need to query the OCSP responder to retrieve the certificate status. OCSP stapling allows you to provide the validity information of your security certificate. Refer to SIP Profiles for more information.

When OCSP is enabled for a TLS connection, every individual certificate in the chain presented by the peer device during the establishment of the connection is validated against an OCSP responder for its revocation status. 
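The responder priority order, the responseWaitTime timeout, the per-certificate check of the peer's chain and the ocspResponseCachingTimer expiry (a parameter of the CLI parameters table) described on this page, modelled in Python as an added example; this is not the SBC's own code. The OcspProfile, Cert and RevocationChecker names, the constructed_fetch stand-in for the network exchange, and every URL and serial number are assumptions made for the example: the real product sends OCSP requests over HTTP, which the stand-in replaces with a lookup table so the example runs offline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class OcspProfile:
    """Mirror of the ocspProfile CLI parameters (field names are assumptions)."""
    name: str
    default_responder: str
    aia_override: bool = False
    ocsp_stapling: bool = False
    response_wait_time: int = 2       # seconds, range 1-16
    response_caching_timer: int = 1   # days, range 1-30
    state: bool = False

    def validate(self) -> None:
        """Enforce the ranges given in the CLI parameters table."""
        checks = [
            (1 <= len(self.name) <= 23, "ocspProfile name must be 1-23 characters"),
            (1 <= self.response_wait_time <= 16, "responseWaitTime must be 1-16 seconds"),
            (1 <= self.response_caching_timer <= 30, "ocspResponseCachingTimer must be 1-30 days"),
            (bool(self.default_responder), "defaultResponder is required"),
        ]
        for ok, msg in checks:
            if not ok:
                raise ValueError(msg)

@dataclass
class Cert:
    subject: str                     # constructed stand-in for a certificate in the chain
    serial: int
    aia_ocsp: Optional[str] = None   # OCSP URL from the AIA extension, if present

def select_responder(profile: OcspProfile, cert: Cert) -> str:
    """Documented priority: aiaOverride -> certificate AIA -> configured default."""
    if profile.aia_override:
        return profile.default_responder
    return cert.aia_ocsp or profile.default_responder

def constructed_fetch(url: str, cert: Cert) -> Tuple[str, float]:
    """Constructed responder behaviour (status, seconds taken) so the example runs offline."""
    table = {
        ("http://aia.example.test/ocsp", 1001): ("good", 0.4),
        ("http://ocsp.default.example.test", 2002): ("revoked", 0.3),
        ("http://slow.example.test/ocsp", 3003): ("good", 5.0),  # slower than the wait time
    }
    return table.get((url, cert.serial), ("unknown", 0.1))

@dataclass
class RevocationChecker:
    profile: OcspProfile
    fetch: Callable[[str, Cert], Tuple[str, float]]
    cache: Dict[Tuple[str, int], Tuple[str, datetime]] = field(default_factory=dict)

    def check_cert(self, cert: Cert, now: datetime) -> str:
        key = (cert.subject, cert.serial)
        if key in self.cache:
            status, expiry = self.cache[key]
            if now < expiry:
                return status            # served from cache, responder not contacted
            del self.cache[key]          # ocspResponseCachingTimer has expired
        status, elapsed = self.fetch(select_responder(self.profile, cert), cert)
        if elapsed > self.profile.response_wait_time:
            return "unavailable"         # past responseWaitTime; nothing is cached
        self.cache[key] = (status, now + timedelta(days=self.profile.response_caching_timer))
        return status

    def check_chain(self, chain: List[Cert], now: datetime) -> Dict[str, str]:
        """Every certificate in the presented chain is checked individually."""
        return {c.subject: self.check_cert(c, now) for c in chain}

def demo() -> dict:
    """Push a three-certificate chain through a profile and report what happened."""
    default = "http://ocsp.default.example.test"
    profile = OcspProfile("myOcspProfile", default, response_wait_time=3,
                          response_caching_timer=3, state=True)
    profile.validate()
    calls: List[str] = []

    def counting_fetch(url: str, cert: Cert) -> Tuple[str, float]:
        calls.append(url)
        return constructed_fetch(url, cert)

    chain = [Cert("leaf", 1001, aia_ocsp="http://aia.example.test/ocsp"),
             Cert("intermediate", 2002),    # no AIA: falls back to the default responder
             Cert("slow-leaf", 3003, aia_ocsp="http://slow.example.test/ocsp")]
    checker = RevocationChecker(profile, counting_fetch)
    t0 = datetime(2024, 1, 1)
    first = checker.check_chain(chain, t0)
    n_first = len(calls)
    checker.check_chain(chain, t0 + timedelta(hours=1))   # cache hits, except the unavailable one
    n_repeat = len(calls)
    checker.check_chain(chain, t0 + timedelta(days=4))    # 3-day caching timer has expired
    n_expired = len(calls)
    override = OcspProfile("overrideProfile", default, aia_override=True)
    return {"first": first, "fetches": (n_first, n_repeat, n_expired),
            "leaf_responder": select_responder(profile, chain[0]),
            "leaf_responder_override": select_responder(override, chain[0])}
```

Running demo() shows the three behaviours side by side: the leaf is checked at its AIA responder while the intermediate without an AIA field falls back to the default responder, the slow responder exceeds the 3-second responseWaitTime and yields "unavailable" without being cached, and the cached verdicts stop a second responder contact until the 3-day caching timer has run out.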

When the SBC is upgraded from a release which already supports OCSP, all the parameter values of existing OCSP profiles are retained after the upgrade completes.

OCSP support involves configuring an OCSP profile and then assigning the OCSP profile name to both a TLS Profile and an EMA TLS Profile. You can also monitor and reset OCSP statistics.

CLI Syntax

% set profiles security ocspProfile <profile name>
	aiaOverride <disabled | enabled>
	ocspStapling <disabled | enabled>
	defaultResponder <URL>
	responseWaitTime <1-16 seconds>
	ocspResponseCachingTimer <1-30>
	state <disabled | enabled>

% show profiles security ocspProfile <profile name>
	aiaOverride
	ocspStapling
	defaultResponder
	responseWaitTime
	ocspResponseCachingTimer
	state

% delete profiles security ocspProfile <profile name>

CLI Parameters

Table 1: CLI Parameters

ocspProfile
  Length/Range: 1-23
  Default: N/A
  Description: The name of the OCSP profile.

aiaOverride
  Length/Range: N/A
  Default: disabled
  Description: Enable this flag to override the OCSP responder specified in the certificate's AIA field.
    • disabled (default)
    • enabled

ocspStapling
  Length/Range: N/A
  Default: disabled
  Description: Use this flag to enable or disable OCSP stapling. OCSP stapling allows you to provide the validity information of your security certificate.
    • disabled (default)
    • enabled
  The SBC disables this flag if the ocspProfile state flag is disabled.

defaultResponder
  Length/Range: N/A
  Default: N/A
  Description: Enter the default OCSP responder URL: an IPv4 address or FQDN.

responseWaitTime
  Length/Range: 1-16
  Default: 2
  Description: OCSP response wait time, in seconds. If a response is not received within this period, the response is considered unavailable.

ocspResponseCachingTimer
  Length/Range: 1-30
  Default: 1
  Description: The timer (in days) for OCSP response caching. The SBC deletes the cached OCSP response when this timer expires.

state
  Length/Range: N/A
  Default: disabled
  Description: The administration state of this OCSP profile.
    • disabled (default)
    • enabled

CLI Example

% set profiles security ocspProfile myOcspProfile aiaOverride disabled ocspStapling enabled defaultResponder http://ocsp.verisign.com responseWaitTime 3 ocspResponseCachingTimer 3 state enabled

% show profiles security ocspProfile myOcspProfile
state                    enabled;
defaultResponder         http://ocsp.verisign.com;
aiaOverride              disabled;
ocspStapling             enabled;
responseWaitTime         3;
ocspResponseCachingTimer 3;