The Online Certificate Status Protocol (OCSP) enables SBC applications to determine the revocation status of a given certificate. OCSP satisfies some of the operational requirements for providing timely revocation information.
The user may create one OCSP profile specifying the OCSP capabilities listed below, together with the protocol parameters that apply to every TLS connection using the profile (a SIP/TLS connection references an OCSP profile through its assigned TLS profile).
The responder used to check a given certificate is selected as follows:
If the aiaOverride parameter is enabled, the configured default OCSP responder is used.
If the aiaOverride parameter is disabled and the certificate contains an AIA (Authority Information Access) field, the responder named in the AIA field is used.
If the certificate does not contain an AIA field, the SBC falls back on the configured default responder.
If the OCSP response does not arrive within the response wait time after the OCSP request is sent, the response is considered unavailable. The wait time is configurable from 1 to 16 seconds, with a default of 2 seconds.
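The selection rules and the wait-time rule above can be modelled in a few lines. The following is an added illustration, not Ribbon SBC code: the profile fields mirror the CLI parameters documented on this page (aiaOverride, defaultResponder, responseWaitTime, state), while the CertInfo records, the example.test responder URLs and the simulated_query callback are constructed stand-ins for real X.509 parsing and network I/O. It also walks a whole peer chain, since every certificate in the chain is checked, not only the leaf.

```python
"""Responder selection and response-wait rules for an SBC OCSP profile.

Added illustration, not Ribbon SBC code. Profile fields mirror the CLI
parameters on this page; certificates, URLs and the responder callback
are constructed stand-ins for real X.509 parsing and network I/O.
"""
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class OcspProfile:
    aia_override: bool
    default_responder: str
    response_wait_time: int = 2  # seconds; CLI range 1-16, default 2
    enabled: bool = True

    def __post_init__(self) -> None:
        # Mirrors the configurable range of responseWaitTime.
        if not 1 <= self.response_wait_time <= 16:
            raise ValueError("responseWaitTime must be 1-16 seconds")


@dataclass
class CertInfo:
    subject: str
    aia_ocsp_url: Optional[str]  # None when the certificate has no AIA field


def select_responder(profile: OcspProfile, cert: CertInfo) -> str:
    """Apply the three selection rules in the order the page gives them."""
    if profile.aia_override:
        # aiaOverride enabled: always the configured default responder.
        return profile.default_responder
    if cert.aia_ocsp_url:
        # aiaOverride disabled and the certificate carries an AIA field.
        return cert.aia_ocsp_url
    # No AIA field: fall back on the configured default responder.
    return profile.default_responder


Query = Callable[[str, str], str]


def check_certificate(profile: OcspProfile, cert: CertInfo, query: Query) -> str:
    """Return the responder's status, or 'unavailable' if it does not
    answer within responseWaitTime seconds."""
    url = select_responder(profile, cert)
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(query, url, cert.subject).result(
            timeout=profile.response_wait_time)
    except FutureTimeout:
        return "unavailable"
    finally:
        pool.shutdown(wait=False)


def check_chain(profile: OcspProfile, chain: List[CertInfo],
                query: Query) -> Dict[str, str]:
    """Every certificate in the peer's chain is checked, not only the leaf."""
    if not profile.enabled:
        return {}  # OCSP disabled on this profile: nothing is queried
    return {c.subject: check_certificate(profile, c, query) for c in chain}


# Constructed responder behaviour keyed by (responder URL, subject);
# the "root" entry answers slower than a 1-second responseWaitTime.
SAMPLE_RESPONSES: Dict[tuple, tuple] = {
    ("http://ocsp.example.test/aia", "leaf"): ("good", 0.0),
    ("http://ocsp.example.test/default", "intermediate"): ("good", 0.0),
    ("http://ocsp.example.test/default", "root"): ("good", 1.5),
}


def simulated_query(url: str, subject: str) -> str:
    """Stand-in for an OCSP request/response exchange (constructed)."""
    status, delay = SAMPLE_RESPONSES.get((url, subject), ("unknown", 0.0))
    time.sleep(delay)
    return status


if __name__ == "__main__":
    profile = OcspProfile(aia_override=False,
                          default_responder="http://ocsp.example.test/default",
                          response_wait_time=1)
    chain = [CertInfo("leaf", "http://ocsp.example.test/aia"),
             CertInfo("intermediate", None),
             CertInfo("root", None)]
    print(check_chain(profile, chain, simulated_query))
```

The page does not state what the SBC does with a connection once a status comes back as unavailable, so check_chain reports per-certificate results and leaves that decision to the caller.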
When configuring an OCSP profile, take note of the following:
You are not allowed to configure the primary and backup responders with the same IP address or FQDN.
You may delete a given OCSP profile when it is not referenced by any TLS connections.
When OCSP is enabled for a TLS connection, every individual certificate in the chain presented by the peer device during the establishment of the connection is validated against an OCSP responder for its revocation status.
When the SBC is upgraded from a release which already supports OCSP, all the parameter values of existing OCSP profiles are retained after the upgrade completes.
OCSP support involves configuring an OCSP profile and then assigning the OCSP profile name to both a TLS Profile and an EMA TLS Profile. OCSP statistics can also be monitored and reset.
Command syntax:

% set profiles security ocspProfile <profile name>
    aiaOverride <disabled | enabled>
    defaultResponder <URL>
    responseWaitTime <1-16 seconds>
    state <disabled | enabled>

% show profiles security ocspProfile <profile name> aiaOverride defaultResponder responseWaitTime state

% delete profiles security ocspProfile <profile name>
Example:

% set profiles security ocspProfile myOcspProfile aiaOverride disabled defaultResponder http://ocsp.verisign.com responseWaitTime 3 state enabled

% show profiles security ocspProfile myOcspProfile
state            enabled;
defaultResponder http://ocsp.verisign.com;
aiaOverride      disabled;
responseWaitTime 3;