In this section:

The Online Certificate Status Protocol (OCSP) enables SBC applications to determine the revocation status of a given certificate. OCSP is used to satisfy some of the operational requirements of providing timely revocation information.

When a peer sends certificates, an OCSP client (e.g. SIPFE) issues a status request to an OCSP responder and suspends acceptance of the certificates in question until the responder provides a response. The OCSP client needs the address/URL of the OCSP responder, the certificate to be checked, and the certificate issuer’s certificate. The OCSP URL can be FQDN or IPv4 address plus port number.

The SBC supports adding OCSP configuration to an existing/new TLS profile, and performing automatic OCSP checking in OpenSSL library without making substantial changes to OCSP clients (SIPFE, etc.). The OCSP clients may be involved when OCSP checking returns errors. The user may create up to four OCSP profiles per system as described in "Key Concepts" section below.

The SBC can act in TLS server role as well as TLS client role.

  • As a TLS server with Client Authentication enabled, the SBC checks OCSP status when the TLS client sends its certificate chain to the SBC. Upon receiving Certificate Verify from client, the SBC performs OCSP status checking for each certificate in the chain after validating signature, expiration time, etc. for each certificate in the chain.
  • When acting as a TLS client, the SBC checks OCSP status when the peer TLS server sends its certificate chain to the SBC. The SBC then performs OCSP status checking for each certificate in the chain.

The SBC integrates OCSP status-checking as a part of certificate validation in OpenSSL library.

OCSP Profile can also be assigned to an EMA TLS Profile.

Key Concepts

The user may create up to four OCSP profiles per system, each specifying the OCSP capabilities and protocol parameters applying to one or more TLS connections that use the profile (a SIP/TLS connection may reference an OCSP profile in its assigned TLS profile). The OCSP profile is referenced by the existing TLS profile.

  • OCSP capability
    • enabled
    • disabled (default)
  • Default responder URI (default: blank):
    • IPv4 address and port number, or
    • FQDN
  • AIA override:
    • enabled - Forces the use of configured Default responder for OCSP validation regardless of whether or not the certificate being validated references a responder by AIA.
    • disabled (default) - The responder referenced via AIA by the certificate being validated is used, or the Default responder as configured is used only if the AIA is not available.
  • OCSP response waiting time - If the corresponding OCSP response does not return before the time expires after sending an OCSP request, the response is considered unavailable.
    • Range: 1-16 seconds, default = 2.
The configured default responder may point to the certificate authority (CA) that issued the certificate in question, a Trusted Responder whose public key is trusted by the SBC, or a CA Authorized Responder (or Delegated Trust Responder in UCR term) that is designated by one or more CAs.

When configuring an OCSP profile, be aware that you may delete a given OCSP profile when it is not referenced by any TLS connections.

When OCSP is enabled for a TLS connection, every individual certificate in the chain presented by the peer device during the establishment of the connection is validated against an OCSP responder for its revocation status. 

When the SBC is upgraded from a release which already supports OCSP, all the parameter values of existing OCSP profiles are retained after the upgrade completes.

To View Ocsp Profile

On the SBC main screen, go to Configuration > System Provisioning > Security Configuration > Ocsp Profile. The Ocsp Profile window is displayed.

Security Configuration - Ocsp Profile

 

To Edit Ocsp Profile

To edit any of the Ocsp Profile in the list, click the radio button next to the specific Ocsp Profile name.

Security Configuration - Ocsp Profile Highlighted

 

 The Edit Selected Ocsp Profile window is displayed below.

Security Configuration - Ocsp Profile Edit Window

 

 

Make the required changes and click Save at the right hand bottom of the panel to save the changes made.

To Create Ocsp Profile

To create a new Ocsp Profile, click New Ocsp Profile tab on the Ocsp Profile List panel.

Security Configuration - Ocsp Profile Fields

 

 

The Create New Ocsp Profile window is displayed.

Security Configuration - Ocsp Profile Create Window

 

 

The following fields are displayed:

Ocsp Profile Parameters

 

Parameter

Description

Ocsp Name

Specifies the name of the Ocsp Profile to be created.

State 

The administration state of this OCSP profile. The options are:

  • disabled (default)
  • enabled

The OCSP statistics counters for a configured OCSP profile can be reset by disabling and re-enabling the profile’s state


Default Responder 

Enter default OCSP responder URL: IPv4 address, or FQDN.

Aia Override 

Enable flag to override OCSP responder specified in certificate's AIA. The options are:

  • disabled (default)
  • enabled
Response Wait TimeSpecifies the OCSP response waiting time, in seconds. If response is not received within this period, the server is considered unavailable.

To Copy Ocsp Profile

To copy any of the created Ocsp Profile and to make any minor changes, click the radio button next to the specific Ocsp Profile to highlight the row.

Security Configuration - Ocsp Profile Highlighted

 


Click Copy Ocsp Profile tab on the Ocsp Profile List panel.

Security Configuration - Ocsp Profile Fields

 


 

The Copy Selected Ocsp Profile window is displayed along with the field details which can be edited.

Security Configuration - Ocsp Profile Copy Window

 

 

Make the required changes to the required fields and click Save to save the changes. The copied Ocsp Profile is displayed at the bottom of the original Ocsp Profile in the Ocsp Profile List panel.

To Delete Ocsp Profile

To delete any of the created Ocsp Profile, click the radio button next to the specific Ocsp Profile which you want to delete.

Security Configuration - Ocsp Profile Highlighted

 

 

Click Delete at the end of the highlighted row. A delete confirmation message appears seeking your decision.

Security Configuration - Ocsp Profile Delete Confirmation

 

Click OK to remove the specific Ocsp Profile from the list.

 

  • No labels