Online Certificate Status Protocol (OCSP) Support in Sterling B2B Integrator

The Online Certificate Status Protocol (OCSP) is a set of ASN.1 defined data structures for requesting and receiving information about certificate revocation status. These data structures can be sent and received by many transport protocols in principle. In practice, HTTP is used.

An OCSP client sends questions and processes responses. An OCSP responder answers questions and generates responses.

An OCSP client implementation consists of the following:

  • Data structures for managing information about OCSP responders
  • Functionality for generating OCSP requests
  • Functionality for processing OCSP responses
  • Functionality for transmitting OCSP requests and receiving OCSP responses

An OCSP check for a certificate in Sterling B2B Integrator is determined when the OCSP check within Sterling B2B Integrator is implemented as a part of internal system APIs used by services for getting certificates and keys from the database. OCSP checks are performed by Sterling B2B Integrator when methods are called to get certificates and keys from the objects that encapsulate them in the database.

The following steps describe how the OCSP check is implemented in Sterling B2B Integrator:

  1. The system checks the object that encapsulates the certificate to determine if OCSP checking is enabled. This allows the system to determine with no additional database calls whether to attempt an OCSP check.
  2. If OCSP checking is enabled, the system retrieves the encoded issuer name from a certificate.
  3. The system hashes the encoded issuer name with SHA1.
  4. The system attempts to find an authority configured in the system that has a name whose hash matches that of the certificate. If no authority is found, no check is performed.
  5. If an authority is found, the system checks the OCSP policy for the authority. If the policy permits or requires OCSP checks, see the CERT_AUTHORITY table for more information. The system attempts to find an OCSP responder for the authority.
  6. If an OCSP responder is found for the authority, an OCSP check is attempted. If no OCSP responder is found for the authority, one of the following happens:
    • If the authorization policy is set to always check, an exception is thrown and the check fails.
    • If the authorization policy is to only check when a responder is configured, no check is performed.
Two new database tables have been added to manage OCSP-related information:
  • CERT_AUTHORITY
  • OCSP_RESPONDER
CERT_AUTHORITY

The CERT_AUTHORITY table maintains information about certificate authorities.

ColumnTypeDescription
OBJECT_IDVARCHAR (255)This is a GUID that constitutes a unique ID for a record. This is the primary key. Cannot be null.
NAMEVARCHAR (255)A name for a record. Null allowed.
CREATE_DATEDATETIMEA create date for a record.
MODIFIED_DATEDATETIMEThe date a record was last modified.
MODIFIED_BYVARCHAR(255)Information about who modified a record.
ISSUER_NAMEBLOBThe RDN of the authority is taken from its certificate.
HASH_ALGVARCHAR(128)The hash algorithm is used to compute name and key hashes. Only SHA1 is supported.
RDN_HASHVARCHAR(255)BASE64 encoded SHA1 hash of the DER encoded issuer RDN taken from the authority’s certificate. This column is indexed.
KEY_HASHVARCHAR(255)BASE64 encoded SHA1 hash of the encoded public key in the issuer’s certificate
CERT_OIDVARCHAR(255)The OBJECT_ID of the authority’s certificate is in the CA_CERT_INFO table. Each authority must have a CA certificate in the database. Nulls are not allowed.
OCSP_POLICYVARCHAR(128)

The OCSP policy for the authority. This consists of two comma-separated values. The values describe when to use OCSP and what to check.

Possible values are:

OCSP_When

  • never-never use OCSP
  • resp – use OCSP only if a responder is configured when a request is made
  • always – always use OCSP when a request is made. This requires a responder to be configured and will cause certificate checking to fail if no responder is configured

OCSP_What

  • none – never check any certificates
  • end-user- Check only end-user certificates
  • both – check both end-user and intermediate certificates. Currently not supported
  • Null is not allowed in this column
CRL_POLICYVARCHAR(128)Currently not used.
LOCK_IDINTEGERUsed by the system to lock rows in the table.
CREATESTIMESTAMPThe timestamp of record creation for a row in the table.
MODIFYTIMESTAMPThe last modification time for a row in the table.
CREATEUSERIDVARCHAR(40)The user ID that created a row in the table.
MODIFYUSERIDVARCHAR(40)The user ID that modified a row in the table.
CREATEPROGIDVARCHAR(40)The name of a program or object that created a row in the table.
MODIFYPROGIDVARCHAR(40)The name of a program or object that modified a record in the table.
OCSP_RESPONDER

The OCSP_RESPONDER table maintains information about OCSP responders.

ColumnTypeDescription
OBJECT_IDVARCHAR (255)This is a GUID that constitutes a unique ID for a record. This is the primary key. Cannot be null.
NAMEVARCHAR (255)A name for a record. Null allowed.
CREATE_DATEDATETIMEA create date for a record.
MODIFIED_DATEDATETIMEThe date a record was last modified.
MODIFIED_BYVARCHAR(255)Information about who modified a record.
ISSUER_NAMEBLOBThe RDN of the authority is taken from its certificate.
HASH_ALGVARCHAR(128)The hash algorithm is used to compute name and key hashes. Only SHA1 is supported.
RDN_HASHVARCHAR(255)BASE64 encoded SHA1 hash of the DER encoded issuer RDN taken from the authority’s certificate. This column is indexed.
KEY_HASHVARCHAR(255)BASE64 encoded SHA1 hash of the encoded public key in the issuer’s certificate
CERT_OIDVARCHAR(255)The OBJECT_ID of the authority’s certificate is in the CA_CERT_INFO table. Each authority must have a CA certificate in the database. Nulls are not allowed.
CACHE_TTLVARCHAR(64)

The time in seconds to allow OCSP responses to life in the internal response cache

If the column is NULL, OCSP responses will only be cached for 1 second, which in practice means not at all.

TRANS_PROF_OIDVARCHAR(255)OBJECT_ID of a profile in the GIS database. You have to create a profile for the OCSP responder that includes the correct URL for the responder.
COMM_BPVARCHAR(255)Name of a business process to use to communicate with the OCSP responder. This has to be a business process that does HTTP communication. Services in the business process have to be configured to not require or present HTTP headers when sending and receiving, respectively. The process HTTPClientSend that comes with the system can be used and is recommended
COMM_WAITVARCHAR(24)The number of seconds to wait for communication with the OCSP responder to take place before inferring that something is wrong.
LOCK_IDINTEGERUsed by the system to lock rows in the table.
CREATESTIMESTAMPThe timestamp of record creation for a row in the table.
MODIFYTIMESTAMPThe last modification time for a row in the table.
CREATEUSERIDVARCHAR(40)The user ID that created a row in the table.
MODIFYUSERIDVARCHAR(40)The user ID that modified a row in the table.
CREATEPROGIDVARCHAR(40)The name of a program or object that created a row in the table.
MODIFYPROGIDVARCHAR(40)

The name of a program or object that modified a record in the table.

SEND_NONCEVARCHAR(8)

Indicates whether to send a nonce with OCSP requests.

Valid values:

  • true
  • false
REQ_NONCEVARCHAR(8)

Indicates whether to require a nonce in OCSP responses. The system only recognizes the requirement for nonces on responses if it is required to send them in requests (SEND_NONCE=true).

Valid values:

  • true
  • false
RESP_CERT_IN_CA_STOREVARCHAR(8)

Indicates whether the certificate used to verify signatures on OCSP responses is in the CA store.

Valid values:

  • true
  • false - The trusted store is checked.
RESP_CERT_OIDVARCHAR(255)

The object ID of the certificate is used to verify signatures on OCSP responses. This is the object ID of a record in the CA_CERT_INFO or TRUSTED_CERT_INFO table.

When configuring the system, you can create as many authorities and responders as you like.

To configure the system to use OCSP:

  1. Check the certificate for the certificate authority who issues the certificates you want to check in with OCSP into Sterling Integrator to verify it is a CA certificate.
  2. List the CA certificates in the system and get the object ID for the certificate you just installed.
  3. If the authority’s OCSP response signing certificate is different than the authority’s certificate issuing certificate, check the authority’s OCSP response signing certificate into Sterling Integrator as a Trusted certificate.
  4. If you checked in an additional OCSP signing certificate, list the Trusted certificates in the system and get the object ID for the certificate you just installed.
  5. Go to the bin directory of the Sterling Integrator installation.
  6. Start the database if necessary.
  7. Start the bash or sh shell.
  8. Source the file tmp.sh
  9. Create an authority using the utility in the class com.sterlingcommerce.security.ocsp.SCICertAuthority.
  10. Create an OCSP responder using the utility in the class com.sterlingcommerce.security.ocsp.SCIOCSPResponder
  11. Update the certificates for the authority or individual certificates to enable OCSP. The utility com.sterlingcommerce.security.ocsp.SetAuthorityCertificatesOCSPInfo will configure all trusted and system certificates for an authority. The utility com.sterlingcommerce.security.ocsp.SetSystemCertificateOCSPInfo will configure one system certificate. The utility com.sterlingcommerce.security.ocsp.SetTrustedCertificateOCSPInfo will configure one trusted certificate.

The following scripts run the OCSP configuration utilities. There is a Unix/Linux and Windows version of each script. The scripts take the same command-line arguments as the utility programs they invoke. The scripts are located in the bin directory of the product install. The information about the command-line arguments is repeated in this section describing the scripts.

ManageCertAuthority.sh and ManageCertAuthority.cmd
ArgumentDescription
-a, -l, -d, -u2

Operation to perform:

  • -a - add
  • -l - list
  • -d - delete
  • -u2 - update existing database record with newly computed key and RDN hashes

The –l option takes no additional arguments. The –d option takes a single argument: the object ID of the record to delete

NameName of the authority. Required with -a.
Modified_by

User who modified or created the identity. Required with –a.

Hash_algHash algorithm for the authority. Only the value “SHA1” is supported. Required with –a.
Certificate_idObject ID of the CA certificate associated with the authority. Required with –a.
OCSP_policy

The OCSP policy string for the authority. This is a comma-delimited string as described in the section on the CERT_AUTHORITY table. Required with –a.

For the first element of the string, the following are permitted:

  • never – never use OCSP
  • resp – use OCSP only if a responder is configured when a request is made
  • always – always use OCSP when a request is made. This requires a responder to be configured and will cause certificate checking to fail if no responder is configured

For the second element of the string, the following are permitted:

OCSP What
  • none – never check any certificates
  • end-user- Check only end user certificates
  • both – check both end-user and intermediate certificates. Currently not supported.
Examples:
  • never,none
  • always,end-user

Crl_policy

CRL policy string for the authority. Required with –a. A value is required for this argument, but it is not currently used. “None” is acceptable.
Object_ID

An object ID to use when creating this record. Optional with -a. Required with -u2.

ManageOCSPResponder.sh and ManageOCSPResponder.cmd
ArgumentDescription
-lGets a list of the currently configured OCSP Responders.

This option takes no additional arguments.

-dDeletes the configured OCSP Responder with the provided object ID for responders configuration data.

This option takes object_id as an additional argument.

-u2

Updates existing records in the database with the correct information about the public key of the authority certificate and the subject DN of the authority certificate.

This needs to be run against all existing records for both Cert Authority and OCSP Responders, or you need to delete and recreate the records to get the proper information into the database.

This option takes object_id as an additional argument.

-aAdds configuration data for a new OCSP Responder to be used for checking the status of certificates issued by the provided authority.

Additional arguments are name, modified_by, hash_alg, authority_cert_oid, response_signing_cert_oid, resp_signing_cert_in_ca_store, cache_ttl, trans_prof_oid, comm_bp, comm_wait, send_nonce, require_nonce, and object_id.

name(Required with -a) Name of the authority.
modified_by

(Required with -a) User who modified or created the identity.

hash_alg(Required with -a) Hash algorithm for the authority. Only the value “SHA1” is supported.
authority_cert_oid(Required with -a) Object ID of the CA certificate associated with the authority.
response_signing_cert_oid(Required with -a) Object ID of the certificate that the provider of the OCSP services used to sign the response providing the status for the certificates. This certificate must be added to the CA Digital Certificate store or the Trusted Digital Certificate store. This is the System Certificate ID for the certificate as it appears in the store.
resp_signing_cert_in_ca_store(Required with -a) Flag indicating if the previous value for the response_signing_cert_oid argument is found in the CA Digital Certificate Store in Sterling B2B Integrator.
cache_ttl(Required with -a) The time-to-live in seconds for OCSP responses in the internal cache.
trans_prof_oid(Required with -a) The object ID of a transport configured for communicating with the OCSP responder.
comm_bp(Required with -a) Name of a business process to use to communicate with the OCSP responder. This has to be a business process that does HTTP communication. Services in the business process have to be configured to not require or present HTTP headers when sending and receiving, respectively. The process HTTPClientSend that comes with the system can be used and is recommended.
comm_wait(Required with -a) The number of seconds to wait for communication with the responder until inferring that an error has occurred.
send_nonce(Required with -a) Indicates if a NONCE value will be sent to the OCSP service. The NONCE value is used to prevent replay attacks by some OCSP providers.
require_nonce(Required with -a) Indicates if the server should require that the OCSP service provide a NONCE value in the response.
object_id

(Optional with -a) An object ID to use when creating this record.

SetSystemCertOCSPInfo.sh SetSystemCerOCSPInfo.cmd
This utility will set the OCSP information in the database for a single system certificate
ArgumentDescription
-o, -n

How to interpret the second argument:

-o object_ID

-n name

Object_ID/Name

Object ID or name of the authority as determined by argument 1.

SetSystemCertOCSPInfo.sh and SetTrustedCertOCSPInfo.cmd
This utility will set the OCSP information in the database for a single trusted certificate
ArgumentDescription
-o, -n

How to interpret the second argument:

-o object_ID

-n name

Object_ID/Name

Object ID or name of the authority as determined by argument 1.

Use the following example to learn how to run the OCSP configuration scripts. These scripts assume that you have already checked in the CA certificates for the authority, started the database, are in the bin directory of your Sterling B2B Integrator installation and have sourced the file tmp.sh in the bin directory.

After getting the object ID of the CA certificate from the authority, in Sterling B2B Integrator from the Administration menu, select Trading Partners > Digital Certificates-CA. Select a certificate. The Certificate Summary dialog box appears with the certificate information, including its object ID.

Complete the following steps to run an OCSP Script: