The Online Certificate Status Protocol (OCSP) is a set of ASN.1 defined data structures for requesting and receiving information about certificate revocation status. These data structures can be sent and received by many transport protocols in principle. In practice, HTTP is used.
An OCSP client sends questions and processes responses. An OCSP responder answers questions and generates responses.
An OCSP client implementation consists of the following:
An OCSP check for a certificate in Sterling B2B Integrator is determined when the OCSP check within Sterling B2B Integrator is implemented as a part of internal system APIs used by services for getting certificates and keys from the database. OCSP checks are performed by Sterling B2B Integrator when methods are called to get certificates and keys from the objects that encapsulate them in the database.
The following steps describe how the OCSP check is implemented in Sterling B2B Integrator:
The CERT_AUTHORITY table maintains information about certificate authorities.
| Column | Type | Description |
| OBJECT_ID | VARCHAR (255) | This is a GUID that constitutes a unique ID for a record. This is the primary key. Cannot be null. |
| NAME | VARCHAR (255) | A name for a record. Null allowed. |
| CREATE_DATE | DATETIME | A create date for a record. |
| MODIFIED_DATE | DATETIME | The date a record was last modified. |
| MODIFIED_BY | VARCHAR(255) | Information about who modified a record. |
| ISSUER_NAME | BLOB | The RDN of the authority is taken from its certificate. |
| HASH_ALG | VARCHAR(128) | The hash algorithm is used to compute name and key hashes. Only SHA1 is supported. |
| RDN_HASH | VARCHAR(255) | BASE64 encoded SHA1 hash of the DER encoded issuer RDN taken from the authority’s certificate. This column is indexed. |
| KEY_HASH | VARCHAR(255) | BASE64 encoded SHA1 hash of the encoded public key in the issuer’s certificate |
| CERT_OID | VARCHAR(255) | The OBJECT_ID of the authority’s certificate is in the CA_CERT_INFO table. Each authority must have a CA certificate in the database. Nulls are not allowed. |
| OCSP_POLICY | VARCHAR(128) | The OCSP policy for the authority. This consists of two comma-separated values. The values describe when to use OCSP and what to check. Possible values are: OCSP_When
OCSP_What
|
| CRL_POLICY | VARCHAR(128) | Currently not used. |
| LOCK_ID | INTEGER | Used by the system to lock rows in the table. |
| CREATES | TIMESTAMP | The timestamp of record creation for a row in the table. |
| MODIFY | TIMESTAMP | The last modification time for a row in the table. |
| CREATEUSERID | VARCHAR(40) | The user ID that created a row in the table. |
| MODIFYUSERID | VARCHAR(40) | The user ID that modified a row in the table. |
| CREATEPROGID | VARCHAR(40) | The name of a program or object that created a row in the table. |
| MODIFYPROGID | VARCHAR(40) | The name of a program or object that modified a record in the table. |
The OCSP_RESPONDER table maintains information about OCSP responders.
| Column | Type | Description |
| OBJECT_ID | VARCHAR (255) | This is a GUID that constitutes a unique ID for a record. This is the primary key. Cannot be null. |
| NAME | VARCHAR (255) | A name for a record. Null allowed. |
| CREATE_DATE | DATETIME | A create date for a record. |
| MODIFIED_DATE | DATETIME | The date a record was last modified. |
| MODIFIED_BY | VARCHAR(255) | Information about who modified a record. |
| ISSUER_NAME | BLOB | The RDN of the authority is taken from its certificate. |
| HASH_ALG | VARCHAR(128) | The hash algorithm is used to compute name and key hashes. Only SHA1 is supported. |
| RDN_HASH | VARCHAR(255) | BASE64 encoded SHA1 hash of the DER encoded issuer RDN taken from the authority’s certificate. This column is indexed. |
| KEY_HASH | VARCHAR(255) | BASE64 encoded SHA1 hash of the encoded public key in the issuer’s certificate |
| CERT_OID | VARCHAR(255) | The OBJECT_ID of the authority’s certificate is in the CA_CERT_INFO table. Each authority must have a CA certificate in the database. Nulls are not allowed. |
| CACHE_TTL | VARCHAR(64) | The time in seconds to allow OCSP responses to life in the internal response cache If the column is NULL, OCSP responses will only be cached for 1 second, which in practice means not at all. |
| TRANS_PROF_OID | VARCHAR(255) | OBJECT_ID of a profile in the GIS database. You have to create a profile for the OCSP responder that includes the correct URL for the responder. |
| COMM_BP | VARCHAR(255) | Name of a business process to use to communicate with the OCSP responder. This has to be a business process that does HTTP communication. Services in the business process have to be configured to not require or present HTTP headers when sending and receiving, respectively. The process HTTPClientSend that comes with the system can be used and is recommended |
| COMM_WAIT | VARCHAR(24) | The number of seconds to wait for communication with the OCSP responder to take place before inferring that something is wrong. |
| LOCK_ID | INTEGER | Used by the system to lock rows in the table. |
| CREATES | TIMESTAMP | The timestamp of record creation for a row in the table. |
| MODIFY | TIMESTAMP | The last modification time for a row in the table. |
| CREATEUSERID | VARCHAR(40) | The user ID that created a row in the table. |
| MODIFYUSERID | VARCHAR(40) | The user ID that modified a row in the table. |
| CREATEPROGID | VARCHAR(40) | The name of a program or object that created a row in the table. |
| MODIFYPROGID | VARCHAR(40) | The name of a program or object that modified a record in the table. |
| SEND_NONCE | VARCHAR(8) | Indicates whether to send a nonce with OCSP requests. Valid values:
|
| REQ_NONCE | VARCHAR(8) | Indicates whether to require a nonce in OCSP responses. The system only recognizes the requirement for nonces on responses if it is required to send them in requests (SEND_NONCE=true). Valid values:
|
| RESP_CERT_IN_CA_STORE | VARCHAR(8) | Indicates whether the certificate used to verify signatures on OCSP responses is in the CA store. Valid values:
|
| RESP_CERT_OID | VARCHAR(255) | The object ID of the certificate is used to verify signatures on OCSP responses. This is the object ID of a record in the CA_CERT_INFO or TRUSTED_CERT_INFO table. |
When configuring the system, you can create as many authorities and responders as you like.
To configure the system to use OCSP:
The following scripts run the OCSP configuration utilities. There is a Unix/Linux and Windows version of each script. The scripts take the same command-line arguments as the utility programs they invoke. The scripts are located in the bin directory of the product install. The information about the command-line arguments is repeated in this section describing the scripts.
| Argument | Description |
| -a, -l, -d, -u2 | Operation to perform:
The –l option takes no additional arguments. The –d option takes a single argument: the object ID of the record to delete |
| Name | Name of the authority. Required with -a. |
| Modified_by | User who modified or created the identity. Required with –a. |
| Hash_alg | Hash algorithm for the authority. Only the value “SHA1” is supported. Required with –a. |
| Certificate_id | Object ID of the CA certificate associated with the authority. Required with –a. |
| OCSP_policy | The OCSP policy string for the authority. This is a comma-delimited string as described in the section on the CERT_AUTHORITY table. Required with –a. For the first element of the string, the following are permitted:
For the second element of the string, the following are permitted: OCSP What
Examples:
|
Crl_policy | CRL policy string for the authority. Required with –a. A value is required for this argument, but it is not currently used. “None” is acceptable. |
| Object_ID | An object ID to use when creating this record. Optional with -a. Required with -u2. |
| Argument | Description |
| -l | Gets a list of the currently configured OCSP Responders. This option takes no additional arguments. |
| -d | Deletes the configured OCSP Responder with the provided object ID for responders configuration data. This option takes object_id as an additional argument. |
| -u2 | Updates existing records in the database with the correct information about the public key of the authority certificate and the subject DN of the authority certificate. This needs to be run against all existing records for both Cert Authority and OCSP Responders, or you need to delete and recreate the records to get the proper information into the database. This option takes object_id as an additional argument. |
| -a | Adds configuration data for a new OCSP Responder to be used for checking the status of certificates issued by the provided authority. Additional arguments are name, modified_by, hash_alg, authority_cert_oid, response_signing_cert_oid, resp_signing_cert_in_ca_store, cache_ttl, trans_prof_oid, comm_bp, comm_wait, send_nonce, require_nonce, and object_id. |
| name | (Required with -a) Name of the authority. |
| modified_by | (Required with -a) User who modified or created the identity. |
| hash_alg | (Required with -a) Hash algorithm for the authority. Only the value “SHA1” is supported. |
| authority_cert_oid | (Required with -a) Object ID of the CA certificate associated with the authority. |
| response_signing_cert_oid | (Required with -a) Object ID of the certificate that the provider of the OCSP services used to sign the response providing the status for the certificates. This certificate must be added to the CA Digital Certificate store or the Trusted Digital Certificate store. This is the System Certificate ID for the certificate as it appears in the store. |
| resp_signing_cert_in_ca_store | (Required with -a) Flag indicating if the previous value for the response_signing_cert_oid argument is found in the CA Digital Certificate Store in Sterling B2B Integrator. |
| cache_ttl | (Required with -a) The time-to-live in seconds for OCSP responses in the internal cache. |
| trans_prof_oid | (Required with -a) The object ID of a transport configured for communicating with the OCSP responder. |
| comm_bp | (Required with -a) Name of a business process to use to communicate with the OCSP responder. This has to be a business process that does HTTP communication. Services in the business process have to be configured to not require or present HTTP headers when sending and receiving, respectively. The process HTTPClientSend that comes with the system can be used and is recommended. |
| comm_wait | (Required with -a) The number of seconds to wait for communication with the responder until inferring that an error has occurred. |
| send_nonce | (Required with -a) Indicates if a NONCE value will be sent to the OCSP service. The NONCE value is used to prevent replay attacks by some OCSP providers. |
| require_nonce | (Required with -a) Indicates if the server should require that the OCSP service provide a NONCE value in the response. |
| object_id | (Optional with -a) An object ID to use when creating this record. |
| Argument | Description |
| -o, -n | How to interpret the second argument: -o object_ID -n name |
| Object_ID/Name | Object ID or name of the authority as determined by argument 1. |
| Argument | Description |
| -o, -n | How to interpret the second argument: -o object_ID -n name |
| Object_ID/Name | Object ID or name of the authority as determined by argument 1. |
Use the following example to learn how to run the OCSP configuration scripts. These scripts assume that you have already checked in the CA certificates for the authority, started the database, are in the bin directory of your Sterling B2B Integrator installation and have sourced the file tmp.sh in the bin directory.
After getting the object ID of the CA certificate from the authority, in Sterling B2B Integrator from the Administration menu, select Trading Partners > Digital Certificates-CA. Select a certificate. The Certificate Summary dialog box appears with the certificate information, including its object ID.
Complete the following steps to run an OCSP Script:
./ManageCertAuthority.sh -a VPCA admin SHA1
"sedna:a1807c:11dc6d53ba4:-7b4b" "always,end-user" "none"./ManageOCSPResponder.sh -a VPCA admin SHA1
"sedna:a1807c:11dc6d53ba4:-7b4b" "2400" "a1807c:11dc79aacbd:-7570"
HTTPClientSend 3600./ManageCertAuthority.sh -lReturn output for each authority displays:
CERT_AUTHORITY:
OBJECT_ID: sedna:1ded0fd:11dc9d22929:-7fbd
NAME: VPCA
CREATE_DATE: 2008-11-23
MODIFIED_DATE: 2008-11-23
MODIFIED_BY: null
ISSUER_NAME: Country=US, StateOrProvince=Dublin,
OrganizationUnit=GIS Development,
Organization=Sterling,
CommonName=Test CA
HASH_ALG: SHA1
RDN_HASH: 24E63F8AE9F51497529EA0CC34467A4680737A9F
ENCODED_RDN_HASH: JOY/iun1FJdSnqDMNEZ6RoBzep8=
KEY_HASH: C96F2FF442EBFA07672DCEC49B729D4D24898313
ENCODED_KEY_HASH: yW8v9ELr+gdnLc7Em3KdTSSJgxM=
CERT_OID: sedna:a1807c:11dc6d53ba4:-7b4b
OCSP_WHEN_POLICY: always
OCSP_WHAT_POLICY: end-user
CRL_POLICY: null./SetAuthorityCertsOCSPInfo.sh -o
"sedna:1ded0fd:11dc9d22929:-7fbd" yesThe following steps describe the logic of OCSP checking in Sterling B2B Integrator:
If the certificate status is ok, the OCSP check succeeds. Otherwise, it fails.
Browse Categories
Share Blog Post
Sterling B2B Integrator supports translation, including support for several languages that can be used for the user interface and for notifications. In addition, some user documentation is available in the languages listed below.
Implementation Overview & Process – This section provides a sequential overview of the process to be followed in order to implement Sterling B2B Integrator.
Sterling B2B Integrator provides many powerful features to help you meet your business needs.
IBM® Sterling B2B Integrator supports only IBM MQ (formerly IBM Websphere MQ) as a messaging queue.
A messaging queue is required for Sterling B2B Integrator if you are using adapter containers.
IBM MQ version 9.0.0.4 or higher is supported.
For all databases that are supported by Sterling B2B Integrator, use the JDBC driver recommended by the database vendor for your database version.
To obtain the driver, go to the Microsoft Download Center at http://www.microsoft.com/en-us/download/default.aspx and search for the required SQL Server JDBC driver version.
For DB2, see http://www.ibm.com/support/docview.wss?uid=swg21363866 for information.
During installation or an upgrade, you must specify the initial port number for Sterling B2B Integrator.
To specify an initial port number, follow these guidelines:
For example, if you specify 10100 as the initial port number, then you need to make sure that 10100 through 10199 are not used by any other applications on your system.
During the upgrade, about 50 default ports are pre-assigned for different services. For example, if you do not want xxx32 (10132) to be a default port, you could assign another number within the port range.
After your installation or upgrade, refer to the following file for all of the port assignments.
An increased market demand for the enhanced Internet Protocol (IP) has lowered the worldwide supply of Internet Protocol version 4 (IPv4) addresses. The Internet Protocol version 6 (IPv6) expands the IP address space from 32 bits to 128 bits, providing an increased supply of IP addresses.
Sterling B2B Integrator is enabled for IPv6 support, providing a dual IPv4 and IPv6 stack, tunneling, proxying, and translation between the two IP address versions.
Sterling B2B Integrator interoperates with various related products, many of which do not yet support IPv6 addresses. Therefore, in Sterling B2B Integrator, a limited set of configurations use IPv6 addresses. The dual stack approach permits interoperability between Sterling B2B Integrator and a mixed set of IPv4 and IPv6 enabled services and adapters wherever feasible.
However, if you choose to implement an IPv6 installation, limitations exist in the Sterling B2B Integrator system requirements and the selected services and adapters. Consider the limitations before you attempt to install Sterling B2B Integrator with IPv6 addresses.
IPv6 supported combinations
The following table lists the IPv6 configuration combinations supported by Sterling B2B Integrator
Database | AIX® | Windows | Linux® (see note) |
|---|---|---|---|
| DB2® | Yes | No | Yes |
| MSSQL | No | No | Yes |
| Oracle | No | No | Yes |
| MySQL | No | No | Yes |
The following Sterling B2B Integrator components provide IPv6 compliance with some limitations.
Component | IPv6 compliance | Limitations |
|---|---|---|
| HTTP Client/Server adapter | Full | - |
| HTTP GET/POST service | Full | - |
| HTTP Begin/End Session adapter | Full | - |
| FTP Client/Server adapter | Full | - |
| PGP Package/Unpackage service | Full | - |
| Command Line Adapter 2 | Full | - |
| WebSphere MQ Suite | Full | - |
| JMS adapter | Partial | The URI does not accept IPv6 addresses as characters ‘[ ]' are not allowed. However, it works with a host name. |
| SFTP Client/Server adapter | Full | - |
| SMTP/POP3/MIME | Full | - |
| FSA | Full | - |
| Lightweight JDBC adapter | Partial | Supports an IPv6 remote host only with a DB2 and AIX combination. However, if your Sterling B2B Integrator installation is under an IPv6 address, the Lightweight JDBC adapter can still be used with any other database currently supported by the adapter by using an IPv4 remote host. |
| Web services | Full | - |
| BEA Tuxedo adapter | Full | - |
| Zengin adapter | Full | - |
| ConnectDirect | Full | Supports IPv6 on C:D UNIX 4.0 and C:D Windows 4.4.00 |
| E5 | Full | - |
| TIBCO adapter | Full | - |
| SNMP | Full | - |
| Transora adapter | Full | - |
| OFTP | Full | - |
| SAP Suite adapter | Unsupported | - |
| JGroups | Partial | Do not use IPV6 with JGroups on AIX |
The use of IPv6 addresses in an installation of Sterling B2B Integrator requires certain guidelines.
Consider the following IPv6 address information when you plan the installation:
0) between colons where there are no other numbers. For example, use [fe80:0:0:0:213:72ff:fe3c:21bf] instead of fe80::213:72ff:fe3c:21bf.You can install and run perimeter servers in a UNIX, Linux or Windows Server environment.
Perimeter servers can be co-resident with Sterling B2B Integrator installations or can be installed on remote servers. To take full advantage of the security features of a perimeter server, it should be installed on a different computer than where Sterling B2B Integrator is installed.
Perimeter servers are supported on the same operating system and JDK combinations as Sterling B2B Integrator. The operating system and JDK version that the perimeter server uses do not need to match the operating system and JDK version of Sterling B2B Integrator.
Refer to the JDK instructions for the operating system on which you are installing the perimeter server.
For more information about perimeter servers, see Installing and configuring perimeter servers.
The SWIFTNet7 adapter communicates to the SWIFTNet Network through the SWIFTNet MEFG Servers for SWIFTNet version 7. It responds to and accepts InterAct and FileAct messages that are sent by remote SWIFTNet correspondents.
If you are using the SWIFTNet7 Adapter on the IBM AIX platform, you must patch your IBM XL C/C++ runtime library to July 2009 Runtime for IBM XL C++ for AIX. Additionally, you must upgrade your AIX operating system to Version 6.1 (or higher).
If you are using SSL, you must upgrade to the latest security fix of the OpenSSL library that corresponds to the MEFG Installation version, for example OpenSSL 1.0.1p or OpenSSL 1.0.2d. It is recommended that you continue to monitor and apply the latest security fixes to the OpenSSL library to apply fixes to the OpenSSL security defects.
For OpenSSL, the download is available from OpenSSL (http://www.openssl.org).
For IBM AIX, the download is available from IBM (https://www.ibm.com/support/home/).
If you are using the SWIFTNet7 Adapter on the Windows platform, you must upgrade your Windows operating system to at least Windows Server 2008 R2 (with all security patches).
If you are using SSL, you must upgrade to the latest security fix of the OpenSSL library that corresponds to the MEFG Installation version, for example OpenSSL 1.0.1p or OpenSSL 1.0.2d. It is recommended that you continue to monitor and apply the latest security fixes to the OpenSSL library to apply fixes to the OpenSSL security defects.
For OpenSSL, the download is available from OpenSSL (http://www.openssl.org).
For Windows, the download is available from Microsoft® (Windows Server 2008 R2 and Windows Server 2008).
To use the SWIFTNet7 Adapter on the Red Hat Enterprise Linux platform, you must be using Red Hat Enterprise Linux Server Release 6.1 or higher x64, 64-bit Kernel, including any patches within 6.x. Supported kernel version: 2.6.18-164.2.1.el5 or higher within version 2.x.
Install the SWIFT Remote API for Linux before installing MEFG. The SWIFT Remote API download is available from SWIFT (http://www.swift.com), and shcould be a version compatable with MEFG and SWIFTNet Link.
If you are using SSL, you must also upgrade to the latest security fix of the OpenSSL library that corresponds to the MEFG Installation version. For example OpenSSL 1.0.1p or OpenSSL 1.0.2d. We recommend that you continue to monitor and continue to apply the latest security fixes to the OpenSSL library to apply fixes to OpenSSL security defects.
For Red Hat Enterprise Linux, any necessary downloads are available from RedHat (http://www.redhat.com/products/enterprise-linux/).
For OpenSSL, the download is available from RedHat (http://www.redhat.com).
Integration with WebSphere Transformation Extender (WTX) on Red Hat Enterprise Linux for IBM System z requires WebSphere Transformation Extender version 8.4.0.3.14.
You can choose between different security certificates before you install Sterling B2B Integrator.
If you install with the default SSL certificate, but you later want to switch to a CA-related certificate, you can change the certificate with the sslCert property in the noapp.properties_platform_ifcresources_ext.in file.
| Cookie | Duration | Description |
|---|---|---|
| cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
| cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
| cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
| cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
| cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
| viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
To deliver next-generation B2B and File Transfer capabilities
