Online Certificate Status Protocol (OCSP) Support in Sterling B2B Integrator
The Online Certificate Status Protocol (OCSP) is a set of ASN.1 defined data structures for requesting and receiving information about certificate revocation status. These data structures can be sent and received by many transport protocols in principle. In practice, HTTP is used.
An OCSP client sends questions and processes responses. An OCSP responder answers questions and generates responses.
An OCSP client implementation consists of the following:
- Data structures for managing information about OCSP responders
- Functionality for generating OCSP requests
- Functionality for processing OCSP responses
- Functionality for transmitting OCSP requests and receiving OCSP responses
An OCSP check for a certificate in Sterling B2B Integrator is determined when the OCSP check within Sterling B2B Integrator is implemented as a part of internal system APIs used by services for getting certificates and keys from the database. OCSP checks are performed by Sterling B2B Integrator when methods are called to get certificates and keys from the objects that encapsulate them in the database.
The following steps describe how the OCSP check is implemented in Sterling B2B Integrator:
- The system checks the object that encapsulates the certificate to determine if OCSP checking is enabled. This allows the system to determine with no additional database calls whether to attempt an OCSP check.
- If OCSP checking is enabled, the system retrieves the encoded issuer name from a certificate.
- The system hashes the encoded issuer name with SHA1.
- The system attempts to find an authority configured in the system that has a name whose hash matches that of the certificate. If no authority is found, no check is performed.
- If an authority is found, the system checks the OCSP policy for the authority. If the policy permits or requires OCSP checks, see the CERT_AUTHORITY table for more information. The system attempts to find an OCSP responder for the authority.
- If an OCSP responder is found for the authority, an OCSP check is attempted. If no OCSP responder is found for the authority, one of the following happens:
- If the authorization policy is set to always check, an exception is thrown and the check fails.
- If the authorization policy is to only check when a responder is configured, no check is performed.
- CERT_AUTHORITY
- OCSP_RESPONDER
CERT_AUTHORITY
The CERT_AUTHORITY table maintains information about certificate authorities.
Column | Type | Description |
OBJECT_ID | VARCHAR (255) | This is a GUID that constitutes a unique ID for a record. This is the primary key. Cannot be null. |
NAME | VARCHAR (255) | A name for a record. Null allowed. |
CREATE_DATE | DATETIME | A create date for a record. |
MODIFIED_DATE | DATETIME | The date a record was last modified. |
MODIFIED_BY | VARCHAR(255) | Information about who modified a record. |
ISSUER_NAME | BLOB | The RDN of the authority is taken from its certificate. |
HASH_ALG | VARCHAR(128) | The hash algorithm is used to compute name and key hashes. Only SHA1 is supported. |
RDN_HASH | VARCHAR(255) | BASE64 encoded SHA1 hash of the DER encoded issuer RDN taken from the authority’s certificate. This column is indexed. |
KEY_HASH | VARCHAR(255) | BASE64 encoded SHA1 hash of the encoded public key in the issuer’s certificate |
CERT_OID | VARCHAR(255) | The OBJECT_ID of the authority’s certificate is in the CA_CERT_INFO table. Each authority must have a CA certificate in the database. Nulls are not allowed. |
OCSP_POLICY | VARCHAR(128) | The OCSP policy for the authority. This consists of two comma-separated values. The values describe when to use OCSP and what to check. Possible values are: OCSP_When
OCSP_What
|
CRL_POLICY | VARCHAR(128) | Currently not used. |
LOCK_ID | INTEGER | Used by the system to lock rows in the table. |
CREATES | TIMESTAMP | The timestamp of record creation for a row in the table. |
MODIFY | TIMESTAMP | The last modification time for a row in the table. |
CREATEUSERID | VARCHAR(40) | The user ID that created a row in the table. |
MODIFYUSERID | VARCHAR(40) | The user ID that modified a row in the table. |
CREATEPROGID | VARCHAR(40) | The name of a program or object that created a row in the table. |
MODIFYPROGID | VARCHAR(40) | The name of a program or object that modified a record in the table. |
OCSP_RESPONDER
The OCSP_RESPONDER table maintains information about OCSP responders.
Column | Type | Description |
OBJECT_ID | VARCHAR (255) | This is a GUID that constitutes a unique ID for a record. This is the primary key. Cannot be null. |
NAME | VARCHAR (255) | A name for a record. Null allowed. |
CREATE_DATE | DATETIME | A create date for a record. |
MODIFIED_DATE | DATETIME | The date a record was last modified. |
MODIFIED_BY | VARCHAR(255) | Information about who modified a record. |
ISSUER_NAME | BLOB | The RDN of the authority is taken from its certificate. |
HASH_ALG | VARCHAR(128) | The hash algorithm is used to compute name and key hashes. Only SHA1 is supported. |
RDN_HASH | VARCHAR(255) | BASE64 encoded SHA1 hash of the DER encoded issuer RDN taken from the authority’s certificate. This column is indexed. |
KEY_HASH | VARCHAR(255) | BASE64 encoded SHA1 hash of the encoded public key in the issuer’s certificate |
CERT_OID | VARCHAR(255) | The OBJECT_ID of the authority’s certificate is in the CA_CERT_INFO table. Each authority must have a CA certificate in the database. Nulls are not allowed. |
CACHE_TTL | VARCHAR(64) | The time in seconds to allow OCSP responses to life in the internal response cache If the column is NULL, OCSP responses will only be cached for 1 second, which in practice means not at all. |
TRANS_PROF_OID | VARCHAR(255) | OBJECT_ID of a profile in the GIS database. You have to create a profile for the OCSP responder that includes the correct URL for the responder. |
COMM_BP | VARCHAR(255) | Name of a business process to use to communicate with the OCSP responder. This has to be a business process that does HTTP communication. Services in the business process have to be configured to not require or present HTTP headers when sending and receiving, respectively. The process HTTPClientSend that comes with the system can be used and is recommended |
COMM_WAIT | VARCHAR(24) | The number of seconds to wait for communication with the OCSP responder to take place before inferring that something is wrong. |
LOCK_ID | INTEGER | Used by the system to lock rows in the table. |
CREATES | TIMESTAMP | The timestamp of record creation for a row in the table. |
MODIFY | TIMESTAMP | The last modification time for a row in the table. |
CREATEUSERID | VARCHAR(40) | The user ID that created a row in the table. |
MODIFYUSERID | VARCHAR(40) | The user ID that modified a row in the table. |
CREATEPROGID | VARCHAR(40) | The name of a program or object that created a row in the table. |
MODIFYPROGID | VARCHAR(40) | The name of a program or object that modified a record in the table. |
SEND_NONCE | VARCHAR(8) | Indicates whether to send a nonce with OCSP requests. Valid values:
|
REQ_NONCE | VARCHAR(8) | Indicates whether to require a nonce in OCSP responses. The system only recognizes the requirement for nonces on responses if it is required to send them in requests (SEND_NONCE=true). Valid values:
|
RESP_CERT_IN_CA_STORE | VARCHAR(8) | Indicates whether the certificate used to verify signatures on OCSP responses is in the CA store. Valid values:
|
RESP_CERT_OID | VARCHAR(255) | The object ID of the certificate is used to verify signatures on OCSP responses. This is the object ID of a record in the CA_CERT_INFO or TRUSTED_CERT_INFO table. |
When configuring the system, you can create as many authorities and responders as you like.
To configure the system to use OCSP:
- Check the certificate for the certificate authority who issues the certificates you want to check in with OCSP into Sterling Integrator to verify it is a CA certificate.
- List the CA certificates in the system and get the object ID for the certificate you just installed.
- If the authority’s OCSP response signing certificate is different than the authority’s certificate issuing certificate, check the authority’s OCSP response signing certificate into Sterling Integrator as a Trusted certificate.
- If you checked in an additional OCSP signing certificate, list the Trusted certificates in the system and get the object ID for the certificate you just installed.
- Go to the bin directory of the Sterling Integrator installation.
- Start the database if necessary.
- Start the bash or sh shell.
- Source the file tmp.sh
- Create an authority using the utility in the class com.sterlingcommerce.security.ocsp.SCICertAuthority.
- Create an OCSP responder using the utility in the class com.sterlingcommerce.security.ocsp.SCIOCSPResponder
- Update the certificates for the authority or individual certificates to enable OCSP. The utility com.sterlingcommerce.security.ocsp.SetAuthorityCertificatesOCSPInfo will configure all trusted and system certificates for an authority. The utility com.sterlingcommerce.security.ocsp.SetSystemCertificateOCSPInfo will configure one system certificate. The utility com.sterlingcommerce.security.ocsp.SetTrustedCertificateOCSPInfo will configure one trusted certificate.
The following scripts run the OCSP configuration utilities. There is a Unix/Linux and Windows version of each script. The scripts take the same command-line arguments as the utility programs they invoke. The scripts are located in the bin directory of the product install. The information about the command-line arguments is repeated in this section describing the scripts.
ManageCertAuthority.sh and ManageCertAuthority.cmd
Argument | Description |
-a, -l, -d, -u2 | Operation to perform:
The –l option takes no additional arguments. The –d option takes a single argument: the object ID of the record to delete |
Name | Name of the authority. Required with -a. |
Modified_by | User who modified or created the identity. Required with –a. |
Hash_alg | Hash algorithm for the authority. Only the value “SHA1” is supported. Required with –a. |
Certificate_id | Object ID of the CA certificate associated with the authority. Required with –a. |
OCSP_policy | The OCSP policy string for the authority. This is a comma-delimited string as described in the section on the CERT_AUTHORITY table. Required with –a. For the first element of the string, the following are permitted:
For the second element of the string, the following are permitted: OCSP What
Examples:
|
Crl_policy | CRL policy string for the authority. Required with –a. A value is required for this argument, but it is not currently used. “None” is acceptable. |
Object_ID | An object ID to use when creating this record. Optional with -a. Required with -u2. |
ManageOCSPResponder.sh and ManageOCSPResponder.cmd
Argument | Description |
-l | Gets a list of the currently configured OCSP Responders. This option takes no additional arguments. |
-d | Deletes the configured OCSP Responder with the provided object ID for responders configuration data. This option takes object_id as an additional argument. |
-u2 | Updates existing records in the database with the correct information about the public key of the authority certificate and the subject DN of the authority certificate. This needs to be run against all existing records for both Cert Authority and OCSP Responders, or you need to delete and recreate the records to get the proper information into the database. This option takes object_id as an additional argument. |
-a | Adds configuration data for a new OCSP Responder to be used for checking the status of certificates issued by the provided authority. Additional arguments are name, modified_by, hash_alg, authority_cert_oid, response_signing_cert_oid, resp_signing_cert_in_ca_store, cache_ttl, trans_prof_oid, comm_bp, comm_wait, send_nonce, require_nonce, and object_id. |
name | (Required with -a) Name of the authority. |
modified_by | (Required with -a) User who modified or created the identity. |
hash_alg | (Required with -a) Hash algorithm for the authority. Only the value “SHA1” is supported. |
authority_cert_oid | (Required with -a) Object ID of the CA certificate associated with the authority. |
response_signing_cert_oid | (Required with -a) Object ID of the certificate that the provider of the OCSP services used to sign the response providing the status for the certificates. This certificate must be added to the CA Digital Certificate store or the Trusted Digital Certificate store. This is the System Certificate ID for the certificate as it appears in the store. |
resp_signing_cert_in_ca_store | (Required with -a) Flag indicating if the previous value for the response_signing_cert_oid argument is found in the CA Digital Certificate Store in Sterling B2B Integrator. |
cache_ttl | (Required with -a) The time-to-live in seconds for OCSP responses in the internal cache. |
trans_prof_oid | (Required with -a) The object ID of a transport configured for communicating with the OCSP responder. |
comm_bp | (Required with -a) Name of a business process to use to communicate with the OCSP responder. This has to be a business process that does HTTP communication. Services in the business process have to be configured to not require or present HTTP headers when sending and receiving, respectively. The process HTTPClientSend that comes with the system can be used and is recommended. |
comm_wait | (Required with -a) The number of seconds to wait for communication with the responder until inferring that an error has occurred. |
send_nonce | (Required with -a) Indicates if a NONCE value will be sent to the OCSP service. The NONCE value is used to prevent replay attacks by some OCSP providers. |
require_nonce | (Required with -a) Indicates if the server should require that the OCSP service provide a NONCE value in the response. |
object_id | (Optional with -a) An object ID to use when creating this record. |
SetSystemCertOCSPInfo.sh SetSystemCerOCSPInfo.cmd
Argument | Description |
-o, -n | How to interpret the second argument: -o object_ID -n name |
Object_ID/Name | Object ID or name of the authority as determined by argument 1. |
SetSystemCertOCSPInfo.sh and SetTrustedCertOCSPInfo.cmd
Argument | Description |
-o, -n | How to interpret the second argument: -o object_ID -n name |
Object_ID/Name | Object ID or name of the authority as determined by argument 1. |
Use the following example to learn how to run the OCSP configuration scripts. These scripts assume that you have already checked in the CA certificates for the authority, started the database, are in the bin directory of your Sterling B2B Integrator installation and have sourced the file tmp.sh in the bin directory.
After getting the object ID of the CA certificate from the authority, in Sterling B2B Integrator from the Administration menu, select Trading Partners > Digital Certificates-CA. Select a certificate. The Certificate Summary dialog box appears with the certificate information, including its object ID.
Complete the following steps to run an OCSP Script: