Online Certificate Status Protocol

The Online Certificate Status Protocol (OCSP) is defined in RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. The protocol enables users to determine the revocation state of a specific certificate, and may provide a more efficient source of revocation information than is possible with Certificate Revocation Lists (CRL).

The protocol specifies the data exchanged between an OCSP client (for example, the Oracle Communications Session Border Controller) and an OCSP responder, the Certification Authority (CA), or its delegate, that issued the target certificate. An OCSP client issues a request to an OCSP responder and suspends acceptance of the certificate in question until the responder replies with a certificate status.

Certificate status is reported as

good
revoked
unknown

good indicates a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate is not revoked, but does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate’s validity interval.

revoked indicates that the certificate has been revoked, either permanently or temporarily.

unknown indicates that the responder cannot identify the certificate.

Caveats

OCSP is currently supported only on TLS interfaces; it is not currently supported for use with IKEv1 and IKEv2.

Online Certificate Status Protocol Configuration

OCSP configuration consists of:

Configuring one or more certificate status profiles; each profile contains information needed to contact a specific OCSP responder.
Enabling certificate revocation checking by assigning a certificate status profile to a previously configured TLS profile.

Access the cert-status-profile configuration element.

ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# cert-status-profile
ORACLE(cert-status-profile)#

name—Identify this cert-status-profile instance.
Each profile instance provides configuration data for a specific OCSP responder.
ip-address—Specify the IPv4 address of the OCSP responder.
port—Specify the destination port.

The default port number is 80.
realm-id —Specify the realm used to transmit OCSP requests.

The default is the wancom0 interface.

If the IP address resolved by DNS is not accessible from the identified realm, the SBC sends the OCSP request out on the wancom0 interface. If the address is not routeable, create a host-route configuration element.
requester-cert—Specify the requester certificate only if OCSP requests are signed; ignore this parameter if requests are not signed.

RFC 2560 does not require signed requests; however, local or CA policies can mandate digital signatures.
responder-cert—Identify the certificate used to validate OCSP responses.
This value is the public key of the OCSP responder.
RFC 2560 requires that all OCSP responders digitally sign OCSP responses, and that OCSP clients validate incoming signatures.

Provide the name of the certificate configuration element that contains the certificate used to validate the signed OCSP response.
retry-count—Specify the maximum number of times to retry an OCSP responder in the event of connection failure.
If the retry counter is exceeded, the OCSP requester either contacts another responder (if multiple responders have been configured within this cert-status-profile) and quarantines the unavailable responder for the period defined in the dead-time parameter.

In the absence of an explicitly configured value (an integer within the range 0 through 10), the default of 1 is used.
```
ORACLE(cert-status-profile)# retry-count 2
ORACLE(cert-status-profile)#
```
dead-time—Specify the quarantine period imposed on an unavailable OCSP responder.

The range is 0 through 3600 seconds, and the default is 0.

Customers using a single OCSP responder should retain the default value or specify a brief quarantine period to prevent lengthy service outages.
Retain the default values for type and trans-protocol.
Use done, exit, and verify-config to complete configuration of this cert-status-profile instance.
Repeat Steps 1 through 11 to configure additional certificate status profiles.

Enable Certificate Status Checking

After configuring certificate status profiles, enable checking certificates.

Access the tls-profile configuration element.

ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# tls-profile
ORACLE(tls-profile)#

cert-status-check—Enable OCSP in conjunction with an existing TLS profile.
cert-status-profile-list—Assign one or more cert-status-profiles to the current TLS profile.

Each assigned cert-status-profile provides the information needed to access a single OCSP responder.

Use quotation marks to assign multiple OCSP responders. The following sequence assigns three cert-status-profiles (VerisignClass3Designate, Verisign-1, and Thawte-1) to the TLS-1 profile.

Use done, exit, and verify-config to complete configuration.

Sample Configuration:

ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# cert-status-profile
ORACLE(cert-status-profile)# name VerisignClass3Designate
ORACLE(cert-status-profile)# ip-address 192.168.7.100
ORACLE(cert-status-profile)# responder-cert VerisignClass3ValidateOCSP
ORACLE(cert-status-profile)# done
ORACLE(cert-status-profile)# exit
...
...
ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# tls-profile
ORACLE(tls-profile)# select
<name>:
1. TLS-1
2. TLS-2
3. TLS-3
selection: 1
ORACLE(tls-profile)# cert-status-check enabled
ORACLE(cert-status-profile)# cert-status-profile-list "VerisignClass3Designate Verisign-1 Thawte-1"
ORACLE(cert-status-profile)# done
ORACLE(cert-status-profile)# exit

The tls-profile configuration element is not RTC supported for MSRP Online Certificate Status Protocol. To support MSRP OCSP, reboot the SBC.

Unreachable OCSP Responder

With OCSP enabled, the client implementation running on the SBC supports message exchange between the SBC and an OCSP responder as specified in RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. The SBC contacts the OCSP responder whenever a remote client attempts to establish an SSL/TLS connection with the SBC. The SBC sends a request to the OCSP responder to check the current status of the certificate presented by the remote client. The SBC suspends processing of the SSL/TLS connection request pending receipt of the OCSP response. In previous releases (prior to Version S-CX6.3.0), a good OCSP response resulted in the establishment of a secure SSL/TLS connection. A revoked or unknown OCSP response, or the failure to reach an OCSP responder, resulted in the rejection of the connection attempt.

This behavior, which adheres to the requirements of RFC 2560, conflicts with the requirements of Section 5.4.6.2.1.6.4.a.i of UCR 2008 which requires an OCSP client to attempt authentication of remote clients in the event of an unreachable OCSP responder.

The attribute ignore-dead-responder in the TLS profile configuration element provides compliance with DISA/DoD requirements specifying OCSP client operations when faced with unreachable OCSP responders. By default, the attribute is disabled meaning that all client connections will be disallowed in the event of unreachable OCSP responders.

In DISA/DoD environments ignore-dead-responder should be enabled, allowing local certificate-based authentication by the SBC in the event of unreachable OCSP responders. Successful authentication is achieved if the certificate presented by the remote client was signed by a Certificate Authority (CA) referenced by the trusted-ca-certificates attribute. If the local authentication succeeds, the secure TLS/SSL connection is established; otherwise the connection is rejected.

Unreachable OCSP Responder Configuration

The following sample configuration implements DISA/DoD-compliant client behavior in the event of an unreachable OCSP responder.

ACMEPACKET# configure terminal 
ACMEPACKET(configure)# security#
ACMEPACKET(security)# tls-profile
ACMEPACKET(security)# show
tls-profile
        name                        DoD
        end-entity-certificate      sylarCert-2048
        trusted-ca-certificates     dod1 dod2 disaA disaB IBM1
        cipher-list                 all
        verify-depth                10
        mutual-authenticate         disabled
        tls-version                 tlsv13
        cert-status-check           enabled
        cert-status-profile-list    DoD
        ignore-dead-responder       enabled
        ...
        ...
ACMEPACKET(tls-profile)#

OCSP Status Monitoring

OCSP monitoring is provided to track the reachability of individual OCSP responders, and, in topologies containing multiple OCSP responders, the overall availability of the OCSP service.

If monitoring is enabled for individual OCSP responders, reachability is monitored by observing responder transactions.

Initially, all OCSP responders are considered reachable. If a previously reachable OCSP responder fails to respond to a certificate status request, the SBC marks the OCSP responder as unreachable, and generates an SNMP trap and log entry indicating that status. If a previously unreachable OCSP responder responds to a certificate status request, the SBC returns the OCSP responder to the reachable status, and generates an SNMP trap and log entry indicating that status change.

Use the following procedure to enable monitoring of individual OCSP responders.

Navigate to the new security-config configuration element.

ORACLE# configure terminal 
ORACLE(configure)# security# 
ORACLE(security)# security-config 
ORACLE(security-config)#

Enable monitoring of individual OCSP responders by setting the ocsr-monitoring-traps attribute to enabled; this attribute is disabled by default.
```
ORACLE(security-config)# ocsr-monitoring-traps enabled 
ORACLE(security-config)# 
```
Use done, exit, and verify-config to complete required configuration.
Reachability status of individual OCSP responders is aggregated to monitor the overall availability of the OCSP service. Using the procedure explained above, the Oracle Communications Session Border Controller maintains a count of all OCSP responders, and of all reachable OCSP responders.
- If all OCSP responders are reachable, the SBC generates a trap and log entry noting this optimal state.
- If all OCSP responders are unreachable, the SBC generates a trap and log entry noting this erroneous state.
- When the SBC transitions from either of the two states described above (in the optimal state, when an OCSP responder becomes unreachable; in the erroneous state, when an unreachable OCSP responder becomes reachable), the SBC generates a trap and log entry indicating that an unspecified number of OCSP responders are reachable.
Monitoring of the OCSP service availability is a by-product of enabling SNMP; no further configuration is required.

OCSP Access via FQDN

OCSP responders can be accessed via IPv4 addresses and port numbers as well as FQDNs. Since multiple public key infrastructure (PKI) elements capable of supporting OCSP requests can exist within a DISA/DoD environment, the Domain Name Service (DNS) lookup that resolves the FQDN can result in more than one OCSP responder IP address being returned to the SBC in its role of OCSP client. When processing a lookup that contains more than one IP address, the SBC uses a  round-robin algorithm to select from the list of OCSP responder addresses.

OCSP access via FQDN is available on all media interfaces and on the wancom0 administrative interface. Note that support for FQDN-based access requires the configuration of DNS support.

If the realm attribute is configured in the certificate-status-profile configuration element, the required DNS query is issued on the corresponding network interface. This model requires configuration of the dns-ip-primary attribute, and optionally the dns-ip-backup1 and dns-ip-backup2 attributes for the realm’s network interface.

If the realm attribute is not configured in the certificate-status-profile, the required DNS query is issued on the wancom0 interface. This model requires configuration of the dns-ip-primary attribute, and optionally the dns-ip-backup1 and  dns-ip-backup2 attributes for the wancom0 interface.

Access via an FQDN is supported by the hostname attribute in the  cert-status-profile configuration element.

The SBC allows configuration of both an OCSP responder IP address and port number (using the ip-address and port attributes) and an OCSP responder domain (using the hostname attribute).

In such cases the verify-config command issues a warning and notes that  IP address-based access will be used.

OCSP Access Configuration via IP Address

The following sample configuration accesses an OCSP responder at 192.168.7.100:8080.

ORACLE# configure terminal
ORACLE(configure)# security#
ORACLE(secirity)# cert-status-profile#
ORACLE(cert-status-profile)# show
cert-status-profile
       name                      defaultOCSP
       ip-address                192.168.7.100
       hostname
       port                      8080
       type                      OCSP
       trans-proto               HTTP
       requestor-cert            ocspVerisignClient
       responder-cert            VerisignCA2
       trusted-cas
       realm-id                  admin
       retry-count               1
       dead-time                 0
       last-modified-by
       last-modified-date
ORACLE(cert-status-profile)#

OCSP Access Configuration via FQDN

The following sample configuration accesses one or more OCSP responders at example.disa.mil.

Note that in the absence of a specified domain, the wancom0 interface must be DNS-enabled.

ORACLE# configure terminal
ORACLE(configure)# security#
ORACLE(cert-status-profile)# show
cert-status-profile
        name                        DISAdomain2
        ip-address
        hostname                    example.disa.mil
        port
        type                        OCSP
        trans-proto                 HTTP
        requestor-cert
        responder-cert
        trusted-cas                 dod1 dod2 disaA disaB IBM1
        realm-id
        retry-count                 1
        dead-time                   0
        last-modified-by
        last-modified-date
ORACLE(cert-status-profile)#

Direct and Delegated Trust Models

RFC 2560 specifies that an OCSP responder must digitally sign OCSP responses, and that an OCSP client must validate the received signature. In prior releases, successful validation of the signed response served to authenticate the responder. Such an authentication method is referred to as a direct trust model in that it does not require confirmation from a trusted Certificate Authority (CA). Rather it requires that the OCSP client be in possession of the public counterpart of the private key used by the OCSP responder to sign the response. This certificate is identified by the responder-cert attribute in the cert-status-profile configuration element.

The SBC continues support for the direct trust model, while also supporting an alternative delegated trust model as described in Section 5.4.6.2.1.6.1.e.3.c of UCR 2010. The delegated trust model requires that the OCSP responder be authenticated by a trusted CA. Within the DISA/DoD delegated trust model, an OCSP responder certificate is appended to every response, thus eliminating the need for a pre-provisioned responder certificate. The appended certificate is a signing certificate issued and signed by a DoD-approved CA that issued the certificate that is being validated. These OCSP responder certificates have a short lifespan and are reissued regularly.

Direct Trust Model Configuration

The direct trust model is used in virtually all commercial/enterprise environments. Configuration of the direct trust model is unchanged from that contained in the latest version of your hardware or the Oracle Communications Session Border ControllerConfiguration Guide.

Delegated Trust Model Configuration

The delegated trust model is used exclusively in some strict DISA/DoD environments; other DISA/DoD environments may support both the direct and delegated trust models.

Use the following procedure to configure OCSP for DISA/DoD environments.

From superuser mode, use the following command sequence to access cert-status-profile configuration mode. While in this mode, you configure a cert-status-profile configuration element, a container for the information required to access a single, specific OCSP responder.
```
ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# cert-status-profile
ORACLE(cert-status-profile)#
```
The name attribute differentiates cert-status-profile configuration elements one from another. Each cert-status-profile provides configuration information for a single, specific OCSP responder.
The type attribute selects the certificate revocation check methodology, the only currently supported methodology is OCSP.
Retain the default value (http) for trans-protocol attribute, which identifies the transport method used to access the OCSP responder.
The ip-address attribute works in conjunction with the port attribute to provide the IP address of the OCSP responder.

ip-address identifies the OCSP responder by its IP address. port identifies the port monitored by the HTTP server for incoming OCSP requests.

The port attribute can be safely ignored if the OCSP responder is specified as a FQDN by the host-name attribute, but is required if the OCSP responder is identified by the ip-address attribute.

Allowable port values are integers within the range 1025 through 65535. In the absence of an explicitly configured value, the system provides a default value of 80, the well-known HTTP port.
Alternatively, use the host-name attribute to identify the OCSP responder.

host-name identifies the OCSP responder by a FQDN.

If you provide both an IPv4 address/port number and a FQDN, the Oracle Communications Session Border Controller uses the IP address/port number and ignores the FQDN.

If values are provided for both attributes, the Security Gateway uses the IP address and ignores the host-name value.
The realm-id attribute specifies the realm used to access the OCSP responder.

In the absence of an explicitly configured value, the Oracle Communications Session Border Controller provides a default value of wancom0, specifying OCSP transmissions across the wancom0 management interface.

If the OCSP responder identified by a FQDN, the realm identified by realm-id must be DNS-enabled.
The requester-cert attribute is meaningful only if OCSP requests are signed; ignore this attribute if requests are not signed.

RFC 2560 does not require the digital signature of OCSP requests. OCSP responders, however, can impose signature requirements.

If a signed request is required by the OCSP responder, provide the name of the certificate configuration element that contains the certificate used to sign OCSP requests.
The responder-cert attribute identifies the certificate used to validate signed OCSP response — a public key of the OCSP responder.

In DISA/DoD environments that support the direct trust model, optionally provide the name of the certificate configuration element that contains the certificate used to validate the signed OCSP response.

If a responder-cert is provided, it is only used if the OCSP response has no appended certificates, in which case the OCSP client attempts to validate the response signature. Depending on the validation failure or success, the response is rejected or accepted.

If the OCSP response has an appended certificate or certificate chain, the responder-cert is ignored, and the trusted-cas list is used to validate the appended certificate(s).
The trusted-cas attribute (a list of certificate configuration objects) identifies the approved DoD-approved CAs that sign OCSP responder certificates.

In DISA/DoD environments that support the delegated trust model, you must provide a list of CAs used to validate the received certificate.

If a certificate or a certificate chain is appended to the OCSP response, the OCSP client verifies that the first certificate signed the response, and that the CA is trusted by the Oracle Communications Session Border Controller (that is, the CA certificate is contained in the trusted-cas list. The client then walks through each additional certificate (if any exist) ensuring that each certificate is also trusted. If all certificates are trusted, the OCSP response is accepted; otherwise, it is rejected.
The retry-count attribute specifies the maximum number of times to retry an OCSP responder in the event of connection failure.

If the retry counter specified by this attribute is exceeded, the OCSP requester contacts another responder (if multiple responders have been configured) and quarantines the unavailable responder for a period defined the dead-time attribute.

In the absence of an explicitly configured value (an integer within the range 0 through 10), the Oracle Communications Session Border Controller provides a default value of 1 (connection retries).
The dead-time attribute specifies the quarantine period imposed on an unavailable OCSP responder.

In the absence of an explicitly configured value (an integer within the range 0 through 3600 seconds), the Oracle Communications Session Border Controller provides a default value of 0 (no quarantine period).

Customer implementations utilizing a single OCSP responder are encouraged to retain the default value, or to specify a brief quarantine period to prevent lengthy service outages.
Use done, exit, and verify-config to complete configuration of this cert-status-profile instance.
Repeat Steps 1 through 13 to configure additional cert-status-profile configuration elements.