Chapter 7. Using the Online Certificate Status Protocol Responder
passed since a particular validation request was made to the OCSP server, the cache
settings give the TPS the option of taking the certificate's validity from the cached value
rather than querying the responder again. This reduces the load on the OCSP responder, at the
price that a certificate revoked after its status was cached is still accepted until the cache
entry expires.
The default values that govern cache behavior all allow a fairly long time between
fetches to the OCSP server.
There are three parameters that control caching behavior:
• NSSOCSPCacheSize controls the number of certificate status responses that can be held in
the cache. The default is 1000.
• NSSOCSPMinCacheEntryDuration sets the minimum time that the TPS waits after checking a
certificate's status before it will query the responder about that certificate again, even if the
response's nextUpdate time has already passed. The value is in seconds (mod_nss hands these
directives to NSS's OCSP cache settings, which are expressed in seconds). To tighten security,
set this to a small value so that the responder is checked as often as possible and recently
revoked certificates are caught sooner; the cost is more traffic to the responder. The default
is one hour (3600).
• NSSOCSPMaxCacheEntryDuration sets the maximum time, in seconds, that a cached status is
used before the TPS checks the OCSP responder about the certificate again. OCSP responses
carry an optional nextUpdate field in which the responder tells the client when fresh status
is expected to be available. NSSOCSPMaxCacheEntryDuration caps that value, so a cached entry
is refreshed at least this often regardless of the window the responder suggested. The
default is one day (86400).
For example:
NSSOCSPCacheSize 1000
NSSOCSPMinCacheEntryDuration 60
NSSOCSPMaxCacheEntryDuration 80
8. Restart the subsystem. For example:
service pki-tps restart
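How the three directives interact is easier to see in a small model. The following Python is an added example written for this page, not code from Certificate System, mod_nss or NSS. It assumes the refresh rule stated in its comments (the next fetch happens at the responder's nextUpdate time, clamped to no sooner than the minimum and no later than the maximum entry duration) and a cache keyed by certificate serial that evicts the oldest entry once NSSOCSPCacheSize is exceeded; the serial number and the responder's behaviour are constructed test data. Running it shows the revocation lag the defaults allow (an hour) against the 60/80-second settings in the example above, and that a responder's long nextUpdate hint cannot stretch the cache window past the maximum.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Added example: models the mod_nss OCSP cache directives described above.
# Assumption (editor's reading of the directives, not NSS source): the next
# fetch for a cached certificate happens at the responder's nextUpdate time,
# clamped to no sooner than fetched_at + min and no later than fetched_at + max.
# All times are integer seconds.


@dataclass(frozen=True)
class OcspCachePolicy:
    cache_size: int = 1000           # NSSOCSPCacheSize
    min_entry_duration: int = 3600   # NSSOCSPMinCacheEntryDuration (one hour)
    max_entry_duration: int = 86400  # NSSOCSPMaxCacheEntryDuration (one day)

    def next_fetch_time(self, fetched_at: int, next_update: Optional[int]) -> int:
        """Earliest time the responder is asked again for a status fetched at
        fetched_at, given the nextUpdate the response carried (None = no hint)."""
        earliest = fetched_at + self.min_entry_duration
        latest = fetched_at + self.max_entry_duration
        if next_update is None:
            return earliest
        return max(earliest, min(next_update, latest))


# A responder takes (serial, now) and returns (status, nextUpdate or None).
Responder = Callable[[str, int], Tuple[str, Optional[int]]]


class OcspStatusCache:
    """Bounded status cache keyed by certificate serial; oldest entry evicted first."""

    def __init__(self, policy: OcspCachePolicy) -> None:
        self.policy = policy
        self._entries: OrderedDict = OrderedDict()  # serial -> (status, next_fetch)
        self.fetches = 0  # round trips made to the responder

    def status(self, serial: str, now: int, responder: Responder) -> str:
        entry = self._entries.get(serial)
        if entry is not None and now < entry[1]:
            return entry[0]  # inside the cache window: no network traffic
        status, next_update = responder(serial, now)
        self.fetches += 1
        self._entries.pop(serial, None)
        self._entries[serial] = (status, self.policy.next_fetch_time(now, next_update))
        while len(self._entries) > self.policy.cache_size:
            self._entries.popitem(last=False)  # evict the oldest entry
        return status


def revocation_noticed_at(policy: OcspCachePolicy, revoked_at: int, horizon: int,
                          next_update_offset: Optional[int] = None) -> Optional[int]:
    """Simulate a certificate that is 'good' until revoked_at and 'revoked'
    afterwards, with the TPS consulting the cache once per second from t=0.
    Returns the first second at which 'revoked' is seen, or None if that does
    not happen before horizon. The responder is constructed test data;
    next_update_offset models the nextUpdate hint it puts in each response."""
    cache = OcspStatusCache(policy)

    def responder(serial: str, now: int) -> Tuple[str, Optional[int]]:
        hint = None if next_update_offset is None else now + next_update_offset
        return ("revoked" if now >= revoked_at else "good", hint)

    for now in range(horizon):
        if cache.status("0x1a2b", now, responder) == "revoked":  # constructed serial
            return now
    return None


if __name__ == "__main__":
    defaults = OcspCachePolicy()
    short = OcspCachePolicy(min_entry_duration=60, max_entry_duration=80)
    print("defaults: revoked at t=100, noticed at",
          revocation_noticed_at(defaults, 100, 90000))
    print("60/80 s:  revoked at t=100, noticed at",
          revocation_noticed_at(short, 100, 90000))
    print("60/80 s, responder hints nextUpdate=+3600, noticed at",
          revocation_noticed_at(short, 100, 90000, next_update_offset=3600))
```

The minimum duration is the knob that bounds how long a revoked certificate keeps being accepted, and the maximum keeps a responder's generous nextUpdate from widening that bound; NSSOCSPCacheSize only decides how many certificates enjoy the cache at once, so setting it too low turns busy agent logins into responder traffic rather than weakening revocation checking.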
7.5. Enabling Certificate Revocation Checking for DRM and TKS Users
Like the RA and TPS, the DRM and TKS subsystems do not, by default, have OCSP checking
enabled for the client certificates presented to them. This means it is possible for someone
to log into the administrative or agent interfaces with a revoked certificate.
OCSP checking is enabled for the DRM and TKS by editing the subsystem's server.xml file.
1. Open the server.xml file for the subsystem. For example:
vim /var/lib/pki-kra/conf/server.xml
2. The file contains two separate <Connector> sections, one for the agent interface and one for
the administrator interface. The OCSP parameters need to be added to both sections to enable
and configure OCSP checking; a connector left without them continues to accept revoked
certificates. For example:
<Connector name="Agent" port="10443" maxHttpHeaderSize="8192"