Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual page 107

Identity server guide

5 Specify a display name, then select X509Class from the drop-down menu.
6 Click Next.
7 Configure the validation options:
Validations: The validation type. Trust validation checks that the certificate chain can be verified
against the NIDP Trust Store. In addition to the usual certificate validations, the Identity Server
supports CRL (certificate revocation list) and OCSP (Online Certificate Status Protocol) validation
for each authentication request.
Access Manager caches CRLs, so the revoked status of a newly revoked certificate is not
picked up until the next cache refresh. For higher security requirements, use OCSP validation
together with CRL validation. You can select None, CRL, OCSP, OCSP-CRL, or CRL-OCSP
validation. In a production environment, for highest security, select either OCSP-CRL or
CRL-OCSP validation. The default setting is to check OCSP first, then CRL.
CRL Validation: Checks the CRL. If you enable CRL validation, the CRL distribution point
extension is read out of the user's X.509 certificate. The CRL distribution point contains the URL
where the complete CRL can be found, as published by the certificate authority. The system
performs sanity checks on the CRL itself and then checks whether the user certificate is in the
revoked list. The system can retrieve the CRL over HTTP and LDAP. If you do not expect user
certificates to carry a distribution point, specify the location of the CRL in the LDAP URL field instead.
Configuring Advanced Local Authentication Procedures 107
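The CRL validation path described in step 7, as an added example that is not code from Access Manager or from this manual: a Go program (standard library only; Go 1.19 or later for x509.ParseRevocationList) that reads the CRL distribution point out of a user certificate, fetches the CRL it names, sanity-checks the CRL's signature against the issuing CA and its thisUpdate/nextUpdate window, looks the serial number up in the revoked list, and falls back to a configured URL when the certificate carries no distribution point (the LDAP URL case above). It also reproduces the caching caveat from the Validations paragraph: a cached CRL is reused until its nextUpdate passes, so a certificate revoked in the meantime still passes. The CA, the user certificate, the distribution point URL http://crl.example.test/users.crl and the in-memory map standing in for the HTTP/LDAP fetch are all constructed for the example and are not Access Manager settings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CRLCache keeps a fetched CRL until its nextUpdate passes: a revocation published in between is not seen until then (the manual's caveat).
type CRLCache struct {
	fetch       func(url string) []byte // stands in for the HTTP/LDAP retrieval of the CRL
	fallbackURL string                  // used when the certificate has no distribution point (the "LDAP URL" setting)
	entries     map[string]*x509.RevocationList
}

// Revoked reads the CRL distribution point out of the user certificate, fetches (or reuses) the CRL it names,
// sanity-checks it against the issuing CA, and looks the serial number up. An error means "unknown", not "good".
func (c *CRLCache) Revoked(cert, issuer *x509.Certificate, now time.Time) (bool, error) {
	url := c.fallbackURL
	if len(cert.CRLDistributionPoints) > 0 {
		url = cert.CRLDistributionPoints[0]
	}
	crl := c.entries[url]
	if crl == nil || !now.Before(crl.NextUpdate) { // nothing cached, or the cached copy has expired
		fresh, err := x509.ParseRevocationList(c.fetch(url))
		if err != nil {
			return false, fmt.Errorf("CRL from %q: %w", url, err)
		}
		crl, c.entries[url] = fresh, fresh
	}
	// Sanity checks: issuer signature (CheckSignatureFrom also requires the cRLSign key usage on the CA) and validity window.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL is outside its thisUpdate/nextUpdate window")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

const dpURL = "http://crl.example.test/users.crl" // hypothetical distribution point (constructed fixture)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert signs tmpl for subject's key with signer's key and returns the parsed certificate (constructed fixture).
func issueCert(tmpl, parent *x509.Certificate, subject, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &subject.PublicKey, signer))))
}

// signCRL issues CRL number n, valid for one hour from thisUpdate, listing the given entries (constructed fixture).
func signCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, n int64, thisUpdate time.Time, revoked ...pkix.RevokedCertificate) []byte {
	return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(n),
		ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(time.Hour), RevokedCertificates: revoked}, ca, caKey))
}

// RunScenario: (1) clean CRL, (2) ten minutes after the CA revokes the user while CRL #1 is still cached, (3) after CRL #1 expires.
func RunScenario() [3]bool {
	clock := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Issuing CA"},
		NotBefore: clock.AddDate(-1, 0, 0), NotAfter: clock.AddDate(2, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // cRLSign is required to sign CRLs
	caCert := issueCert(caTmpl, caTmpl, caKey, caKey)
	user := issueCert(&x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: clock.AddDate(0, -1, 0), NotAfter: clock.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{dpURL}}, // the extension the Identity Server reads out of the user certificate
		caCert, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), caKey)
	published := map[string][]byte{} // what the distribution point currently serves
	cache := &CRLCache{entries: map[string]*x509.RevocationList{}, fetch: func(u string) []byte { return published[u] }}
	var out [3]bool
	published[dpURL] = signCRL(caCert, caKey, 1, clock) // CRL #1: nothing revoked, nextUpdate 10:00
	out[0] = must(cache.Revoked(user, caCert, clock))
	clock = clock.Add(10 * time.Minute) // 09:10: the CA revokes alice and publishes CRL #2
	published[dpURL] = signCRL(caCert, caKey, 2, clock, pkix.RevokedCertificate{SerialNumber: user.SerialNumber, RevocationTime: clock})
	out[1] = must(cache.Revoked(user, caCert, clock)) // still answered from cached CRL #1, so alice is not seen as revoked
	clock = clock.Add(55 * time.Minute) // 10:05: CRL #1 has expired, CRL #2 is fetched and the revocation is seen
	out[2] = must(cache.Revoked(user, caCert, clock))
	return out
}

func main() {
	fmt.Println(RunScenario()) // [false false true]
}
```

The second result is the point of the manual's warning: between the CA publishing CRL #2 and the cached CRL #1 reaching its nextUpdate, the checker keeps answering from the stale copy, which is why the manual recommends pairing CRL validation with OCSP. Swapping the fetch closure for an HTTP or LDAP client and setting fallbackURL to the configured LDAP URL turns the fixture into a checker for real certificates.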
