Enabling the Online Certificate Status Protocol

Enable the Online Certificate Status Protocol (OCSP) to allow the server to check whether certificates have been revoked.

Context

A CA may issue a user certificate that remains valid for months, or even years. If the certificate becomes compromised (for example, due to a lost device or unauthorized access to the private key), you can ask the CA system to revoke the certificate. Unless the server explicitly checks for revocation, the certificate appears valid.

When establishing HTTPS connections, the JVM also performs its own revocation checking, which is controlled by Java system properties. The properties described above do not affect the JVM.

Procedure

  1. See the Java documentation for the system properties you can set to configure revocation checking and for debugging related issues (package oracle.security.crypto.ocsp; information published on a non-SAP site).
  2. Edit the <SMP_HOME>\sapjvm_8\jre\lib\security\java.security file.
  3. Uncomment and configure your required OCSP properties.
    #
    # Properties to configure OCSP for certificate revocation checking
    #
    
    # Enable OCSP
    #
    # By default, OCSP is not used for certificate revocation checking.
    # This property enables the use of OCSP when set to the value "true".
    #
    # NOTE: SocketPermission is required to connect to an OCSP responder.
    #
    # Example,
    #   ocsp.enable=true
    
    #
    # Location of the OCSP responder
    #
    # By default, the location of the OCSP responder is determined implicitly
    # from the certificate being validated. This property explicitly specifies
    # the location of the OCSP responder. The property is used when the
    # Authority Information Access extension (defined in RFC 3280) is absent
    # from the certificate or when it requires overriding.
    #
    # Example,
    #   ocsp.responderURL=http://ocsp.example.net:80
    
    #
    # Subject name of the OCSP responder's certificate
    #
    # By default, the certificate of the OCSP responder is that of the issuer
    # of the certificate being validated. This property identifies the certificate
    # of the OCSP responder when the default does not apply. Its value is a string
    # distinguished name (defined in RFC 2253) which identifies a certificate in
    # the set of certificates supplied during cert path validation. In cases where
    # the subject name alone is not sufficient to uniquely identify the certificate
    # then both the "ocsp.responderCertIssuerName" and
    # "ocsp.responderCertSerialNumber" properties must be used instead. When this
    # property is set then those two properties are ignored.
    #
    # Example,
    #   ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
    
    #
    # Issuer name of the OCSP responder's certificate
    #
    # By default, the certificate of the OCSP responder is that of the issuer
    # of the certificate being validated. This property identifies the certificate
    # of the OCSP responder when the default does not apply. Its value is a string
    # distinguished name (defined in RFC 2253) which identifies a certificate in
    # the set of certificates supplied during cert path validation. When this
    # property is set then the "ocsp.responderCertSerialNumber" property must also
    # be set. When the "ocsp.responderCertSubjectName" property is set then this
    # property is ignored.
    #
    # Example,
    #   ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
    
    #
    # Serial number of the OCSP responder's certificate
    #
    # By default, the certificate of the OCSP responder is that of the issuer
    # of the certificate being validated. This property identifies the certificate
    # of the OCSP responder when the default does not apply. Its value is a string
    # of hexadecimal digits (colon or space separators may be present) which
    # identifies a certificate in the set of certificates supplied during cert path
    # validation. When this property is set then the "ocsp.responderCertIssuerName"
    # property must also be set. When the "ocsp.responderCertSubjectName" property
    # is set then this property is ignored.
    #
    # Example,
    #   ocsp.responderCertSerialNumber=2A:FF:00
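As an added check for step 3 (example code written for this page, not SAP's or the JDK's), the script below parses the active entries of a java.security file and verifies the rules stated in the property comments above: ocsp.enable must be "true", the responder URL must be an http(s) URL, the issuer-name and serial-number properties must be set together, the subject-name property overrides both, and the serial number must be a hex string. It assumes a simplified properties grammar (no backslash line continuation) and strips the surrounding quotes shown in the documented examples; the sample fragment is constructed.

```python
import re
from urllib.parse import urlparse

OCSP_KEYS = {"ocsp.enable", "ocsp.responderURL", "ocsp.responderCertSubjectName",
             "ocsp.responderCertIssuerName", "ocsp.responderCertSerialNumber"}

def parse_java_security(text):
    """Active (uncommented) key/value pairs; a later entry overrides an earlier one."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # the commented template lines are skipped
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            # Surrounding quotes as in the documented examples are stripped (assumption)
            props[m.group(1)] = m.group(2).strip().strip('"')
    return props

def check_ocsp_settings(props):
    """Problems in the ocsp.* settings, per the rules in the java.security comments."""
    problems = []
    for key in props:
        if key.startswith("ocsp.") and key not in OCSP_KEYS:
            problems.append(f"unknown property {key!r} (typo? it is silently ignored)")
    if props.get("ocsp.enable", "false").lower() != "true":
        problems.append("ocsp.enable is not 'true': OCSP revocation checking stays off")
    url = props.get("ocsp.responderURL")
    if url is not None:
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"ocsp.responderURL is not an http(s) URL: {url!r}")
    subject = props.get("ocsp.responderCertSubjectName")
    issuer = props.get("ocsp.responderCertIssuerName")
    serial = props.get("ocsp.responderCertSerialNumber")
    if subject is not None and (issuer is not None or serial is not None):
        problems.append("responderCertSubjectName is set, so IssuerName/SerialNumber are ignored")
    if subject is None and (issuer is None) != (serial is None):
        problems.append("responderCertIssuerName and responderCertSerialNumber must be set together")
    if serial is not None and not re.fullmatch(r"[0-9A-Fa-f]+([ :]+[0-9A-Fa-f]+)*", serial):
        problems.append(f"responderCertSerialNumber is not a hex string: {serial!r}")
    return problems

# Constructed sample: issuer name given without the serial number, a typical slip
SAMPLE = """\
ocsp.enable=true
ocsp.responderURL=http://ocsp.example.net:80
ocsp.responderCertIssuerName="CN=Enterprise CA, O=XYZ Corp"
"""
```

Run `check_ocsp_settings(parse_java_security(open(path).read()))` against the edited `<SMP_HOME>\sapjvm_8\jre\lib\security\java.security`; an empty list means the OCSP entries are consistent, and a file whose ocsp lines are all still commented out reports that checking is off.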