Show TOC

Enabling OCSPLocate this document in the navigation structure

(Optional) Enable Online Certificate Status Protocol (OCSP) to check if a certificate has been revoked.

Context

A CA may issue a certificate to a user that would remain valid for a months or perhaps even years. If the certificate becomes compromised (for example, due to a lost device or unauthorized access to the private key) the CA system can be notified to revoke that certificate. Unless SAP Mobile Platform explicitly checks for revocation, the certificate appears valid.

In the X.509 User Certificate of your security profile, set the property to enable revocation checking in addition to setting up OCSP in the java.security file.

Enable OCSP.

Procedure

  1. Edit the <SMP_HOME>\sapjvm_7\jre\lib\security\java.security file.
    #
    # Properties to configure OCSP for certificate revocation checking
    #
    
    # Enable OCSP
    #
    # By default, OCSP is not used for certificate revocation checking.
    # This property enables the use of OCSP when set to the value "true".
    #
    # Note: SocketPermission is required to connecto to an OCSP responder.
    #
    # Example,
    #   ocsp.enable=true
    
    #
    # Location of the OCSP responder
    #
    # By default, the location of the OCSP responder is determined implicitly
    # from the certificate being validated. This property explicitly specifies
    # the location of the OCSP responder. The property is used when the
    # Authority Information Access extension (defined in RFC 3280) is absent
    # from the certificate or when it requires overriding.
    #
  2. Uncomment and configure your required OCSP properties. For more information, see Java documentation at http://docs.oracle.com/cd/B28196_01/idmanage.1014/b28168/toc.htmInformation published on non-SAP site