Enabling OCSP checking for native interceptors of IBM MQ AMS
Online Certificate Status Protocol (OCSP) checking in IBM® MQ Advanced Message Security is enabled by default, based on information in the certificates being used.
Procedure
Add the following options to the keystore configuration file:
Note: All the OCSP stanza options are optional and can be specified independently.
Option | Description |
---|---|
ocsp.enable=off | Enable OCSP checking if the certificate being checked has an Authority Info Access (AIA) extension with a PKIX_AD_OCSP access method containing a URI of where the OCSP responder is located. Possible values: |
ocsp.url=< responder_URL > | The URL address of the OCSP responder. If this option is omitted, non-AIA OCSP checking is disabled. |
ocsp.http.proxy.host=< OCSP_proxy > | The URL address of the OCSP proxy server. If this option is omitted, a proxy is not used for non-AIA online certificate checks. |
ocsp.http.proxy.port=< port_number > | The OCSP proxy server's port number. If this option is omitted, the default port of 8080 is used. |
ocsp.nonce.generation=on/off | Generate a nonce when querying OCSP. The default value is |
ocsp.nonce.check=on/off | Check the nonce after receiving a response from OCSP. The default value is |
ocsp.nonce.size=8 | Nonce size in bytes. |
ocsp.http.get=on/off | Specify HTTP GET as your request method. If this option is set to off, HTTP POST is used. The default value is off. |
ocsp.max_response_size=20480 | Maximum size of the response from the OCSP responder, in bytes. |
ocsp.cache_size=100 | Enable internal OCSP response caching and set the limit for the number of cache entries. |
ocsp.timeout=30 | Waiting time for a server response, in seconds, after which IBM MQ Advanced Message Security times out. |
ocsp.unknown=ACCEPT | Defines the behavior when an OCSP server cannot be reached within the timeout period. Possible values: |
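As an added example (not IBM's code or documentation), the following script parses the ocsp.* entries of a keystore configuration file and flags settings that weaken revocation checking. It assumes the file is plain key=value lines, as the options above are written; the only defaults it applies are those stated on this page (OCSP enabled by default, proxy port 8080, HTTP POST), and the sample stanzas are constructed.

```python
import re
from typing import Dict, List

# Defaults the page states explicitly; everything else stays unset unless configured.
PAGE_DEFAULTS = {"ocsp.enable": "on", "ocsp.http.proxy.port": "8080", "ocsp.http.get": "off"}
NUMERIC_KEYS = ("ocsp.http.proxy.port", "ocsp.nonce.size", "ocsp.max_response_size",
                "ocsp.cache_size", "ocsp.timeout")

def parse_ocsp_options(text: str) -> Dict[str, str]:
    """Collect ocsp.* key=value lines; '#' lines and non-ocsp keys are ignored."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().startswith("ocsp."):
            opts[key.strip()] = value.strip()
    return opts

def audit_ocsp(opts: Dict[str, str]) -> List[str]:
    """Return findings for settings that weaken or silently disable OCSP checking."""
    eff = {**PAGE_DEFAULTS, **opts}  # effective values after page-stated defaults
    findings: List[str] = []
    # AIA checking off and no explicit responder: no revocation checking at all.
    if eff["ocsp.enable"].lower() == "off" and "ocsp.url" not in eff:
        findings.append("no revocation checking: ocsp.enable=off and no ocsp.url")
    # ACCEPT fails open: an unreachable responder lets the certificate through.
    if eff.get("ocsp.unknown", "").upper() == "ACCEPT":
        findings.append("ocsp.unknown=ACCEPT: certificate accepted when responder unreachable")
    if eff.get("ocsp.nonce.check", "").lower() == "off":
        findings.append("ocsp.nonce.check=off: response not bound to the request nonce")
    # A proxy port without a host is ignored (the page: no host, no proxy).
    if "ocsp.http.proxy.port" in opts and "ocsp.http.proxy.host" not in opts:
        findings.append("ocsp.http.proxy.port set without ocsp.http.proxy.host: proxy unused")
    for key in NUMERIC_KEYS:
        if key in opts and not re.fullmatch(r"\d+", opts[key]):
            findings.append(f"{key}={opts[key]!r} is not a whole number")
    return findings

# Constructed sample stanzas (placeholders, not from a real deployment).
WEAK_CONF = "# weak (constructed)\nocsp.enable=off\nocsp.unknown=ACCEPT\n" \
            "ocsp.nonce.check=off\nocsp.http.proxy.port=3128\n"
HARDENED_CONF = "# hardened (constructed); responder URL is a placeholder\n" \
                "ocsp.enable=on\nocsp.url=http://ocsp.example.invalid/\n" \
                "ocsp.nonce.generation=on\nocsp.nonce.check=on\nocsp.timeout=30\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ocsp(parse_ocsp_options(conf)) or ["no findings"])
```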