Question & Answer
Question
Answer
This can be caused by the client, or the queue manager (if doing MCA interception), being unable to reach the OCSP or CRL responders to validate the certificate(s) in use. This check is usually done via an HTTP call based on the contents of the certificates being used.
Many times, machines are locked down and cannot access the OCSP/CRL responders.
There are configuration options for the keystore.conf file that allow you to configure a proxy host, if one is available, to access the HTTP OCSP/CRL responders.
If a proxy is available, add the following to the keystore.conf:
ocsp.http.proxy.host=< OCSP_proxy >
ocsp.http.proxy.port=< port_number >
Settings for CRL checking are also described in the Knowledge Center (KC):
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q014850_.htm
OCSP settings are here in the KC:
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.1.0/com.ibm.mq.sec.doc/q014820_.htm
If needed, you can disable these checks by adding the following to your keystore.conf file:
ocsp.enable=off
crl.cdp=off
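To confirm which of these settings a given keystore.conf actually carries, the following added example (not IBM code) audits the four settings named above and reports disabled checks, a half-configured proxy, or a placeholder left unfilled. It assumes the file uses key=value lines with # comments; the function names and sample contents are constructed for illustration.

```python
import re

# Setting names are the ones quoted on this page; all other names are illustrative.
PROXY_HOST = "ocsp.http.proxy.host"
PROXY_PORT = "ocsp.http.proxy.port"
DISABLE_KEYS = ("ocsp.enable", "crl.cdp")

def parse_keystore_conf(text):
    """Parse key=value lines, skipping blanks and # comments; last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit_revocation_settings(text):
    """Return a list of findings about the revocation-related settings."""
    s = parse_keystore_conf(text)
    findings = []
    for key in DISABLE_KEYS:
        if s.get(key, "").lower() == "off":
            findings.append(f"{key}=off: check turned off")
    host, port = s.get(PROXY_HOST), s.get(PROXY_PORT)
    if (host is None) != (port is None):
        findings.append("proxy host and port are not both set")
    if host is not None and (not host or re.search(r"[<>\s]", host)):
        findings.append(f"{PROXY_HOST} looks like an unfilled placeholder")
    if port is not None and not (
        re.fullmatch(r"[0-9]{1,5}", port) and 0 < int(port) < 65536
    ):
        findings.append(f"{PROXY_PORT} is not a valid TCP port")
    return findings

# Constructed sample files, not taken from a real system.
SAMPLE_PROXY = """# constructed example
ocsp.http.proxy.host = proxy.example.internal
ocsp.http.proxy.port = 8080
"""
SAMPLE_DISABLED = """ocsp.enable=off
crl.cdp=off
ocsp.http.proxy.host=< OCSP_proxy >
"""

if __name__ == "__main__":
    for name, conf in (("proxy", SAMPLE_PROXY), ("disabled", SAMPLE_DISABLED)):
        print(name, audit_revocation_settings(conf) or "no findings")
```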
If you are having similar issues with normal SSL channels, see the dwAnswers at:
Document Information
Modified date:
22 June 2020
UID
ibm16237080