Configuring OCSP Certificate Revocation Checking
To configure a Solace PubSub+ event broker to use a certificate authority (CA) with Online Certificate Status Protocol (OCSP) revocation checking, complete the following steps:
- Step 1: Review Prerequisites
- Step 2: Configure Certificate Authorities
- Step 3: Configure OCSP Parameters
- Step 4: Enable CA Revocation Checking
- Step 5: Configure Message VPN Overrides
- Step 6: Enable OCSP Certificate Revocation Checking
Step 1: Review Prerequisites
To successfully use CA certificates with certificate revocation checking, the following configurations are required on a Solace PubSub+ event broker:
- TLS/SSL service must be configured and enabled. This requires configuring a server certificate and enabling the TLS service. See TLS / SSL Service Configuration.
- Client certificate authentication must be configured and enabled for any Message VPNs that the clients will connect to. See Configuring Client Certificate Parameters for Message VPNs.
Step 2: Configure Certificate Authorities
To configure a CA, see Configuring the Client Authentication Certificate Authorities List.
Step 3: Configure OCSP Parameters
You can optionally configure any of the following OCSP parameters on the CA:
- Override URL. You can configure an override URL on the certificate authority so that the OCSP responder URLs supplied in the client certificates are ignored and the override URL is used to find the OCSP responder instead. This changes only where the OCSP request is sent; the signer of the response is still checked as described below.
To configure an override URL, enter the following commands:
solace(configure/authentication/client-certificate-authority)# revocation-check ocsp
solace(configure/authentication/client-certificate-authority/revocation-check/ocsp)# override-url <url> <port>
Where:
  <url> is the URL of the OCSP responder. It must be a complete URL including http://. Only HTTP URLs are supported.
  <port> is the port number on which the OCSP responder is listening.
- Responder common names. You can place multiple OCSP responders behind a load balancer. The responders are required to sign the OCSP responses with certificates issued to specific common names, and you can configure up to eight unique common names per CA as valid response signers.
To configure a responder common name, enter the following commands:
solace(configure/authentication/client-certificate-authority)# revocation-check ocsp
solace(configure/authentication/client-certificate-authority/revocation-check/ocsp)# responder-common-name {empty | name <common-name>}
Where:
  empty removes all common names from the list.
  name <common-name> adds a common name to the list. You can configure up to eight unique common names per CA as valid responders.
- Non-responder certificate. You can allow a non-responder certificate (one not issued specifically for signing OCSP responses) to sign an OCSP response. This is typically used together with an OCSP override URL in cases where a single certificate is used to sign both the client certificates and the OCSP responses. Because this relaxes the check on who may sign responses, enable it only when the responder really does sign with that certificate.
To allow a non-responder certificate, enter the following commands:
solace(configure/authentication/client-certificate-authority)# revocation-check ocsp
solace(configure/authentication/client-certificate-authority/revocation-check/ocsp)# allow-non-responder-certificate
- Timeout. If the event broker does not receive a response from the OCSP responder within the timeout, the OCSP request is considered to have failed. You can configure how long the broker waits for a response from the OCSP responder.
To configure an OCSP timeout, enter the following commands:
solace(configure/authentication/client-certificate-authority)# revocation-check ocsp
solace(configure/authentication/client-certificate-authority/revocation-check/ocsp)# timeout <seconds>
Where:
  <seconds> is the OCSP timeout in seconds used for the initial connection attempt with the OCSP responder. The default timeout is 5 seconds.
Step 4: Enable CA Revocation Checking
For the event broker to use the CA for revocation checking, enable revocation checking on the CA:
solace(configure/authentication/client-certificate-authority/revocation-check/ocsp)# exit
solace(configure/authentication/client-certificate-authority/revocation-check)# no shutdown
Step 5: Configure Message VPN Overrides
You can optionally configure revocation overrides for specific Message VPNs that determine how clients connecting to that Message VPN are handled based on the revocation status of their client certificates.
To configure the revocation checking overrides, see Configuring Message VPN Overrides.
Step 6: Enable OCSP Certificate Revocation Checking
Once the CA and OCSP configurations are completed, certificate revocation checking can be enabled for the event broker.
- Enable OCSP certificate revocation checking for the event broker:
solace(configure)# authentication
solace(configure/authentication)# client-certificate-revocation-checking ocsp
- Verify that OCSP certificate revocation checking has been enabled:
solace(configure/authentication)# show authentication
Example:
CLI and SEMP user class:
  radius-domain:
  auth-type:                               Internal database authentication
  profile-name:
Replace Duplicate Client Connections:      yes
Client Certificate Revocation Checking:    ocsp

Shell Users                                Direct shell login enabled
=========================================  ==========================
support                                    Yes
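The following session is an added example that puts Steps 3 through 6 together in one CLI session; it is not taken from the Solace documentation. It assumes a CA named corp-client-ca was already created in Step 2, that two OCSP responders sit behind a load balancer reachable at http://ocsp.example.com on port 8080, and that the responders sign with certificates whose common names are ocsp1.example.com and ocsp2.example.com. All of these names and values are placeholders.

```text
solace(configure)# authentication
solace(configure/authentication)# client-certificate-authority corp-client-ca
solace(configure/authentication/client-certificate-authority)# revocation-check ocsp
! Send every OCSP request to the load balancer, ignoring the URLs in the client certificates
solace(configure/authentication/client-certificate-authority/revocation-check/ocsp)# override-url http://ocsp.example.com 8080
! Accept responses only when signed by one of the dedicated responder certificates
solace(configure/authentication/client-certificate-authority/revocation-check/ocsp)# responder-common-name name ocsp1.example.com
solace(configure/authentication/client-certificate-authority/revocation-check/ocsp)# responder-common-name name ocsp2.example.com
! Raise the timeout from the 5 second default to 10 seconds for a responder on a slow link
solace(configure/authentication/client-certificate-authority/revocation-check/ocsp)# timeout 10
solace(configure/authentication/client-certificate-authority/revocation-check/ocsp)# exit
! Step 4: enable revocation checking on the CA
solace(configure/authentication/client-certificate-authority/revocation-check)# no shutdown
solace(configure/authentication/client-certificate-authority/revocation-check)# exit
solace(configure/authentication/client-certificate-authority)# exit
! Step 6: turn on OCSP revocation checking for the broker and verify
solace(configure/authentication)# client-certificate-revocation-checking ocsp
solace(configure/authentication)# show authentication
```

The example deliberately does not issue allow-non-responder-certificate: with dedicated responder certificates behind the load balancer, there is no reason to accept responses signed by anything else. Add it only where the CA's own certificate signs the OCSP responses. Before pointing the broker at the override URL, check the responder from a host with the CA certificate and a test client certificate, for example with `openssl ocsp -issuer ca.pem -cert client.pem -url http://ocsp.example.com:8080 -resp_text`; the printed response shows the responder's signing certificate (when the responder includes it), so you can confirm its common name is one of the names configured above. Any response that arrives after the timeout counts as a failed check, so a longer timeout delays client TLS handshakes while a responder is slow; decide with the Message VPN overrides from Step 5 how clients whose status could not be obtained should be handled.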