OCSP checking in Sterling B2B Integrator is implemented as part of the
internal system APIs that services use to retrieve certificates and keys
from the database. An OCSP check is therefore performed whenever a method
is called to obtain a certificate or key from the database object that
encapsulates it, rather than at a single dedicated point in the product.
The following steps describe how the OCSP check is implemented
in Sterling B2B Integrator:
- The system checks the object that encapsulates the certificate
to determine if OCSP checking is enabled. This allows the system
to determine with no additional database calls whether to attempt
an OCSP check.
- If OCSP checking is enabled, the system retrieves the encoded
issuer name from a certificate.
- The system hashes the encoded issuer name with SHA-1.
- The system attempts to find an authority configured in
the system that has a name whose hash matches that of the certificate.
If no authority is found, no check is performed.
- If an authority is found, the system checks the OCSP policy
for the authority (see the CERT_AUTHORITY table for more information).
If the policy permits or requires OCSP checks, the system attempts
to find an OCSP responder for the authority.
- If an OCSP responder is found for the authority, an OCSP
check is attempted. If no OCSP responder is found for the authority,
one of the following happens:
  - If the authority policy is set to always check, an exception
  is thrown and the check fails.
  - If the authority policy is to only check when a responder
  is configured, no check is performed.
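The decision sequence above, written out as an added example that models the same branches (enabled flag, SHA-1 hash of the DER issuer name, authority lookup by hash, policy, responder lookup, and the two outcomes when no responder exists). This is illustrative code, not Sterling B2B Integrator's own API: the class and policy names, the responder URL, and the hand-built DER names are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable, Optional, Tuple


class OcspPolicy(Enum):
    """Per-authority OCSP policy. Names are hypothetical; the product keeps
    the real policy in the CERT_AUTHORITY table."""
    NEVER = "never"                    # policy does not permit OCSP checks
    WHEN_RESPONDER = "when_responder"  # check only when a responder is configured
    ALWAYS = "always"                  # check required; a missing responder is an error


@dataclass(frozen=True)
class Authority:
    name: str
    issuer_name_der: bytes            # DER-encoded X.500 name of the CA
    policy: OcspPolicy
    responder_url: Optional[str] = None

    def name_hash(self) -> str:
        # Authorities are matched by the SHA-1 of their encoded name.
        return hashlib.sha1(self.issuer_name_der).hexdigest()


@dataclass(frozen=True)
class CertRecord:
    subject: str
    issuer_name_der: bytes            # encoded issuer name taken from the certificate
    ocsp_enabled: bool                # flag on the wrapping object, so no extra DB call


class OcspCheckFailed(Exception):
    """Raised when policy requires a check that cannot be performed."""


# A responder client: (responder_url, cert) -> "good" | "revoked" | "unknown".
Responder = Callable[[str, CertRecord], str]


def build_authority_index(authorities: Iterable[Authority]) -> Dict[str, Authority]:
    """Index configured authorities by the SHA-1 hash of their encoded name."""
    return {a.name_hash(): a for a in authorities}


def resolve_ocsp(cert: CertRecord, index: Dict[str, Authority],
                 query_responder: Responder) -> Tuple[str, str]:
    """Return ("skipped", reason) or ("checked", status); raise OcspCheckFailed
    when the policy is ALWAYS and no responder is configured."""
    if not cert.ocsp_enabled:
        return ("skipped", "ocsp disabled on certificate object")
    issuer_hash = hashlib.sha1(cert.issuer_name_der).hexdigest()
    authority = index.get(issuer_hash)
    if authority is None:
        return ("skipped", "no authority with matching issuer name hash")
    if authority.policy is OcspPolicy.NEVER:
        return ("skipped", f"policy for {authority.name} does not permit OCSP")
    if authority.responder_url is None:
        if authority.policy is OcspPolicy.ALWAYS:
            raise OcspCheckFailed(
                f"policy for {authority.name} requires OCSP but no responder is configured")
        return ("skipped", f"no responder configured for {authority.name}")
    return ("checked", query_responder(authority.responder_url, cert))


# Constructed sample data: minimal DER for the names CN=Test CA and CN=Other CA.
TEST_CA_DER = bytes.fromhex("3012" "3110" "300e" "0603550403" "130754657374204341")
OTHER_CA_DER = bytes.fromhex("3013" "3111" "300f" "0603550403" "13084f74686572204341")

SAMPLE_AUTHORITIES = [
    Authority("Test CA", TEST_CA_DER, OcspPolicy.ALWAYS,
              responder_url="http://ocsp.test-ca.example/"),   # constructed URL
    Authority("Other CA", OTHER_CA_DER, OcspPolicy.ALWAYS),     # no responder configured
]


def fake_responder(url: str, cert: CertRecord) -> str:
    """Stand-in for a network OCSP client; revokes one constructed subject."""
    return "revoked" if cert.subject == "CN=bob" else "good"


if __name__ == "__main__":
    idx = build_authority_index(SAMPLE_AUTHORITIES)
    for record in (CertRecord("CN=alice", TEST_CA_DER, True),
                   CertRecord("CN=bob", TEST_CA_DER, True),
                   CertRecord("CN=alice", TEST_CA_DER, False),
                   CertRecord("CN=carol", OTHER_CA_DER, True)):
        try:
            print(record.subject, resolve_ocsp(record, idx, fake_responder))
        except OcspCheckFailed as exc:
            print(record.subject, "FAILED:", exc)
```

The index is keyed by the hash rather than the raw name so that the lookup mirrors the page's matching rule; changing the policy on the "Other CA" entry from always-check to check-when-a-responder-is-configured turns the raised exception into a silent skip, which is the operational difference an administrator should expect from that setting.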