How Sterling B2B Integrator Performs an OCSP Check
An OCSP check for a certificate in Sterling B2B Integrator is determined when the OCSP check within Sterling B2B Integrator is implemented as a part of internal system APIs used by services for getting certificates and keys from the database. OCSP checks are performed by Sterling B2B Integrator when methods are called to get certificates and keys from the objects that encapsulate them in the database.
The following steps describe how the OCSP check is implemented in Sterling B2B Integrator:
- The system checks the object that encapsulates the certificate to determine if OCSP checking is enabled. This allows the system to determine with no additional database calls whether to attempt an OCSP check.
- If OCSP checking is enabled, the system retrieves the encoded issuer name from a certificate.
- The system hashes the encoded issuer name with SHA1.
- The system attempts to find an authority configured in the system that has a name whose hash matches that of the certificate. If no authority is found, no check is performed.
- If an authority is found, the system checks the OCSP policy for the authority. If the policy permits or requires OCSP checks, see the CERT_AUTHORITY table for more information. The system attempts to find an OCSP responder for the authority.
- If an OCSP responder is found for the authority, an OCSP
check is attempted. If no OCSP responder is found for the authority,
one of the following happens:
- If the authority policy is set to always check, an exception is thrown and the check fails.
- If the authority policy is to only check when a responder is configured, no check is performed.