Database Tables

Two new database tables have been added to manage OCSP-related information:
  • CERT_AUTHORITY
  • OCSP_RESPONDER

CERT_AUTHORITY

The CERT_AUTHORITY table maintains information about certificate authorities.

| Column | Type | Description |
|---|---|---|
| OBJECT_ID | VARCHAR(255) | A GUID that serves as the unique ID for a record. This is the primary key. Cannot be null. |
| NAME | VARCHAR(255) | A name for a record. Null allowed. |
| CREATE_DATE | DATETIME | The creation date of a record. |
| MODIFIED_DATE | DATETIME | The date a record was last modified. |
| MODIFIED_BY | VARCHAR(255) | Information about who modified a record. |
| ISSUER_NAME | BLOB | The RDN of the authority taken from its certificate. |
| HASH_ALG | VARCHAR(128) | The hash algorithm used to compute the name and key hashes. Only SHA1 is supported. |
| RDN_HASH | VARCHAR(255) | Base64 encoded SHA1 hash of the DER encoded issuer RDN taken from the authority's certificate. This column is indexed. |
| KEY_HASH | VARCHAR(255) | Base64 encoded SHA1 hash of the encoded public key in the issuer's certificate. |
| CERT_OID | VARCHAR(255) | The OBJECT_ID of the authority's certificate in the CA_CERT_INFO table. Each authority must have a CA certificate in the database. Nulls not allowed. |
| OCSP_POLICY | VARCHAR(128) | The OCSP policy for the authority. This consists of two comma separated values, OCSP_When and OCSP_What, which describe when to use OCSP and what to check (possible values are listed below). Null is not allowed in this column. |
| CRL_POLICY | VARCHAR(128) | Currently not used. |
| LOCK_ID | INTEGER | Used by the system to lock rows in the table. |
| CREATETS | TIMESTAMP | The timestamp of record creation for a row in the table. |
| MODIFYTS | TIMESTAMP | The last modification time for a row in the table. |
| CREATEUSERID | VARCHAR(40) | The user ID that created a row in the table. |
| MODIFYUSERID | VARCHAR(40) | The user ID that modified a row in the table. |
| CREATEPROGID | VARCHAR(40) | The name of a program or object that created a row in the table. |
| MODIFYPROGID | VARCHAR(40) | The name of a program or object that modified a record in the table. |

Possible values for OCSP_POLICY:

OCSP_When

  • never – never use OCSP
  • resp – use OCSP only if a responder is configured when a request is made
  • always – always use OCSP when a request is made. This requires a responder to be configured and causes certificate checking to fail if no responder is configured

OCSP_What

  • none – never check any certificates
  • end-user – check only end-user certificates
  • both – check both end-user and intermediate certificates. Currently not supported
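As an added illustration (not the product's own code), the following Python produces the RDN_HASH column format, Base64 of the SHA1 digest of the DER encoded issuer name, and checks a CERT_AUTHORITY row against it. The tiny DER encoder and the "Example CA" issuer are constructed for the sample; in practice the issuer bytes come straight from the CA certificate, and KEY_HASH applies the same Base64(SHA1) format to the issuer's encoded public key bytes.

```python
import base64
import hashlib


# Minimal DER helper, constructed for this sample only (lengths < 128 suffice).
def der_tlv(tag: int, content: bytes) -> bytes:
    if len(content) >= 128:
        raise ValueError("long-form DER lengths are not handled in this sample")
    return bytes([tag, len(content)]) + content


def der_cn_name(common_name: str) -> bytes:
    """DER Name: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } }."""
    oid_cn = der_tlv(0x06, bytes([0x55, 0x04, 0x03]))    # id-at-commonName
    value = der_tlv(0x0C, common_name.encode("utf-8"))   # UTF8String
    atv = der_tlv(0x30, oid_cn + value)                  # AttributeTypeAndValue
    return der_tlv(0x30, der_tlv(0x31, atv))             # Name { RDN { atv } }


def b64_sha1(data: bytes) -> str:
    """Column format shared by RDN_HASH and KEY_HASH: Base64 of the SHA1 digest."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def rdn_hash(issuer_name_der: bytes) -> str:
    """RDN_HASH: hash of the DER encoded issuer RDN from the CA certificate."""
    return b64_sha1(issuer_name_der)


def key_hash(issuer_public_key_der: bytes) -> str:
    """KEY_HASH: hash of the issuer's encoded public key bytes."""
    return b64_sha1(issuer_public_key_der)


def matches_authority(row: dict, issuer_name_der: bytes) -> bool:
    """Does a CERT_AUTHORITY row (dict of column values) index this issuer name?"""
    if row.get("HASH_ALG", "SHA1").upper() != "SHA1":
        raise ValueError("HASH_ALG: only SHA1 is supported")
    return row["RDN_HASH"] == rdn_hash(issuer_name_der)


if __name__ == "__main__":
    name = der_cn_name("Example CA")   # constructed sample issuer, not a real CA
    row = {"NAME": "Example CA", "HASH_ALG": "SHA1", "RDN_HASH": rdn_hash(name)}
    print(name.hex(), rdn_hash(name), matches_authority(row, name))
```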

OCSP_RESPONDER

The OCSP_RESPONDER table maintains information about OCSP responders.

| Column | Type | Description |
|---|---|---|
| OBJECT_ID | VARCHAR(255) | A GUID that serves as the unique ID for a record. This is the primary key. Cannot be null. |
| NAME | VARCHAR(255) | A name for a record. Null allowed. |
| CREATE_DATE | DATETIME | The creation date of a record. |
| MODIFIED_DATE | DATETIME | The date a record was last modified. |
| MODIFIED_BY | VARCHAR(255) | Information about who modified a record. |
| ISSUER_NAME | BLOB | The RDN of the authority taken from its certificate. |
| HASH_ALG | VARCHAR(128) | The hash algorithm used to compute the name and key hashes. Only SHA1 is supported. |
| RDN_HASH | VARCHAR(255) | Base64 encoded SHA1 hash of the DER encoded issuer RDN taken from the authority's certificate. This column is indexed. |
| KEY_HASH | VARCHAR(255) | Base64 encoded SHA1 hash of the encoded public key in the issuer's certificate. |
| CERT_OID | VARCHAR(255) | The OBJECT_ID of the authority's certificate in the CA_CERT_INFO table. Each authority must have a CA certificate in the database. Nulls not allowed. |
| CACHE_TTL | VARCHAR(64) | The time in seconds to allow OCSP responses to live in the internal response cache. If the column is NULL, OCSP responses are cached for only 1 second, which in practice means not at all. |
| TRANS_PROF_OID | VARCHAR(255) | OBJECT_ID of a profile in the GIS database. You have to create a profile for the OCSP responder that includes the correct URL for the responder. |
| COMM_BP | VARCHAR(255) | Name of a business process to use to communicate with the OCSP responder. This has to be a business process that does HTTP communication. Services in the business process have to be configured to not require or present HTTP headers when sending and receiving, respectively. The HTTPClientSend process that comes with the system can be used and is recommended. |
| COMM_WAIT | VARCHAR(24) | The number of seconds to wait for communication with the OCSP responder to take place before inferring that something is wrong. |
| LOCK_ID | INTEGER | Used by the system to lock rows in the table. |
| CREATETS | TIMESTAMP | The timestamp of record creation for a row in the table. |
| MODIFYTS | TIMESTAMP | The last modification time for a row in the table. |
| CREATEUSERID | VARCHAR(40) | The user ID that created a row in the table. |
| MODIFYUSERID | VARCHAR(40) | The user ID that modified a row in the table. |
| CREATEPROGID | VARCHAR(40) | The name of a program or object that created a row in the table. |
| MODIFYPROGID | VARCHAR(40) | The name of a program or object that modified a record in the table. |
| SEND_NONCE | VARCHAR(8) | Indicates whether to send a nonce with OCSP requests. Valid values: true, false. |
| REQ_NONCE | VARCHAR(8) | Indicates whether to require a nonce in OCSP responses. The system only honours the requirement for nonces on responses if it is also required to send them in requests (SEND_NONCE=true). Valid values: true, false. |
| RESP_CERT_IN_CA_STORE | VARCHAR(8) | Indicates whether the certificate used to verify signatures on OCSP responses is in the CA store. Valid values: true; false (the trusted store is checked instead). |
| RESP_CERT_OID | VARCHAR(255) | The object ID of the certificate used to verify signatures on OCSP responses. This is the object ID of a record in the CA_CERT_INFO or TRUSTED_CERT_INFO table. |
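How the OCSP_POLICY of an authority combines with responder availability, CACHE_TTL and the two nonce flags, as an added Python example rather than product code. The Authority and Responder records are constructed stand-ins for rows of the two tables, and treating a malformed policy or the unsupported "both" value as a configuration error is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

OCSP_WHEN = {"never", "resp", "always"}
OCSP_WHAT = {"none", "end-user", "both"}


@dataclass
class Authority:              # constructed stand-in for a CERT_AUTHORITY row
    name: str
    ocsp_policy: str          # OCSP_POLICY, "<OCSP_When>,<OCSP_What>"


@dataclass
class Responder:              # constructed stand-in for an OCSP_RESPONDER row
    name: str
    cache_ttl: Optional[str]  # CACHE_TTL, may be NULL
    send_nonce: str = "false" # SEND_NONCE
    req_nonce: str = "false"  # REQ_NONCE


def parse_policy(policy: str) -> Tuple[str, str]:
    """Split OCSP_POLICY into (when, what); anything else is a config error (assumption)."""
    parts = [p.strip().lower() for p in policy.split(",")]
    if len(parts) != 2 or parts[0] not in OCSP_WHEN or parts[1] not in OCSP_WHAT:
        raise ValueError(f"invalid OCSP_POLICY {policy!r}")
    return parts[0], parts[1]


def ocsp_required(authority: Authority, responder: Optional[Responder], is_end_user: bool) -> bool:
    """True if an OCSP check must run for this certificate, False if it is skipped.
    Raises when the configured policy cannot be satisfied."""
    when, what = parse_policy(authority.ocsp_policy)
    if when == "never" or what == "none":
        return False
    if what == "both":                       # documented as not supported; assumption: reject
        raise ValueError("OCSP_What 'both' is not supported")
    if when == "always" and responder is None:
        raise RuntimeError(f"'always' for {authority.name} but no responder: certificate check fails")
    if responder is None:                    # 'resp' with no responder configured
        return False
    # Only 'end-user' remains: intermediate CA certificates are not checked via OCSP.
    return is_end_user


def effective_cache_ttl(responder: Responder) -> int:
    """CACHE_TTL in seconds; NULL means 1 second, i.e. effectively no caching."""
    return 1 if responder.cache_ttl is None else int(responder.cache_ttl)


def nonce_required(responder: Responder) -> bool:
    """REQ_NONCE is honoured only when SEND_NONCE is also true."""
    return responder.send_nonce.lower() == "true" and responder.req_nonce.lower() == "true"
```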