OCSP checking in Sterling B2B Integrator is implemented as part of the internal system APIs
that services use to retrieve certificates and keys from the database, so a check can be
triggered whenever a certificate is fetched through those APIs.
About this task
OCSP checks are performed by Sterling B2B Integrator when methods are called to
get certificates and keys from the objects that encapsulate them in the database.
The following steps describe how the OCSP
check is implemented in Sterling B2B Integrator:
Procedure
- The system examines the object that encapsulates the certificate
to determine if OCSP checking is enabled. This allows the system
to decide with no additional database calls whether to attempt an
OCSP check.
- If OCSP checking is enabled, the system gets the encoded
issuer name from the certificate.
- The system hashes the encoded issuer name with SHA-1. The hash is used only as a
lookup key for matching the issuer to a configured authority, not as a security primitive.
- The system attempts to find an authority configured in
the system that has a name whose hash matches that of the certificate.
- If no authority is found, no check is performed.
- If an authority is found, the system checks the OCSP policy
for the authority (see the CERT_AUTHORITY table for more information).
If the policy permits or requires OCSP checks, the system attempts
to find an OCSP responder for the authority.
- If no OCSP responder is found for the authority, one of
the following happens:
- If the authority policy is set to always check, an exception
is thrown and the check fails.
- If the authority policy is to only check when a responder
is configured, no check is performed.
- If an OCSP responder is found for the authority, an OCSP check
is attempted.
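The decision procedure above, written out as an added example (this is illustrative code, not Sterling B2B Integrator's own implementation). The policy labels, the `WrappedCert`/`Authority` classes and the fake responder are assumptions standing in for the product's internal objects and the CERT_AUTHORITY table; the DER helpers exist only so the example hashes a realistic encoded issuer name, and the "encoded issuer name" is assumed to be the DER `Name` from the certificate.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# --- Minimal DER helpers (assumption: the encoded issuer name is the DER Name) ---

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element (definite-length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3

def der_name_cn(cn: str, string_tag: int = 0x0C) -> bytes:
    """DER Name holding a single CN; 0x0C = UTF8String, 0x13 = PrintableString."""
    atv = der_tlv(0x30, der_tlv(0x06, OID_COMMON_NAME) + der_tlv(string_tag, cn.encode("ascii")))
    return der_tlv(0x30, der_tlv(0x31, atv))  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue

def name_hash(encoded_name: bytes) -> str:
    """SHA-1 of the encoded name; a lookup key only, not a security primitive."""
    return hashlib.sha1(encoded_name).hexdigest()

# --- Policy values (assumed labels; the real CERT_AUTHORITY table uses its own codes) ---
POLICY_NEVER = "never"
POLICY_IF_RESPONDER = "if_responder"  # check only when a responder is configured
POLICY_ALWAYS = "always"              # a missing responder is a hard failure

@dataclass
class WrappedCert:
    """Stand-in for the object that encapsulates a certificate in the database."""
    label: str
    encoded_issuer: bytes
    ocsp_enabled: bool  # flag carried on the wrapper, so no extra DB call is needed

@dataclass
class Authority:
    policy: str
    responder_url: Optional[str] = None

class OcspCheckError(Exception):
    pass

def decide_ocsp(cert: WrappedCert, authorities: Dict[str, Authority],
                run_check: Callable[[WrappedCert, str], str]) -> str:
    """Walk the procedure: enabled flag -> issuer hash -> authority -> policy -> responder."""
    if not cert.ocsp_enabled:
        return "skipped: OCSP disabled on object"
    auth = authorities.get(name_hash(cert.encoded_issuer))
    if auth is None:
        return "skipped: no authority matches issuer"
    if auth.policy == POLICY_NEVER:
        return "skipped: authority policy forbids OCSP"
    if auth.responder_url is None:
        if auth.policy == POLICY_ALWAYS:
            raise OcspCheckError("policy requires OCSP but no responder is configured")
        return "skipped: no responder configured"
    return "checked: " + run_check(cert, auth.responder_url)

def fake_responder(cert: WrappedCert, url: str) -> str:
    """Constructed stand-in for the real OCSP request/response exchange."""
    return "good"

# --- Constructed sample data ---
ISSUER_UTF8 = der_name_cn("Example Root CA")
ISSUER_PRINTABLE = der_name_cn("Example Root CA", 0x13)  # same text, different encoding

AUTHORITIES = {
    name_hash(ISSUER_UTF8): Authority(POLICY_ALWAYS, "http://ocsp.example.test"),
    name_hash(der_name_cn("Strict CA")): Authority(POLICY_ALWAYS),        # no responder
    name_hash(der_name_cn("Lenient CA")): Authority(POLICY_IF_RESPONDER),  # no responder
}

SAMPLES = [
    WrappedCert("cert-disabled", ISSUER_UTF8, ocsp_enabled=False),
    WrappedCert("cert-utf8", ISSUER_UTF8, ocsp_enabled=True),
    WrappedCert("cert-printable", ISSUER_PRINTABLE, ocsp_enabled=True),
    WrappedCert("cert-strict", der_name_cn("Strict CA"), ocsp_enabled=True),
    WrappedCert("cert-lenient", der_name_cn("Lenient CA"), ocsp_enabled=True),
]

def run_samples() -> Dict[str, str]:
    """Evaluate every sample, reporting a raised policy error as an outcome string."""
    results = {}
    for cert in SAMPLES:
        try:
            results[cert.label] = decide_ocsp(cert, AUTHORITIES, fake_responder)
        except OcspCheckError as exc:
            results[cert.label] = "error: " + str(exc)
    return results

if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{label:15s} {outcome}")
```

The `cert-printable` case is worth noting: because the lookup hashes the encoded name, an issuer name that differs only in its string encoding hashes to a different value and finds no authority, so no check is performed and no error is raised. When configuring an authority, take its name from the same encoding the issuing CA actually puts in certificates.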