Enabling OCSP checking in Java

To enable OCSP checking for Java in Advanced Message Security, modify the java.security file or the keystore configuration file.

About this task

There are two ways of enabling OCSP checking in Advanced Message Security:

Using java.security

Check whether your certificate has Authority Information Access (AIA) set up.

Procedure

  1. If AIA is not set up, or you want to override the AIA information in your certificate, edit the $JAVA_HOME/lib/security/java.security file and add the following properties:
    ocsp.responderURL=http://url.to.responder:port
    ocsp.responderCertSubjectName=CN=Example CA,O=IBM,C=US
    Then enable OCSP checking by adding the following line to the same $JAVA_HOME/lib/security/java.security file:
    ocsp.enable=true
  2. If AIA is set up, enable OCSP checking by adding the following line to the $JAVA_HOME/lib/security/java.security file:
    ocsp.enable=true

What to do next

If you are using Java Security Manager, to complete the configuration, add the following Java permission to lib/security/java.policy:
permission java.security.SecurityPermission "getProperty.ocsp.enable";

Using keystore.conf

Procedure

Add the following attribute to the configuration file:
ocsp.enable=true
Important: Setting this attribute in the configuration file overrides java.security settings.

What to do next

To complete the configuration, add the following Java permissions to lib/security/java.policy:
permission java.security.SecurityPermission "getProperty.ocsp.enable";
permission java.security.SecurityPermission "setProperty.ocsp.enable";
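As an added example (not part of this IBM documentation), the following Java program performs the AIA check from the java.security procedure, applies the same ocsp.* properties programmatically when the certificate has no AIA, and then validates the certificate with revocation checking switched on. It assumes two certificate files (end entity and its trust-anchor CA) passed on the command line and reuses the page's placeholder responder URL and subject name, which you would replace with your own values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class OcspCheck {
    // OID of the Authority Information Access extension (RFC 5280, section 4.2.2.1).
    static final String AIA_OID = "1.3.6.1.5.5.7.1.1";

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // True when the certificate carries an AIA extension. Without it the JDK has no
    // responder to contact unless ocsp.responderURL is set explicitly.
    static boolean hasAia(X509Certificate cert) {
        return cert.getExtensionValue(AIA_OID) != null;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = end-entity certificate, args[1] = trust-anchor CA.
        X509Certificate leaf = load(args[0]);
        X509Certificate ca = load(args[1]);

        if (!hasAia(leaf)) {
            // Step 1 of the java.security procedure, done in code; placeholder values.
            Security.setProperty("ocsp.responderURL", "http://url.to.responder:port");
            Security.setProperty("ocsp.responderCertSubjectName", "CN=Example CA,O=IBM,C=US");
        }
        // Same effect as ocsp.enable=true in java.security. Under a Security Manager this
        // call needs the setProperty.ocsp.enable permission listed for keystore.conf.
        Security.setProperty("ocsp.enable", "true");

        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(leaf));
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
        params.setRevocationEnabled(true); // no revocation check at all unless this is on
        // Throws CertPathValidatorException if the responder reports the certificate as
        // revoked, or if revocation status cannot be determined (soft-fail is off by default).
        CertPathValidator.getInstance("PKIX").validate(path, params);
        System.out.println("OCSP status OK for " + leaf.getSubjectX500Principal());
    }
}
```

Run it once with a certificate you know is revoked to confirm the validator really rejects it; a silent pass on every input usually means ocsp.enable never took effect.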