OCSP/CRL checking

Online Certificate Status Protocol (OCSP)/Certificate Revocation List (CRL) checking is performed against remote incoming certificates. The process checks the whole chain involved from the personal certificate of the remote system right through to its root certificate.

Using OpenSSL to verify OCSP validation

If your enterprise uses OpenSSL to validate OCSP and you then attempt to use a GSKit TLS connection, you receive an UNKNOWN status warning.

This is because GSKit checks every certificate in the chain, apart from the root, for revocation status. GSKit operates in accordance with RFC 5280 and the GSKit Trust Policy, and its algorithm tries all available sources of revocation information described there.

How does the OCSP/CRL checking work in IBM MQ?

IBM® MQ supports two mechanisms for controlling how certificates are checked against OCSP or CRL endpoints, whether those endpoints are named in a certificate extension or defined in AUTHINFO objects:
  • The OCSPCheckExtensions, CDPCheckExtensions, and OCSPAuthentication attributes of the SSL stanza of the qm.ini file, and
  • Using the SSLCRLNL parameter of the queue manager and the AUTHINFO OCSP and CRLLDAP configurations. See ALTER AUTHINFO and ALTER QMGR for more information.
    Attention: The ALTER AUTHINFO command with AUTHTYPE(OCSP) does not apply for use on IBM i or z/OS® queue managers. However, it can be specified on those platforms to be copied to the client channel definition table (CCDT) for client use.

The OCSPCheckExtensions and CDPCheckExtensions SSL stanza attributes control whether IBM MQ verifies a certificate against the OCSP or CRL server detailed inside the certificate's own extension (the AIA extension for OCSP, the CRLDistributionPoints extension for CRLs).

If these attributes are not enabled, the OCSP or CRL server named in the certificate extension is not contacted.

If OCSP or CRL servers are detailed through AUTHINFO objects, and referenced using the SSLCRLNL QMGR attribute then, during certificate revocation processing, IBM MQ attempts to contact these servers.
Important: Only one OCSP AUTHINFO object can be defined in the SSLCRLNL namelist.
If:
  • OCSPCheckExtensions=NO and CDPCheckExtensions=NO are set, and
  • no OCSP or CRL servers are defined in AUTHINFO objects,
then no certificate revocation checking is performed.
When verifying a certificate for its revocation status, IBM MQ contacts the OCSP or CRL servers in the following order, skipping any source that is not enabled:
  1. The OCSP server detailed in an AUTHTYPE(OCSP) object and referenced in the SSLCRLNL QMGR attribute.
  2. OCSP servers detailed in the AIA extension of the certificates, if OCSPCheckExtensions=YES.
  3. CRL servers detailed in the CRLDistributionPoints extension of the certificates, if CDPCheckExtensions=YES.
  4. Any CRL servers detailed in AUTHINFO(CRLLDAP) objects and referenced in the SSLCRLNL QMGR attribute.

If at any step the OCSP or CRL server returns a definitive REVOKED or VALID response for the certificate, no further checks are performed and that status determines whether the certificate is trusted.

If an OCSP server or CRL server returns a result of UNKNOWN, processing continues until an OCSP or CRL server returns a definitive result, or all options are exhausted.

Whether a certificate whose status cannot be determined is treated as revoked differs between CRL and OCSP servers:
  • For CRL servers, if no CRL can be obtained, the certificate is considered NOT_REVOKED.
  • For OCSP servers, if no revocation status can be obtained from a named OCSP server, the behavior is controlled through the OCSPAuthentication attribute in the SSL stanza of the qm.ini file.

    You can configure this attribute to block the connection, allow the connection, or allow the connection with a warning message.
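The check order and the outcome rules above, from the four-source ordering through to the UNKNOWN, unobtainable-CRL and OCSPAuthentication cases, modelled in Python as an added example. This is not IBM MQ or GSKit code: the server names, the sample certificate and the responder answers are constructed, the UNREACHABLE label stands in for "no CRL / no OCSP status could be obtained", the OCSPAuthentication values REQUIRED, OPTIONAL and WARN are taken from the IBM MQ qm.ini reference rather than from this page, and treating an OCSP UNKNOWN answer as "no revocation status obtained" is this example's reading of the text.

```python
"""Model of the IBM MQ revocation-check order described above.

Added illustration, not IBM MQ or GSKit code: it walks the four revocation
sources in the documented order and applies the documented rules for
definitive (REVOKED/VALID), UNKNOWN and unobtainable answers. Server names,
the certificate and the responder answers are all constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Possible answers from a source. UNREACHABLE is a constructed label for "no CRL
# could be obtained" / "no revocation status could be obtained from the OCSP server".
REVOKED, VALID, UNKNOWN, UNREACHABLE = "REVOKED", "VALID", "UNKNOWN", "UNREACHABLE"


@dataclass
class SslStanza:
    """The qm.ini SSL stanza attributes named on the page."""
    OCSPCheckExtensions: bool = False
    CDPCheckExtensions: bool = False
    # Values as in the IBM MQ qm.ini reference (assumption, not on this page):
    # REQUIRED blocks, OPTIONAL allows, WARN allows with a warning message.
    OCSPAuthentication: str = "REQUIRED"


@dataclass
class RevocationConfig:
    ssl: SslStanza = field(default_factory=SslStanza)
    # AUTHINFO objects referenced from the SSLCRLNL namelist: at most one OCSP
    # object (its responder URL) and any number of CRLLDAP servers.
    authinfo_ocsp: Optional[str] = None
    authinfo_crlldap: List[str] = field(default_factory=list)


@dataclass
class Certificate:
    """Only the two revocation-related extensions matter for this model."""
    subject: str
    aia_ocsp_urls: List[str] = field(default_factory=list)   # AIA extension
    cdp_urls: List[str] = field(default_factory=list)        # CRLDistributionPoints


def sources_in_order(cfg: RevocationConfig, cert: Certificate):
    """Yield (kind, server) pairs in the documented order, honouring the switches."""
    if cfg.authinfo_ocsp:                       # 1. AUTHTYPE(OCSP) via SSLCRLNL
        yield ("OCSP", cfg.authinfo_ocsp)
    if cfg.ssl.OCSPCheckExtensions:             # 2. OCSP servers in the AIA extension
        for url in cert.aia_ocsp_urls:
            yield ("OCSP", url)
    if cfg.ssl.CDPCheckExtensions:              # 3. CRL servers in CRLDistributionPoints
        for url in cert.cdp_urls:
            yield ("CRL", url)
    for server in cfg.authinfo_crlldap:         # 4. AUTHINFO(CRLLDAP) via SSLCRLNL
        yield ("CRL", server)


def evaluate(cfg: RevocationConfig, cert: Certificate,
             query: Callable[[str, str, Certificate], str]) -> Tuple[str, str, list]:
    """Return (status, decision, trail); decision is ALLOW, BLOCK or ALLOW_WITH_WARNING."""
    trail = []
    ocsp_undetermined = False
    for kind, server in sources_in_order(cfg, cert):
        answer = query(kind, server, cert)
        trail.append((kind, server, answer))
        if answer in (REVOKED, VALID):
            # Definitive answer: no further sources are consulted.
            return answer, ("BLOCK" if answer == REVOKED else "ALLOW"), trail
        if kind == "OCSP":
            # UNKNOWN or no answer from an OCSP server: keep going, but remember it so
            # OCSPAuthentication can decide once every source is exhausted (assumption:
            # an UNKNOWN answer counts as "no revocation status obtained").
            ocsp_undetermined = True
        # A CRL that cannot be obtained leaves the certificate NOT_REVOKED; keep going.
    if not trail:
        return "NOT_CHECKED", "ALLOW", trail   # nothing enabled, nothing defined
    if ocsp_undetermined:
        decision = {"REQUIRED": "BLOCK", "OPTIONAL": "ALLOW",
                    "WARN": "ALLOW_WITH_WARNING"}[cfg.ssl.OCSPAuthentication]
        return "UNDETERMINED", decision, trail
    return "NOT_REVOKED", "ALLOW", trail


# Constructed answers standing in for real responders; no network is used.
ANSWERS = {
    ("OCSP", "http://ocsp.authinfo.example"): UNKNOWN,
    ("OCSP", "http://ocsp.aia.example"): UNREACHABLE,
    ("CRL", "http://crl.cdp.example/ca.crl"): REVOKED,
    ("CRL", "ldap.crl.example(389)"): VALID,
}


def table_query(kind: str, server: str, cert: Certificate) -> str:
    return ANSWERS.get((kind, server), UNREACHABLE)


SAMPLE_CERT = Certificate("CN=remote-qm.example",
                          aia_ocsp_urls=["http://ocsp.aia.example"],
                          cdp_urls=["http://crl.cdp.example/ca.crl"])


def demo() -> Tuple[str, str, list]:
    """Everything enabled: two OCSP non-answers, then the CDP CRL says REVOKED."""
    cfg = RevocationConfig(SslStanza(True, True, "REQUIRED"),
                           "http://ocsp.authinfo.example", ["ldap.crl.example(389)"])
    return evaluate(cfg, SAMPLE_CERT, table_query)


if __name__ == "__main__":
    status, decision, trail = demo()
    for step in trail:
        print(*step)
    print(status, decision)
```

Running `demo()` shows the fall-through: the AUTHINFO OCSP responder answers UNKNOWN, the AIA responder cannot be reached, and the CDP CRL then gives the definitive REVOKED that stops the walk before the CRLLDAP server is ever asked. Changing the configuration so that only the OCSP responder is defined leaves the status undetermined after exhaustion, and OCSPAuthentication alone decides whether the connection is blocked, allowed, or allowed with a warning.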

If needed, you can use the SSLHTTPProxyName=string attribute in the SSL stanza of the qm.ini and mqclient.ini files for the OCSP checks. The string is either the host name or the network address of the HTTP proxy server that GSKit is to use for OCSP checks.