TTLSGskOcspParms statement
Use the TTLSGskOcspParms statement to define a set of OCSP (Online Certificate Status Protocol) parameters to use for certificate revocation checking for an AT-TLS environment action. A TTLSGskOcspParms statement can be specified inline in a TTLSGskAdvancedParms statement or referenced by a TTLSGskAdvancedParms statement.
Syntax
Parameters
- OcspUrl
- Specifies the HTTP URL of an OCSP responder. The OCSP responder is used to obtain certificate revocation status during certificate validation. A certificate does not need an AIA extension if a responder URL is configured by using this option. The value must conform to the definition of an HTTP URL:
http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
where host can be an IPv4 or IPv6 IP address, or a domain name. The maximum length of the OcspUrl is 2083 characters. Only the http scheme is defined; the integrity of the revocation status comes from the responder's signature on the OCSP response, not from the transport.
Tips:
- If OcspUrl is specified, OcspAiaEnable is set to On and OcspUrlPriority is set to On, the responder defined by OcspUrl is used before the responders identified in the AIA extension are used.
- If OcspUrl is specified, OcspAiaEnable is set to On and OcspUrlPriority is set to Off, the responders identified in the AIA extension are used before the responder defined by OcspUrl is used.
This parameter sets System SSL's GSK_OCSP_URL attribute.
- OcspAiaEnable
- Specifies whether the AIA extensions in the certificate are used
for revocation checking.
- On
- Indicates that the AIA extension in the certificate is used for certificate revocation checking.
- Off
- Indicates that the AIA extension in the certificate is not used for certificate revocation checking. This is the default.
Tips:
- This parameter sets System SSL's GSK_OCSP_ENABLE attribute.
- If OcspUrl is specified, OcspAiaEnable is set to On and OcspUrlPriority is set to On, the responder defined by OcspUrl is used before the responders identified in the AIA extension are used.
- If OcspUrl is specified, OcspAiaEnable is set to On and OcspUrlPriority is set to Off, the responders identified in the AIA extension are used before the responder defined by OcspUrl is used.
- OcspProxyServerName
- Specifies the DNS name or IP address of the OCSP proxy server. When a DNS name is used, the maximum length is 255 characters.
This parameter sets System SSL's GSK_OCSP_PROXY_SERVER_NAME attribute.
- OcspProxyServerPort
- Sets the OCSP responder port for the proxy server. The port must
be in the range 1 - 65535. Port 80 is used if no OCSP proxy server
port is set.
This parameter sets System SSL's GSK_OCSP_PROXY_SERVER_PORT attribute.
- OcspRetrieveViaGet
- Specifies whether the HTTP request to the OCSP responder is sent by using the HTTP GET method or the HTTP POST method. Valid values are as follows:
- On
- Indicates that the HTTP GET method is used when sending an OCSP request whose total request size, after Base64 encoding, is less than 255 bytes; larger requests are still sent with POST. Use this option to enable HTTP caching on the OCSP responder when the responder is enabled for caching.
- Off
- Indicates that the HTTP request is sent by using the HTTP POST method. This is the default.
This parameter sets System SSL's GSK_OCSP_RETRIEVE_VIA_GET attribute.
- OcspUrlPriority
- Specifies the order of precedence for contacting OCSP responder locations if both OcspUrl and OcspAiaEnable are active.
- On
- Indicates that the responder defined by OcspUrl is used before the responders identified in the AIA extension are used. This is the default.
- Off
- Indicates that the responders identified in the AIA extension are used before the responder defined by OcspUrl is used.
This parameter sets System SSL's GSK_OCSP_URL_PRIORITY attribute.
- OcspRequestSigkeylabel
- Specifies the label of the key to use to sign OCSP requests. OCSP requests are signed only when a key label is specified. The maximum length of the OcspRequestSigkeylabel is 127 characters.
Only requests that are sent to the OCSP responder identified by using the OcspUrl setting are signed. Requests that are sent to an OCSP responder selected from a certificate AIA extension are not signed.
This parameter sets System SSL's GSK_OCSP_REQUEST_SIGKEYLABEL attribute.
- OcspRequestSigalg
- Specifies the hash and signature algorithm pair to use to sign OCSP requests as a string that
consists of a 4-character value. The default value is RSA with SHA256 ('0401').
Only requests that are sent to the OCSP responder identified by using the OcspUrl setting are signed.
This parameter sets System SSL's GSK_OCSP_REQUEST_SIGALG attribute. See the following table for the supported signature algorithm pair constants that can be specified.
Table 1. OcspRequestSigalg SignaturePairs

  Signature algorithm pair constant   Hexadecimal characters
  TLS_SIGALG_MD5_WITH_RSA             0101
  TLS_SIGALG_SHA1_WITH_RSA            0201
  TLS_SIGALG_SHA1_WITH_DSA            0202
  TLS_SIGALG_SHA1_WITH_ECDSA          0203
  TLS_SIGALG_SHA224_WITH_RSA          0301
  TLS_SIGALG_SHA224_WITH_DSA          0302
  TLS_SIGALG_SHA224_WITH_ECDSA        0303
  TLS_SIGALG_SHA256_WITH_RSA          0401
  TLS_SIGALG_SHA256_WITH_DSA          0402
  TLS_SIGALG_SHA256_WITH_ECDSA        0403
  TLS_SIGALG_SHA384_WITH_RSA          0501
  TLS_SIGALG_SHA384_WITH_ECDSA        0503
  TLS_SIGALG_SHA512_WITH_RSA          0601
  TLS_SIGALG_SHA512_WITH_ECDSA        0603

Restriction: TLS_SIGALG_MD5_WITH_RSA (0x0101) cannot be specified when FIPS mode is enabled.
- OcspResponseSigAlgPairs
- Specifies a preference ordered list of signature algorithm pairs to be sent on the OCSP request
that may be used by the OCSP responder to select an appropriate algorithm for signing the OCSP
response. The OCSP response will be rejected if OcspResponseSigAlgPairs is specified and the OCSP
response is signed by a signature algorithm that was not specified in the list. The algorithms value
is a string of one or more 4-hexadecimal character signature algorithm pairs or a single signature
algorithm pair constant in order of preference. When using hexadecimal notation, the algorithm
string cannot have intervening blanks between the signature algorithm pairs. If duplicate signature
algorithm pairs are specified, the first instance is used and all other instances are ignored. The
maximum number of TLS signature algorithm pairs is 64. The default value is null. The System SSL
environment variable associated with this parameter is GSK_OCSP_RESPONSE_SIGALG_PAIRS. The signature
algorithms pairs list can be specified as follows:
Table 2. OcspResponseSigAlgPairs SignaturePairs

  Signature algorithm pair constant   Hexadecimal characters
  TLS_SIGALG_MD5_WITH_RSA             0101
  TLS_SIGALG_SHA1_WITH_RSA            0201
  TLS_SIGALG_SHA1_WITH_DSA            0202
  TLS_SIGALG_SHA1_WITH_ECDSA          0203
  TLS_SIGALG_SHA224_WITH_RSA          0301
  TLS_SIGALG_SHA224_WITH_DSA          0302
  TLS_SIGALG_SHA224_WITH_ECDSA        0303
  TLS_SIGALG_SHA256_WITH_RSA          0401
  TLS_SIGALG_SHA256_WITH_DSA          0402
  TLS_SIGALG_SHA256_WITH_ECDSA        0403
  TLS_SIGALG_SHA384_WITH_RSA          0501
  TLS_SIGALG_SHA384_WITH_ECDSA        0503
  TLS_SIGALG_SHA512_WITH_RSA          0601
  TLS_SIGALG_SHA512_WITH_ECDSA        0603

Restriction: TLS_SIGALG_MD5_WITH_RSA (0x0101) cannot be specified when FIPS mode is enabled.
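The value rules for OcspRequestSigalg and OcspResponseSigAlgPairs above (a run of 4-hexadecimal-character pairs or a single constant name, no intervening blanks, first instance of a duplicate wins, at most 64 pairs, 0101 barred under FIPS, and rejection of a response signed with an algorithm outside the configured list), applied by a small checker. This is an added example written by the editor, not IBM code; the constant table is copied from Tables 1 and 2, and the flagging of MD5 and SHA-1 pairs as legacy is the editor's review heuristic, not a System SSL rule.

```python
"""Parse and validate OcspRequestSigalg / OcspResponseSigAlgPairs values.

Added example by the editor, not IBM code. It applies the rules this page gives
(4-hex-character pairs or one constant name, no intervening blanks, first
instance of a duplicate wins, at most 64 pairs, 0101 barred under FIPS) using
the constants from Tables 1 and 2. The MD5/SHA-1 flagging is a review heuristic
of the editor's, not a System SSL rule.
"""
import re

SIGALG_PAIRS = {  # Table 1 / Table 2: constant name -> hexadecimal characters
    "TLS_SIGALG_MD5_WITH_RSA": "0101",
    "TLS_SIGALG_SHA1_WITH_RSA": "0201",
    "TLS_SIGALG_SHA1_WITH_DSA": "0202",
    "TLS_SIGALG_SHA1_WITH_ECDSA": "0203",
    "TLS_SIGALG_SHA224_WITH_RSA": "0301",
    "TLS_SIGALG_SHA224_WITH_DSA": "0302",
    "TLS_SIGALG_SHA224_WITH_ECDSA": "0303",
    "TLS_SIGALG_SHA256_WITH_RSA": "0401",
    "TLS_SIGALG_SHA256_WITH_DSA": "0402",
    "TLS_SIGALG_SHA256_WITH_ECDSA": "0403",
    "TLS_SIGALG_SHA384_WITH_RSA": "0501",
    "TLS_SIGALG_SHA384_WITH_ECDSA": "0503",
    "TLS_SIGALG_SHA512_WITH_RSA": "0601",
    "TLS_SIGALG_SHA512_WITH_ECDSA": "0603",
}
HEX_TO_NAME = {v: k for k, v in SIGALG_PAIRS.items()}
MAX_PAIRS = 64
LEGACY_HASH_BYTES = {"01", "02"}  # hash byte 01 = MD5, 02 = SHA-1 (editor's heuristic)


def parse_sigalg_pairs(value, fips=False):
    """Ordered, de-duplicated hex pairs for an OcspResponseSigAlgPairs value.
    None (the documented default, null) means no restriction and yields []."""
    if value is None:
        return []
    value = value.strip()
    if value in SIGALG_PAIRS:  # a single constant name
        pairs = [SIGALG_PAIRS[value]]
    elif re.fullmatch(r"(?:[0-9A-Fa-f]{4})+", value):  # no blanks between pairs
        pairs = [value[i:i + 4].upper() for i in range(0, len(value), 4)]
    else:
        raise ValueError(f"not a constant name or run of 4-hex-character pairs: {value!r}")
    if len(pairs) > MAX_PAIRS:
        raise ValueError(f"more than {MAX_PAIRS} signature algorithm pairs")
    ordered = []
    for p in pairs:
        if p not in HEX_TO_NAME:
            raise ValueError(f"unknown signature algorithm pair {p}")
        if fips and p == "0101":
            raise ValueError("TLS_SIGALG_MD5_WITH_RSA (0101) cannot be specified in FIPS mode")
        if p not in ordered:  # duplicates: the first instance is used
            ordered.append(p)
    return ordered


def parse_request_sigalg(value, fips=False):
    """OcspRequestSigalg: exactly one pair; the documented default is 0401."""
    if value is None:
        return "0401"
    pairs = parse_sigalg_pairs(value, fips)
    if len(pairs) != 1:
        raise ValueError("OcspRequestSigalg takes a single signature algorithm pair")
    return pairs[0]


def response_accepted(configured_pairs, response_sigalg):
    """A response signed with an algorithm outside a configured list is
    rejected; an empty (null) list accepts any algorithm."""
    return not configured_pairs or response_sigalg in configured_pairs


def legacy_pairs(pairs):
    """Names of configured pairs built on MD5 or SHA-1, for review."""
    return [HEX_TO_NAME[p] for p in pairs if p[:2] in LEGACY_HASH_BYTES]
```

Run it against a candidate OcspResponseSigAlgPairs string before deploying the policy: an empty result from legacy_pairs and a non-empty list from parse_sigalg_pairs means the responder is pinned to SHA-2 signatures.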
- OcspServerStapling
- Specifies TLS server support for the inclusion of the OCSP response for the server's end entity
certificate or certificate chain as a TLS extension during the TLS handshake when requested by the
TLS client. For System SSL, GSK_SERVER_OCSP_STAPLING is set to this value. Valid values are:
- Off
- Specifies that the server should not contact OCSP responders to retrieve the OCSP responses for the server's end entity certificate or the server's certificate chain. This is the default.
- Any
- Specifies that the server should contact the OCSP responders to retrieve the OCSP responses for the server's end entity certificate and the server's certificate chain.
- EndEntity
- Specifies that the server should contact the OCSP responders to retrieve the OCSP response for the server's end entity certificate only.
Restriction: If 'Any' or 'EndEntity' is specified, then either OcspUrl or OcspAiaEnable On must also be specified.
- OcspClientCacheSize
- Sets the maximum number of OCSP responses or cached certificate
statuses to be kept in the OCSP response cache. The valid cache size
number is in the range 0 - 32000. The default number is 256. If 0
is specified, the OCSP response cache is disabled. The OCSP response
cache is allocated by using the requested size rounded up to the nearest
multiple of 16 with a minimum size of 16.
This parameter sets System SSL's GSK_OCSP_CLIENT_CACHE_SIZE attribute.
- OcspCliCacheEntryMaxsize
- Sets the maximum number of OCSP responses or cached certificate
statuses that are allowed to be kept in the OCSP response cache
for an issuing CA certificate. The number is in the range 0 -
32000 and must be less than or equal to the size specified for OcspClientCacheSize.
The size is set to 0 by default, which means that no limit is
set on the number of cached certificate statuses allowed for
a specific issuing CA certificate other than the limit imposed by
OcspClientCacheSize.
Tip: OcspClientCacheSize limits the total number of cached certificate statuses in the entire OCSP cache; OcspCliCacheEntryMaxsize limits the number cached for one issuing CA certificate. When a limit is exceeded, expired certificate statuses (for the per-CA limit, those with the same issuing CA certificate) are removed first. If none are expired, the certificate status that is closest to its expiration time is removed first. If OcspCliCacheEntryMaxsize is set to a value greater than OcspClientCacheSize, the following warning message is issued:
OcspCliCacheEntryMaxsize must be less than or equal to the size specified for OcspClientCacheSize.
This parameter sets System SSL's GSK_OCSP_CLIENT_CACHE_ENTRY_MAXSIZE attribute.
- OcspNonceGenEnable
- Specifies whether the OCSP request includes a generated nonce.
- On
- Indicates that OCSP nonce generation is enabled.
- Off
- Indicates that OCSP nonce generation is disabled. This is the default.
This parameter sets System SSL's GSK_OCSP_NONCE_GEN_ENABLE attribute.
- OcspNonceCheckEnable
- Specifies whether checking of the nonce in the OCSP response is
enabled.
- On
- Indicates that the nonce in the OCSP response is checked to ensure that it matches the one that is sent in the OCSP request.
- Off
- Indicates that the checking of the nonce in the OCSP response is disabled. This is the default.
Tips:
- If OcspNonceCheckEnable is set to On, OcspNonceGenEnable is implicitly set to On. If OcspNonceGenEnable is explicitly set to Off, the following warning message is issued and OcspNonceGenEnable is set to On:
OcspNonceGenEnable is being set to a value of On because OcspNonceCheckEnable was configured with a value of On.
- Set OcspNonceCheckEnable to On to improve security: a response is then accepted only if it carries the nonce that was sent in the request, so a response captured earlier for the same certificate cannot be replayed for the remainder of its validity period. However, if the OCSP responder does not support nonces, enabling the check might cause failures.
This parameter sets System SSL's GSK_OCSP_NONCE_CHECK_ENABLE attribute.
- OcspNonceSize
- Specifies the nonce size in bytes to be sent in OCSP requests.
Valid values are in the range 8 - 256 bytes.
The minimum and default size are 8 bytes.
This parameter sets System SSL's GSK_OCSP_NONCE_SIZE attribute.
- OcspResponseTimeout
- Specifies the time in seconds to wait for a complete response
from the OCSP responder. Valid values are in the range
0 - 43200 seconds. A value of 0 indicates that no time limit is
set. The default value is 15 seconds.
This parameter sets System SSL's GSK_OCSP_RESPONSE_TIMEOUT attribute.
- OcspMaxResponseSize
- Specifies the maximum size in bytes allowed in a response from
an OCSP responder. A value of 0 disables checking the size and
allows an OCSP response of any size. If the value for the maximum
response size is too small, OCSP support is implicitly disabled. Valid
values are in the range 0 - 2147483647. The default value is
20480 (20 KB).
This parameter sets System SSL's GSK_OCSP_MAX_RESPONSE_SIZE attribute.
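A consistency and hardening review of a whole TTLSGskOcspParms block, exercising the cross-parameter rules stated for the statement above: the OcspUrl grammar and length, the OcspServerStapling restriction, the OcspNonceCheckEnable/OcspNonceGenEnable coupling, the OcspCliCacheEntryMaxsize versus OcspClientCacheSize warning, the cache-size rounding, and the responder order selected by OcspUrlPriority. This is an added example written by the editor, not IBM or Policy Agent code; the policy text, the responder URL and the key label are constructed, the "Parameter value" layout with # comments is assumed, the warning texts are paraphrased rather than the exact product messages, and which settings review() reports as weak is the editor's judgement.

```python
"""Review a TTLSGskOcspParms block for consistency and hardening.

Added example by the editor, not IBM code. It assumes the AT-TLS policy layout
of "Parameter value" lines inside braces with # comments (the policy below is
constructed) and applies the defaults, ranges and cross-parameter rules stated
on this page. Warning texts are paraphrased, not exact Policy Agent messages.
"""
import re

DEFAULTS = {"OcspAiaEnable": "Off", "OcspUrlPriority": "On", "OcspRetrieveViaGet": "Off",
            "OcspServerStapling": "Off", "OcspNonceGenEnable": "Off",
            "OcspNonceCheckEnable": "Off", "OcspRequestSigalg": "0401",
            "OcspClientCacheSize": 256, "OcspCliCacheEntryMaxsize": 0, "OcspNonceSize": 8,
            "OcspResponseTimeout": 15, "OcspMaxResponseSize": 20480, "OcspProxyServerPort": 80}
RANGES = {"OcspClientCacheSize": (0, 32000), "OcspCliCacheEntryMaxsize": (0, 32000),
          "OcspNonceSize": (8, 256), "OcspResponseTimeout": (0, 43200),
          "OcspMaxResponseSize": (0, 2147483647), "OcspProxyServerPort": (1, 65535)}
# http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]; host may be a bracketed IPv6 address
HTTP_URL = re.compile(r"^http://(?:\[[0-9A-Fa-f:.]+\]|[^/:?\s]+)(?::\d{1,5})?(?:/[^?\s]*(?:\?\S*)?)?$")

SAMPLE_POLICY = """
TTLSGskOcspParms ocspStrict
{
  OcspUrl                  http://ocsp.example.test/status   # constructed responder
  OcspAiaEnable            On
  OcspUrlPriority          Off
  OcspServerStapling       EndEntity
  OcspNonceCheckEnable     On
  OcspRequestSigkeylabel   OCSPSIGNER
  OcspResponseSigAlgPairs  04030401
  OcspClientCacheSize      100
  OcspCliCacheEntryMaxsize 200
}
"""


def parse_policy(text):
    """Return (name, {parameter: value}) for the first TTLSGskOcspParms block."""
    m = re.search(r"TTLSGskOcspParms\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no TTLSGskOcspParms block found")
    parms = {}
    for raw in m.group(2).splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            parms[key] = val.strip()
    return m.group(1), parms


def effective(parms):
    """Apply defaults, range checks and cross-parameter rules; return (settings, warnings)."""
    cfg, warnings = dict(DEFAULTS), []
    cfg.update(parms)
    for key, (lo, hi) in RANGES.items():
        cfg[key] = int(cfg[key])
        if not lo <= cfg[key] <= hi:
            raise ValueError(f"{key} {cfg[key]} is outside {lo} - {hi}")
    url = cfg.get("OcspUrl")
    if url is not None and (len(url) > 2083 or not HTTP_URL.match(url)):
        raise ValueError("OcspUrl does not conform to the http_URL definition")
    if cfg["OcspServerStapling"] in ("Any", "EndEntity") and url is None \
            and cfg["OcspAiaEnable"] != "On":
        raise ValueError("OcspServerStapling Any/EndEntity needs OcspUrl or OcspAiaEnable On")
    if cfg["OcspNonceCheckEnable"] == "On" and cfg["OcspNonceGenEnable"] == "Off":
        warnings.append("OcspNonceGenEnable set to On because OcspNonceCheckEnable is On")
        cfg["OcspNonceGenEnable"] = "On"
    if cfg["OcspCliCacheEntryMaxsize"] > cfg["OcspClientCacheSize"]:
        warnings.append("OcspCliCacheEntryMaxsize must be <= OcspClientCacheSize")
    # The cache is allocated at the requested size rounded up to a multiple of 16
    # (minimum 16); 0 disables the cache.
    size = cfg["OcspClientCacheSize"]
    cfg["AllocatedCacheSize"] = 0 if size == 0 else max(16, -(-size // 16) * 16)
    return cfg, warnings


def responder_order(cfg):
    """Order in which responder sources are tried, per the OcspUrlPriority tips."""
    order = ["OcspUrl"] if "OcspUrl" in cfg else []
    if cfg["OcspAiaEnable"] == "On":
        order.append("AIA")
    if order == ["OcspUrl", "AIA"] and cfg["OcspUrlPriority"] == "Off":
        order.reverse()
    return order


def review(cfg):
    """Hardening findings; which settings count as weak is the editor's judgement."""
    findings = []
    if cfg["OcspNonceCheckEnable"] != "On":
        findings.append("nonce not checked: a captured response can be replayed until it expires")
    if "OcspRequestSigkeylabel" not in cfg:
        findings.append("OCSP requests are not signed")
    elif "AIA" in responder_order(cfg):
        findings.append("requests to AIA-selected responders are never signed")
    if "OcspResponseSigAlgPairs" not in cfg:
        findings.append("any responder signature algorithm is accepted, including MD5 and SHA-1")
    if cfg["OcspMaxResponseSize"] == 0 or cfg["OcspResponseTimeout"] == 0:
        findings.append("unbounded response size or wait time for the responder")
    return findings
```

On the constructed sample, effective() keeps the stapling setting (OcspUrl is present), forces OcspNonceGenEnable to On, warns that the per-CA cache limit exceeds the total, rounds the 100-entry cache up to 112, and responder_order() reports AIA before OcspUrl because OcspUrlPriority is Off; review() then points out that requests to those AIA-selected responders are never signed even though a signing key label is configured.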