TTLSGskOcspParms statement

Use the TTLSGskOcspParms statement to define a set of OCSP parameters to use for Certificate Revocation List (CRL) checking for an AT-TLS environment action. A TTLSGskOcspParms statement can be specified inline in a TTLSGskAdvancedParms statement or referenced by a TTLSGskAdvancedParms statement.

Syntax

   TTLSGskOcspParms name
   {
      TTLSGskOcspParms Parameters
   }

   Put braces and parameters on separate lines.

TTLSGskOcspParms Parameters

   OcspUrl url
   OcspAiaEnable Off | On                      (default: Off)
   OcspProxyServerName hostname
   OcspProxyServerPort port                    (default: 80)
   OcspRetrieveViaGet Off | On                 (default: Off)
   OcspUrlPriority On | Off                    (default: On)
   OcspRequestSigkeylabel label
   OcspRequestSigalg algorithm                 (default: 0401)
   OcspResponseSigAlgPairs algorithms
   OcspServerStapling Off | Any | EndEntity    (default: Off)
   OcspClientCacheSize size                    (default: 256)
   OcspCliCacheEntryMaxsize size               (default: 0)
   OcspNonceGenEnable Off | On                 (default: Off)
   OcspNonceCheckEnable Off | On               (default: Off)
   OcspNonceSize size                          (default: 8)
   OcspResponseTimeout value                   (default: 15)
   OcspMaxResponseSize size                    (default: 20480)

Parameters

OcspUrl
Specifies the HTTP URL of an OCSP responder. The OCSP responder is used to obtain certificate revocation status during certificate validation. A certificate does not need an AIA extension if a responder URL is configured by using this option.
The value must conform to the definition of an HTTP URL:
http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
where host can be an IPv4 or IPv6 IP address, or a domain name. The maximum length of the OcspUrl is 2083 characters.
Tips:
  • If OcspUrl is specified, OcspAiaEnable is set to On and OcspUrlPriority is set to On, the responder defined by OcspUrl is used before the responders identified in the AIA extension are used.
  • If OcspUrl is specified, OcspAiaEnable is set to On and OcspUrlPriority is set to Off, the responders identified in the AIA extension are used before the responder defined by OcspUrl is used.

This parameter sets System SSL's GSK_OCSP_URL attribute.

OcspAiaEnable
Specifies whether the AIA extensions in the certificate are used for revocation checking.
On
Indicates that the AIA extension in the certificate is used for certificate revocation checking.
Off
Indicates that the AIA extension in the certificate is not used for certificate revocation checking. This is the default.
Tips:
  • Use this parameter to set the SSL attribute GSK_OCSP_ENABLE.
  • If OcspUrl is specified, OcspAiaEnable is set to On and OcspUrlPriority is set to On, the responder defined by OcspUrl (GSK_OCSP_URL) is used before the responders identified in the AIA extension are used.
  • If OcspUrl is specified, OcspAiaEnable is set to On and OcspUrlPriority is set to Off, the responders identified in the AIA extension are used before the responder defined by OcspUrl is used.
OcspProxyServerName
Specifies the DNS name or IP address of the OCSP proxy server. When DNS name is used, the maximum length is 255 characters.

This parameter sets System SSL's GSK_OCSP_PROXY_SERVER_NAME attribute.

OcspProxyServerPort
Sets the OCSP responder port for the proxy server. The port must be in the range 1 - 65535. Port 80 is used if no OCSP proxy server port is set.

This parameter sets System SSL's GSK_OCSP_PROXY_SERVER_PORT attribute.

OcspRetrieveViaGet
Specifies whether the HTTP request to the OCSP responder is sent by using either the HTTP Get Method or the HTTP Post Method. Valid values are as follows:
On
Indicates that the HTTP GET Method is used when sending an OCSP request whose total request size, after Base64 encoding, is less than 255 bytes. Use this option to enable HTTP caching on the OCSP responder when the responder is enabled for caching.
Off
Indicates that the HTTP request is sent by using an HTTP Post Method. This is the default.

This parameter sets System SSL's GSK_OCSP_RETRIEVE_VIA_GET attribute.

OcspUrlPriority
Specifies the order of precedence for contacting OCSP responder locations if both OcspUrl and OcspAiaEnable are active.
On
Indicates that the responder defined by OcspUrl is used before the responders identified in the AIA extension are used. This is the default.
Off
Indicates that the responders identified in the AIA extension are used before the responder defined by OcspUrl is used.

This parameter sets System SSL's GSK_OCSP_URL_PRIORITY attribute.

OcspRequestSigkeylabel
Specifies the label of the key to use to sign OCSP requests. OCSP requests are signed only when a key label is specified. The maximum length of the OcspRequestSigkeylabel is 127 characters.

Only requests that are sent to the OCSP responder identified by using the OcspUrl setting are signed. Requests that are sent to an OCSP responder selected from a certificate AIA extension are not signed.

This parameter sets System SSL's GSK_OCSP_REQUEST_SIGKEYLABEL attribute.

OcspRequestSigalg
Specifies the hash and signature algorithm pair to use to sign OCSP requests as a string that consists of a 4-character value. The default value is RSA with SHA256 ('0401').

Only requests that are sent to the OCSP responder identified by using the OcspUrl setting are signed.

This parameter sets System SSL's GSK_OCSP_REQUEST_SIGALG attribute. See the following table for the supported signature algorithm pair constants that can be specified.

Table 1. OcspRequestSigalg signature pairs

   Signature algorithm pair constant    Hexadecimal characters
   TLS_SIGALG_MD5_WITH_RSA              0101
   TLS_SIGALG_SHA1_WITH_RSA             0201
   TLS_SIGALG_SHA1_WITH_DSA             0202
   TLS_SIGALG_SHA1_WITH_ECDSA           0203
   TLS_SIGALG_SHA224_WITH_RSA           0301
   TLS_SIGALG_SHA224_WITH_DSA           0302
   TLS_SIGALG_SHA224_WITH_ECDSA         0303
   TLS_SIGALG_SHA256_WITH_RSA           0401
   TLS_SIGALG_SHA256_WITH_DSA           0402
   TLS_SIGALG_SHA256_WITH_ECDSA         0403
   TLS_SIGALG_SHA384_WITH_RSA           0501
   TLS_SIGALG_SHA384_WITH_ECDSA         0503
   TLS_SIGALG_SHA512_WITH_RSA           0601
   TLS_SIGALG_SHA512_WITH_ECDSA         0603

Restriction: TLS_SIGALG_MD5_WITH_RSA (0x0101) cannot be specified when FIPS mode is enabled.

OcspResponseSigAlgPairs
Specifies a preference-ordered list of signature algorithm pairs to be sent on the OCSP request. The OCSP responder may use this list to select an appropriate algorithm for signing the OCSP response. The OCSP response is rejected if OcspResponseSigAlgPairs is specified and the OCSP response is signed by a signature algorithm that was not specified in the list.

The algorithms value is a string of one or more 4-hexadecimal-character signature algorithm pairs, or a single signature algorithm pair constant, in order of preference. When using hexadecimal notation, the algorithm string cannot have intervening blanks between the signature algorithm pairs. If duplicate signature algorithm pairs are specified, the first instance is used and all other instances are ignored. The maximum number of TLS signature algorithm pairs is 64. The default value is null.

The System SSL environment variable associated with this parameter is GSK_OCSP_RESPONSE_SIGALG_PAIRS. The signature algorithm pairs list can be specified as follows:

Table 2. OcspResponseSigAlgPairs signature pairs

   Signature algorithm pair constant    Hexadecimal characters
   TLS_SIGALG_MD5_WITH_RSA              0101
   TLS_SIGALG_SHA1_WITH_RSA             0201
   TLS_SIGALG_SHA1_WITH_DSA             0202
   TLS_SIGALG_SHA1_WITH_ECDSA           0203
   TLS_SIGALG_SHA224_WITH_RSA           0301
   TLS_SIGALG_SHA224_WITH_DSA           0302
   TLS_SIGALG_SHA224_WITH_ECDSA         0303
   TLS_SIGALG_SHA256_WITH_RSA           0401
   TLS_SIGALG_SHA256_WITH_DSA           0402
   TLS_SIGALG_SHA256_WITH_ECDSA         0403
   TLS_SIGALG_SHA384_WITH_RSA           0501
   TLS_SIGALG_SHA384_WITH_ECDSA         0503
   TLS_SIGALG_SHA512_WITH_RSA           0601
   TLS_SIGALG_SHA512_WITH_ECDSA         0603

Restriction: TLS_SIGALG_MD5_WITH_RSA (0x0101) cannot be specified when FIPS mode is enabled.

OcspServerStapling
Specifies TLS server support for the inclusion of the OCSP response for the server's end entity certificate or certificate chain as a TLS extension during the TLS handshake when requested by the TLS client. For System SSL, GSK_SERVER_OCSP_STAPLING is set to this value. Valid values are:
Off
Specifies that the server should not contact OCSP responders to retrieve the OCSP responses for the server's end entity certificate or the server's certificate chain. This is the default.
Any
Specifies that the server should contact the OCSP responders to retrieve the OCSP responses for the server's end entity certificate and the server's certificate chain.
EndEntity
Specifies that the server should contact the OCSP responders to retrieve the OCSP response for the server's end entity certificate only.

Restriction: If 'Any' or 'EndEntity' is specified, then either OcspUrl or OcspAiaEnable On must also be specified.

OcspClientCacheSize
Sets the maximum number of OCSP responses or cached certificate statuses to be kept in the OCSP response cache. The valid cache size number is in the range 0 - 32000. The default number is 256. If 0 is specified, the OCSP response cache is disabled. The OCSP response cache is allocated by using the requested size rounded up to the nearest multiple of 16 with a minimum size of 16.

This parameter sets System SSL's GSK_OCSP_CLIENT_CACHE_SIZE attribute.

OcspCliCacheEntryMaxsize
Sets the maximum number of OCSP responses or cached certificate statuses that are allowed to be kept in the OCSP response cache for an issuing CA certificate. The number is in the range 0 - 32000 and must be less than or equal to the size specified for OcspClientCacheSize. The size is set to 0 by default, which means that no limit is set on the number of cached certificate statuses allowed for a specific issuing CA certificate other than the limit imposed by OcspClientCacheSize.
Tip: Use OcspClientCacheSize to specify the total number of cached certificate statuses allowed in the entire OCSP cache. If this count is exceeded, any expired certificate statuses are first removed. If no expired certificate statuses have the same issuing CA certificate, the certificate status that is closest to the expiration time is removed first. If OcspCliCacheEntryMaxsize is set to a value greater than OcspClientCacheSize, the following warning message is issued:
OcspCliCacheEntryMaxsize must be less than or equal to the size specified for OcspClientCacheSize.

This parameter sets System SSL's GSK_OCSP_CLIENT_CACHE_ENTRY_MAXSIZE attribute.

OcspNonceGenEnable
Specifies whether the OCSP request includes a generated nonce.
On
Indicates that OCSP nonce generation is enabled.
Off
Indicates that OCSP nonce generation is disabled. This is the default.
This parameter sets System SSL's GSK_OCSP_NONCE_GENERATION_ENABLE attribute.
OcspNonceCheckEnable
Specifies whether checking of the nonce in the OCSP response is enabled.
On
Indicates that the nonce in the OCSP response is checked to ensure that it matches the one that is sent in the OCSP request.
Off
Indicates that the checking of the nonce in the OCSP response is disabled. This is the default.
Tips:
  • If OcspNonceCheckEnable is set to On, OcspNonceGenEnable is implicitly set to On. If OcspNonceGenEnable is set to Off, the following warning message is issued and OcspNonceGenEnable is set to On:
    OcspNonceGenEnable is being set to a value of On because OcspNonceCheckEnable was configured with a value of On.
  • You can set OcspNonceCheckEnable to On to improve security. However, if the OCSP responder does not support nonces, it might cause failures.

This parameter sets System SSL's GSK_OCSP_NONCE_CHECK_ENABLE attribute.

OcspNonceSize
Specifies the nonce size in bytes to be sent in OCSP requests. Valid values are in the range 8 - 256 bytes.

The minimum and default size are 8 bytes.

This parameter sets System SSL's GSK_OCSP_NONCE_SIZE attribute.

OcspResponseTimeout
Specifies the time in seconds to wait for a complete response from the OCSP responder. Valid values are in the range 0 - 43200 seconds. A value of 0 indicates that no time limit is set. The default value is 15 seconds.

This parameter sets System SSL's GSK_OCSP_RESPONSE_TIMEOUT attribute.

OcspMaxResponseSize
Specifies the maximum size in bytes allowed in a response from an OCSP responder. A value of 0 disables checking the size and allows an OCSP response of any size. If the value for the maximum response size is too small, OCSP support is implicitly disabled. Valid values are in the range 0 - 2147483647. The default value is 20480 (20 KB).

This parameter sets System SSL's GSK_OCSP_MAX_RESPONSE_SIZE attribute.
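As an added example (not from the IBM documentation and not System SSL's own logic), the following Python policy-linting script parses a constructed TTLSGskOcspParms stanza and derives the effective settings the text above describes: the implicit OcspNonceGenEnable override with its warning, the rounding of OcspClientCacheSize to a multiple of 16, the OcspCliCacheEntryMaxsize warning, the responder order implied by OcspUrl, OcspAiaEnable and OcspUrlPriority, and the parsing of OcspResponseSigAlgPairs with duplicates ignored. The stanza name, the responder URL and the values are constructed for illustration.

```python
import re

# Constructed sample stanza (not from the page); the URL is a placeholder.
SAMPLE = """
TTLSGskOcspParms ocspClient
{
   OcspUrl                  http://ocsp.example.test:8080/
   OcspAiaEnable            On
   OcspUrlPriority          Off
   OcspNonceCheckEnable     On
   OcspNonceGenEnable       Off
   OcspResponseSigAlgPairs  04010501040305030401
   OcspClientCacheSize      100
   OcspCliCacheEntryMaxsize 200
}
"""

# Documented defaults for the keywords this script reasons about.
DEFAULTS = {"OcspAiaEnable": "Off", "OcspUrlPriority": "On",
            "OcspNonceGenEnable": "Off", "OcspNonceCheckEnable": "Off",
            "OcspClientCacheSize": "256", "OcspCliCacheEntryMaxsize": "0"}

def parse_stanza(text):
    """Return (statement name, keyword -> value dict with defaults applied)."""
    m = re.search(r"TTLSGskOcspParms\s+(\S+)\s*\{(.*?)\}", text, re.S)
    parms = dict(DEFAULTS)
    for line in m.group(2).splitlines():
        if line.strip():
            key, val = line.split(None, 1)
            parms[key] = val.strip()
    return m.group(1), parms

def effective_settings(parms):
    """Apply the documented implicit adjustments; return (settings, warnings)."""
    p, warnings = dict(parms), []
    if p["OcspNonceCheckEnable"] == "On" and p["OcspNonceGenEnable"] == "Off":
        warnings.append("OcspNonceGenEnable is being set to a value of On because "
                        "OcspNonceCheckEnable was configured with a value of On.")
        p["OcspNonceGenEnable"] = "On"
    size = int(p["OcspClientCacheSize"])       # 0 disables the cache entirely
    p["AllocatedCacheSize"] = 0 if size == 0 else max(16, -(-size // 16) * 16)
    if int(p["OcspCliCacheEntryMaxsize"]) > size:
        warnings.append("OcspCliCacheEntryMaxsize must be less than or equal to "
                        "the size specified for OcspClientCacheSize.")
    order = ["OcspUrl"] if "OcspUrl" in p else []   # responder contact order
    if p["OcspAiaEnable"] == "On":
        order.insert(0 if p["OcspUrlPriority"] == "Off" else len(order), "AIA")
    p["ResponderOrder"] = order
    raw = p.get("OcspResponseSigAlgPairs", "")      # 4 hex chars per pair, no blanks
    if len(raw) % 4 or not re.fullmatch(r"[0-9A-Fa-f]*", raw):
        raise ValueError("OcspResponseSigAlgPairs must be 4-hex-character pairs")
    pairs = list(dict.fromkeys(raw[i:i + 4] for i in range(0, len(raw), 4)))
    p["SigAlgPairs"] = pairs[:64]                   # first instance wins, max 64
    return p, warnings
```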