(image source : http://support.f5.com/techdocs/home/bigip/manuals/bigip4_5/bigip4_5features/images/BIGip_OCSPa.gif)
During the SSL handshake, a server can invoke the OCSP or CRL protocol to verify that the client's X.509 certificate has not been revoked by its issuer. These protocols need to make an HTTP call to servers at the CA in order to do the verification. The responses include information about the revocation status of the certificates. The SSL connection cannot be established any further if the response indicates that the certificate is revoked; otherwise the server can complete the SSL handshake.
In ESB 4.8.1 this feature is already implemented for the transport sender. I have implemented it for the transport listener.
In order to enable this feature, you have to add the following configuration to the “Transport Ins (Listeners)” section of the axis2.xml file.
<parameter name="SSLVerifyClient">require</parameter> <!-- supports optional|require or defaults to none -->
<parameter name="CertificateRevocationVerifier" enable="true">
    <CacheSize>50</CacheSize>
    <!-- In minutes -->
    <CacheDelay>1</CacheDelay>
</parameter>
An automatically managed cache is associated with both OCSP and CRL verifications.
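The following is an added example, not code from the original post or from the ESB itself: it walks through the revocation check described above (OCSP request and response, CRL fallback when the responder is unusable) and a bounded, time-limited cache shaped like the CacheSize / CacheDelay settings. The CA, the client certificates and both responders are constructed in-process with the `cryptography` package so that the whole flow runs offline; a real listener would fetch the OCSP response and the CRL over HTTP from the URLs carried in the certificate's extensions. The class and function names, and the GOOD/REVOKED status strings, are assumptions made for the example.

```python
import datetime
from collections import OrderedDict
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_cert(cn, signer_key=None, issuer=None, ca=False):
    """Constructed test PKI: a self-signed CA when signer_key is None, else a leaf issued by it."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(issuer.subject if issuer is not None else subject)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(_now() - datetime.timedelta(days=1))
               .not_valid_after(_now() + datetime.timedelta(days=30))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    return key, builder.sign(signer_key or key, hashes.SHA256())


class TestCA:
    """Stands in for the CA's OCSP responder and CRL distribution point (constructed, in-process)."""

    def __init__(self):
        self.key, self.cert = make_cert("Constructed Test CA", ca=True)
        self.issued = {}      # serial number -> certificate
        self.revoked = set()  # serial numbers the CA has revoked

    def issue(self, cn):
        _, cert = make_cert(cn, signer_key=self.key, issuer=self.cert)
        self.issued[cert.serial_number] = cert
        return cert

    def ocsp_response(self, request_der):
        """What the CA's OCSP endpoint would return for a DER-encoded OCSP request."""
        req = ocsp.load_der_ocsp_request(request_der)
        revoked = req.serial_number in self.revoked
        now = _now()
        resp = (ocsp.OCSPResponseBuilder()
                .add_response(cert=self.issued[req.serial_number], issuer=self.cert,
                              algorithm=hashes.SHA1(),
                              cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
                              this_update=now, next_update=now + datetime.timedelta(hours=1),
                              revocation_time=now if revoked else None,
                              revocation_reason=x509.ReasonFlags.key_compromise if revoked else None)
                .responder_id(ocsp.OCSPResponderEncoding.HASH, self.cert)
                .sign(self.key, hashes.SHA256()))
        return resp.public_bytes(serialization.Encoding.DER)

    def crl(self):
        """What the CA's CRL distribution point would serve (DER)."""
        now = _now()
        builder = (x509.CertificateRevocationListBuilder()
                   .issuer_name(self.cert.subject)
                   .last_update(now).next_update(now + datetime.timedelta(days=1)))
        for serial in self.revoked:
            builder = builder.add_revoked_certificate(
                x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build())
        return builder.sign(self.key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


class RevocationCache:
    """Bounded cache of serial -> status; entries expire after cache_delay_minutes (cf. CacheSize/CacheDelay)."""

    def __init__(self, cache_size=50, cache_delay_minutes=1, clock=_now):
        self.cache_size, self.clock = cache_size, clock
        self.ttl = datetime.timedelta(minutes=cache_delay_minutes)
        self.entries = OrderedDict()

    def get(self, serial):
        entry = self.entries.get(serial)
        if entry is None:
            return None
        status, expires = entry
        if self.clock() >= expires:          # stale: drop it and force a fresh lookup
            del self.entries[serial]
            return None
        return status

    def put(self, serial, status):
        self.entries[serial] = (status, self.clock() + self.ttl)
        while len(self.entries) > self.cache_size:  # evict the oldest entries beyond CacheSize
            self.entries.popitem(last=False)


def check_revocation(cert, issuer_cert, fetch_ocsp, fetch_crl, cache):
    """Return 'GOOD' or 'REVOKED'. OCSP is tried first; the CRL is used when OCSP gives no usable answer."""
    cached = cache.get(cert.serial_number)
    if cached is not None:
        return cached
    status = None
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer_cert, hashes.SHA1()).build()
    try:
        resp = ocsp.load_der_ocsp_response(fetch_ocsp(req.public_bytes(serialization.Encoding.DER)))
        if resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL:
            # The responder here is the CA itself, so its signature is checked with the issuer key.
            issuer_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                            padding.PKCS1v15(), resp.signature_hash_algorithm)
            if resp.serial_number == cert.serial_number and resp.certificate_status != ocsp.OCSPCertStatus.UNKNOWN:
                status = "REVOKED" if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED else "GOOD"
    except (ValueError, InvalidSignature, OSError):
        status = None  # unreachable, malformed or badly signed OCSP answer: fall back to the CRL
    if status is None:
        crl = x509.load_der_x509_crl(fetch_crl())
        if not crl.is_signature_valid(issuer_cert.public_key()):
            raise ValueError("CRL signature invalid; refusing to decide on an unverified CRL")
        status = "REVOKED" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "GOOD"
    cache.put(cert.serial_number, status)
    return status


def responder_down(_request_der):
    raise OSError("OCSP responder unreachable (simulated)")


def demo():
    ca = TestCA()
    good, bad = ca.issue("good-client"), ca.issue("revoked-client")
    ca.revoked.add(bad.serial_number)
    cache = RevocationCache(cache_size=50, cache_delay_minutes=1)
    return {
        "good": check_revocation(good, ca.cert, ca.ocsp_response, ca.crl, cache),
        "revoked": check_revocation(bad, ca.cert, ca.ocsp_response, ca.crl, cache),
        # Responder down and an empty (unparseable) CRL: the answer can only come from the cache.
        "revoked_from_cache": check_revocation(bad, ca.cert, responder_down, lambda: b"", cache),
        # Responder down with a fresh cache: the CRL fallback decides.
        "good_via_crl": check_revocation(good, ca.cert, responder_down, ca.crl, RevocationCache()),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the OCSP branch treats an UNKNOWN status, a serial mismatch or a bad responder signature the same as an unreachable responder and drops to the CRL, and a CRL whose signature does not verify is an error rather than a "good" result, so a tampered or substituted CRL cannot silently admit a revoked client. The cache is keyed by serial number only because every certificate here comes from one issuer; with several trusted CAs the key would also need the issuer.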
Testing OCSP/CRL validation with self-signed certificates will be explained in the next blog post.