Configuring Liberty to use OCSP to check certificates

After you configure i2 Analyze to use client certificate authentication, you can configure Liberty to use Online Certificate Status Protocol (OCSP) to check the revocation state of the client certificates. For more information about OCSP, see Online Certificate Status Protocol.

About this task

If you follow this procedure in a deployment that provides high availability, you must complete each step on every Liberty server in your environment before you move to the next step.

Procedure

  1. In a text editor, open the i2analyze\deploy\wlp\usr\servers\opal-server\jvm.options file and add the following lines:

    -Dcom.sun.net.ssl.checkRevocation=true
    -Djava.security.properties=C:/i2/i2analyze/deploy/wlp/usr/servers/opal-server/java-security-ocsp.properties

    Where:

    • checkRevocation is set to true to instruct Liberty to check whether certificates have been revoked.

    • java.security.properties is the path to a properties file that contains the settings to configure OCSP.

  2. In a text editor, create the i2analyze\deploy\wlp\usr\servers\opal-server\java-security-ocsp.properties file and add the following lines:

    ocsp.enable=true
    ocsp.responderURL=

    Where:

    • ocsp.enable is set to true to enable OCSP.

    • ocsp.responderURL is the URL of the OCSP service that is used to check the status of a certificate. When this value is specified, it overrides the value in the Authority Information Access extension on the certificate.

  3. Restart Liberty:

    setup -t restartLiberty

What to do next

Log in to your deployment to test that revoked certificates are identified successfully.

If a user attempts to log in with a revoked certificate, a message is displayed in the Liberty logs. For example:

java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: Wed Jan 20 17:13:35 UTC 2021, authority: CN=ocsp, OU=i2, O=IBM, ST=England, C=GB, extension OIDs: []

If your OCSP service is unavailable, a message is displayed in the Liberty logs. For example:

The extended error message from the SSL handshake exception is: PKIX path validation failed: java.security.cert.CertPathValidatorException: Unable to determine revocation status due to network error