CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On
Issue/Introduction
We unchecked the CRL control check box in each certificate mapping under Infrastructure > directory > certificate mapping.
Under Infrastructure > X509 certificate management > OCSP configuration, there's no OCSP configured. We did an authentication test but it failed. In the log file it looks like the Policy Server tries to use CRL and OCSP and we don't understand why.
How can we fully disable CRL and OCSP from the Policy Server?
Environment
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP Component:
Resolution
First, make sure that every CertMap has option 3 set to 0, which means "CRL Check" is disabled:
- On the Policy Server, open a command line window and start XPSExplorer;
- In XPSExplorer, navigate to the CertMap objects (115), or look up the exact number in the tool;
- List the certmaps: S
- Select the certmap to edit by selecting its number
Enter Option (#, +, -, B, X, Y, M, Q): 1
- Get a writable copy by selecting W
Enter Option (MJLRPWDAX+Q): w
- Select the option # of the property whose value we want to change
03:*Flags = 8(0x8): for CRL Check
We need to change this value to 0 to disable the CRL Check.
- Validate the Record
Enter Option (# or MJLRPBVUDAX+Q): V
- Update the Record
Enter Option (# or MJLRPBVUDAX+Q): U
Enter Option (# or MJLRPBVUDAX+Q): Q
Enter Option (# or MJLRPBVUDAX+Q): Q
Enter Option (#,F,B,X,P, or Q): P
- On each Policy Server:
  - Go to the Policy_Server_home/config folder;
  - Rename SMocsp.conf to SMocsp.conf.orig;
  - Restart the Policy Server;
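
The file rename step above, written as a re-runnable helper for a Policy Server on Linux/UNIX. This is an added example, not code from the original article or from the vendor. The function name, the exit codes and the install path passed as the argument are assumptions, and the restart is left to the operator.

```shell
#!/bin/sh
# Added example: rename SMocsp.conf to SMocsp.conf.orig under <home>/config.
# Call as: disable_smocsp_conf /path/to/Policy_Server_home  (path is an assumption)
# Return codes (chosen for this example):
#   0 = renamed, or SMocsp.conf was already absent
#   1 = rename failed, 2 = config folder missing, 3 = .orig already exists
disable_smocsp_conf() {
    conf_dir="$1/config"
    active="$conf_dir/SMocsp.conf"
    parked="$conf_dir/SMocsp.conf.orig"

    if [ ! -d "$conf_dir" ]; then
        echo "no config folder at $conf_dir" >&2
        return 2
    fi
    if [ ! -e "$active" ]; then
        # Already renamed on an earlier run, or OCSP was never configured here.
        echo "SMocsp.conf not present in $conf_dir; nothing to do"
        return 0
    fi
    if [ -e "$parked" ]; then
        # Both files exist: do not overwrite the earlier copy, let the operator decide.
        echo "$parked already exists; resolve manually" >&2
        return 3
    fi
    mv "$active" "$parked" || return 1
    echo "renamed $active to $parked; restart the Policy Server"
    return 0
}
```

Run it on each Policy Server; a return code of 3 means an active SMocsp.conf reappeared next to an earlier SMocsp.conf.orig and should be reviewed before restarting.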