How to enable OCSP Check in TIBCO BE

Article ID: KB0071635

Updated On:

Products Versions
TIBCO BusinessEvents Enterprise Edition 6.X

Description

How do you enable the OCSP (Online Certificate Status Protocol) check in TIBCO BE? Refer to the resource below for details on OCSP and its significance:

https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

Environment

All Operating systems

Resolution

To enable revocation checking using OCSP, add the following properties to the be-engine.tra file under BE_HOME/bin:

java.property.jdk.tls.server.enableStatusRequestExtension=true
java.property.com.sun.net.ssl.checkRevocation=true
java.property.com.sun.security.enableCRLDP=true
java.property.java.security.debug=certpath

The first property lets the engine, when it acts as a TLS server, honour the status_request extension (OCSP stapling); checkRevocation turns on revocation checking in the JSSE PKIX trust manager; enableCRLDP allows CRLs to be fetched from the distribution points named in the certificate as a fallback when OCSP is unavailable; java.security.debug=certpath writes the certificate path and OCSP exchange to the engine log. The debug property is only needed while verifying the setup, so remove it once the check has been confirmed.


In addition, set the following property in the TIBCO_HOME/tibcojre64/11/lib/security/java.security file (uncomment it if it is already present as a comment). Note that ocsp.enable is a Java Security property, not a System property, so it cannot be set with a java.property entry in the .tra file:

ocsp.enable=true

Once the engine is restarted with these changes, entries like the following appear in the BE application log for each certificate that is checked over OCSP:

certpath: RevocationChecker.check: checking cert
  SN:     39252e20 e18cd90c 0a000000 00e8323f
  Subject: CN=*.abc.com
  Issuer: CN=ABC, O=ABC LLC, C=US
certpath: connecting to OCSP service at: http://ocsp.pki.abc/abc
certpath: OCSP response status: SUCCESSFUL
certpath: OCSP response type: basic
certpath: Responder ID: byKey: 8A747FAF85CDEE95CD3D9CD0E24614F371351D27
certpath: OCSP response produced at: Thu Jul 15 15:34:33 EDT 2018
certpath: OCSP number of SingleResponses: 1
certpath: thisUpdate: Thu Jul 15 15:34:32 EDT 2018
certpath: nextUpdate: Thu Jul 22 14:34:31 EDT 2018
certpath: Status of certificate (with serial number 75959046339453363611227911452581444111) is: GOOD
certpath: OCSP response is signed by the target's Issuing CA
certpath: Constraints.permits(): SHA256withRSA Variant: generic
certpath: Verified signature of OCSP Response
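The following shell script is an added example, not code from the TIBCO KB article or from TIBCO: it applies the two configuration steps above idempotently and then checks an engine log for the "Status of certificate" lines shown in the output above, failing when any certificate is reported as something other than GOOD or when no status line is present at all (which usually means revocation checking never ran). The file paths are passed in by the caller; the real ones are BE_HOME/bin/be-engine.tra and TIBCO_HOME/tibcojre64/11/lib/security/java.security, and the log fragment at the end is constructed to mirror the article's output.

```shell
# Added example (not TIBCO's code): apply the OCSP settings idempotently and
# verify them from the engine log. Paths are supplied by the caller.

# Step 1: append each java.property line to be-engine.tra unless present.
enable_ocsp_tra() {
  tra="$1"
  for prop in \
    'java.property.jdk.tls.server.enableStatusRequestExtension=true' \
    'java.property.com.sun.net.ssl.checkRevocation=true' \
    'java.property.com.sun.security.enableCRLDP=true' \
    'java.property.java.security.debug=certpath'
  do
    grep -qxF "$prop" "$tra" || printf '%s\n' "$prop" >> "$tra"
  done
}

# Step 2: ocsp.enable is a Security property (java.security.Security), not a
# System property, so it belongs in java.security, never in the .tra file.
# Uncomment an existing "#ocsp.enable=true" line, otherwise append it.
enable_ocsp_security() {
  sec="$1"
  if grep -qE '^[[:space:]]*#[[:space:]]*ocsp\.enable=true[[:space:]]*$' "$sec"; then
    sed 's/^[[:space:]]*#[[:space:]]*ocsp\.enable=true[[:space:]]*$/ocsp.enable=true/' "$sec" > "$sec.tmp" \
      && mv "$sec.tmp" "$sec"
  elif ! grep -qx 'ocsp.enable=true' "$sec"; then
    printf '%s\n' 'ocsp.enable=true' >> "$sec"
  fi
}

# Verification: extract "Status of certificate (with serial number N) is: S"
# lines from the engine log and print "N S" per certificate. Returns 1 if any
# status is not GOOD (REVOKED or UNKNOWN) or if no status line exists at all.
check_ocsp_log() {
  log="$1"
  statuses=$(sed -n 's/^certpath: Status of certificate (with serial number \([0-9]*\)) is: \([A-Z]*\).*$/\1 \2/p' "$log")
  if [ -z "$statuses" ]; then
    echo "no OCSP status lines found in $log" >&2
    return 1
  fi
  printf '%s\n' "$statuses"
  if printf '%s\n' "$statuses" | grep -qv ' GOOD$'; then
    return 1
  fi
  return 0
}

# Demo on a constructed log fragment (lines mirror the article's output).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
certpath: RevocationChecker.check: checking cert
certpath: connecting to OCSP service at: http://ocsp.pki.abc/abc
certpath: OCSP response status: SUCCESSFUL
certpath: Status of certificate (with serial number 75959046339453363611227911452581444111) is: GOOD
EOF
check_ocsp_log "$demo_log"
rm -f "$demo_log"
```

Source the script and call enable_ocsp_tra "$BE_HOME/bin/be-engine.tra" and enable_ocsp_security "$TIBCO_HOME/tibcojre64/11/lib/security/java.security" before restarting the engine, then run check_ocsp_log against the engine log; a non-zero exit from the check is the signal that either a certificate was reported as revoked or unknown, or that the certpath debug output never showed a revocation check, in which case recheck that ocsp.enable went into java.security rather than the .tra file.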


 

Issue/Introduction

How to enable OCSP (Online Certificate Status Protocol) Check in TIBCO BE