Layer 7 Access Management

Expand all | Collapse all

Tech Tip : CA Single Sign-On : Problem disactivate CRL checking

  • 1.  Tech Tip : CA Single Sign-On : Problem disactivate CRL checking

    Posted 04-09-2019 05:42 AM

    Issue:

     

    We unchecked the CRL control check box in each certificate mapping
    under Infrastructure>directory> certificate mapping

     

    Under Infrastructure> X509 certifictae management> OSCP configuration:
    there's no OCSP configured. We did an authentication test but it
    failed. In log file it look like policy server try to use CRL and OCSP
    and we don't understand why.

     

    How can we fully disable CRL and OCSP from the Policy Server ?

     

    Resolution:

     

    First make sure that all CertMap have the option 3 set to 0, which
    mean "CRL Check" disabled :

     

    - On the Policy Server, open a command line windowm, and start
    XPSExplorer;

    - XPSExplorer, navigate to CertMap objects (115) or look for the exact
    number in tool;

    - List the certmaps : S

    - Select the certmap to edit by selecting number

    Enter Option (#, +, -, B, X, Y, M, Q): 1

    - Get a writable copy by selecting W

    Enter Option (MJLRPWDAX+Q): w

    - Select the option # (for which we want change the value of the
    property)

    03:*Flags = 8(0x8): for CRL Check

    we need to change this value to 0 to disable the CRL Check.

    - Validate the Record

    Enter Option (# or MJLRPBVUDAX+Q): V

    - Update the Record

    Enter Option (# or MJLRPBVUDAX+Q): U
    Enter Option (# or MJLRPBVUDAX+Q): Q
    Enter Option (# or MJLRPBVUDAX+Q): Q
    Enter Option (#,F,B,X,P, or Q): P

     

    - On each Policy Server :

    - Go the Policy_Server_home/config folder;
    - Rename SMocsp.conf to SMocsp.conf.orig;
    - Restart the Policy Server;

     

    KB : KB000130649



  • 2.  Re: Tech Tip : CA Single Sign-On : Problem disactivate CRL checking

    Posted 04-09-2019 11:43 AM

    Thank you for sharing this tip with the community Patrick!

    Tech Tip : CA Single Sign-On : Problem disactivate CRL checking