
Default OCSP configuration

This article is valid for Nexus OCSP responder 6.1 and later.

This article describes the ocsp.conf file installed with Nexus OCSP Responder, that is, the default configuration.

Scramble sensitive configuration parameters

To scramble a configuration parameter, add the keyword encrypted to its name in the configuration file. The next time the application starts, it scans the file for such parameters whose values are still unscrambled, scrambles them, and writes the updated configuration file back to disk (the application therefore needs write access to the file).

For example, *.pin = 1234 is sensitive and should therefore be scrambled:

  1. Replace the parameter with *.pin.encrypted = 1234.

  2. On its next start, the server finds the unscrambled value and scrambles it. Until that restart the value remains in clear text in the file.

  3. In the resulting configuration file the parameter has been rewritten to, for example, *.pin.encrypted = encrypted:MCa12==.

Providers

The order of cryptographic providers used by the Nexus OCSP Responder.

CODE
ocsp.providers.1=org.bouncycastle.jce.provider.BouncyCastleProvider
ocsp.providers.2=com.id2tech.security.provider.ID2
ocsp.providers.3=com.id2tech.security.store.ID2Store

Validators

For more information, see the Validation section.

CRL Validator

CODE
ocsp.validation.1.type=crl
ocsp.validation.1.cacheDir=crls
ocsp.validation.1.provider.1.type=push
ocsp.validation.1.provider.1.listen.url=http://*:8081/

CIL Validator

CODE
ocsp.validation.2.type=cil
ocsp.validation.2.cacheDir=cils
ocsp.validation.2.provider.1.type=push
ocsp.validation.2.provider.1.listen.url=http://*:8082/

Responders

For more information, see the OCSP responder section.

Basic Responder

CODE
;responder.1.type=basic
;responder.1.url=http://*:8080/basic
;responder.1.workers=5
;responder.1.signer.1.issuerdn=cn=Root CA,c=SE
;responder.1.signer.1.certificate=cn=OCSP-signer*
;responder.1.signer.1.signingalgorithm=SHA256withRSA
;responder.1.signer.1.pin=<PIN>

Non Issued Basic Responder

CODE
;responder.2.type=non-issued-basic
;responder.2.url=http://*:8080/non-issued
;responder.2.workers=5
;responder.2.signer.1.issuerdn=cn=Root CA,c=SE
;responder.2.signer.1.certificate=cn=OCSP-signer*
;responder.2.signer.1.signingalgorithm=SHA256withRSA
;responder.2.signer.1.pin=<PIN>

Fallback Responder

This template reuses index 1. When enabling the fallback responder alongside the basic responder, give it an index that is not already in use (responder.3, for example) so that its keys do not overwrite the basic responder's.

CODE
;responder.1.type=fallback
;responder.1.url=http://*:8080/fallback
;responder.1.workers=5
;responder.1.checkonhold=true
;responder.1.signer.1.issuerdn=cn=Root CA,c=SE
;responder.1.signer.1.certificate=cn=OCSP-signer*
;responder.1.signer.1.signingalgorithm=SHA256withRSA
;responder.1.signer.1.pin=<PIN>

Key Stores

For more information, see the Key management section.

CODE
;key.store.store.1=ocsp_signer.p12
;key.store.store.1.pin=<PIN>
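The scrambling procedure, the responder templates and the key store PIN above raise the same two questions a reviewer asks of an ocsp.conf before deployment: which secrets are still in clear text, and do any enabled responder or validator indices collide (the Fallback template reuses responder.1). The following Python script is an added example, not Nexus code. It parses the file format shown on this page under these assumptions: a line starting with ";" is a comment, a trailing backslash continues a line (as in agent.log.loggerdef.format.fields), "<PIN>" is an unfilled placeholder, keys whose last component is "pin" or "password" hold secrets, and the server rewrites the value of a key ending in ".encrypted" to "encrypted:..." on its next start, as the article describes. The sample configuration embedded at the bottom is constructed for the example.

```python
"""Audit an ocsp.conf-style file: clear-text secrets and colliding indices.
Added example, not Nexus code.  Assumptions: ';' starts a comment, a trailing
backslash continues a line, '<PIN>' is an unfilled placeholder, keys ending in
'pin'/'password' hold secrets, and (per the article) the server rewrites the
value of any key ending in '.encrypted' to 'encrypted:...' on its next start."""
import re

SENSITIVE_SUFFIXES = ("pin", "password")                   # assumption
PLACEHOLDER_RE = re.compile(r"^<[^>]+>$")                  # e.g. <PIN>
INDEXED_TYPE_RE = re.compile(r"^(responder|ocsp\.validation)\.(\d+)\.type$")


def parse_conf(text):
    """[(lineno, key, value, commented)] per key=value entry; joins backslash-continued lines."""
    entries, pending, first_line = [], "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if first_line is None:
            first_line = lineno
        if raw.rstrip().endswith("\\"):
            pending += raw.rstrip()[:-1]
            continue
        logical, start = (pending + raw).strip(), first_line
        pending, first_line = "", None
        commented = logical.startswith(";")
        key, sep, value = logical.lstrip(";").strip().partition("=")
        if sep:
            entries.append((start, key.strip(), value.strip(), commented))
    return entries


def is_sensitive(key):
    """True for keys such as '*.pin', 'responder.1.signer.1.pin' or 'officer.password'."""
    return key.rsplit(".", 1)[-1].lower() in SENSITIVE_SUFFIXES


def find_unscrambled_secrets(entries):
    """Active secrets still in clear text: 'needs-encrypted-keyword' when the
    '.encrypted' suffix is missing (the server will never scramble it), or
    'awaiting-restart' when the keyword is present but the value is not yet
    'encrypted:...' (plaintext stays on disk until the next start)."""
    findings = []
    for lineno, key, value, commented in entries:
        if commented or PLACEHOLDER_RE.match(value):
            continue
        if key.endswith(".encrypted"):
            if is_sensitive(key[:-len(".encrypted")]) and not value.startswith("encrypted:"):
                findings.append((lineno, key, "awaiting-restart"))
        elif is_sensitive(key):
            findings.append((lineno, key, "needs-encrypted-keyword"))
    return findings


def mark_for_scrambling(text):
    """Step 1 of the article's procedure for every active one-line secret:
    'x.pin = 1234' -> 'x.pin.encrypted = 1234'; comments and placeholders untouched."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        key, sep, value = stripped.partition("=")
        key = key.strip()
        if (sep and not stripped.startswith(";") and is_sensitive(key)
                and not PLACEHOLDER_RE.match(value.strip())):
            raw = raw.replace(key, key + ".encrypted", 1)
        out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def find_index_collisions(entries):
    """Active responder.N.type / ocsp.validation.N.type keys sharing an index, e.g.
    the page's Fallback template uncommented next to Basic without renumbering."""
    seen, collisions = {}, []
    for _, key, value, commented in entries:
        m = INDEXED_TYPE_RE.match(key)
        if commented or not m:
            continue
        slot = "%s.%s" % m.groups()
        if slot in seen:
            collisions.append((slot, seen[slot], value))
        else:
            seen[slot] = value
    return collisions


# Constructed sample modelled on the article's ocsp.conf, not a real deployment.
SAMPLE_CONF = """\
responder.1.type=basic
responder.1.signer.1.pin=1234
responder.1.type=fallback
responder.1.signer.1.pin.encrypted=encrypted:MCa12==
;responder.2.type=non-issued-basic
;responder.2.signer.1.pin=<PIN>
key.store.store.1=ocsp_signer.p12
key.store.store.1.pin.encrypted = 5678
agent.log.loggerdef.format.fields\\
= {date} {class} {severity} {message}
"""

if __name__ == "__main__":
    entries = parse_conf(SAMPLE_CONF)
    for lineno, key, state in find_unscrambled_secrets(entries):
        print("line %d: %s (%s)" % (lineno, key, state))
    for slot, first, second in find_index_collisions(entries):
        print("%s defined as both %s and %s" % (slot, first, second))
```

Run against a real ocsp.conf by replacing SAMPLE_CONF with the file contents. mark_for_scrambling only performs step 1; the value is still in clear text until the server has restarted and rewritten it, which is what the "awaiting-restart" state reports.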

Log file

For more information, see the System management section.

Java Util Logging level

ocsp.java.util.logging.level - The java.util.logging level from which log records are redirected to the OCSP agent log and captured there.

  • Possible values: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST.

    • SEVERE, WARNING, INFO, CONFIG are redirected with class=oper.

    • FINE, FINER, FINEST are redirected with class=trace.

  • Output printed to System.err/System.out is captured with level FINE, so it only reaches the log when the level is set to FINE or lower. This applies, for example, to the TLS debugging output enabled with the Java VM parameter -Djavax.net.debug=ssl:handshake.

Default value
CODE
;ocsp.java.util.logging.level = INFO

Global log parameters

CODE
agent.log.loggerdef.encoding = ISO-8859-1
agent.log.loggerdef.format.date = [yyyy/MM/dd:HH:mm:ss.SSS]
agent.log.loggerdef.filedate = yyMMdd
;agent.log.loggerdef.offset = T0H
agent.log.loggerdef.period = P1D
agent.log.loggerdef.format.fields\
= {date} {class} {severity} {transactionid:5,,28} {message}
agent.log.loggerdef.filter = !class=audit

CODE
agent.log.1.type = file
agent.log.1.prefix = log/ocsp
agent.log.2.type = file
agent.log.2.prefix = log/audit
agent.log.2.filter = class=audit.pkiStateAltered
;agent.log.3.type = file
;agent.log.3.prefix = log/audit-req-resp
;agent.log.3.filter = class=audit.ocspQuery | class=audit.ocspResponse
;agent.log.3.format.fields\
= {date} {class} {severity} {transactionid:5,,28} {message} %s
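The two enabled loggers and the commented-out third one above split records by class: agent.log.1 takes everything except audit records, agent.log.2 only audit.pkiStateAltered, and agent.log.3, once uncommented, the per-request audit.ocspQuery and audit.ocspResponse records. The following Python model is an added example, not Nexus code, and its filter semantics are assumptions inferred from the sample configuration: "class=X" matches a record whose class is X or begins with "X.", a leading "!" negates a term, "|" joins terms as OR, and a logger without a filter of its own inherits agent.log.loggerdef.filter. Under those assumptions it shows that, with the shipped defaults, the per-request audit records are written to no log file at all until agent.log.3 is enabled.

```python
"""Model how the default agent.log.* filters route one log record.
Added example, not Nexus code.  Assumed filter semantics, inferred from the
sample config: 'class=X' matches a record whose class is X or starts with
'X.', a leading '!' negates, '|' is OR, and a logger with no filter of its own
inherits agent.log.loggerdef.filter."""

LOGGERDEF_FILTER = "!class=audit"

# The two loggers the shipped ocsp.conf enables; agent.log.1 sets no filter.
DEFAULT_LOGGERS = {
    "log/ocsp": None,
    "log/audit": "class=audit.pkiStateAltered",
}
# The commented-out agent.log.3 from the page.
REQ_RESP_LOGGER = ("log/audit-req-resp",
                   "class=audit.ocspQuery | class=audit.ocspResponse")


def term_matches(term, record_class):
    """One 'class=X' or '!class=X' term; hierarchical matching is an assumption."""
    negate = term.startswith("!")
    name = term.lstrip("!").strip()
    if not name.startswith("class="):
        raise ValueError("unsupported filter term: %r" % term)
    wanted = name[len("class="):]
    hit = record_class == wanted or record_class.startswith(wanted + ".")
    return hit != negate


def filter_matches(filter_expr, record_class):
    """'|' joins terms as OR (assumption)."""
    return any(term_matches(t.strip(), record_class) for t in filter_expr.split("|"))


def route(record_class, loggers, default_filter=LOGGERDEF_FILTER):
    """Prefixes of the log files a record of this class is written to."""
    return sorted(prefix for prefix, expr in loggers.items()
                  if filter_matches(expr or default_filter, record_class))


def with_req_resp_logger(loggers=DEFAULT_LOGGERS):
    """The default logger set plus agent.log.3 uncommented."""
    enabled = dict(loggers)
    enabled[REQ_RESP_LOGGER[0]] = REQ_RESP_LOGGER[1]
    return enabled


if __name__ == "__main__":
    for cls in ("oper", "trace", "audit.pkiStateAltered", "audit.ocspQuery"):
        print("%-24s default: %-14s with agent.log.3: %s"
              % (cls, route(cls, DEFAULT_LOGGERS), route(cls, with_req_resp_logger())))
```

Operational records (class=oper and class=trace from the java.util.logging redirection) land in log/ocsp, state changes in log/audit, and an audit.ocspQuery record is dropped by both default loggers, which is why the third logger is worth enabling when request-level audit evidence is required.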

Configurations for cmsdk-connection

cmsdk-connection.conf

Configuration parameters in this file are used for connecting to a CF service when using a responder of type fallback. Relative paths specified below are relative to the <config-root>.

CM connection parameters
  • cmhost
    Must be set to the network id (host name or IP address) of the machine that hosts the CF service to use.

CODE-JAVA
cmhost = localhost
  • cmconnectiontimeout
    Number of milliseconds the connector waits when trying to connect to the CF server. Default value is 0, meaning no limit (it waits indefinitely).

CODE-JAVA
;cmconnectiontimeout = 0
  • cmreadtimeout
    Number of milliseconds the connector waits for data from the CF server before giving up on a read. Default value is 3600000, meaning one hour.

CODE-JAVA
;cmreadtimeout = 3600000
  • cmconnections
    The maximum number of concurrent officer connections to CF to allocate to the officer pool.

CODE-JAVA
cmconnections = 20
  • cmclientretries
    How many times a request is re-sent if the connection to CM is closed unexpectedly. Default value is 0 (no retries).

CODE-JAVA
;cmclientretries = 0
CM officer
  • The CM officer is specified by either the keyfile or the subject parameter. These parameters specify the CM officer used when establishing a connection to the CM Server and when signing requests. One of them is required when using the fallback responder type.

  • officer.keyfile contains the file path of the soft token (.p12 file) containing the key(s) and certificate(s) of the CM officer.

  • officer.certificate.subject contains the name, or part of the name (subject DN), of the CM officer. This parameter is used to select a certificate from those provided by the configured PKCS#11 libraries.

CODE-JAVA
;officer.keyfile = protocol-gateway-vro.p12
;officer.certificate.subject = Protocol Gateway VRO
  • officer.password contains the password/PIN code needed to access the token holding the officer's identity.

CODE-JAVA
;officer.password = abcd1234
  • officer.pkcs11 specifies a PKCS#11 library that should be searched for the CM officer certificate when it is loaded from the PKCS#11 key store.

CODE-JAVA
;officer.pkcs11 =
TLS parameters
  • ssl.rootfilename contains the path of the file or directory that contains the trusted root CAs. The file or directory must contain one of the certificates in the chain that CF uses to identify itself.

CODE-JAVA
ssl.rootfilename = certdir