Enabling OCSP

(Optional) Enable Online Certificate Status Protocol (OCSP) to check if a certificate has been revoked.

A CA may issue a certificate to a user that remains valid for months or even years. If the certificate is compromised (for example, because a device is lost or someone gains unauthorized access to the private key), the CA can be notified to revoke it. Revocation only matters if it is checked: unless SAP Mobile Platform explicitly checks the revocation status, a revoked certificate still appears valid and is accepted.

Enabling OCSP takes two settings that work together: in the X.509 User Certificate provider of your security profile, set the property that enables revocation checking, and in the java.security file configure OCSP as described below. The OCSP properties in java.security have no effect on their own; they are only consulted once revocation checking is turned on in the provider.

Enable OCSP.

  1. Edit the SMP_HOME\sapjvm_7\jre\lib\security\java.security file.
    #
    # Properties to configure OCSP for certificate revocation checking
    #
    
    # Enable OCSP
    #
    # By default, OCSP is not used for certificate revocation checking.
    # This property enables the use of OCSP when set to the value "true".
    #
    # Note: SocketPermission is required to connect to an OCSP responder.
    #
    # Example,
    #   ocsp.enable=true
    
    #
    # Location of the OCSP responder
    #
    # By default, the location of the OCSP responder is determined implicitly
    # from the certificate being validated. This property explicitly specifies
    # the location of the OCSP responder. The property is used when the
    # Authority Information Access extension (defined in RFC 3280) is absent
    # from the certificate or when it requires overriding.
    #
  2. Uncomment ocsp.enable=true. Set the responder location property (ocsp.responderURL, described in the same section of the file) only when the certificates do not carry an Authority Information Access extension or when you need to override it; otherwise the responder named in each certificate is used. Make sure the SAP Mobile Platform host can reach the responder, since a responder that cannot be contacted makes validation fail rather than silently pass. The file is read when the JVM starts, so restart the server after editing it. For more information, see Java documentation at http://docs.oracle.com/cd/B28196_01/idmanage.1014/b28168/toc.htm
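The following script is an added example for this page, not code from SAP Mobile Platform or the JDK. It shows what the edited section of java.security looks like once the two properties are uncommented, and it checks the effective values the way the JVM reads them. The stock file ships every OCSP property commented out, and the comment block itself contains the literal text `ocsp.enable=true`, so a plain grep for that string is not a reliable check of whether OCSP is really on. The script parses the file with java.util.Properties line rules instead (comment lines start with `#` or `!`, the key is separated from the value by `=`, `:` or whitespace, a trailing backslash continues a logical line, the last assignment of a key wins). The responder URL and responder subject name in the sample are placeholders; the file excerpts are constructed for the example.

```python
"""Verify the effective OCSP settings in an SMP java.security file.

Added example for this page; not SAP Mobile Platform or JDK code.
Usage: python check_ocsp.py SMP_HOME/sapjvm_7/jre/lib/security/java.security
With no argument it checks the constructed EDITED_EXCERPT below.
"""
import re
import sys
from pathlib import Path

# Constructed excerpt of the stock file: every OCSP property is commented out.
STOCK_EXCERPT = """\
#
# Properties to configure OCSP for certificate revocation checking
#

# Enable OCSP
#
# By default, OCSP is not used for certificate revocation checking.
# This property enables the use of OCSP when set to the value "true".
#
# Example,
#   ocsp.enable=true
"""

# Constructed excerpt after step 2. The responder host and the responder
# certificate subject are placeholders, not real values.
EDITED_EXCERPT = STOCK_EXCERPT + """\
ocsp.enable=true

# Location of the OCSP responder (overrides the certificate's AIA extension)
ocsp.responderURL=http://ocsp.example.com:8080/
ocsp.responderCertSubjectName=CN=OCSP Responder, \\
    O=Example Corp
"""

_KEY_VALUE = re.compile(r"((?:\\.|[^\s=:])*)\s*[=:]?\s*(.*)")


def naive_grep(text: str, needle: str) -> int:
    """Count lines containing needle, comment lines included: the unreliable check."""
    return sum(1 for line in text.splitlines() if needle in line)


def _store(props: dict, logical: str) -> None:
    """Split one logical line into key and value (escape sequences left as-is)."""
    if not logical.strip():
        return
    m = _KEY_VALUE.match(logical)
    props[m.group(1)] = m.group(2).strip()


def parse_properties(text: str) -> dict:
    """Parse text with java.util.Properties line rules; last assignment wins."""
    props: dict = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip(" \t\f")
        if not pending and (not line or line[0] in "#!"):
            continue  # blank or comment line
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd number of trailing backslashes: line continues
            pending += line[:-1]
            continue
        _store(props, pending + line)
        pending = ""
    if pending:  # file ended inside a continuation
        _store(props, pending)
    return props


def ocsp_status(props: dict) -> dict:
    """Summarise what the JVM will do with these properties once revocation checking is on."""
    enabled = props.get("ocsp.enable", "false").strip().lower() == "true"
    responder = props.get("ocsp.responderURL")
    notes = []
    if not enabled:
        notes.append("ocsp.enable is not 'true': certificates are never checked for revocation")
    if responder is None:
        notes.append("no ocsp.responderURL: the responder is taken from each certificate's AIA extension")
    elif not re.match(r"^https?://", responder):
        notes.append("ocsp.responderURL is not an http(s) URL: %r" % responder)
    return {"enabled": enabled, "responder": responder, "notes": notes}


def load_java_security(path: str) -> dict:
    # Properties files are ISO-8859-1 by specification.
    return parse_properties(Path(path).read_text(encoding="latin-1"))


if __name__ == "__main__":
    props = load_java_security(sys.argv[1]) if len(sys.argv) > 1 else parse_properties(EDITED_EXCERPT)
    print(ocsp_status(props))
```

Run it against the real file after editing and again after the server restart, so you confirm the setting both on disk and in the copy of the file the running JVM actually loaded. A result with `enabled` false and a grep count of one is exactly the stock file: the sample line in the comments matched, nothing was uncommented.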
Related concepts
X.509 User Certificate Provider
Related tasks
Creating and Configuring Security Profiles
Mapping a Logical Role to a Physical Role
Related reference
X.509 User Certificate Configuration Properties