Access Control
The OCSP access control module allows you to restrict the access of OCSP service based on the following options:
- Open access for everyone
- Using TLS client certificates to authenticate clients
- Using OCSP request signing to authenticate clients
- Using IP address checking to authenticate clients
The last three options above can be used simultaneously if required.
The following screen shows the configurations which can be made:
The configuration items are as follows:
Items |
Description |
Allow open access |
If this option is enabled, it allows open access and all requests are accepted. |
Allow access based on TLS client certificates |
This option has two sub-filters:
|
Allow access based on requests being signed |
This option is used when the OCSP request message is signed by the requestor (OCSP client). It has two sub-filters:
|
Allow access based on IP addresses |
This option allows you to include the list of IP addresses to allow or deny. Wildcards * can be used.
|
Choosing the option Allow access based on TLS Client Certificates or Allow access based on requests being signed and clicking Add/Editbutton will show the following screen where filtering can be performed based on Issuer or Subject DN Attributes:
Also, choosing the option Allow access based on IP addresses and clicking Add/Edit button will show the following screen where filtering can be performed based on IP Address:
Please note at least one include entry is must before an exclude entry can be made in all above cases. Also, it is necessary to restart OCSP service whenever any change is made in OCSP Service >> access control settings. |
See also
Support for Multiple Trust Models
Multiple CA and Unique Certificate Validation Policies
Configuring the OCSP Service
Advanced Settings
Forwarding Modes
Transactions Log Viewer
Logs Archiving
Alerts
Management Reporting
Optimising ADSS OCSP Server Performance
Operating OCSP Service in FIPS 201 Compliant Mode
OCSP Service Interface URLs