User Guide for the Cisco Application Networking Manager 5.2, OL-26572-01, page 11-30
Chapter 11      Configuring SSL
Configuring SSL

OCSP Service

and provides this information when requested by OCSP clients. OCSP can provide the latest information about the revocation status of the certificate. Use of OCSP removes the need to download and cache the CRLs, which could be very large in size and impose large memory requirements on systems.

You can configure a maximum of 64 OCSP server configurations system-wide on the ACE. You can configure all of these servers in a single or multiple contexts.

Use this procedure to define the attributes that the ACE appliance is to use during SSL handshakes so that it can act as an SSL server.

Assumption

Configure OCSP on an associated proxy service. You can configure both OCSP and CRLs for authentication.

Procedure

Step 1  Select Config > Devices > context > SSL > OCSP Service. The OCSP Service table appears.

Step 2  Click Add to add a new OCSP service, or select an existing service, then click Edit to modify it. The OCSP Service configuration screen appears.

Step 3  In the Name field, enter a unique name for this OCSP service. Valid entries are alphanumeric strings with a maximum of 64 characters. This name is used when you apply this configuration to an SSL proxy service.

Step 4  In the URL field, enter an HTTP-based URL for the OCSP host name and optional port ID in the form of http://ocsp_hostname.com:port_id. If you do not specify a port ID, the ACE uses the default value of 2560.

Step 5  Optionally, in the Request Signer's Certificate field, you can select a filename for the signer certificate to sign the requests to the server. By default, the request is not signed.

Step 6  Optionally, in the Response Signer's Certificate field, you can select a filename for the signer certificate to verify the signature on the server responses. By default, the responses are not verified.

Step 7  Check the Enable Nonce check box to enable the inclusion of the nonce in the requests to the server. By default, the nonce is disabled. Clear the check box to disable the inclusion of the nonce in requests to the server.

Step 8  In the TCP Connection Inactivity Timeout field, enter an integer from 2 to 3600 to specify the TCP connection inactivity timeout in seconds. The default is 300 seconds.

Step 9  Do one of the following:

  •  Click Deploy Now to deploy this configuration on the ACE appliance.

  •  Click Cancel to exit this procedure without saving your entries and to return to the OCSP Service table.

  •  Click Next to save your entries and to add another proxy service.
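The following is an added example, not code from this guide or from the ANM/ACE product, showing what the Response Signer's Certificate setting (Step 6) and the Enable Nonce check box (Step 7) buy an OCSP client. It uses the Python `cryptography` library (assumed installed) to stand up a throwaway CA, server certificate and OCSP responder entirely in memory, builds a request carrying a nonce, builds a signed response for it, and then applies the client-side checks those two settings imply: the response signature must verify against the configured signer certificate, and the nonce must come back unchanged. The host names, the "Test CA" and the scenarios are all constructed; the library offers no request-signing builder, so the Request Signer's Certificate setting (Step 5) is not modelled, and the code does not claim to reproduce the ACE's internal implementation.

```python
"""Added example (not Cisco's or ANM's code): the checks behind the OCSP Service
settings above, shown end to end with the `cryptography` library (assumed
installed). All keys, certificates and host names are constructed in memory."""
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)


def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _cn(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _make_cert(subject, issuer, key, issuer_key):
    """Minimal CN-only certificate valid for one day (constructed test data)."""
    return (x509.CertificateBuilder().subject_name(_cn(subject)).issuer_name(_cn(issuer))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(minutes=5))
            .not_valid_after(NOW + datetime.timedelta(days=1))
            .sign(issuer_key, hashes.SHA256()))


def build_pki():
    """Constructed CA, SSL server certificate and OCSP responder key/certificate."""
    ca_key = _key()
    ca_cert = _make_cert("Test CA", "Test CA", ca_key, ca_key)
    srv_cert = _make_cert("vip.example.test", "Test CA", _key(), ca_key)
    resp_key = _key()
    resp_cert = _make_cert("ocsp.example.test", "Test CA", resp_key, ca_key)
    return ca_cert, srv_cert, resp_key, resp_cert


def build_request(srv_cert, ca_cert, nonce):
    """Client side: ask about srv_cert and carry a fresh nonce, which is what the
    "Enable Nonce" check box adds to the requests the ACE sends."""
    builder = ocsp.OCSPRequestBuilder().add_certificate(srv_cert, ca_cert, hashes.SHA256())
    return builder.add_extension(x509.OCSPNonce(nonce), critical=False).build()


def build_response(srv_cert, ca_cert, signer_key, signer_cert, nonce,
                   status=ocsp.OCSPCertStatus.GOOD):
    """Responder side: a signed answer that echoes the given nonce (constructed)."""
    revoked = status == ocsp.OCSPCertStatus.REVOKED
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=srv_cert, issuer=ca_cert, algorithm=hashes.SHA256(), cert_status=status,
        this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
        revocation_time=NOW if revoked else None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert)
    builder = builder.add_extension(x509.OCSPNonce(nonce), critical=False)
    return builder.sign(signer_key, hashes.SHA256())


def check_response(request, response, trusted_signer_cert):
    """Client-side validation matching the page's settings: the response must be
    signed by the configured "Response Signer's Certificate" and must echo the
    nonce from our request. Returns (accept, reason)."""
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "responder did not answer successfully"
    try:  # the signature covers the ResponseData (tbsResponseData) bytes
        trusted_signer_cert.public_key().verify(
            response.signature, response.tbs_response_bytes,
            padding.PKCS1v15(), response.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify against the configured signer"
    sent = request.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    try:
        echoed = response.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        return False, "response carries no nonce"
    if echoed != sent:
        return False, "nonce mismatch: response was not produced for this request"
    if response.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return False, "certificate status is " + response.certificate_status.name
    return True, "certificate status is GOOD"


def demo():
    """Run a good, a replayed, a rogue-signed and a revoked response through the
    checks; returns {scenario: (accept, reason)}."""
    ca_cert, srv_cert, resp_key, resp_cert = build_pki()
    nonce = os.urandom(16)
    req = build_request(srv_cert, ca_cert, nonce)
    rogue_key = _key()
    rogue_cert = _make_cert("rogue", "rogue", rogue_key, rogue_key)

    def answer(key, cert, n, status=ocsp.OCSPCertStatus.GOOD):
        return check_response(req, build_response(srv_cert, ca_cert, key, cert, n, status), resp_cert)

    return {
        "good": answer(resp_key, resp_cert, nonce),
        "replayed": answer(resp_key, resp_cert, os.urandom(16)),
        "rogue_signer": answer(rogue_key, rogue_cert, nonce),
        "revoked": answer(resp_key, resp_cert, nonce, ocsp.OCSPCertStatus.REVOKED),
    }
```

Calling `demo()` returns the four outcomes: only the response that is both signed by the trusted responder and carries the request's own nonce is accepted. The "replayed" case is the one the nonce exists for: an older, correctly signed GOOD response captured before a revocation would otherwise still verify. The "rogue_signer" case is what leaving Response Signer's Certificate unset gives up, since with the page's default of no verification such a response is indistinguishable from a genuine one.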
Related Topics

  •  Configuring SSL, page 11-1

  •  Configuring SSL Proxy Service, page 11-27