Enabling or disabling certificate revocation check, Offline mode, Alert on CRL file expiration – HP Systems Insight Manager User Manual

Enabling or disabling certificate revocation check

HP SIM lets you disable the certificate revocation check for both server and client certificates.
Disabling the revocation check for client certificates does not affect Two-Factor authentication, where
the client certificate (referred to as the user certificate) is always checked for revocation.

Enabling the certificate revocation check might affect system performance, because HP SIM downloads
the Certificate Revocation List (CRL) file from the certificate server while processing the revocation
check. The CRL file is downloaded only if no CRL file associated with the certificate is already
cached on the server, or if the cached CRL file has expired.

Enabling or disabling the certificate revocation check does not require a restart of HP SIM.

Offline and online mode of certificate revocation check

The certificate revocation check is performed offline, online, or both.

Offline mode

Offline mode is the default mode of revocation checking. Offline mode expects the CRL files to be
cached on the system. You must regularly populate the directory maintained by HP SIM with the CRL
files associated with the certificates. On Windows, the directory is \data\crl, and on Linux/HP-UX,
it is /var/opt/mx/data/crl.

Alert on CRL file expiration

If any of the CRL files in this directory have expired, HP SIM sends an alert to the system. These
alerts can be viewed on the "All Events" page.

The intent of this alert is to inform the user to update the CRL directory with the latest CRL files.

See below for configuring some of the CRL alert-related settings.

Online mode

Online mode can optionally be enabled. Enabling online mode does not bypass the offline mode of the
CRL check.

If the CRL file associated with a certificate is not present in the above directory, or if the cached
CRL file has expired, HP SIM checks whether online mode is enabled. If it is, HP SIM tries to
download the CRL file from the certificate server. After downloading the CRL file, HP SIM caches it
in the above directory.

Ways of enabling online mode

There are two ways of enabling online mode: through proxy settings, or directly.

In the former method, you must save the host address and port of the proxy server.

The latter method assumes that the certificate server is reachable from the CMS server without proxy
settings, for example, when the certificate server is located on the same intranet as the CMS server.

In the future, the proxy settings will be configured in a common location in HP SIM.

CRL distribution points

HP SIM expects the CRL distribution points to be present in the certificate and the CRL distribution
point URLs to be valid. The revocation check might fail if any of the distribution points contains an
invalid URL.

HP SIM processes only HTTP distribution point URLs. If a certificate does not contain an HTTP
distribution point URL, the CRL check for that certificate fails.
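To make the lookup order concrete, here is an added Python model of the offline-then-online decision and the HTTP-only distribution point rule described above. It is illustrative code, not HP SIM's implementation: the cache keyed by distribution point URL, the CachedCrl record and the example.test URLs are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

@dataclass
class CachedCrl:
    """One CRL file in the cache directory, keyed by the DP URL it came from (assumed layout)."""
    next_update: datetime  # CRL nextUpdate field; treated as expired once passed

def http_distribution_points(dp_urls):
    """Keep only well-formed http:// DP URLs; other schemes (ldap, file) are ignored."""
    return [u for u in dp_urls
            if urlparse(u).scheme.lower() == "http" and urlparse(u).netloc]

def check_crl_source(dp_urls, cache, now, online_enabled):
    """Decide where the CRL for one certificate comes from: ("use_cached", url),
    ("download", url) or ("fail", reason). Offline lookup always runs first."""
    http_dps = http_distribution_points(dp_urls)
    if not http_dps:
        return ("fail", "no HTTP CRL distribution point in certificate")
    for url in http_dps:
        cached = cache.get(url)
        if cached is not None and cached.next_update > now:
            return ("use_cached", url)
    if not online_enabled:
        state = "expired" if any(u in cache for u in http_dps) else "missing"
        return ("fail", f"cached CRL {state} and online mode disabled")
    return ("download", http_dps[0])  # fetch, then cache alongside the others

def expired_crl_alerts(cache, now):
    """DP URLs whose cached CRL is past nextUpdate: what the expiry alert reports."""
    return sorted(url for url, crl in cache.items() if crl.next_update <= now)

# Constructed sample state: one fresh and one stale CRL in the cache directory.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
FRESH = "http://crl.example.test/ca.crl"
STALE = "http://crl.example.test/old.crl"
SAMPLE_CACHE = {
    FRESH: CachedCrl(next_update=NOW + timedelta(days=7)),
    STALE: CachedCrl(next_update=NOW - timedelta(days=1)),
}

def demo():
    # The four cases the manual describes, run against the sample cache.
    return {
        "fresh_offline": check_crl_source([FRESH], SAMPLE_CACHE, NOW, False),
        "stale_offline": check_crl_source([STALE], SAMPLE_CACHE, NOW, False),
        "stale_online": check_crl_source([STALE], SAMPLE_CACHE, NOW, True),
        "ldap_only": check_crl_source(["ldap://dir.example.test/cn=ca"], SAMPLE_CACHE, NOW, True),
    }
```

Note that enabling online mode only changes the outcome of the stale and missing cases; a fresh cached CRL is used without any download, which is why online mode never bypasses the offline check.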

106 Understanding HP SIM security