OCSP Authentication Configuration

For OCSP authentication, you configure the service and authorization servers. This service does not use remote groups. You can add only one OCSP service instance.

Prerequisites for configuring OCSP authentication:

  • The IP address of the OCSP server.

  • The OCSP server port must be allowed.

  • A valid pre-uploaded CA certificate for the OCSP server. You upload certificates to NetMRI in the Settings icon > General Settings > Security > CA Certificates. For more information, see NetMRI Security Settings.

To configure an OCSP authentication service, complete the following:

  1. Go to the Settings icon > General Settings > Authentication Services.

  2. Click New (the plus icon). The Add Authentication Service dialog opens.

  3. Name: Enter a meaningful name for the OCSP authentication service.

  4. Description: Enter a textual description for the OCSP authentication service.

  5. Timeout: Specify the server response timeout.

  6. Service Type: Choose OCSP.

  7. Disable service: By default, this setting is turned on. When you turn it off, the configured service becomes available on the NetMRI login form. NetMRI validates that the user certificate is compliant with the CA certificate. It also performs a certificate revocation check using the OCSP server.

  8. Click Save.

You can now proceed to configure servers as described in the next procedure.

To configure the OCSP authentication service's servers, complete the following:

  1. In the Edit Authentication Service dialog, click the Servers tab.

  2. Click New (the plus icon). The Add OCSP responder dialog appears.

  3. Enter the Host/IP Address.

  4. Priority: Choose the priority for the new server in the authentication service. In this context, the priority value determines the order in which servers are queried by NetMRI. A lower value number denotes a higher priority. "1" is the highest possible priority. Only one server should have a "1" priority.

  5. OCSP Certificate: Select a previously imported CA certificate that will be used with the request to the OCSP responder server. You can import certificates in the Settings icon > Security > CA Certificates.

  6. Port: Specify the OCSP server port.

  7. Disable server: By default, this setting is turned off to allow NetMRI to check the user certificate for validity.

  8. Certificates: Select the required certificate chain.

  9. Click Save.

  10. Test: Click to test the connection to the authentication servers.
    To additionally check the certificate for revocation, make sure to turn off the Disable service option in the Add Authentication Service dialog described in the previous procedure.

  11. Click Close.
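
The prerequisites above (responder address, allowed port, matching CA certificate) can be checked from a shell with the OpenSSL command-line tool before the responder is entered in NetMRI. This is an added example, not part of the NetMRI documentation; the host, port and file names are caller-supplied placeholders, and it assumes the CA file directly issued the user certificate and that the responder answers plain HTTP at the root path.

```shell
#!/bin/sh
# Pre-flight check for an OCSP responder before it is entered in NetMRI.
# Host, port and file names are placeholders supplied by the caller.

# Classify `openssl ocsp` output read on stdin: good, revoked, unknown,
# unverified (status present but response signature not verified), or error.
ocsp_classify() {
    awk '
        /^Response verify OK/ { verified = 1 }
        /: good$/             { status = "good" }
        /: revoked$/          { status = "revoked" }
        /: unknown$/          { status = "unknown" }
        END {
            if (status == "")   print "error"
            else if (!verified) print "unverified"
            else                print status
        }'
}

# Usage: ocsp_check HOST PORT CA_PEM USER_CERT_PEM
# Assumes CA_PEM directly issued USER_CERT_PEM and the responder speaks
# plain HTTP at the root path of HOST:PORT.
ocsp_check() {
    openssl ocsp -issuer "$3" -CAfile "$3" -cert "$4" \
        -url "http://$1:$2" -timeout 10 2>&1 | ocsp_classify
}

# Constructed sample outputs (not captured from a real responder).
SAMPLE_GOOD='Response verify OK
user.pem: good
    This Update: Jan  1 00:00:00 2024 GMT'
SAMPLE_REVOKED='Response verify OK
user.pem: revoked
    Reason: keyCompromise
    Revocation Time: Jan  1 00:00:00 2024 GMT'
SAMPLE_UNVERIFIED='Response Verify Failure
user.pem: good'

if [ "$#" -eq 4 ]; then
    ocsp_check "$@"          # live query against the given responder
else
    # No arguments: classify the constructed samples instead.
    for s in "$SAMPLE_GOOD" "$SAMPLE_REVOKED" "$SAMPLE_UNVERIFIED"; do
        printf '%s\n' "$s" | ocsp_classify
    done
fi
```

A result of "unverified" or "error" points to a CA certificate mismatch or a blocked port, which would also cause the Test step in the Servers tab to fail.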