7-22
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 7 Managing Network Resources
Working with OCSP Services
Unknown—The certificate status is unknown.
The status of the certificate is Unknown if the OCSP service is not configured to handle the CA that issued the given certificate. In this case the certificate is handled as an unknown certificate; that is, the validation process checks the "Reject the request if no status" flag. If the flag is set so that the request should not be rejected, OCSP validation continues to the CRL check to determine whether the certificate is configured in ACS.
ACS caches all OCSP responses to maximize performance and reduce the load on the OCSP servers. At the time of OCSP verification, ACS first looks for the relevant information in the cache. If the information is not found, ACS establishes a connection to the OCSP server. ACS defines a lifetime for all OCSP records in each OCSP service. In addition, each OCSP response carries a Time to Live that defines the interval after which a new request should be made. Each cache entry is retained for either the Time to Live or the cache lifetime, whichever is shorter. Click Clear Cache to clear all the cached records that are associated with this OCSP service. Clear Cache also clears the records on the secondary ACS servers in a distributed system.
ACS does not support replicating the cached responses database. The caches are not persistent; therefore, the cached responses are cleared after you restart the ACS application.
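The cache retention rule (shorter of the response Time to Live and the service cache lifetime) and the handling of an Unknown status described above, modeled as an added example. This is not Cisco's code; the class and field names, the numeric lifetimes and the sample serial numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Tuple

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"

@dataclass
class OcspResponse:
    serial: str          # certificate serial (constructed sample values in the test)
    status: Status
    ttl_seconds: int     # Time to Live carried in the response
    fetched_at: float    # time the responder answered (seconds on a constructed clock)

@dataclass
class OcspService:
    """One ACS OCSP service: per-service cache lifetime plus the
    'Reject the request if no status' flag (field names are assumptions)."""
    cache_lifetime_seconds: int
    reject_if_no_status: bool
    cache: Dict[str, OcspResponse] = field(default_factory=dict)

    def expires_at(self, resp: OcspResponse) -> float:
        # An entry lives for the response TTL or the cache lifetime, whichever is shorter.
        return resp.fetched_at + min(resp.ttl_seconds, self.cache_lifetime_seconds)

    def lookup(self, serial: str, now: float,
               fetch: Callable[[str, float], OcspResponse]) -> Tuple[Status, str]:
        """Serve from the cache while fresh; otherwise ask the responder and cache the reply."""
        cached = self.cache.get(serial)
        if cached is not None and now < self.expires_at(cached):
            return cached.status, "cache"
        resp = fetch(serial, now)
        self.cache[serial] = resp
        return resp.status, "responder"

    def decide(self, status: Status) -> str:
        """Map an OCSP status to the validation outcome for this service."""
        if status is Status.GOOD:
            return "accept"
        if status is Status.REVOKED:
            return "reject"
        # Unknown: the flag decides; if it is not set, validation continues to the CRL check.
        return "reject" if self.reject_if_no_status else "check-crl"

    def clear_cache(self) -> None:
        # Clear Cache drops every record of this service; the cache is never persisted anyway.
        self.cache.clear()
```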
This section contains the following topics:
Creating, Duplicating, and Editing OCSP Servers, page 7-22
Deleting OCSP Servers, page 7-24
Creating, Duplicating, and Editing OCSP Servers
To create, duplicate, or edit an OCSP server:
Step 1 Choose Network Resources > OCSP Services.
The OCSP Services page appears with a list of configured OCSP servers.
Step 2 Do one of the following:
Click Create.
Check the check box next to the OCSP server that you want to duplicate, then click Duplicate.
Click the OCSP server name that you want to edit, or check the check box next to the name and click Edit.
The OCSP Servers page appears.
Step 3 Edit the fields on the OCSP Servers page as shown in Table 7-8.
Table 7-8 OCSP Servers Page
Option                              Description
Name                                Name of the OCSP server.
Description                         (Optional) The description of the OCSP server.
Server Connection
Enable Secondary Server             Check this check box to enable the secondary server configuration, such as the Always Access Primary Server First and Failback options.
Always Access Primary Server First  Enable this option to check the primary server first before moving on to the secondary server, even if there was no previous response from the primary server.