ACS 5.4 - OCSP Debug

Josef Fuehrer
Level 1

Hi everyone,

I'm currently having issues testing OCSP servers for certificate validation on ACS 5.4. Server team claims everything is fine on their side, but all attempts result in the following error:

12562  OCSP server response is invalid

I've already tried to disable NONCE extension support and signature validation, which hasn't really had any effect.

Does anyone know how to debug OCSP processing or look into the problem more precisely another way?

Thanks in advance!

Regards,

Josef


9 Replies

Tarik Admani
VIP Alumni

Josef,

Did you try clearing the cache and trying again?

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/net_resources.html#wp1133154

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

thanks for your reply.

Unfortunately we haven't had a successful attempt so far, meaning that the cache is empty. Nonetheless, I've tried to clear it, but to no avail.

The exact log message sequence is as follows:

12568  Lookup user certificate status in OCSP cache
12569  User certificate status was not found in OCSP cache
12550  Sent an OCSP request to the primary OCSP server for the CA
12562  OCSP server response is invalid
12552  Conversation with OCSP server ended with failure
12572  OCSP response not cached
12556  OCSP status of user certificate is unknown
12571  ACS will continue to CRL verification if it is configured for specific CA

Do you know which application debug log contains OCSP related information:

(config-acs)# debug-log ?

    Set debug level for the specified component.

                 ( all
                   mgmt
                   mgmt-aac
                   mgmt-acsview
                   mgmt-audit
                   mgmt-bl
                   mgmt-bus
                   mgmt-changepassword
                   mgmt-cli
                   mgmt-common
                   mgmt-dbal
                   mgmt-distmgmt
                   mgmt-gui
                   mgmt-import-export
                   mgmt-license
                   mgmt-notification
                   mgmt-performancemonitoring
                   mgmt-pi
                   mgmt-replication
                   mgmt-rest
                   mgmt-ssl-support
                   mgmt-system
                   mgmt-validation
                   runtime
                   runtime-acslogs
                   runtime-admin
                   runtime-authenticators
                   runtime-authorization
                   runtime-configmanager
                   runtime-confignotificationflow
                   runtime-crypto
                   runtime-dataaccess
                   runtime-dbpassword
                   runtime-eap
                   runtime-eventhandler
                   runtime-idstores
                   runtime-logging
                   runtime-loggingnotificationflow
                   runtime-messagebus
                   runtime-messagecatalog
                   runtime-radius
                   runtime-ruleengine
                   runtime-statemanager
                   runtime-statistics
                   runtime-tacacs
                   runtime-xmlconfig
                   )

Regards,

Josef

My assumption would be runtime-crypto, however you can enable the runtime (all), and try to reproduce the issue. If that doesn't work then go for mgmt.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Your assumption was perfectly right. Setting the logging level for runtime-crypto to debug did the trick.

Following this, I've got one more question. The debug output contains a reference to another log file named 'customer log' containing more detailed information:

Crypto,18/03/2013,16:10:22:650,ERROR,3050167184,NIL-CONTEXT,Crypto::Result=0, Crypto.OcspClient::performRequest - Failed to get response from OCSP server,OcspClient.cpp:236

Crypto,18/03/2013,16:10:22:651,WARN ,3050167184,NIL-CONTEXT,Crypto::Result=0, CryptoLib.CSSL.OCSP Callback - report detailed error to customer log,SSL.cpp:888

Do you know which file this exactly is and where it is to be found?

Thanks a lot,

Josef

Josef,

I do not know where this is located or if this exists, however I haven't worked with this integration yet (too much ISE). You may want to pull a support bundle and see if the file is present.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

The "customer log" files are acsLocalStore.log*. Basically they contain the same info as ACS View has.

You can use the openSSL ocsp utility to test your server. See 'man ocsp' for details.

Thanks,

Sergey Emantayev

Hi Sergey,

thanks for the hint with the OpenSSL utility.

Apparently there seems to be an issue with our OCSP responders:

30545:error:27070072:OCSP routines:OCSP_sendreq_bio:server response error:ocsp_ht.c:147:Code=405,Reason=Method Not Allowed

After some research I've come across a Microsoft TechNet article dealing with problems when using the POST method for HTTP requests, which pretty much hits the nail on the head.

I'm already in contact with the guys responsible for the OCSP servers and will keep you in the loop.

Best regards,

Josef

I have the same problem right now.

Did you find out what the cause of the issue was?

Hi,

In my case it turned out that the OCSP responder URL was incorrect. In fact I was missing the /ocsp suffix.

ACS logs can be somewhat ambiguous, so best try to query the OCSP responder with openssl and look for any hints in the response:
openssl ocsp -issuer "path to issuing ca certificate" -cert "path to certificate you want to verify" -url "OCSP responder URL"

Cheers,
Josef
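The thread's takeaway is that the openssl probe tells you far more than the ACS "response is invalid" message does. The script below is an added example, not code from the thread or from Cisco: it wraps the openssl ocsp command quoted above and maps its output to a one-line diagnosis (the HTTP 405 from the POST problem, a wrong URL, an unauthorized issuer, a signature-verification failure, or the actual certificate status). The certificate paths and responder URL are placeholders.

```shell
#!/bin/sh
# Added example: classify `openssl ocsp` output so the failure mode is
# obvious at a glance. Paths and URL passed to probe_ocsp are assumed.

# Map the combined stdout+stderr of `openssl ocsp` to a short diagnosis.
# Order matters: HTTP and verification errors are checked before the
# certificate status lines, which openssl may still print on failure.
interpret_ocsp_output() {
    out="$1"
    case "$out" in
        *"Code=405"*)
            echo "http-405: responder refused the HTTP POST; check the URL path (e.g. a missing /ocsp suffix) and whether the responder accepts POST" ;;
        *"Code=404"*)
            echo "http-404: OCSP URL not found on that server; verify the responder URL" ;;
        *"Responder Error: unauthorized"*)
            echo "unauthorized: responder does not serve this issuer; check -issuer and the responder's CA configuration" ;;
        *"Response Verify Failure"*)
            echo "verify-failure: response signature not verified; supply the responder or CA cert with -VAfile or -CAfile" ;;
        *": revoked"*)
            echo "revoked" ;;
        *": good"*)
            echo "good" ;;
        *": unknown"*)
            echo "unknown: responder has no status for this certificate" ;;
        *)
            echo "unrecognized: $out" ;;
    esac
}

# Run the probe from the thread and feed its output to the classifier.
# $1 = issuing CA cert, $2 = cert to check, $3 = responder URL (assumed).
probe_ocsp() {
    out=$(openssl ocsp -issuer "$1" -cert "$2" -url "$3" 2>&1)
    interpret_ocsp_output "$out"
}
```

Run it as `probe_ocsp ca.pem user.pem http://responder.example/ocsp`; the first word of the result is stable enough to key a monitoring check on.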