OCSP certificates validation failed. User not authenticated.

Document ID : KB000051382
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Siteminder by default checks whether OCSP certificates has been signed by CA certificate authority or not, for this it checks for DN of the responder certificate with issuer DN of CA certificate, if they don?t match OCSP validation failed message is logged. Now if OCSP certificates are not signed by CA certificate there DNs are different, something like this:
OCSP responder certificate is issued by "CN = dod ocsp ss ,OU = PKI, OU=DoD,O = U.S. Government,C = us"
While the issuer DN for CA certificate is "CN = DoD Root CA 2,OU = PKI,OU = DoD,O = U.S. Government,C = US"
Because of the root check of OCSP certificates, authentication check is failing for user.

Solution:

IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to create a back up of the registry and ensure that you understand how to restore the registry if a problem may occur.
For information about how to back up, restore, and edit the registry, please review the relevant Microsoft Knowledge Base articles on support.microsoft.com.

A new registry key is introduced (OcspResponderRootCheck) to decide upon whether OCSP certificates root check is required or not. This registry key has to be added in SiteMinder\PolicyServer. As this key does not exist, this key has to be added manually.
The default behavior of PS is to check the root of the ocsp responder certificates. Set the value of this registry key to 0 makes sure PS will not check the root of the OCSP certificates.

With the latest release of Siteminder R12 SP2 CR1 and 6.0 SP6 customer can decide whether OCSP certificate root check is required or not.