
IDENTRUS_OCSP_COMPLIANCE_FAILED

Former Community Member

Hi All,

The PDF signature verification service is giving "IDENTRUS_OCSP_COMPLIANCE_FAILED" as the failure reason.

In the PDF signature verification result, I am getting "ALC-DSS-111-004 - must sign ocsp request" as the status message.

This process was giving proper verification output before purging operation.

I have changed the signature service settings in the AdminUI of Adobe LiveCycle. I have purged the certificate cache as well as the OCSP cache. Is this the reason why I am getting the error?

Will anybody explain the solution to overcome this issue?

Regards

Abhishek

3 Replies

Former Community Member

Abhishek

Clearly your OCSP responder is expecting that the OCSP request be digitally signed.  You will need to configure the Digital Signature service (as I showed you in previous e-mails) to sign the OCSP request.

As I mentioned in my e-mail, I believe there is an issue with your PKI and or Identrus credential.  I don't think that you will be able to resolve this issue through the forum.  You should continue to work with Adobe Technical Support and your PKI administrator.

Regards

Steve

Level 2

Was there any resolution to this issue?

We got the OCSP Signing certificate from Identrust, stored the Certificate in HSM with FIPS standards prescribed by Identrust and configured ALC to use the OCSP Signing certificate from the HSM but still we are not able to do a revocation check on the Identrust cards.

The Request Parameters have:

<ser:OCSPOptionSpec>
    <ser:URLtoConsultOption>UseAIAInCert</ser:URLtoConsultOption>
    <ser:allowOCSPNoCheck>false</ser:allowOCSPNoCheck>
    <ser:doSignRequest>true</ser:doSignRequest><!-- Set to Sign the OCSP Request -->
    <ser:ignoreValidityDates>false</ser:ignoreValidityDates>
    <ser:maxClockSkew>3</ser:maxClockSkew>
    <ser:ocspServerURL/>
    <ser:requestSignerCredentialAlias>TAOCSPSIGNER</ser:requestSignerCredentialAlias><!-- Credential Stored in HSM Device -->
    <ser:requireOCSPCertHash>false</ser:requireOCSPCertHash>
    <ser:responseFreshness>5</ser:responseFreshness>
    <ser:revocationCheckStyle>AlwaysCheck</ser:revocationCheckStyle>
    <ser:sendNonce>true</ser:sendNonce>
</ser:OCSPOptionSpec>

Response we get is:

<status xsi:type="xsd:string">Trouble</status>
<statusMessage xsi:type="xsd:string">ALC-DSS-111-009: OCSP transport error: Exception from transport package (in the operation : internalSendReceive)
Caused By: Exception from transport package Unexpected failure: {0} (in the operation : internalSendReceive)</statusMessage>

Checked the proxy settings in SignatureService and they were good. We could see in the proxy logs that the requests to Identrust are passing through. We also checked at the firewall end and there were no issues reported there either. What might be missing? Raised a ticket with LiveCycle Enterprise Support, but it's been two weeks and we are still waiting to hear from them.

Level 2

Please find the solution to this issue here:

1. TrustAssured will Reject all Unsigned OCSP requests and so you would need an OCSP Signer Credential for Signing your OCSP URL.

2. TrustAssured Policy (Based on Identrust policy) that the Credentials to be stored in an HSM.

3. TrustAssured requires the relying party to buy a certificate (Approx. 1100 GBP / 3Years).

4. The HSM Needs to Comply with FIPS Level 3, which means it rules out storing the Signing Credential inside ALC.

Now to the Solution:-

Once you have purchased the OCSP Signer Credential and moved it to the HSM, Configure the same in Admin Console under the HSM Settings.

FIPS Settings Should be UNCHECKED in the SignatureService Configuration as well.

While doing a Revocation Check on the PDF signed with a TrustAssured Signature, have the Following Settings in place for OCSP Option Spec.

<ser:OCSPOptionSpec>
    <ser:URLtoConsultOption>UseAIAInCert</ser:URLtoConsultOption>
    <ser:allowOCSPNoCheck>true</ser:allowOCSPNoCheck><!-- This Needs to be True as well -->
    <ser:doSignRequest>true</ser:doSignRequest><!-- Set to Sign the OCSP Request -->
    <ser:ignoreValidityDates>false</ser:ignoreValidityDates>
    <ser:maxClockSkew>3</ser:maxClockSkew>
    <ser:ocspServerURL/>
    <ser:requestSignerCredentialAlias>OCSPSIGNERCREDENTIAL</ser:requestSignerCredentialAlias><!-- Credential Stored in HSM Device -->
    <ser:requireOCSPCertHash>false</ser:requireOCSPCertHash>
    <ser:responseFreshness>5</ser:responseFreshness>
    <ser:revocationCheckStyle>AlwaysCheck</ser:revocationCheckStyle>
    <ser:sendNonce>true</ser:sendNonce>
</ser:OCSPOptionSpec>

This would Solve your Issue with the IDENTRUS_OCSP_COMPLIANCE_FAILED Error.

PS: You have to Configure the Chain Certificates as well on the ALC TrustStore.

Cheers

Mahesh Krishnan
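The two OCSPOptionSpec blocks in this thread (the one that failed with the transport error and the one Mahesh posted as working) differ only in allowOCSPNoCheck and the signer credential alias, and the original "must sign ocsp request" status is what an unsigned request against a responder that demands signing produces. The following is an added example, not LiveCycle code or anything from the posters: a small stdlib-only linter that parses an OCSPOptionSpec fragment, reports the settings the thread identifies as required (doSignRequest, a non-empty requestSignerCredentialAlias, a nonce, a responder URL source, sane integer skew/freshness values), and diffs two specs so a reviewer can see exactly what changed. The namespace URI bound to the `ser:` prefix is an assumption (the fragments on the page do not declare it), and the third, unsigned spec is constructed to show what the linter reports for the failing case.

```python
"""Lint an Adobe LiveCycle OCSPOptionSpec against the requirements this
thread describes. Added example, not LiveCycle's own code; stdlib only."""
import xml.etree.ElementTree as ET

# Assumption: the "ser:" prefix is bound to LiveCycle's service namespace.
# The fragments in the thread omit the declaration, so we add it ourselves.
SER_NS = "http://adobe.com/idp/services"


def wrap(spec_body: str) -> str:
    """Wrap a bare <ser:OCSPOptionSpec> fragment so the prefix is declared."""
    return f'<root xmlns:ser="{SER_NS}">{spec_body}</root>'


# Spec from the post that received the transport error (comments dropped).
FAILING_SPEC = wrap("""
<ser:OCSPOptionSpec>
  <ser:URLtoConsultOption>UseAIAInCert</ser:URLtoConsultOption>
  <ser:allowOCSPNoCheck>false</ser:allowOCSPNoCheck>
  <ser:doSignRequest>true</ser:doSignRequest>
  <ser:ignoreValidityDates>false</ser:ignoreValidityDates>
  <ser:maxClockSkew>3</ser:maxClockSkew>
  <ser:ocspServerURL/>
  <ser:requestSignerCredentialAlias>TAOCSPSIGNER</ser:requestSignerCredentialAlias>
  <ser:requireOCSPCertHash>false</ser:requireOCSPCertHash>
  <ser:responseFreshness>5</ser:responseFreshness>
  <ser:revocationCheckStyle>AlwaysCheck</ser:revocationCheckStyle>
  <ser:sendNonce>true</ser:sendNonce>
</ser:OCSPOptionSpec>""")

# Spec from the final reply that the poster reports as working.
WORKING_SPEC = wrap("""
<ser:OCSPOptionSpec>
  <ser:URLtoConsultOption>UseAIAInCert</ser:URLtoConsultOption>
  <ser:allowOCSPNoCheck>true</ser:allowOCSPNoCheck>
  <ser:doSignRequest>true</ser:doSignRequest>
  <ser:ignoreValidityDates>false</ser:ignoreValidityDates>
  <ser:maxClockSkew>3</ser:maxClockSkew>
  <ser:ocspServerURL/>
  <ser:requestSignerCredentialAlias>OCSPSIGNERCREDENTIAL</ser:requestSignerCredentialAlias>
  <ser:requireOCSPCertHash>false</ser:requireOCSPCertHash>
  <ser:responseFreshness>5</ser:responseFreshness>
  <ser:revocationCheckStyle>AlwaysCheck</ser:revocationCheckStyle>
  <ser:sendNonce>true</ser:sendNonce>
</ser:OCSPOptionSpec>""")

# Constructed (not from the thread): the shape of config that yields
# "must sign ocsp request" from a responder that rejects unsigned requests.
UNSIGNED_SPEC = wrap("""
<ser:OCSPOptionSpec>
  <ser:URLtoConsultOption>UseAIAInCert</ser:URLtoConsultOption>
  <ser:doSignRequest>false</ser:doSignRequest>
  <ser:ocspServerURL/>
  <ser:requestSignerCredentialAlias/>
  <ser:sendNonce>false</ser:sendNonce>
  <ser:maxClockSkew>abc</ser:maxClockSkew>
</ser:OCSPOptionSpec>""")


def parse_spec(xml_text: str) -> dict:
    """Return {option local-name: text} for the OCSPOptionSpec in xml_text."""
    root = ET.fromstring(xml_text)
    spec = root.find(f"{{{SER_NS}}}OCSPOptionSpec")
    if spec is None:
        raise ValueError("no ser:OCSPOptionSpec element found")
    return {child.tag.split("}")[-1]: (child.text or "").strip() for child in spec}


def _is_nonneg_int(value: str) -> bool:
    try:
        return int(value) >= 0
    except ValueError:
        return False


def check_spec(opts: dict) -> list:
    """Return (severity, message) findings; an empty list means no concerns."""
    findings = []
    if opts.get("doSignRequest", "false").lower() != "true":
        findings.append(("error", "doSignRequest is not true: a responder that "
                         "requires signed requests answers 'must sign ocsp request'"))
    elif not opts.get("requestSignerCredentialAlias"):
        findings.append(("error", "doSignRequest is true but "
                         "requestSignerCredentialAlias is empty"))
    if opts.get("URLtoConsultOption") != "UseAIAInCert" and not opts.get("ocspServerURL"):
        findings.append(("error", "no responder URL: neither AIA lookup nor ocspServerURL"))
    if opts.get("sendNonce", "false").lower() != "true":
        findings.append(("warn", "sendNonce is false: the response is not bound to this request"))
    for key in ("maxClockSkew", "responseFreshness"):
        if key in opts and not _is_nonneg_int(opts[key]):
            findings.append(("error", f"{key} must be a non-negative integer, got {opts[key]!r}"))
    if opts.get("allowOCSPNoCheck", "false").lower() != "true":
        findings.append(("info", "allowOCSPNoCheck is false; the working TrustAssured "
                         "config in the thread sets it to true"))
    return findings


def diff_specs(old: dict, new: dict) -> dict:
    """Return {option: (old_value, new_value)} for every option that differs."""
    keys = sorted(set(old) | set(new))
    return {k: (old.get(k), new.get(k)) for k in keys if old.get(k) != new.get(k)}


if __name__ == "__main__":
    for name, text in (("failing", FAILING_SPEC), ("working", WORKING_SPEC),
                       ("unsigned", UNSIGNED_SPEC)):
        print(name, check_spec(parse_spec(text)))
    print("failing -> working:", diff_specs(parse_spec(FAILING_SPEC), parse_spec(WORKING_SPEC)))
```

Run against the two specs from the thread, the diff shows only allowOCSPNoCheck (false to true) and the credential alias changing, which matches the answer above: the transport error in the middle post was not a missing signature, since doSignRequest was already true, while the original poster's "must sign ocsp request" status is exactly what the linter flags as an error on the constructed unsigned spec.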