16. Configure OCSP

The VidyoPortal, VidyoRouter, and VidyoGateway support Online Certificate Status Protocol (OCSP) verification. OCSP verification can be enabled on the following pages:

  • VidyoPortal and VidyoRouter vr2conf
  • VidyoPortal Super Admin
  • VidyoPortal User portal (only supported in an environment with no VidyoRooms)
  • VidyoPortal Tenant Admin
  • VidyoGateway Admin

Before enabling OCSP, you must do the following:

  • Ensure that HTTPS is configured and enabled.
  • Ensure that a valid CA Root has been uploaded. All Certificate Authorities and Intermediates for the certificates presented must be present in the CA Root.
  • Ensure that a valid Certificate Bundle has been uploaded.

Note

For a Certificate to be verified, its entire Certificate Authority Chain must be verifiable via the configured OCSP responder. If it is not, verification will fail even if the certificate is valid.

Enable and configure OCSP

OCSP must be enabled in the VidyoGateway, VidyoPortal, and VidyoRouter. OCSP must then be enabled for VidyoGateway and VidyoRouter on the VidyoPortal.

Enable OCSP in the VidyoPortal and VidyoRouter and configure OCSP in the VidyoPortal

Enabling OCSP is done the same way for VidyoPortal and VidyoRouter. For the VidyoPortal, you must enable OCSP and then perform some additional configuration to enable OCSP for VidyoGateway and VidyoRouter.

To enable OCSP in the VidyoPortal or VidyoRouter:

  1. Log in to the Super Admin portal or your VidyoRouter.
  2. Click the Settings tab. The License page displays by default.
  3. Click the plus sign to the left of Security on the left menu.
  4. Click Advanced from the submenu. The Advanced page displays.
  5. Select the Enable OCSP checkbox.
  6. If you want to override the OCSP responders specified in the Client, Intermediate, and Root certificates, select the Override CA OCSP Responder checkbox and enter the IP address or FQDN of the new responder in the Responder URL field.
  7. Click Save OCSP Settings.

    Note

    The server must have access to the OCSP Responders specified in the certificates or to the overridden Responder. Also, be sure that the configured DNS server can resolve the FQDNs of all the OCSP Responders.
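Before selecting Enable OCSP, a pre-flight check like the one below saves a failed verification. It is an added example, not a Vidyo tool or anything shipped with the products: it walks the uploaded chain as the prerequisites and the note above require, confirming for every certificate below the root that an OCSP responder URL is present (or overridden), that the responder's FQDN resolves with the server's DNS, and that the responder reports the certificate as good. It assumes openssl and getent are on the PATH and that the bundle is PEM with the leaf certificate first.

```shell
#!/bin/sh
# OCSP pre-flight check (added example, not part of the Vidyo products or guide).
# Assumes: openssl and getent on PATH; PEM chain leaf first, root last;
# optional second argument = override responder URL (as in the Responder URL field).
set -u

# Split a PEM bundle into $2/cert01.pem, cert02.pem, ... and print the count.
split_bundle() {
    bundle=$1 outdir=$2
    mkdir -p "$outdir"
    awk -v d="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", d, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { close(f); inside = 0 }
        END { print n + 0 }' "$bundle"
}

# Host part of a responder URL: http://host[:port]/path -> host
responder_host() {
    h=${1#*://}; h=${h%%/*}; h=${h%%:*}
    printf '%s\n' "$h"
}

# True when the responder's FQDN resolves with the server's configured DNS.
dns_resolves() {
    getent hosts "$(responder_host "$1")" >/dev/null 2>&1
}

# $1 = bundle, $2 = optional override URL. Returns non-zero if any link fails.
ocsp_preflight() {
    bundle=$1 override=${2:-}
    work=$(mktemp -d) rc=0 i=1
    n=$(split_bundle "$bundle" "$work")
    while [ "$i" -lt "$n" ]; do          # the self-signed root is not checked
        cert=$(printf '%s/cert%02d.pem' "$work" "$i")
        issuer=$(printf '%s/cert%02d.pem' "$work" $((i + 1)))
        subj=$(openssl x509 -in "$cert" -noout -subject)
        url=${override:-$(openssl x509 -in "$cert" -noout -ocsp_uri)}
        if [ -z "$url" ]; then echo "FAIL no OCSP URI in cert: $subj"; rc=1
        elif ! dns_resolves "$url"; then echo "FAIL DNS lookup: $url ($subj)"; rc=1
        elif openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
                -CAfile "$bundle" 2>/dev/null | grep -q ': good'; then
            echo "OK   $subj via $url"
        else echo "FAIL responder did not report good: $subj via $url"; rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$work"; return "$rc"
}
```

Run it as `ocsp_preflight bundle.pem` (or with the override URL as the second argument) from the server that will perform the verification, since that is the host whose DNS and outbound access matter.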

To configure OCSP for your applications in the VidyoPortal:

  1. Log in to the Super Admin portal using your Super Admin account. See Log in to the Super Admin portal. The Components page displays by default.
  2. Click the Settings tab. The License page displays by default.
  3. Click the plus sign to the left of Security on the left menu.
  4. Click Applications from the submenu. The Applications page displays.
  5. Look in the Applications column for the application for which you want to enable OCSP, and then select the checkbox in the OCSP column for that application.

    Note

    OCSP should not be enabled for the User portal. If it is enabled, VidyoRooms will no longer function correctly.

  6. Click Save.

    Changes are applied immediately; therefore, if OCSP verification is required for the Super application, you will be immediately prompted for your client certificate.

Enable OCSP in the VidyoGateway

To enable OCSP in the VidyoGateway:

  1. Log in to the Admin portal using your System Console account. See Log in as a Tenant Admin. The GENERAL > VidyoPortal page displays by default.
  2. Navigate to MAINTENANCE > SECURITY. The MAINTENANCE > SECURITY > Private Key page displays by default.
  3. Click the Advanced subtab.
  4. Click the Configure Client Certificate Authentication button in the Client Certificate Authentication section. The Client Certificate Authentication pop-up displays.
  5. Select the Enable client certificate authentication and OCSP revocation check checkbox.
  6. If you want to override the OCSP responders specified in the Client, Intermediate, and Root certificates, select the Override OCSP Responder checkbox and enter the IP address or FQDN of the new responder in the Default Responder (optional) field.
  7. Select Enable None if necessary.
  8. Click Save.
  9. Click Apply Settings in the Client Certificate Authentication section. The Configure Client Certificate Authentication button changes to the Disable Client Certificate Authentication button.

    For VidyoGateway, this will immediately require OCSP certificate verification for the VidyoGateway Admin Pages.

    Note

    The server must have access to the OCSP Responders specified in the certificates or the overridden Responder. Also, be sure that the configured DNS server can resolve the FQDNs of all the OCSP Responders.

Disable OCSP from the System Console

You can globally disable OCSP from the System Console only when at least one application (VidyoGateway, VidyoPortal, or VidyoRouter) has OCSP enabled. Otherwise, the menu shows only option 3, OCSP Information, which lets you view the configuration data.

To disable OCSP from the System Console:

  1. Log in to the System Console. See Log in to the System Console of your server and change the default password.

    Note

    Press the Enter key after each prompt.

  2. Enter m for more options.
  3. Enter A for Advanced Options.
  4. Enter 3 to select the Disable OCSP option.
  5. Enter y to save the configuration.

    Note

    OCSP can be disabled using the System Console option O if it was not set up correctly.