Once working with digital certificates you should take into consideration they might be revoked by the CA at any time. Therefore, PKIX and dates validation isn't enough.
DataPower can check certification revocation either by using CRL or OCSP techniques. The OCSP method is working fine on firmware v7.0.0.2. However, after upgrading to v7.1.0.4 the dp:ocsp-validate-certificate() query takes near 2 minutes to get a result. The problem was tested on XI52 physical appliance and IDG virtual appliance.
APAR IT12248 has been opened to track the resolution of this defect.
UPD - a fix was provided in 7.0.0.13, 7.1.0.10, 7.2.0.6 and 7.5.0.0.
This APAR has been fixed and is included in the latest DataPower fix packs and releases > 7.5
ReplyDeleteActually, it was already fixed in 7.0.0.13. We've received a special build with ifix to continue our development.
Delete