Description

Starting with the Orlando release, an enhanced security feature was added for certificate revocation verification. If the OCSP protocol is blocked by a firewall or proxy server, the MID Server cannot connect to the instance, and messages similar to the following appear in the MID Server agent log:
 
02/03/20 15:12:19 (059) File sync worker: ecc_agent_jar OCSPCheck adding BouncyCastle provider at -1
02/03/20 15:12:19 (066) File sync worker: ecc_agent_jar OCSPCheckedCertificateCache build with max capacity 32
02/03/20 15:12:19 (066) File sync worker: ecc_agent_jar OCSPRevokedCertificateCache build with max capacity 16
02/03/20 15:12:19 (171) File sync worker: ecc_agent_jar WARNING *** WARNING *** Socket error
02/03/20 15:12:19 (174) File sync worker: ecc_agent_jar WARNING *** WARNING *** OCSP revoke check IOException for *.service-now.com
02/03/20 15:12:19 (175) File sync worker: ecc_agent_jar WARNING *** WARNING *** org.apache.commons.httpclient.HttpException: Connection reset
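
The log signature above can be triaged automatically. The following is an added example, not ServiceNow code: it scans agent log text for OCSP revoke check failures and attaches the neighbouring warnings from the same worker, which carry the network-level cause. The line layout (MM/DD/YY date, milliseconds in parentheses), the function names and the 500 ms correlation window are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta

# First six lines: the agent log excerpt from this article.
# Last line: constructed here, to show an unrelated warning is not correlated.
SAMPLE_LOG = """\
02/03/20 15:12:19 (059) File sync worker: ecc_agent_jar OCSPCheck adding BouncyCastle provider at -1
02/03/20 15:12:19 (066) File sync worker: ecc_agent_jar OCSPCheckedCertificateCache build with max capacity 32
02/03/20 15:12:19 (066) File sync worker: ecc_agent_jar OCSPRevokedCertificateCache build with max capacity 16
02/03/20 15:12:19 (171) File sync worker: ecc_agent_jar WARNING *** WARNING *** Socket error
02/03/20 15:12:19 (174) File sync worker: ecc_agent_jar WARNING *** WARNING *** OCSP revoke check IOException for *.service-now.com
02/03/20 15:12:19 (175) File sync worker: ecc_agent_jar WARNING *** WARNING *** org.apache.commons.httpclient.HttpException: Connection reset
02/03/20 15:12:40 (002) Constructed worker WARNING *** WARNING *** Constructed unrelated warning
"""

# Assumed layout: MM/DD/YY HH:MM:SS (milliseconds) <source> [WARNING marker] <message>
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \((\d{3})\) (.*)$")
WARN_MARK = "WARNING *** WARNING *** "
OCSP_RE = re.compile(r"^OCSP revoke check (\w+) for (\S+)")

def parse_warnings(text):
    """Return (timestamp, source, message) for every warning line in the log."""
    warnings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or WARN_MARK not in m.group(3):
            continue  # not a log line, or an informational line
        source, _, message = m.group(3).partition(WARN_MARK)
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S") + timedelta(milliseconds=int(m.group(2)))
        warnings.append((ts, source.strip(), message.strip()))
    return warnings

def find_ocsp_failures(text, window_ms=500):
    """Pair each OCSP revoke check failure with nearby warnings from the same source."""
    warnings = parse_warnings(text)
    failures = []
    for ts, source, message in warnings:
        hit = OCSP_RE.match(message)
        if not hit:
            continue
        # Warnings logged by the same worker within the window explain the failure.
        related = [msg for t, src, msg in warnings if src == source and msg != message
                   and abs(t - ts) <= timedelta(milliseconds=window_ms)]
        failures.append({"time": ts, "source": source, "exception": hit.group(1),
                         "target": hit.group(2), "related": related})
    return failures

if __name__ == "__main__":
    for f in find_ocsp_failures(SAMPLE_LOG):
        print(f["time"], f["target"], f["exception"], f["related"])
```

An IOException paired with "Socket error" or "Connection reset" points to blocked connectivity to the OCSP responder, which is the cause this article describes.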

Release or Environment

From Orlando

Cause

The MID Server does not have connectivity with the OCSP responder.

Resolution

Configure the firewall or proxy server to allow OCSP traffic to and from the MID Server. OCSP connectivity can be validated by running Wireshark on the MID Server host and filtering for the ocsp protocol, as per the screenshot below. OCSP runs over HTTP, and the responder should return a response with certStatus = good, meaning that the certificate is valid for the SSL transaction between the MID Server and the instance.

 

Additional Information

https://tools.ietf.org/html/rfc6960

https://www.wireshark.org/docs/dfref/o/ocsp.html

Article Information

Last Updated: 2020-04-29 15:05:52
Published: 2020-04-29