The test code is available on GitHub here (the same project also contains WS-Security OCSP tests):
- cxf-ocsp: This project contains a number of tests that show how a CXF service can validate client certificates using OCSP.
1) Enabling OCSP for web service clients

First we'll look at enabling OCSP for web service clients. The TLSOCSPTest shows how this can be done. Two Java security properties are set in the test code to enable OCSP:
- "ocsp.responderURL": The URL of the OCSP service
- "ocsp.enable": "true" to enable OCSP
The OCSP responder that the tests talk to is started with OpenSSL, signing its responses with the test CA key and certificate and reading the revocation state from the CA's index file:

```shell
openssl ocsp -index ca.db.index -port 12345 -text -rkey wss40CAKey.pem -CA wss40CA.pem -rsigner wss40CA.pem
```
The second test shows a new and alternative way of enabling OCSP if you want to configure your TLS keys in Spring. This feature is only available from CXF 3.1.11 onwards. The Spring configuration file for the client contains a tlsClientParameters element with the attribute enableRevocation="true". Together with the "ocsp.enable" security property, this enables revocation checking on the certificate presented by the server during the TLS handshake.
2) Enabling OCSP for web service servers
We also show via the TLSOCSPClientAuthTest how to enable OCSP for web service servers that use CXF's Jetty transport. OpenSSL should be started as per the client tests. The server requires client authentication and then uses OCSP to verify the revocation status of the certificate presented by the client during the TLS handshake. The TLS configuration for the server is done in code. However, it can also be done in Spring using the "enableRevocation" attribute as per the client above.
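The following is an added example, not code from the test project above, that pulls together both halves of the post in one place: the two security properties from the client section, the programmatic equivalent of the tlsClientParameters configuration, and the Jetty server configuration with client authentication. The keystore paths and password are placeholders (the post only names the OpenSSL CA files), the responder URL is derived from the -port 12345 in the openssl command, and the class name OcspTlsConfig is invented for the example. The one point the prose does not spell out is that the JDK only consults "ocsp.enable" when PKIX revocation checking is switched on, which is what PKIXBuilderParameters.setRevocationEnabled(true) does here and what enableRevocation="true" does for you in CXF 3.1.11+.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.Bus;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.configuration.jsse.TLSServerParameters;
import org.apache.cxf.configuration.security.ClientAuthentication;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transport.http_jetty.JettyHTTPServerEngineFactory;

/** Added example (not from the cxf-ocsp project): OCSP-backed TLS for a CXF client and server. */
public final class OcspTlsConfig {

    // Placeholders: the post names only the OpenSSL CA files, not the Java keystores.
    private static final String TRUST_STORE = "/path/to/truststore.jks";
    private static final String KEY_STORE = "/path/to/keystore.jks";
    private static final char[] PASSWORD = "changeit".toCharArray();

    /** The two security properties from the post; they apply JVM-wide. */
    public static void enableOcsp(String responderUrl) {
        Security.setProperty("ocsp.enable", "true");
        // e.g. "http://localhost:12345", matching "-port 12345" on the openssl command line.
        Security.setProperty("ocsp.responderURL", responderUrl);
    }

    /** Trust managers that perform PKIX revocation checking; without setRevocationEnabled(true)
     *  the "ocsp.enable" property is ignored and a revoked certificate would still be accepted. */
    public static TrustManager[] revocationCheckingTrustManagers() throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) {
            trustStore.load(in, PASSWORD);
        }
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf.getTrustManagers();
    }

    private static KeyManager[] keyManagers() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(KEY_STORE)) {
            keyStore.load(in, PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, PASSWORD);
        return kmf.getKeyManagers();
    }

    /** Client side: check the server certificate against the responder during the handshake. */
    public static void configureClient(Object clientProxy, String responderUrl) throws Exception {
        enableOcsp(responderUrl);
        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(revocationCheckingTrustManagers());
        // From CXF 3.1.11 the explicit PKIX set-up above can instead be expressed as
        // tls.setEnableRevocation(true), the code equivalent of enableRevocation="true" in Spring.
        HTTPConduit conduit = (HTTPConduit) ClientProxy.getClient(clientProxy).getConduit();
        conduit.setTlsClientParameters(tls);
    }

    /** Server side (Jetty transport): demand a client certificate and OCSP-check it. */
    public static void configureServer(Bus bus, int port, String responderUrl) throws Exception {
        enableOcsp(responderUrl);
        TLSServerParameters tls = new TLSServerParameters();
        tls.setKeyManagers(keyManagers());
        tls.setTrustManagers(revocationCheckingTrustManagers());
        ClientAuthentication clientAuth = new ClientAuthentication();
        clientAuth.setWant(true);
        clientAuth.setRequired(true); // handshake fails if the client presents no certificate
        tls.setClientAuthentication(clientAuth);
        JettyHTTPServerEngineFactory factory = bus.getExtension(JettyHTTPServerEngineFactory.class);
        factory.setTLSServerParametersForPort(port, tls);
    }
}
```

Because Security.setProperty is global to the JVM, the responder URL set for the client test also governs any server running in the same process, which is why the post can start a single OpenSSL responder for both the client and server tests. Setting "ocsp.responderURL" also overrides any responder URL carried in the certificate's AIA extension, so the test certificates do not need one.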