To test if OCSP is working, you need a certificate that includes OCSP information. This is only the case for certificates issued AFTER the service was installed, configured and activated on the CA. Therefore, you'll first need to create a new certificate for your tests. Depending on your CA configuration, you can use OpenSSL to create a request, or you will have to use the tools integrated in Windows. I will show here how to use a CSR created by OpenSSL and a Windows Enterprise CA.
After OCSP is installed and configured and the CA includes OCSP information in newly issued certificates, the basic configuration is done and you are ready to use OCSP in your environment. To make better use of OCSP, some additional configuration steps should be done, like enabling NONCE. The Microsoft test client does not use NONCE, so its test will pass, while OpenSSL uses NONCE and its test will fail. Generally, enabling it ensures you'll have fewer problems with a wide range of clients.
Edit OCSP configuration properties.
Go to tab Signing and enable NONCE.
If the array controller reports that a signing certificate is not available, refresh the node.
The status should be empty.
In the CA, an OCSP signing certificate must appear in the list of issued certificates.
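The two checks described above (does a newly issued certificate carry an OCSP URL, and does the responder answer a request that contains a nonce) can be scripted with OpenSSL. This is an added example, not part of the original post; the throwaway CA, the subject names, the file names and the responder URL passed in are constructed for the demo.

```shell
#!/bin/sh
# Added example. The demo CA, subject names and file names are constructed.

# Print the OCSP responder URL from the certificate's AIA extension.
# Prints nothing when the certificate was issued before OCSP was configured.
ocsp_url() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Create a throwaway CA in directory $1 and sign a leaf CSR with it.
# $2 is the OCSP URL to embed; pass "" to get a certificate without one.
issue_test_cert() {
    dir=$1; url=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ocsp-test.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    if [ -n "$url" ]; then
        printf 'authorityInfoAccess = OCSP;URI:%s\n' "$url" > "$dir/ext.cnf"
    else
        printf 'basicConstraints = CA:FALSE\n' > "$dir/ext.cnf"
    fi
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/ext.cnf" -out "$dir/leaf.pem" 2>/dev/null
}

# Ask the responder named in certificate $1 (issuer certificate $2) for its status.
# $3 defaults to -nonce; pass -no_nonce to behave like a client that sends no nonce.
# Returns 2 without contacting anything when the certificate has no OCSP URL.
check_revocation() {
    url=$(ocsp_url "$1")
    [ -n "$url" ] || { echo "no OCSP URL in certificate" >&2; return 2; }
    nonce=${3:--nonce}
    openssl ocsp -issuer "$2" -cert "$1" -url "$url" "$nonce" -CAfile "$2"
}
```

Against a real CA, run ocsp_url on a certificate issued after the AIA change, then run check_revocation once with the default and once with -no_nonce to see whether the responder handles both.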
After the OCSP service is installed and configured, the CA must be made aware of the service. Only then will certificates newly issued by the CA include the OCSP information. This means that you can run an OCSP service without having it included in the client certificates. In that case, clients can be configured to use a static OCSP address to validate the status of the certificate, while other clients won't be able to do this.
To configure a CA to support an Online Responder or OCSP responder services
Open the Certification Authority snap-in.
Open the properties of the CA.
Open the extensions tab. By default, the CRL distribution point (CDP) list is shown.
Change from CDP to Authority Information Access (AIA)
Click on Add to add a new location.
Specify the locations from which users can obtain certificate revocation data. This is the URL under which the OCSP service is installed. Make sure that the clients can resolve the DNS name and communicate with the service.
Select “Include in the online certificate status protocol (OCSP) extension”. This makes the OCSP URL available in the certificate.
You will have to restart the CA service to make the new configuration effective.
Next, you will have to include the OCSP certificate in the list of available certificates of the CA.
Open the CA snap-in, select Certificate Templates, right click and choose “New Certificate Template to Issue”
Select the OCSP Response Signing certificate.
To check that it worked, select the certificate and open its properties.
Our 4th SIT at São Leopoldo occurred a few days after the SAP internal DKOM event. Therefore we lost some of our momentum, as some participants can only justify going to one event, and for many, DKOM was higher on the priority list. Overall, the event was once more a success, attracting a diverse crowd from local SAP employees, local Porto Alegre market and some even travelling from Sao Paulo and Rio de Janeiro to attend the event.
I will really miss the “old” SAP Notes search available on support.sap.com. Eventually. There are several reasons, like: the new Fiori type replacement looks to be made primarily to be Fiori and not to offer easy usage to its users. Or: it's slower, first versions contained only a fraction of features (PDF download, direct link, download content), a confusing user interface (first level you have to click on the arrow to navigate, second level you can click on the whole item to navigate, back navigation not really working, filter not working as expected). However, to be honest, I liked that the old app was honest. Honest? Just try it, and search for some (disclaimer: you must be 18+, US: 30+ or give a damn about PC to continue reading) swear words, like, well, let's take the classic: FUCK.
OLD SAP Notes search
NEW SAP Notes search
Yep, the new version returns no search results for the same key word, compared to four SAP Notes in the old version.
It seems that this has little to do with a PC filter in place. The new version does not return the content of the SAP Notes (ABAP code); therefore, the key word may not be part of the index and a search for it returns no hits. I guess this is going to be implemented soon. Looking at the number of changes released to the new Fiori SAP Notes app, the people responsible are very well aware that features are missing. How much time is left for the old SAP Notes search? The app will be retired 15. August 2016.
In the meantime, you can still search for other linguistic gems left by the developers. If you do so, you'll notice that the index is sometimes updated and returns some of the SAP Notes listed by the old search. It seems that work is being done in the background to ensure that the old and new version return the same results, aka: search index is updated. I am confident that on August 15th the new SAP Notes search will offer the same or better functionality than the old search. Did you expect something else from SAP?
Our third event in Rio de Janeiro and the second Meetup in Rio. This event was also located at INFNET. Once again, INFNET sponsored the event by providing the location, and I was able to offer the event once more in the downtown area, close to some of the biggest SAP customers in Rio and close to partner offices. INFNET is also a SAP University Alliance partner, so great initiative from them to help us.