Benoit Crestey
ServiceNow Employee
on 05-23-2023 07:20 AM
Summary
Please use this information if, for some reason, you have issues with OCSP. I faced this issue with Azure Monitor connectivity.
Issue
- By default, when connecting to APIs that present certificates, the MID Server contacts an OCSP URL to check whether the certificate has been revoked
- The OCSP responder at that URL reports whether the certificate has been revoked or not
- This URL is reached directly from the MID Server to check whether the server's certificate is revoked
- If the firewall does not allow this traffic, the certificate check fails and the connection to the API is refused
- This URL is embedded in the server certificate itself
- The ServiceNow documentation proposes opening the firewall to a common OCSP URL, but the list is not exhaustive
- The documented URL is "ocsp.entrust.net (or other OCSP CA)"
- https://docs.servicenow.com/bundle/utah-servicenow-platform/page/product/mid-server/reference/r_MIDS...
How to find the OCSP URL for a certificate?
- Choice 1: Look at the error logs
- Choice 2: Use an online tool (if the certificate is reachable from the internet)
- Choice 3: Use the command line on the certificate file:
openssl x509 -in cert.pem -noout -ocsp_uri
Example of logs (taken from the MID Server logs):
2023-05-17T07:34:17.046+0000 DEBUG (Worker-Interactive:ConnectorProbe-ea703de21bb2e910255c964b9b4bcbfa) [MIDTLSPolicy:77] MIDSecPolicy: Certificate revocation check for host[login.microsoftonline.com] is true
2023-05-17T07:34:17.078+0000 WARN (Worker-Interactive:ConnectorProbe-ea703de21bb2e910255c964b9b4bcbfa) [OCSPCheck:539] OCSPCheck authority: http://ocsp.digicert.com, error: java.net.SocketException: Connection reset
2023-05-17T07:34:17.078+0000 WARN (Worker-Interactive:ConnectorProbe-ea703de21bb2e910255c964b9b4bcbfa) [HTTPClient:830] Socket error
2023-05-17T07:34:17.078+0000 WARN (Worker-Interactive:ConnectorProbe-ea703de21bb2e910255c964b9b4bcbfa) [GlideSSLProtocolSocketFactory:509] OCSP revoke check IOException for stamp2.login.microsoftonline.com
Here we can see that the MID Server refused to connect to "login.microsoftonline.com" because it was not able to reach the OCSP URL (http://ocsp.digicert.com).
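As an added example (not part of the original post), the following Python script scans MID Server log lines in the format shown above, pairs each failed OCSPCheck with the host whose revocation check it broke, and lists the OCSP responder hostnames that the firewall must allow. The regular expressions are written against the four lines quoted here; other MID releases may word these messages differently, so the patterns are an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the four MID Server log lines quoted in the post above.
SAMPLE_LOG = """\
2023-05-17T07:34:17.046+0000 DEBUG (Worker-Interactive:ConnectorProbe-ea703de21bb2e910255c964b9b4bcbfa) [MIDTLSPolicy:77] MIDSecPolicy: Certificate revocation check for host[login.microsoftonline.com] is true
2023-05-17T07:34:17.078+0000 WARN (Worker-Interactive:ConnectorProbe-ea703de21bb2e910255c964b9b4bcbfa) [OCSPCheck:539] OCSPCheck authority: http://ocsp.digicert.com, error: java.net.SocketException: Connection reset
2023-05-17T07:34:17.078+0000 WARN (Worker-Interactive:ConnectorProbe-ea703de21bb2e910255c964b9b4bcbfa) [HTTPClient:830] Socket error
2023-05-17T07:34:17.078+0000 WARN (Worker-Interactive:ConnectorProbe-ea703de21bb2e910255c964b9b4bcbfa) [GlideSSLProtocolSocketFactory:509] OCSP revoke check IOException for stamp2.login.microsoftonline.com
"""

# Worker thread name in parentheses; used to pair the OCSP failure with the host it concerned
# (assumed log layout: "<timestamp> <LEVEL> (<worker>) [<class:line>] <message>").
WORKER = re.compile(r"^\S+ \w+ \((?P<worker>[^)]+)\)")
OCSP_FAIL = re.compile(r"\[OCSPCheck:\d+\] OCSPCheck authority: (?P<url>\S+?), error: (?P<err>.+)$")
REVOKE_FAIL = re.compile(r"\[GlideSSLProtocolSocketFactory:\d+\] OCSP revoke check \w+ for (?P<host>\S+)$")


def find_blocked_ocsp(log_text):
    """Return (tls_host, ocsp_url, error) for every revocation check that could not reach its responder."""
    pending = {}   # worker -> (ocsp_url, error) seen but not yet tied to a host
    results = []
    for line in log_text.splitlines():
        w = WORKER.match(line)
        worker = w["worker"] if w else "?"
        m = OCSP_FAIL.search(line)
        if m:
            pending[worker] = (m["url"], m["err"].strip())
            continue
        m = REVOKE_FAIL.search(line)
        if m and worker in pending:
            url, err = pending.pop(worker)
            results.append((m["host"], url, err))
    return results


def ocsp_hosts_to_allow(results):
    """Distinct OCSP responder hostnames the firewall must permit (OCSP responders are usually plain http://)."""
    return sorted({urlparse(url).hostname for _, url, _ in results})


if __name__ == "__main__":
    found = find_blocked_ocsp(SAMPLE_LOG)
    for host, url, err in found:
        print(f"{host}: OCSP responder {url} unreachable ({err})")
    print("allow outbound to:", ", ".join(ocsp_hosts_to_allow(found)))
```

Run it against a real agent log to get the responder list for the firewall request; the host names it prints are exactly those the MID Server tried and failed to reach.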
Resolution of the issue
- Choice 1: Allow the OCSP URL to be reached from the MID Server (firewall)
- Choice 2: Disable the certificate revocation check for specific URLs or hosts by modifying the "MID Certificate Policy"
- Choice 3: Disable all OCSP checks on the MID Server
  - Possible, but not recommended