3.1.5.2 Processing an HCEP Response

  • Article

If the HCEA receives an HTTP response other than HTTP OK, it MUST perform the error handling as specified in section 3.1.8. On receiving an HTTP OK response, HCEA MUST perform the validation as follows:

  1. HCEA MUST validate that all the HCEP response header fields are present in the response, as specified in section 2.2.1.2, and MUST discard the response if the validation fails.

  2. HCEA MAY<23> validate the values of all the HCEP response header fields, as specified in sections 2.2.2.1 and 2.2.2.2 and MUST discard the response if the validation fails.

  3. HCEA SHOULD <24>compare the value of the HCEP-correlation-Id header to the value stored in the CorrelationId ADM element as specified in section 3.1.1; if the values do not match, HCEA MAY <25> discard the HCEP response.

  4. HCEA MUST validate the format of the health certificate response that is present in the HCEP response, as specified in section 2.2.2.4. If the health certificate response is invalid, the HCEA MUST discard the HCEP response.

  5. When the validation checks are complete, the HCEA processes the HCEP response and MUST extract the base64-encoded SoHR from the HCEP-SoHR HTTP header (which is described in section 2.2.2.2) and decode it. The decoded SoHR MUST be passed to the system health entity, which SHOULD be done by calling INapEnforcementClientConnection::SetSoHResponse, which is part of the NAP EC API, and passing the SoHR as an opaque buffer; and then calling the INapEnforcementClientBinding::ProcessSoHResponse, which is part of the NAP EC API.

  6. HCEA MUST extract the certificate and place it in the PersistedComputerCertificates ADM element specified in section 3.1.1. If the specific implementation of this ADM element supports associating metadata with the certificate, the HCEA SHOULD store values of HCEP-AFW-Zone and HCEP-AFW-Protection-Level headers of the HCEP Response in the metadata associated with the certificate. The certificate is shared with the intended consumers (see section 1.6) by means of the PersistedComputerCertificates ADM element. The intended consumers SHOULD use the specific implementation of ADM in order to retrieve the certificate. <26>