3.2.5.3 Creating and Sending an HCEP Response

  • Article

  1. The HCEP response MUST be created as follows. (The logical values of the headers are specified.  The values MUST be formatted and encoded as specified in sections 2.2.2.1 and 2.2.2.2.)

    • Set the value of the HCEP-Correlation-Id header to the value of the HCEP-Correlation-Id header in the HCEP request.

    • Set the value of the HCEP-SoHR header to the SoHR parameter of the SetSoHR abstract interface.

    • Set the value of the HCEP-AFW-Zone header to the Zone parameter of the SetSoHR abstract interface.

    • Set the value of the HCEP-AFW-Protection-Level header to the Protection Level parameter of the SetSoHR abstract interface.

    • Set the constant value of the HCEP-Version header as specified in section 2.2.2.2.

    • Set the constant values of the Content-Type and Cache-Control headers as specified in section 2.2.2.1.

    • If the compliance decision was positive, the HRA MUST request a health certificate from a CA. The HRA SHOULD communicate with the CA using the [MS-WCCE] protocol.<36> The technology and the protocols used for communication between HRA and the CA are implementation specific.

      If the compliance decision was negative, the HRA can request a health certificate from the CA.<37>

      The processing steps for obtaining a health certificate from the CA are:

      1. HRA reads the remote CA name List ADM element specified in section 3.2.1 from the beginning, and gets the first CAToConnect ADM element specified in section 3.2.1.

      2. HRA constructs the request to the CA (as specified in section 3.2.5.4).<38>

      3. HRA initiates the CAConnectionDuration timer specified in section 3.2.2.

      4. HRA submits a certificate request by invoking the local event, "submitting certificate request", described in [MS-WCCE] section 3.1.1.6.2, with the following parameters:

        • CAName: The value of the CAToConnect.Name.

        • ServerName: The value of the CAToConnect.EndPoint.

        • Flags: The flag value 0x402 indicates that the request is a CMC request in binary format.

        • Request: The certificate request generated in step 2.

          The response is a PKCS #7 response (as specified in section 2.2.2.4).

          If the CA responds with an error (nonzero value) or the Disposition output parameter value (as specified in [MS-WCCE] section 3.1.1.6.2) is not "Issued" the HRA gets the next CAToConnect ADM element from the remote CA name List and performs step 4 again until a CA responds with a PKCS #7 response or all of the CAs in the remote CA name List have been tried.

      5. If all of the CAs in the remote CA name List cannot be contacted or return an error (nonzero value), the HCEP Request processing must be aborted and HRA must respond with an error as specified in section 3.2.8.

    • If the health certificate was obtained, then the HRA MUST do the following:

      • Set the HTTP message body of the HCEP Response to the ASN.1 DER encoded PKCS #7 response of the CA.

      • Set the Content-Length header of the HCEP Response message to the size of the ASN.1 DER encoded PKCS #7 response of the CA in bytes.

    • If the health certificate was not obtained then the HRA MUST do the following:

      • Leave the HTTP message body of the HCEP Response empty.

      • Set the Content-Length header of the HCEP Response message to 0.

  2. The HCEP response MUST then be sent to the client.