
Ascertia's Validation Authority Server 

Architecture

  • OCSP Validation Hub

    There is a powerful policy engine at the heart of ADSS OCSP Server. A single instance of Validation Authority server can respond for an unlimited number of CAs (limited only by the capacity of the server and the license purchased). The benefits of using a single hub solution for multiple CAs can be measured in terms of reduced software, hardware and operational costs. It provides a single, coherent interface with which to control validation policy details, resolve support issues and provide management reporting. To the outside world it appears as if a dedicated validation server is servicing each CA.

  • Split Functionality

    The core services within Ascertia's Validation Authority can be split so that separate back-end servers process the CRLs of multiple CAs, leaving the front-end servers free to focus on handling high OCSP transaction loads. This approach optimises the performance of high-end infrastructure servers.

  • Multiple Input Feeds

    ADSS OCSP Server can retrieve certificate status information from CAs using multiple approaches: for example, CRLs retrieved using the HTTP/S and LDAP/S protocols, direct access to the CA’s real-time certificate status database, or peer Validation Authority servers. Each CA registered on the Validation Authority server can be configured with its own method. A primary and a fall-back method can be configured to ensure that no single point of failure exists.

  • Advanced CRL Support

    ADSS OCSP Server handles both Indirect CRLs and Delta CRLs. The CRL Monitor module supports multiple validation policies and complex trust infrastructures.
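The delta CRL handling mentioned above follows fixed rules from RFC 5280 (section 6.3.3): a delta applies only to a base CRL whose CRL number lies between the delta's BaseCRLNumber and the delta's own number, entries in the delta supersede the base, and a removeFromCRL entry releases a certificate that was on hold. The following is an added illustration of those rules feeding an OCSP status decision; it is not Ascertia's code, and the CRL numbers, serials and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# CRLReason codes from RFC 5280 section 5.3.1 (only the ones used here)
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: int


@dataclass
class Crl:
    crl_number: int
    this_update: datetime
    next_update: datetime
    entries: Dict[int, RevokedEntry]
    base_crl_number: Optional[int] = None  # present only on a delta CRL


def apply_delta(base: Crl, delta: Crl) -> Crl:
    """Combine a complete (base) CRL with a delta CRL into an up-to-date complete CRL."""
    if delta.base_crl_number is None:
        raise ValueError("second argument is not a delta CRL (no BaseCRLNumber)")
    # The delta covers bases numbered BaseCRLNumber..(delta number - 1); anything else is misapplied.
    if not (delta.base_crl_number <= base.crl_number < delta.crl_number):
        raise ValueError(
            f"delta CRL {delta.crl_number} (base >= {delta.base_crl_number}) "
            f"cannot be applied to base CRL {base.crl_number}"
        )
    merged = dict(base.entries)
    for serial, entry in delta.entries.items():
        if entry.reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)   # certificateHold released: the certificate is valid again
        else:
            merged[serial] = entry     # newly revoked, or reason/date updated
    return Crl(delta.crl_number, delta.this_update, delta.next_update, merged)


def cert_status(crl: Crl, serial: int, now: datetime) -> dict:
    """Derive the OCSP CertStatus for one serial number from a complete CRL."""
    if now >= crl.next_update:
        # Stale revocation data must never be reported as 'good'.
        return {"status": "unknown", "detail": "CRL past nextUpdate"}
    entry = crl.entries.get(serial)
    if entry is None:
        return {"status": "good"}
    return {"status": "revoked", "revocation_date": entry.revocation_date, "reason": entry.reason}


# Constructed sample data: a base CRL and a later delta CRL from the same CA.
T0 = datetime(2011, 6, 1, tzinfo=timezone.utc)
BASE_CRL = Crl(
    crl_number=100, this_update=T0, next_update=datetime(2011, 6, 8, tzinfo=timezone.utc),
    entries={
        0x1001: RevokedEntry(0x1001, T0, 1),                 # keyCompromise
        0x1002: RevokedEntry(0x1002, T0, CERTIFICATE_HOLD),  # temporarily on hold
    },
)
DELTA_CRL = Crl(
    crl_number=103, this_update=datetime(2011, 6, 3, tzinfo=timezone.utc),
    next_update=datetime(2011, 6, 4, tzinfo=timezone.utc), base_crl_number=100,
    entries={
        0x1002: RevokedEntry(0x1002, datetime(2011, 6, 3, tzinfo=timezone.utc), REMOVE_FROM_CRL),
        0x1003: RevokedEntry(0x1003, datetime(2011, 6, 2, tzinfo=timezone.utc), 3),  # affiliationChanged
    },
)


def demo(now_iso: str) -> Dict[int, str]:
    """Status of the three sample serials at time now_iso, after the delta has been applied."""
    combined = apply_delta(BASE_CRL, DELTA_CRL)
    now = datetime.fromisoformat(now_iso)
    return {s: cert_status(combined, s, now)["status"] for s in (0x1001, 0x1002, 0x1003)}


if __name__ == "__main__":
    print(demo("2011-06-03T12:00:00+00:00"))
```

Note that the combined CRL inherits the delta's nextUpdate: once a delta is in use, the responder's freshness window is the delta's, so a feed that stops delivering deltas should make the responder answer "unknown" rather than keep reporting "good" from an old base.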

Ease of Use

  • Wizard-based Installation & Configuration

    A simple wizard-based installer application enables operators to quickly configure Validation Authority server, the database, the initial operator account, trust anchors and other service details. Without any training an initial test system can be configured and running in 15 minutes.

  • Centralised Management

    Multiple Validation Authority servers running on different machines can be configured and monitored from one central console.

  • Automated Database Logs Archiving

    ADSS OCSP Server logs all OCSP transactions and also CRL retrieval information. The database grows over time, so an automated log archiving option is provided to keep its size manageable. The logs are HMAC secured inside Validation Authority server and are automatically signed when archived.

High Availability & Performance

  • Validation Authority - Clustering

    ADSS OCSP Server has been designed to be highly scalable and resilient to meet the most demanding infrastructure needs. Multiple servers can work concurrently using standard network load-balancers and resilient secondary sites can also be established. Various network HSMs, system platforms and database management systems can be used as required to meet existing IT strategies. Standard database techniques are used to replicate data from one ‘processing site’ to another.

  • CRL Watchdog Process

    When operating multiple Validation Authority server instances it is not necessary to retrieve CRL information on each instance, since each server would be pulling the same information. However, a mechanism is needed to ensure that if the master server goes down, a slave instance continues the CRL retrieval process. This is essential to ensure there is no single point of failure for this crucial process.

  • Group Keys

    ADSS OCSP Server can group cryptographic signing keys into logical high availability groups. If one particular key is not available (e.g. it is unavailable on the local HSM) then the next key within the group is used. This ensures that the unavailability of a single cryptographic key does not cause system failure.

  • CRL Streaming

    ADSS OCSP Server includes a high-performance CRL streaming service that imports and quickly processes large CRLs, ensuring that the latest revocation information is always available.

  • CRL Republishing

    Optionally Validation Authority server can also republish a retrieved CRL to a defined location, e.g. on the internal network for local users as a fallback option. Auto-archiving of old CRLs is also provided.

Standards Compliance & Interoperability

  • Compliance

    ADSS OCSP Server meets RFC 2560 and has been certified by the US Defense Information Systems Agency, Joint Interoperability Test Command (JITC) (under its old marketing name of TrustFinder OCSP). It also meets the extended requirements of financial trust schemes such as IdenTrust and EU project requirements such as CWA 14167-1. In addition Ascertia's Validation Authority server complies with these PKI standards: SSL/TLS, PKCS#7, PKCS#10, PKCS#11, PKCS#12, RFC 5280.

  • Interoperability

    ADSS OCSP Server has been tested with Microsoft Certificate Server, CyberTrust UniCERT, Entrust Authority, RSA KEON and other CAs (even proprietary ones). In general any standards-based CA can be used with ADSS OCSP Server, with CRLs retrieved from HTTP/S or LDAP/S locations.

  • Hash Algorithm Support

    Laws in many countries now require the use of hash algorithms that are more advanced than SHA-1. Ascertia's Validation Authority server allows OCSP responses to be hashed and signed using the latest SHA-2 set of algorithms including SHA-512.

Access Control

  • Validation Authority - Clients

    The access control module allows operators to restrict client access based on the following options:

    • Open access for all requesters
    • Using SSL client certificates to authenticate clients
    • Using OCSP request signing to authenticate clients
    • Using IP address checking to authenticate clients
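As an added illustration of how a per-CA access policy built from the four options above can be evaluated (this is example code, not Ascertia's product code): the responder's transport layer is assumed to have already verified any TLS client certificate and any signature on the OCSPRequest, so the policy engine only sees the resulting subject names and the source address. Policy names, subject DNs and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RequestContext:
    """What the responder knows about an incoming OCSP request (constructed input)."""
    source_ip: str
    tls_client_dn: Optional[str] = None      # subject of a TLS client certificate already verified by the TLS layer
    request_signer_dn: Optional[str] = None  # subject of the certificate whose signature on the OCSPRequest verified


@dataclass
class AccessPolicy:
    """Per-CA client access rules, one field per option listed above."""
    open_access: bool = False
    tls_clients: List[str] = field(default_factory=list)      # allowed TLS client certificate subjects
    request_signers: List[str] = field(default_factory=list)  # allowed OCSP request signer subjects
    networks: List[str] = field(default_factory=list)         # allowed source networks in CIDR notation


def authorise(policy: AccessPolicy, ctx: RequestContext) -> Tuple[bool, str]:
    """Return (allowed, reason). The first rule that matches grants access; nothing matching denies."""
    if policy.open_access:
        return True, "open access"
    if ctx.tls_client_dn and ctx.tls_client_dn in policy.tls_clients:
        return True, f"TLS client certificate {ctx.tls_client_dn}"
    if ctx.request_signer_dn and ctx.request_signer_dn in policy.request_signers:
        return True, f"signed OCSP request from {ctx.request_signer_dn}"
    try:
        addr = ipaddress.ip_address(ctx.source_ip)
    except ValueError:
        # Fail closed on anything that is not a parseable address.
        return False, f"unparseable source address {ctx.source_ip!r}"
    for cidr in policy.networks:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return True, f"source address {addr} in {cidr}"
    return False, "no access rule matched"


# Constructed policies: one CA open to everyone, one restricted to authenticated clients.
POLICIES = {
    "Public Web CA": AccessPolicy(open_access=True),
    "Internal Corporate CA": AccessPolicy(
        tls_clients=["CN=ocsp-gw-01,O=Example Corp"],
        request_signers=["CN=Payments App,O=Example Corp"],
        networks=["10.20.0.0/16"],
    ),
}


def check(ca: str, ctx: RequestContext) -> bool:
    """Convenience wrapper: is this request allowed to query the named CA's status?"""
    return authorise(POLICIES[ca], ctx)[0]


if __name__ == "__main__":
    print(authorise(POLICIES["Internal Corporate CA"], RequestContext("10.20.5.9")))
    print(authorise(POLICIES["Internal Corporate CA"], RequestContext("203.0.113.7")))
```

Of the three authenticating options, the source-address check is the weakest: addresses are shared behind NAT and proxies and carry no proof of identity, so it is best used to narrow the population that can reach a restricted CA rather than as the sole control, with signed requests or TLS client certificates for the clients that matter. Logging the reason string returned alongside the decision makes later support investigations far easier.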

  • Validation Authority - Operators

    Validation Authority server operators are identified and authenticated using SSL/TLS Client certificates before being allowed access to the console GUI. Full certificate path building, validation and revocation checking is performed on the operator’s certificate before allowing access. 

Flexible Key Management

  • Large Key Sizes

    Asymmetric keys of up to 4096 bits are supported.

  • Multiple Key Sets

    Multiple Validation Authority key pairs can be generated and used for different CAs from the same Validation Authority server instance. Keys can be certified using an internal CA or via an external CA server.

  • Auto Certificate Renewal

    It is possible to automatically renew certificates using the internal ADSS CA module. This is an important feature which allows the Validation Authority server certificate to have a short lifetime (e.g. renewed daily) and thus not require revocation checking by clients.
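The key group fallback described under "Group Keys" and the short-lived responder certificate described here interact: a key is only usable for signing while its HSM slot answers and its current certificate is within its validity period, and a daily-renewed certificate must be renewed some lead time before it expires or the key drops out of the group. The following added example models that selection logic; it is not Ascertia's code, and the key labels, slot names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional


@dataclass
class ResponderKey:
    """A signing key in a high-availability group together with its current certificate (constructed)."""
    label: str
    hsm_slot: str
    cert_not_before: datetime
    cert_not_after: datetime


def usable(key: ResponderKey, slot_online: Callable[[str], bool], now: datetime) -> bool:
    """A key is usable only if its HSM slot answers and its certificate is currently valid."""
    return slot_online(key.hsm_slot) and key.cert_not_before <= now < key.cert_not_after


def select_signing_key(group: List[ResponderKey], slot_online: Callable[[str], bool],
                       now: datetime) -> Optional[ResponderKey]:
    """First usable key in group order; None means no key can sign and an alert should be raised."""
    for key in group:
        if usable(key, slot_online, now):
            return key
    return None


def due_for_renewal(key: ResponderKey, now: datetime, lead: timedelta) -> bool:
    """Short-lived responder certificates are renewed a lead time before expiry, never after."""
    return key.cert_not_after - now <= lead


# Constructed group: one key on an offline slot, one with an expired certificate, one usable.
T0 = datetime(2011, 6, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
GROUP = [
    ResponderKey("ocsp-key-a", "hsm-slot-1", T0, T0 + DAY),           # hsm-slot-1 is offline below
    ResponderKey("ocsp-key-b", "hsm-slot-2", T0 - 2 * DAY, T0 - DAY), # certificate already expired
    ResponderKey("ocsp-key-c", "hsm-slot-2", T0, T0 + DAY),           # valid for the sample day
]
ONLINE_SLOTS = {"hsm-slot-2"}


def demo(now_iso: str) -> Optional[str]:
    """Label of the key the responder would sign with at time now_iso, or None."""
    chosen = select_signing_key(GROUP, lambda slot: slot in ONLINE_SLOTS, datetime.fromisoformat(now_iso))
    return chosen.label if chosen else None


def renewal_due(label: str, now_iso: str, lead_hours: int) -> bool:
    """Whether the named key's certificate should be renewed now, given a renewal lead time in hours."""
    key = next(k for k in GROUP if k.label == label)
    return due_for_renewal(key, datetime.fromisoformat(now_iso), timedelta(hours=lead_hours))


if __name__ == "__main__":
    print(demo("2011-06-01T06:00:00+00:00"), renewal_due("ocsp-key-c", "2011-06-01T20:00:00+00:00", 6))
```

The point to monitor is the None case: with every certificate in the group short-lived, a renewal job that silently stops leaves the whole group unusable within a day, so the renewal check belongs in the same alerting path as the HSM availability check.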

Security & Administration

  • Validation Authority - Identification & Authentication

    Strong I&A for both ADSS Server operators and client business applications ensures that only trusted entities are allowed access.

  • Access control

    Fine-grained Role-Based Access Control (RBAC) ensures operators can access and see only authorised functionality.

  • Secure Logs

    Detailed operator activity, system event and transaction logs record everything that happens on the system. Logs are protected using secure hash functions. An advanced log searching and filtering facility is provided.

  • Dual Control

    Optionally turn on dual control feature to ensure two or more operators are required to make any changes to the ADSS Server configuration.

  • Auto System Integrity Checking

    Automated verification and reporting of all system configurations and database records, based on a configurable heartbeat interval.

  • Auto Archiving

    Automatically archives logs based on a configurable policy to keep the database size manageable. Log files are auto signed upon archiving.

  • Real-time alerts

    Configurable emails and/or SMS and/or SNMP alerts can be sent for specific events to specific Validation Authority server operators.

  • HSM

    ADSS Server can work with all popular PKCS#11 HSMs, e.g. from SafeNet and Thales/nCipher. ADSS Server supports multiple PKCS#11 devices at the same time, including use of smartcards and USB tokens. Cryptographic keys can be grouped for high availability reasons.

  • Certifications

    ADSS Server has been independently evaluated by various government experts and is also undergoing CWA 14167-1 evaluation.

Reporting

  • Transaction Viewers

    One vitally important feature for operations staff is the ability of Validation Authority server to log all requests and responses and to allow an operator to review transactions in plain English so that issues can be resolved in minutes. This is a must-have feature for any operations management team.

  • Service Reporting

    ADSS OCSP Service comes with its own management reporting module. This provides the ability to create graphic and tabular reporting on all service requests within a particular date period. The management reports show the number of transactions processed, their results, who the main OCSP clients are, which end-entity (target) certificates were checked the most etc. Reports can be exported in PDF and CSV format.

Low Total Cost of Ownership

  • Reduced Costs

    Because of its OCSP hub architecture a single Validation Authority server can respond on behalf of multiple CAs, reducing hardware, software and operational costs.

  • Future Proof

    It is inevitable that business requirements change over time, but is your security server able to cope with future demand in certificate validation services? With ADSS Server supporting the widest range of certificate validation and signature verification protocols, including OASIS DSS, XKMS and SCVP, you can be assured we already have all the current and future options covered. Whenever you need a new licensed module, all you have to do is upgrade and apply an updated license file; it's as simple as that!

Platform Independence

  • Operating System independence

    ADSS OCSP Server is a standard J2EE application and is supported on a range of platforms including Windows and Unix - see system requirements.

  • Database independence

    All ADSS OCSP Server configurations and transaction logs are stored within a database. A number of databases are supported thanks to the use of Hibernate® technology.

  • HSM / Smartcard Independence

    All popular PKCS#11 crypto devices (HSMs, smartcards or USB tokens) can work with Validation Authority server to generate cryptographic keys, store them and utilise them within the secure device.

  • PKI independence

    ADSS OCSP Server supports open PKI standards so it can work with any CA, CRL issuer, Validation Authority server and LDAP repository. Ascertia has worked hard to remove all interoperability complexities!


Copyright © 2002-2011 Ascertia. All rights reserved.


Ascertia is a global provider of Digital Signature products and solutions that enable trust within electronic workflows. Organisations can now safely cross the final hurdle in migrating old paper-intensive approval processes to the new secure digital world. Ascertia’s Digital Signing products are designed to be easy to integrate and use in a range of business scenarios.