ADSS CRL Monitor

Features

ADSS CRL Monitor is a unique solution for automatic and continuous testing of multiple CRL Issuers. It can poll for CRLs from HTTP/S and LDAP/S location based on configured validation policies on a per CA basis. It has been implemented fully in Java EE for multi-platform support, performance and high-availability.  

The following highlights just some of its main features.

Ease of use

  • All popular CRL formats
    CRL Monitor supports X.509 v1 and v2 CRLs, including direct and indirect CRLs, Entrust® partitioned CRLs, segmented CRLs, ARLs, delta CRLs, over-issued CRLs and emergency CRLs.
  • Local publishing of CRLs
    In some cases it is desirable to be able to download CRLs and then publish them locally to avoid a single point of failure, reduce network bandwidth for large enterprises and meet local security policies. CRL monitor allows such re-publishing of CRLs.
  • Easy configuration
    CRL Monitor has an advanced web-based GUI to help set-up trusted CAs and their CRL processing policies.
  • Selective alerting
    You can select which members of the operations and management teams receive which error reports and summary reports either by email or SMS. CRL Monitor provides a wide range of CRL-related events which can be monitored.

Monitoring

  • Automated monitoring
    Ascertia CRL Monitor provides an automated test service that enables an administrator to easily detect CRL publishing failures or irregularities. It is a must have product for any organisation providing PKI services. With CRL Monitor, you can identify issues and fix unexpected conditions before your users report them to you!
    CRL Monitor is also very useful for organisations that consume CRLs, i.e. relying party organisations. They can monitor the service and easily compare this with any Service Level Agreements (SLAs). Key management reports can be produced at any time for any registered CA.
  • Create detailed reports
    CRL Monitor maintains logs on all CRL operations completed so that detailed reports can be produced for specific dates. CRL Monitor also provides CRL retrieval statistics in tabular and graphical formats. The contents of any retrieved CRL can be easily viewed in tabular form, sorted and searched. 
  • Continuous monitoring
    CRL Monitor runs continuously and can operate in a high availability configuration using multiple CRL Monitor instances. When used like this if the current master CRL Monitor instance fails then the next available slave instance automatically assumes control and continues to retrieve and check the defined CRLs, ensuring that CRL monitoring is not affected by a single point of failure.

Security & scalability

  • CRL archiving
    It is often necessary to keep an archive of all the CRLs that have been issued, either for historical digital signature verification or to resolve disputes that may arise in future.
    CRL Monitor not only keeps an archived copy of each CRL it retrieves but also provides management and searching capability over the entire CRL dataset. This simply and easily allows administrators to determine within which CRL a particular certificate was first identified as revoked.
  • CRL integrity checking
    All production CRLs can be checked to verify their integrity and availability, i.e. that there is no file corruption either through a publishing failure or an operational/network issue or even an attack on the core trust services.
  • Perform full CRL checks
    CRL Monitor can be configured to generate alerts when a wide variety of events occur, including:

    • The CRL has expired
    • The CRL is too old for the defined CRL freshness policy
    • The CRL could not be fetched / downloaded
    • The structure or format of the CRL is incorrect
    • The CRL sequence number is incorrect 
    • The CA signature on the CRL fails to verify or is not trusted
    • The CRL was successfully downloaded, verified and written to the database

Performance

  • Performance monitoring
    Reports can be created from the CRL Monitor log viewer to provide evidence of SLA performance.
  • Maximise your CRL service uptime
    CRL Monitor provides immediate real-time feedback on CRL issues as they arise. Where PKI services are used it is often assumed that they are functioning correctly and will continue to do so - this is often not the case. Use CRL Monitor to check for expected and unexpected behaviors.
  • Perform real-time tests
    CRL Monitor tests the status of a CRL publishing service by downloading and checking the CRLs at predefined intervals. It can check that CRLs are updated as expected before their expiry date, giving service providers valuable hours in which to act to avoid trust issues. This is the only fully effective way to ensure a PKI is operating as it should. Multiple CAs can be monitored using specific CRL polling and validation policy settings.

Advance features

  • Additional CRL publishing
    CRL Monitor allows valid CRLs that it has downloaded to be re-published in a location where other systems and users can access them. This may be at a central location or a remote location. Used locally this enables remote systems to minimise network bandwidth and ensure maximum availability.
  • Multiple CRL resources per CA
    For high availability PKI environments, CRL Monitor can be configured to check multiple CRLs distribution points (LDAP or HTTP) for each CA, allowing it to ensure all alternate back-up locations are also operating as expected. 

Platform independence

  • Operating system independence
    CRL Monitor is a standard J2EE application and supported on Windows, Linux (RHEL, Centos, Suse) and Solaris (X86 and Sparc). Other UNIX flavours can be supported also upon request.
  • Database independence
    All CRL Monitor configurations and transaction logs are stored within a DBMS, however because of our use of Hibernate® technology, it is DBMS independent. We support SQL Server, Oracle, MySQL and PostgreSQL.
  • PKI independence
    CRL Monitor relies completely on open PKI standards so it can work with any CA and indirect CRL issuer. We have taken away all the complexities of interoperability!

Security & management

  • Easy to install & manage
    ADSS Server is feature rich to minimise time for operators. From the simple installation wizard to auto-integrity checking and auto-archiving help to ensure the system runs without daily operator involvement. Further the detailed transaction logs and request/response viewers reduce support desk time in resolving operational issues.
  • Strong operator authentication
    ADSS Server operators are authenticated using certificates over a mutually-authenticated TLS/SSL sessions. The operator's private key and certificates can be on a hardware token for strong multi-factor authentication. ADSS Server performs full certificate validation, including revocation checking, before allowing operators to login to the console.
  • Role based access control
    Role-based access control system is provided with fine granularity. Ability to define new operator roles and assign read, write, edit, delete capability for each low-level module. Unavailable modules are hidden from view
  • Dual control
    This is where an operator's actions are queued for a Security Officer role-holder to review and then approve or reject the action. ADSS Server implements dual control in a flexible and practical way, i.e. either apply dual control feature to the complete system or selectively to the functionality which is most security sensitive (e.g. key generation, policy change etc).
  • Secure logging
    Cryptographic tamper-resistant logs are provided for service transactions (request/responses), all operator activity and system generated events. Advanced searching and filtering of log records (e.g. on date range) is possible to easily locate specific records.
  • Database integrity
    All ADSS Server configurations and settings in the database are also cryptographically protected to prevent record modification, deletion or re-ordering.
  • Auto system integrity checking
    Automated system integrity checking is available which can verify the entire system records for authenticity at pre-defined intervals or whenever required. Detailed report produced of any errors.
  • Strong crypto algorithm support
    Support for strong cryptographic algorithms is provided e.g. including SHA-2 family (SHA-256, SHA-384, SHA-512) and ECDSA and RSA key lengths up to 4096-bit.
  • Auto-archiving
    Ability to automatically trim the DB log records to avoid space issues. The created Archive Log files are digitally signed for long-term preservation before storing on specified disk location(s). The archived files can later be imported, verified and inspected.
  • NTP time monitoring
    Comes with an optional NTP monitor which can check system time against one or more configured NTP time servers to detect machine time shifts. Multiple clock drift threshold settings allow operator alerting and ultimately stop of all trust services.

Request Info

Submit

Sales Inquiries:
+44 (0)800 772 0 442

15

+
Years of Digital Signature
Innovation