ADSS OCSP Monitor

Features

ADSS OCSP Monitor is a unique solution for automatic and continuous testing of OCSP responder(s). It is fully conformant with IETF RFC 6960 and able to monitor any number of compliant OCSP servers. It has been implemented fully in Java EE for multi-platform support, performance and high availability.

The following highlights just some of its main features:

Easy continuous monitoring & alerting

  • Automated OCSP monitoring
    OCSP Monitor is an automatic audit management system that warns administrators about any OCSP service failures or irregularities.
  • Continuous monitoring
    OCSP Monitor runs continuously and allows various test scenarios to be run to monitor performance and validation policy. Ascertia recommends:

    • Checking availability and response times by running a simple check on a valid certificate once every few minutes
    • Checking that a fresh CRL is being used by the OCSP responder – using a CRL freshness policy test run as required, e.g. every hour
    • Running a comprehensive policy check twice a day to ensure that the defined validation policy is being enforced, e.g. correct trusted / not-trusted results issued, valid OCSP signatures, nonce handling and the handling of unauthorised requests
    • Running checks on disaster recovery systems to ensure they are operational

  • Client based testing
    OCSP Monitor tests the status of an OCSP server by making real OCSP calls. This measures what clients actually experience, rather than deducing the status of the service from system-generated events.
  • Email and/or SMS
    OCSP Monitor can send end-of-day summary reports by email. Warning alerts can also be sent immediately by email and/or through SMS message gateways.
  • Easy configuration
    OCSP Monitor has an intuitive interface to help set-up test scenarios and the required test cases within these. Each test scenario can be set to run between specific start and stop times. Reports can be customised per test scenario.
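The comprehensive policy check recommended above can be seen end to end in the following added example. It is not Ascertia's code and makes no claim about how OCSP Monitor itself is implemented: it uses the Python `cryptography` package, builds a throwaway CA, delegated responder and end-entity certificate in memory, and simulates the responder locally so that it runs offline. `policy_check`, `run_scenarios`, `simulated_responder` and the other names are this example's own. It checks the response signature and the signer's authorisation against the scenario's trust anchor, that the request nonce is echoed, that thisUpdate/nextUpdate satisfy a CRL freshness policy, and that the expected good, revoked or unauthorised result comes back.

```python
# Added example, not Ascertia's code; the test PKI and the responder are constructed in-process.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None, microsecond=0)  # naive UTC
MAX_AGE = dt.timedelta(hours=1)   # CRL freshness policy: thisUpdate no older than this
SKEW = dt.timedelta(minutes=5)    # tolerated clock skew between monitor and responder

def make_cert(cn, issuer_cn, key, signing_key, ca=False, ocsp_signing=False):
    """Issue a minimal certificate for the constructed test PKI."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - SKEW).not_valid_after(NOW + dt.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_signing:   # delegated responder: id-kp-OCSPSigning EKU (RFC 6960 section 4.2.2.2)
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False)
    return b.sign(signing_key, hashes.SHA256())

def simulated_responder(req, cert, issuer, signer, key, status, echo_nonce=True,
                        this_update=None, next_update=None):
    """Stand-in for the responder under test; a real monitor receives this over HTTP."""
    revoked = status is ocsp.OCSPCertStatus.REVOKED
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA256(), cert_status=status,
                       this_update=this_update or NOW,
                       next_update=next_update or NOW + dt.timedelta(hours=4),
                       revocation_time=NOW - dt.timedelta(days=1) if revoked else None,
                       revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.HASH, signer).certificates([signer]))
    if echo_nonce:
        b = b.add_extension(req.extensions.get_extension_for_class(x509.OCSPNonce).value, False)
    return b.sign(key, hashes.SHA256())

def policy_check(resp, cert, issuer, nonce, expected, now=NOW):
    """Return the policy violations for one response (empty list = pass)."""
    if isinstance(expected, ocsp.OCSPResponseStatus):   # e.g. UNAUTHORIZED is the right answer
        return [] if resp.response_status is expected else [f"got {resp.response_status.name}"]
    if resp.response_status is not ocsp.OCSPResponseStatus.SUCCESSFUL:
        return [f"responseStatus={resp.response_status.name}"]
    fails = []
    # Signature over tbsResponseData by the certificate carried in the response (else the CA);
    # the signer must be the CA itself or a delegate the CA issued with the OCSP-signing EKU.
    signer = resp.certificates[0] if resp.certificates else issuer
    try:
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))
        if signer.subject != issuer.subject:
            eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
            if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
                raise InvalidSignature("no id-kp-OCSPSigning")
            issuer.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                       ec.ECDSA(signer.signature_hash_algorithm))
    except (InvalidSignature, x509.ExtensionNotFound):
        fails.append("signature invalid or signer not authorised for this CA")
    # The nonce must come back, otherwise a captured "good" answer could be replayed.
    if [e.value.nonce for e in resp.extensions if isinstance(e.value, x509.OCSPNonce)] != [nonce]:
        fails.append("nonce missing or mismatched")
    # Freshness: thisUpdate recent and not in the future, nextUpdate not yet passed.
    if resp.this_update > now + SKEW or now - resp.this_update > MAX_AGE:
        fails.append("stale or future thisUpdate")
    if resp.next_update is not None and resp.next_update < now - SKEW:
        fails.append("nextUpdate has passed")
    if resp.serial_number != cert.serial_number:   # it must answer about the cert we asked for
        fails.append("serial mismatch")
    elif resp.certificate_status is not expected:
        fails.append(f"status {resp.certificate_status.name}, expected {expected.name}")
    return fails

def run_scenarios():
    """Drive the checks against one good and several misbehaving responses."""
    ca_key, ocsp_key, leaf_key, rogue_key = [ec.generate_private_key(ec.SECP256R1()) for _ in range(4)]
    ca = make_cert("Test CA", "Test CA", ca_key, ca_key, ca=True)
    delegate = make_cert("Test OCSP", "Test CA", ocsp_key, ca_key, ocsp_signing=True)
    leaf = make_cert("server.example", "Test CA", leaf_key, ca_key)
    rogue = make_cert("Rogue CA", "Rogue CA", rogue_key, rogue_key, ca=True)
    nonce = b"\x5a" * 16                  # constructed; a real monitor uses os.urandom(16)
    req = (ocsp.OCSPRequestBuilder().add_certificate(leaf, ca, hashes.SHA256())
           .add_extension(x509.OCSPNonce(nonce), False).build())   # what the monitor POSTs
    GOOD, REVOKED = ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED
    UNAUTH = ocsp.OCSPResponseStatus.UNAUTHORIZED
    def check(expected=GOOD, status=GOOD, signer=delegate, key=ocsp_key, **kw):
        resp = simulated_responder(req, leaf, ca, signer, key, status, **kw)
        return policy_check(resp, leaf, ca, nonce, expected)
    return {
        "valid cert": check(),
        "revoked cert": check(REVOKED, REVOKED),
        "nonce dropped": check(echo_nonce=False),
        "stale CRL": check(this_update=NOW - 3 * MAX_AGE, next_update=NOW - MAX_AGE),
        "rogue responder": check(signer=rogue, key=rogue_key),
        "foreign CA query": policy_check(ocsp.OCSPResponseBuilder.build_unsuccessful(UNAUTH),
                                         rogue, rogue, nonce, UNAUTH),
    }
```

`run_scenarios()` returns a map from scenario name to the list of violations; a monitor would replace `simulated_responder` with an HTTP POST of the DER-encoded request to the responder URL, time the round trip for the response-delay statistics, and raise an alert for any non-empty list. The "foreign CA query" case is the unauthorised-request check: the correct behaviour is an `unauthorized` response status, and a responder that answers "good" for a CA it does not serve fails it.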

Advanced features

  • Detailed monitoring checks and alerts
    OCSP Monitor has been designed by security experts to provide high quality management information, for example:

    • Each test scenario can have several test cases to perform multiple positive and negative checks
    • Each test scenario can have its own trust anchors defined for accurate trust checking
    • When a test scenario fails a customisable failure report is sent to a defined list of operations staff - each scenario can have different staff identified
    • Customisable reports can be sent using SMS or email or both as required - both internal and external staff can be notified - useful when using managed services
    • When a scenario completes a summary report can be sent to selected service management staff showing the minimum, average and maximum response delay statistics observed as well as a summary of the successful and failed tests observed during the period
    • At the end of day a summary report for all scenarios can be sent to service management staff detailing the main statistics for all scenarios

  • Enterprise architecture
    OCSP Monitor is implemented in Java EE for multi-platform deployment, performance and high availability. Each test scenario is configured independently, with its own test cases, trust anchors, schedule, failure-report recipients and end-of-scenario summary, so a single installation can monitor many responders, each with its own operations contacts.
  • Maximise your OCSP server uptime
    OCSP Monitor provides near real-time feedback on OCSP responder issues as they arise. When OCSP services are used it is often assumed that they are functioning correctly and will continue to do so. OCSP Monitor enables multiple test scenarios to run each with a defined set of positive and negative tests to check for correct behaviour and to report on server performance.
  • Clear reporting
    OCSP Service Level Agreements can now be accurately checked and reported on; identifying and reporting OCSP service issues has until now been rather hit and miss. OCSP Monitor makes test policies easy to change, so the level of detailed testing can be selected to suit business demands. History data is maintained, and a detailed plain-English analysis of OCSP request and response data is available as a standard feature.

Security & management

  • Easy to install & manage
    ADSS Server is designed to minimise operator time: a simple installation wizard, automatic integrity checking and auto-archiving help ensure the system runs without daily operator involvement. Detailed transaction logs and request/response viewers further reduce the support desk time needed to resolve operational issues.
  • Strong operator authentication
    ADSS Server operators are authenticated using certificates over mutually authenticated TLS sessions. The operator's private key and certificate can be held on a hardware token for strong multi-factor authentication. ADSS Server performs full certificate validation, including revocation checking, before allowing an operator to log in to the console.
  • Role based access control
    A fine-grained role-based access control system is provided: new operator roles can be defined and assigned read, write, edit and delete capability for each low-level module. Unavailable modules are hidden from view.
  • Dual control
    An operator's actions are queued for a Security Officer role-holder to review and then approve or reject. ADSS Server implements dual control in a flexible and practical way: it can be applied to the complete system or selectively to the most security-sensitive functionality (e.g. key generation, policy changes).
  • Secure logging
    Cryptographic tamper-resistant logs are provided for service transactions (request/responses), all operator activity and system generated events. Advanced searching and filtering of log records (e.g. on date range) is possible to easily locate specific records.
  • Database integrity
    All ADSS Server configurations and settings in the database are also cryptographically protected, so that modification, deletion or re-ordering of records is detected.
  • Auto system integrity checking
    Automated system integrity checking can verify all system records for authenticity at pre-defined intervals or on demand, producing a detailed report of any errors found.
  • Strong crypto algorithm support
    Support for strong cryptographic algorithms is provided, including the SHA-2 family (SHA-256, SHA-384, SHA-512), ECDSA and RSA key lengths up to 4096 bits.
  • Auto-archiving
    Database log records can be trimmed automatically to avoid space issues. The resulting archive log files are digitally signed for long-term preservation before being stored at the specified disk location(s), and can later be imported, verified and inspected.
  • NTP time monitoring
    An optional NTP monitor can check system time against one or more configured NTP time servers to detect machine time shifts. Multiple clock-drift thresholds allow operator alerting and, ultimately, stopping all trust services.
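One standard way to obtain the tamper-evidence described under Secure logging, Database integrity and Auto system integrity checking above is a keyed hash chain over the records, shown in the following added example. It is illustrative Python, not ADSS Server's own implementation: each record's tag is an HMAC over its sequence number, the previous record's tag and its content, so editing, deleting or re-ordering a record breaks the chain, and the latest tag (the chain head) is kept outside the database so that records silently dropped from the end are detected as well. `KEY`, `append`, `verify` and `integrity_report` are this example's names, and the key is a constructed stand-in for a signing key that would live in an HSM.

```python
# Added example, not ADSS Server's code: a keyed hash chain that makes records tamper-evident.
import copy
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"   # stand-in for a signing key held in an HSM
GENESIS = "0" * 64              # predecessor tag of the first record

def tag(seq, prev, payload):
    """Authenticate one record together with its position and its predecessor."""
    msg = json.dumps([seq, prev, payload], sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def append(log, payload):
    """Append a record; returns the new chain head, to be stored outside the database."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log) + 1
    log.append({"seq": seq, "prev": prev, "payload": payload, "tag": tag(seq, prev, payload)})
    return log[-1]["tag"]

def verify(log, head=None):
    """Return (ok, first_bad_seq). Modification, deletion and re-ordering break the chain;
    with the out-of-band `head`, records cut off the end are detected too."""
    prev = GENESIS
    for i, rec in enumerate(log, start=1):
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(rec["tag"], tag(i, prev, rec["payload"]))):
            return False, i
        prev = rec["tag"]
    if head is not None and prev != head:
        return False, len(log) + 1
    return True, None

def integrity_report():
    """Run the check over an intact log and four tampered copies (constructed data)."""
    log, head = [], None
    for event in ["operator alice logged in", "key generated", "policy P1 changed",
                  "operator alice logged out"]:
        head = append(log, event)
    modified = copy.deepcopy(log); modified[1]["payload"] = "nothing happened"
    deleted = copy.deepcopy(log); del deleted[1]
    reordered = copy.deepcopy(log); reordered[1], reordered[2] = reordered[2], reordered[1]
    truncated = copy.deepcopy(log[:-1])
    return {
        "intact": verify(log, head),
        "modified": verify(modified, head),
        "deleted": verify(deleted, head),
        "reordered": verify(reordered, head),
        "truncated, head unknown": verify(truncated),
        "truncated, head anchored": verify(truncated, head),
    }
```

The two truncation results are the practitioner's caveat: a chain alone cannot tell that the newest records were removed, which is why the head (or a periodic signed checkpoint) has to be kept somewhere the database administrator cannot reach. Any record or chain position reported by `verify` is the first point at which the integrity check fails, which is what an integrity report would list.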
