Features & Benefits

ADSS CRL Monitor is a unique solution for automatic and continuous testing of multiple CRL Issuers.

It can poll for CRLs from HTTP/S and LDAP/S locations according to validation policies configured on a per-CA basis. It has been implemented fully in Java EE for multi-platform support, performance and high availability. The following highlights just some of its main features.

Ease of use

All popular CRL formats

CRL Monitor supports X.509 v1 and v2 CRLs, including direct and indirect CRLs, Entrust® partitioned CRLs, segmented CRLs, ARLs, delta CRLs, over-issued CRLs and emergency CRLs.

Local publishing of CRLs

In some cases it is desirable to download CRLs and then publish them locally, to avoid a single point of failure, reduce network bandwidth for large enterprises and meet local security policies. CRL Monitor allows such re-publishing of CRLs.

Easy configuration

CRL Monitor has an advanced web-based GUI to help set-up trusted CAs and their CRL processing policies.

Selective alerting

You can select which members of the operations and management teams receive which error reports and summary reports either by email or SMS. CRL Monitor provides a wide range of CRL-related events which can be monitored.

Monitoring

Automated monitoring

Ascertia CRL Monitor provides an automated test service that enables an administrator to easily detect CRL publishing failures or irregularities. It is a must-have product for any organisation providing PKI services. With CRL Monitor, you can identify issues and fix unexpected conditions before your users report them to you!

Create detailed reports

CRL Monitor maintains logs on all CRL operations completed so that detailed reports can be produced for specific dates. CRL Monitor also provides CRL retrieval statistics in tabular and graphical formats. The contents of any retrieved CRL can be easily viewed in tabular form, sorted and searched.

Continuous monitoring

CRL Monitor runs continuously and can operate in a high availability configuration using multiple CRL Monitor instances. When used like this, if the current master CRL Monitor instance fails then the next available slave instance automatically assumes control and continues to retrieve and check the defined CRLs, ensuring that CRL monitoring is not affected by a single point of failure.

Security & scalability

CRL archiving

It is often necessary to keep an archive of all the CRLs that have been issued, either for historical digital signature verification or to resolve disputes that may arise in future.

CRL Monitor not only keeps an archived copy of each CRL it retrieves but also provides management and searching capability over the entire CRL dataset. This simply and easily allows administrators to determine within which CRL a particular certificate was first identified as revoked.

CRL integrity checking

All production CRLs can be checked to verify their integrity and availability, i.e. that there is no file corruption either through a publishing failure or an operational/network issue or even an attack on the core trust services.

Perform full CRL checks

CRL Monitor can be configured to generate alerts when a wide variety of events occur, including:

The CRL has expired
The CRL is too old for the defined CRL freshness policy
The CRL could not be fetched / downloaded
The structure or format of the CRL is incorrect
The CRL sequence number is incorrect
The CA signature on the CRL fails to verify or is not trusted
The CRL was successfully downloaded, verified and written to the database
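The checks in that list map naturally onto a small verification routine. The following is an added example, not Ascertia's code, showing how a monitor can run those checks in a sensible order (fetch, parse, trust, expiry, freshness, sequence) using the Python `cryptography` library. The CA, its CRLs, the event labels and the 12-hour freshness policy are all constructed here for the demonstration; a real monitor would fetch the DER bytes from each configured CRL distribution point instead.

```python
"""Added example, not Ascertia's code: the per-CRL checks a monitor performs,
written against the `cryptography` library. A throw-away CA and CRLs are
constructed inline so it runs offline; a real monitor would fetch the DER
bytes from each configured CRL distribution point instead."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Event labels (constructed here) mirroring the alert conditions listed above.
FETCH_FAILED, BAD_FORMAT, UNTRUSTED_SIGNATURE = "fetch_failed", "bad_format", "untrusted_signature"
EXPIRED, TOO_OLD, BAD_SEQUENCE, OK = "expired", "too_old", "bad_sequence", "ok"


def _field_utc(crl, name):
    """thisUpdate/nextUpdate as aware UTC; newer cryptography adds *_utc properties."""
    value = getattr(crl, name + "_utc", None) or getattr(crl, name)
    if value is not None and value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value


def check_crl(der, ca_cert, last_crl_number, max_age, now=None):
    """Check one polled CRL; return (event, crl_number).

    der: DER bytes as downloaded, or None if the download failed.
    ca_cert: trusted issuing CA certificate.  last_crl_number: CRL number
    stored at the previous poll (None on first run).  max_age: freshness
    policy, the maximum allowed age since thisUpdate.  crl_number is only
    returned on success so the caller can store it as the new high-water mark.
    """
    now = now or datetime.now(timezone.utc)
    if der is None:
        return FETCH_FAILED, None
    try:
        crl = x509.load_der_x509_crl(der)
    except ValueError:
        return BAD_FORMAT, None
    # Trust: issuer must be the configured CA and the signature must verify
    # under its key; a CRL signed by any other key is rejected outright.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return UNTRUSTED_SIGNATURE, None
    next_update = _field_utc(crl, "next_update")
    if next_update is None or now > next_update:
        return EXPIRED, None
    if now - _field_utc(crl, "last_update") > max_age:
        return TOO_OLD, None
    try:
        number = crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number
    except x509.ExtensionNotFound:
        return BAD_SEQUENCE, None
    if last_crl_number is not None and number <= last_crl_number:
        return BAD_SEQUENCE, None  # replayed or out-of-order CRL
    return OK, number


def make_ca(cn="Example Monitoring CA"):
    """Constructed self-signed CA for the demo (2048-bit RSA for speed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_crl(key, issuer, number, this_update, next_update, revoked=()):
    """Constructed CRL signed by `key`, returned as DER bytes."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer)
               .last_update(this_update).next_update(next_update)
               .add_extension(x509.CRLNumber(number), critical=False))
    for serial in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(this_update).build())
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def run_scenarios():
    """One constructed CRL per alert condition; returns {scenario: (event, number)}."""
    key, ca = make_ca()
    rogue_key, _ = make_ca()  # same name as the real CA, different key
    now, policy, prev = datetime.now(timezone.utc), timedelta(hours=12), 9
    h, d = timedelta(hours=1), timedelta(days=1)
    crls = {
        "ok": make_crl(key, ca.subject, 10, now - h, now + 7 * d, revoked=[0x1234]),
        "too_old": make_crl(key, ca.subject, 11, now - 2 * d, now + 5 * d),
        "expired": make_crl(key, ca.subject, 12, now - 9 * d, now - 2 * d),
        "sequence": make_crl(key, ca.subject, 9, now - h, now + 7 * d),
        "signature": make_crl(rogue_key, ca.subject, 13, now - h, now + 7 * d),
        "fetch": None,
        "format": b"\x30\x03\x02\x01\x01",  # well-formed ASN.1, but not a CRL
    }
    return {name: check_crl(der, ca, prev, policy, now) for name, der in crls.items()}
```

The order of the checks matters: the signature is verified before any date or sequence logic so that an unsigned or foreign CRL can never influence the stored CRL number, and the number is only advanced when every check passes, which is what makes the sequence check catch a replayed older CRL on the next poll.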

Performance

Performance monitoring

Reports can be created from the CRL Monitor log viewer to provide evidence of SLA performance.

Maximise your CRL service uptime

CRL Monitor provides immediate real-time feedback on CRL issues as they arise. Where PKI services are used it is often assumed that they are functioning correctly and will continue to do so – this is often not the case. Use CRL Monitor to check for expected and unexpected behaviours.

Perform real-time tests

CRL Monitor tests the status of a CRL publishing service by downloading and checking the CRLs at predefined intervals. It can check that CRLs are updated as expected before their expiry date, giving service providers valuable hours in which to act to avoid trust issues. This is the only fully effective way to ensure a PKI is operating as it should. Multiple CAs can be monitored using specific CRL polling and validation policy settings.

Advanced features

Additional CRL publishing

CRL Monitor allows valid CRLs that it has downloaded to be re-published in a location where other systems and users can access them. This may be at a central location or a remote location. Used locally this enables remote systems to minimise network bandwidth and ensure maximum availability.

Multiple CRL resources per CA

For high availability PKI environments, CRL Monitor can be configured to check multiple CRL distribution points (LDAP or HTTP) for each CA, allowing it to ensure all alternate back-up locations are also operating as expected.

Platform independence

Operating system independence

CRL Monitor is a standard J2EE application and is supported on Windows, Linux (RHEL, CentOS, SUSE) and Solaris (x86 and SPARC). Other UNIX flavours can also be supported on request.

Database independence

All CRL Monitor configurations and transaction logs are stored within a DBMS. Because of our use of Hibernate® technology, the product is DBMS independent: we support SQL Server, Oracle, MySQL and PostgreSQL.

PKI independence

CRL Monitor relies completely on open PKI standards so it can work with any CA and indirect CRL issuer. We have taken away all the complexities of interoperability!

Security & management

Easy to install & manage

ADSS Server is feature rich to minimise the time demanded of operators. From the simple installation wizard to auto-integrity checking and auto-archiving, its features help to ensure the system runs without daily operator involvement. Further, the detailed transaction logs and request/response viewers reduce support desk time in resolving operational issues.

Strong operator authentication

ADSS Server operators are authenticated using certificates over a mutually authenticated TLS/SSL session. The operator’s private key and certificates can be held on a hardware token for strong multi-factor authentication. ADSS Server performs full certificate validation, including revocation checking, before allowing operators to log in to the console.

Role based access control

A role-based access control system is provided with fine granularity. New operator roles can be defined and assigned read, write, edit and delete capability for each low-level module. Unavailable modules are hidden from view.

Dual control

This is where an operator’s actions are queued for a Security Officer role-holder to review and then approve or reject the action. ADSS Server implements dual control in a flexible and practical way, i.e. the dual control feature can be applied either to the complete system or selectively to the functionality which is most security sensitive (e.g. key generation, policy change etc.).

Secure logging

Cryptographic tamper-resistant logs are provided for service transactions (request/responses), all operator activity and system generated events. Advanced searching and filtering of log records (e.g. on date range) is possible to easily locate specific records.

Database integrity

All ADSS Server configurations and settings in the database are also cryptographically protected to prevent record modification, deletion or re-ordering.

Auto system integrity checking

Automated system integrity checking is available which can verify the entire set of system records for authenticity at pre-defined intervals or whenever required. A detailed report is produced of any errors found.

Strong crypto algorithm support

Support for strong cryptographic algorithms is provided, including the SHA-2 family (SHA-256, SHA-384, SHA-512), ECDSA, and RSA key lengths up to 4096-bit.

Auto-archiving

The DB log records can be trimmed automatically to avoid space issues. The archive log files created are digitally signed for long-term preservation before being stored in the specified disk location(s). The archived files can later be imported, verified and inspected.

NTP time monitoring

ADSS Server comes with an optional NTP monitor which can check the system time against one or more configured NTP time servers to detect machine time shifts. Multiple clock drift threshold settings allow for operator alerting and, ultimately, the stopping of all trust services.

Ascertia is a global leader in delivering functionally rich, easy to deploy e-security solutions. We pride ourselves in being easy and efficient to deal with.