ADSS OCSP Monitor is a unique solution for automatic and continuous testing of OCSP responders(s), it is fully conformant with IETF RFC 6960 and able to monitor any number of compliant OCSP servers.

It has been implemented fully in Java EE for multi-platform support, performance and high-availability.The following highlights just some of its main features:

Easy continuous monitoring & alerting

Automated OCSP monitoring

OCSP Monitor is an automatic audit management system that warns administrator about any OCSP service failures or irregularities.

Continuous monitoring

OCSP Monitor runs continuously and can allow various Test Scenarios to be run to monitor performance and validation policy. Ascertia recommends:

Checking availability and response times by running a simple check on a valid certificate once every few minutes
Checking that a fresh CRL is being used by the OCSP responder – using a CRL freshness policy test run as required, e.g. every hour
Running a comprehensive policy check twice a day to ensure that the defined validation policy is being enforced, e.g. correct trusted, not trusted results issued, valid OCSP signatures, checking nonce and unauthorised request handling
Running checks on disaster recovery systems to ensure they are operational

Client based testing

CSP Monitor actually tests the status of an OCSP server by making real OCSP calls. This is the only real way to measure server performance rather than by deducing the status of the service from generated system events.

Email and/or SMS

OCSP Monitor can send end of day summary reports using emails. Warning alerts can also be sent immediately by email and/or SMS message gateways.

Easy configuration

OCSP Monitor has an intuitive interface to help set-up test scenarios and the required test cases within these. Each test scenario can be set to run between specific start and stop times. Reports can be customised per test scenario.

Advance features

Detailed monitoring checks and alerts

OCSP Monitor has been designed by security experts to provide high quality management information, for example:

Each test scenario can have several test cases to perform multiple positive and negative checks
Each test scenario can have its own trust anchors defined for accurate trust checking
When a test scenario fails a customisable failure report is sent to a defined list of operations staff – each scenario can have different staff identified
Customisable reports can be sent using SMS or email or both as required – both internal and external staff can be notified – useful when using managed services
When a scenario completes a summary report can be sent to selected service management staff showing the minimum, average and maximum response delay statistics observed as well as a summary of the successful and failed tests observed during the period
At the end of day a summary report for all scenarios can be sent to service management staff detailing the main statistics for all scenarios

Enterprise architecture

OCSP Monitor has been designed to provide high quality management information, for example: Each test scenario can have multiple test cases with multiple checks. When a test scenario fails a customisable failure report is sent to a configurable list of operations staff. Different scenarios can have different operations staff identified.

When a scenario completes a summary report can be sent to service management staff showing the minimum, average and maximum response delay statistics observed as well as a summary of the failures observed during the period. At the end of day a summary report for can be sent to service management staff detailing the results for all the configured scenarios.

Maximise your OCSP server uptime

OCSP Monitor provides near real-time feedback on OCSP responder issues as they arise. When OCSP services are used it is often assumed that they are functioning correctly and will continue to do so. OCSP Monitor enables multiple test scenarios to run each with a defined set of positive and negative tests to check for correct behaviour and to report on server performance.

Clear reporting

OCSP Service Level Agreements can now be accurately checked and reported on. The identification and reporting of OCSP service issues identification has always been rather hit and miss until now. OCSP Monitor provides for easy change of test policies so that a selected level of detailed testing can be carried as required to suit the business demands. History data is maintained and detailed English language analysis of OCSP request and response data is available as a standard feature.

Security & management

Easy to install & manage

ADSS Server is feature rich to minimise time for operators. From the simple installation wizard to auto-integrity checking and auto-archiving help to ensure the system runs without daily operator involvement. Further the detailed transaction logs and request/response viewers reduce support desk time in resolving operational issues.

Strong operator authentication

ADSS Server operators are authenticated using certificates over a mutually authenticated TLS/SSL sessions. The operator’s private key and certificates can be on a hardware token for strong multi-factor authentication. ADSS Server performs full certificate validation, including revocation checking, before allowing operators to login to the console.

Role based access control

Role-based access control system is provided with fine granularity. Ability to define new operator roles and assign read, write, edit, delete capability for each low-level module. Unavailable modules are hidden from view

Dual control

This is where an operator’s actions are queued for a Security Officer role-holder to review and then approve or reject the action. ADSS Server implements dual control in a flexible and practical way, i.e. either apply dual control feature to the complete system or selectively to the functionality which is most security sensitive (e.g. key generation, policy change etc)

Secure logging

Cryptographic tamper-resistant logs are provided for service transactions (request/responses), all operator activity and system generated events. Advanced searching and filtering of log records (e.g. on date range) is possible to easily locate specific records.

Database integrity

All ADSS Server configurations and settings in the database are also cryptographically protected to prevent record modification, deletion or re-ordering.

Auto system integrity checking

Cryptographic tamper-resistant logs are provided for all service transaction logs that contain details of requests and responses, all operator activity logs and all system event logs. Advanced reporting, reviewing including searching and filtering of log records is provided. All database log records are cryptographically protected to prevent record modification, deletions or additions.

Strong crypto algorithm support

Support for strong cryptographic algorithms is provided e.g. including SHA-2 family (SHA-256, SHA-384, SHA-512) and ECDSA and RSA key lengths up to 4096-bit.

Auto-archiving

Ability to automatically trim the DB log records to avoid space issues. The created Archive Log files are digitally signed for long-term preservation before storing on specified disk location(s). The archived files can later be imported, verified and inspected.

NTP time monitoring

Comes with an optional NTP monitor which can check system time against one or more configured NTP time servers to detect machine time shifts. Multiple clock drift threshold settings allow operator alerting and ultimately stop of all trust services.

Ascertia is a global leader in delivering functionally rich, easy to deploy e-security solutions. We pride ourselves in being easy and efficient to deal with.
Ascertia is a global leader in delivering functionally rich, easy to deploy e-security solutions. We pride ourselves in being easy and efficient to deal with.