It has been implemented fully in Java EE for multi-platform support, performance and high-availability.The following highlights just some of its main features:
OCSP Monitor runs continuously and can allow various Test Scenarios to be run to monitor performance and validation policy. Ascertia recommends:
OCSP Monitor can send end of day summary reports using emails. Warning alerts can also be sent immediately by email and/or SMS message gateways.
OCSP Monitor has been designed by security experts to provide high quality management information, for example:
OCSP Monitor has been designed to provide high quality management information, for example: Each test scenario can have multiple test cases with multiple checks. When a test scenario fails a customisable failure report is sent to a configurable list of operations staff. Different scenarios can have different operations staff identified.
When a scenario completes a summary report can be sent to service management staff showing the minimum, average and maximum response delay statistics observed as well as a summary of the failures observed during the period. At the end of day a summary report for can be sent to service management staff detailing the results for all the configured scenarios.
OCSP Monitor provides near real-time feedback on OCSP responder issues as they arise. When OCSP services are used it is often assumed that they are functioning correctly and will continue to do so. OCSP Monitor enables multiple test scenarios to run each with a defined set of positive and negative tests to check for correct behaviour and to report on server performance.
OCSP Service Level Agreements can now be accurately checked and reported on. The identification and reporting of OCSP service issues identification has always been rather hit and miss until now. OCSP Monitor provides for easy change of test policies so that a selected level of detailed testing can be carried as required to suit the business demands. History data is maintained and detailed English language analysis of OCSP request and response data is available as a standard feature.
ADSS Server is feature rich to minimise time for operators. From the simple installation wizard to auto-integrity checking and auto-archiving help to ensure the system runs without daily operator involvement. Further the detailed transaction logs and request/response viewers reduce support desk time in resolving operational issues.
ADSS Server operators are authenticated using certificates over a mutually authenticated TLS/SSL sessions. The operator’s private key and certificates can be on a hardware token for strong multi-factor authentication. ADSS Server performs full certificate validation, including revocation checking, before allowing operators to login to the console.
Role-based access control system is provided with fine granularity. Ability to define new operator roles and assign read, write, edit, delete capability for each low-level module. Unavailable modules are hidden from view
This is where an operator’s actions are queued for a Security Officer role-holder to review and then approve or reject the action. ADSS Server implements dual control in a flexible and practical way, i.e. either apply dual control feature to the complete system or selectively to the functionality which is most security sensitive (e.g. key generation, policy change etc)
Cryptographic tamper-resistant logs are provided for service transactions (request/responses), all operator activity and system generated events. Advanced searching and filtering of log records (e.g. on date range) is possible to easily locate specific records.
All ADSS Server configurations and settings in the database are also cryptographically protected to prevent record modification, deletion or re-ordering.
Cryptographic tamper-resistant logs are provided for all service transaction logs that contain details of requests and responses, all operator activity logs and all system event logs. Advanced reporting, reviewing including searching and filtering of log records is provided. All database log records are cryptographically protected to prevent record modification, deletions or additions.
Support for strong cryptographic algorithms is provided e.g. including SHA-2 family (SHA-256, SHA-384, SHA-512) and ECDSA and RSA key lengths up to 4096-bit.
Ability to automatically trim the DB log records to avoid space issues. The created Archive Log files are digitally signed for long-term preservation before storing on specified disk location(s). The archived files can later be imported, verified and inspected.
Comes with an optional NTP monitor which can check system time against one or more configured NTP time servers to detect machine time shifts. Multiple clock drift threshold settings allow operator alerting and ultimately stop of all trust services.