It has been implemented fully in Java EE for multi-platform support, performance and high-availability. ADSS OCSP Server is the marketing name for ADSS Server when licensed for OCSP services only. The following highlights just some of its features.
Respond for multiple CAs from a single ADSS OCSP Server instance. Configure separate validation policy for each CA, including unique OCSP signing keys and certificates. OCSP server certificates can be issued using a built-in CA and auto-renewed.
Retrieve certificate status information from CAs using multiple methods, e.g. HTTP/S CRLs, LDAP/S CRLs, peer OCSP responders and real-time revocation information using the CA’s database. Configure which input feed to use on a per CA basis.
Meet latest RFC 6960 and CAB Forum white-list checking requirements. The OCSP Server can check if the certificate was actually issued by the CA (supports the Extended Revoked Definition extension of RFC 6960). This offers a countermeasure against recent attacks on some CAs where the result was the issuing of fake certificates.
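The white-list behaviour described above, modelled as an added example (this is illustrative code, not Ascertia's implementation): a responder that consults the CA's list of actually issued serials and, for a serial the CA never issued, returns "revoked" with the RFC 6960 sentinel revocationTime and reason plus the extended-revoke response extension, and a relying-party helper that recognises that pattern. The serial sets are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# id-pkix-ocsp-extended-revoke (RFC 6960 section 4.4.8): a response extension that says
# "revoked" here may also mean "this CA never issued that serial".
EXTENDED_REVOKE_OID = "1.3.6.1.5.5.7.48.1.9"
# RFC 6960 section 2.2 / 4.4.8 sentinel for a non-issued serial: revocationTime of
# 1970-01-01 00:00:00 UTC with revocation reason certificateHold.
NON_ISSUED_TIME = datetime(1970, 1, 1, tzinfo=timezone.utc)
NON_ISSUED_REASON = "certificateHold"

@dataclass
class SingleStatus:
    status: str                                   # "good", "revoked" or "unknown"
    revocation_time: Optional[datetime] = None
    reason: Optional[str] = None
    response_extensions: Tuple[str, ...] = ()

def cert_status(serial, issued, revoked, extended_revoke=True):
    """Decide the OCSP status for one serial number.
    issued:  serials the CA's own records show it really issued (the white-list).
    revoked: serial -> (revocationTime, reason) taken from the CRL or CA database."""
    if serial in revoked:
        when, reason = revoked[serial]
        return SingleStatus("revoked", when, reason)
    if serial in issued:
        return SingleStatus("good")
    if extended_revoke:  # never issued by this CA: answer "revoked", not "unknown"
        return SingleStatus("revoked", NON_ISSUED_TIME, NON_ISSUED_REASON,
                            (EXTENDED_REVOKE_OID,))
    return SingleStatus("unknown")

def client_view(single):
    """What a relying party should conclude: 'revoked' carrying the sentinel time and
    reason together with the extended-revoke extension means the cert was never issued."""
    if (single.status == "revoked"
            and single.revocation_time == NON_ISSUED_TIME
            and single.reason == NON_ISSUED_REASON
            and EXTENDED_REVOKE_OID in single.response_extensions):
        return "non-issued"
    return single.status

# Constructed sample CA records (not real certificates).
ISSUED = {0x1001, 0x1002, 0x1003}
REVOKED = {0x1002: (datetime(2021, 3, 4, tzinfo=timezone.utc), "keyCompromise")}
```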
ADSS OCSP Server is FIPS 201 certified and is on the GSA Approved Products List #1411. ADSS Server is also certified to meet the CWA 14167-1 requirements for trustworthy systems making it suitable for use by Qualified Certificate Service Providers (CSPs). Various HSMs are supported that meet Common Criteria EAL4 and FIPS 140-2 levels 2, 3 and 4.
Provides CRL streaming for the efficient import of very large CRLs and flexible CRL polling, including the ability to detect over-issued CRLs. Multiple CRL sources can be monitored, with a watchdog process for high availability ensuring no CRL is missed. Indirect CRLs, Delta CRLs and Partitioned CRLs are fully supported.
ADSS OCSP Server comes with our sophisticated ADSS CRL Monitor module for automated monitoring of multiple CRL issuers, fully verifying and validating the imported CRLs and real-time alerting of operators on any faults, e.g. unavailability of CRLs. See the CRL Monitor page for full details. Optionally ADSS OCSP Server can also republish a retrieved CRL to a defined location, e.g. on the internal network for local users as a fallback option. Auto-archiving of old CRLs is also provided.
The ADSS OCSP Server access control module allows operators to restrict client access based on TLS/SSL client certificates, OCSP request signing and/or using IP address filtering. Multiple rules can be set up to detect specific client certificate fields and range of IP addresses to accept/reject.
Supports unique “manual routing” of OCSP messages for interoperability with 1st Generation PKI (which contain no OCSP address information).
The popularity, reliability and trustworthiness of ADSS OCSP Server are attested by the number of PKIs that use it for their validation services. Customers who rely on ADSS OCSP Server range from many governments typically using it as part of their national eID or defence projects, to qualified CA service providers, major banks and global enterprises.
ADSS Server is built using Java EE architecture to provide high performance and scalability. It supports virtualised environments, where CPU and memory can be increased for performance gains. Even on a single server ADSS OCSP Server can provide several hundred OCSP transactions per second; furthermore, the use of a hardware load-balancer with multiple ADSS OCSP Server instances can satisfy any demanding performance requirements.
The core services within ADSS OCSP Server can be split to allow separate back-end servers to import CRLs, thereby allowing front-end OCSP servers to focus solely on handling high OCSP transaction loads, ensuring maximum performance.
Multiple ADSS Servers can be used in load-balanced mode to maximise availability across one or more live sites (also use DB replication/clustering and HSM replication for complete infrastructure resilience).
ADSS OCSP Service comes with its own management reporting module. This provides the ability to create graphic and tabular reporting on all service requests within a particular date period. The management reports show the number of transactions processed, their results, who the main OCSP clients are, which end-entity (target) certificates were checked the most, etc. Reports can be exported in PDF and CSV format.
All OCSP request/response transactions are securely logged in the ADSS OCSP Server database. To support an administrator's review of these transactions, viewers are provided which automatically convert the OCSP binary transactions into human-readable form, thus allowing easy analysis of reported trust issues or interoperability checking.
FIPS and Common Criteria certified HSMs from SafeNet, Thales and Utimaco can be used to store and protect all cryptographic keys. Support for other PKCS#11 compliant HSMs can also be provided if required. HSMs can be network, PCIe or USB connected. One or more HSMs, smart cards or USB tokens can be connected to ADSS Server. Another key feature of ADSS Server is the sophisticated auto-reconnect feature that prevents a network issue from requiring operator intervention to reconnect a network HSM.
Support for the common cryptographic algorithms is provided including SHA1, SHA-2 (SHA-256, SHA-384, SHA-512), RSA keys up to 4096 bits and ECDSA up to 521 bits.
ADSS Server operators are authenticated using certificates over mutually authenticated TLS/SSL sessions. The operator’s private key and certificates can be on a hardware token for strong multi-factor authentication. ADSS Server performs full certificate validation, including revocation checking, before allowing operators to log in to the console.
ADSS Server enables multiple operator roles to be defined. Each operator registered within the system is assigned a role. The role-based access control system enables fine control over specific service modules that an operator can see and whether they have read, write, edit or delete capability for specific areas of functionality.
ADSS Server implements dual control in a flexible and practical way, i.e. dual control can be applied selectively to important aspects of functionality that are considered most sensitive (such as key generation, policy changes, etc.). When used, an operator’s actions are queued for a Security Officer role-holder to review and then approve or reject the action.
Business applications are authenticated using TLS/SSL client certificates that are pre-registered in ADSS Server. The application’s access to specific profiles and/or keys is checked as part of the ADSS Server authorisation process when service requests are received.
Cryptographic tamper-resistant logs are provided for all service transaction logs that contain details of requests and responses, all operator activity logs and all system event logs. Advanced reporting and review of log records, including searching and filtering, is provided. All database log records are cryptographically protected to prevent record modification, deletion or addition.
All ADSS Server configurations and settings held in the database are cryptographically protected to prevent record modification, deletion or addition. The system automatically checks these records at pre-defined intervals or on demand to ensure system integrity. A detailed report is produced for any issues that are found.
Selected system operators can be alerted when certain event conditions occur using email or SMS messages. Management systems can be alerted using SNMP messages or via Syslog (log4j) messages.
ADSS Server is feature rich to minimise IT operations time. The simple installation wizard, the automatic checking of system integrity and auto-archiving and alerting ensure the system runs without daily operator involvement. The detailed transaction logs and detailed request/response viewers reduce support desk time in resolving operational issues. ADSS CA Server is also able to run an automatic upgrade process for its settings and data to run the latest version of software.
To prevent database bloating, ADSS Server can be configured to automatically archive database log records. As the archive log files are created and written to disk, they are digitally signed to provide authentication and integrity. The archived files can later be imported, verified and viewed within the transaction log viewer.
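An added example (illustrative code, not Ascertia's implementation) of the tamper-evident log property claimed above for transaction, operator and system logs and for archived records: each record's MAC chains to the previous record, so a modified, deleted or inserted record is detected, and an out-of-band tail tag (as a signed archive or checkpoint would provide) catches truncation. The key and event records are constructed sample data.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record

def _tag(key, seq, prev, payload):
    # The MAC binds sequence number, previous tag and canonicalised payload together.
    msg = f"{seq}|{prev}|{json.dumps(payload, sort_keys=True)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_record(log, key, payload):
    """Append a record whose tag chains to the previous record's tag."""
    seq = len(log)
    prev = log[-1]["tag"] if log else GENESIS
    rec = {"seq": seq, "prev": prev, "payload": payload,
           "tag": _tag(key, seq, prev, payload)}
    log.append(rec)
    return rec

def verify_log(log, key, expected_tail=None):
    """Walk the chain: (True, -1) if intact, else (False, index of first bad record).
    expected_tail is the last tag recorded out of band (e.g. in a signed archive or
    checkpoint); without it, deleting records from the end of the log is undetectable."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:      # deletion or insertion breaks the chain
            return False, i
        expected = _tag(key, rec["seq"], rec["prev"], rec["payload"])
        if not hmac.compare_digest(rec["tag"], expected):  # edited payload or forged record
            return False, i
        prev = rec["tag"]
    if expected_tail is not None and prev != expected_tail:
        return False, len(log)                          # records removed from the tail
    return True, -1

# Constructed sample key and events, standing in for OCSP transaction and operator log entries.
DEMO_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_EVENTS = [
    {"event": "ocsp_request", "serial": "1001", "status": "good"},
    {"event": "operator_login", "operator": "alice"},
    {"event": "policy_change", "policy": "ca-1", "approved_by": "security_officer"},
]

def build_sample_log(key=DEMO_KEY):
    log = []
    for event in SAMPLE_EVENTS:
        append_record(log, key, event)
    return log
```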
ADSS Server features an optional NTP Time Monitor service that regularly checks the operating system time and compares this with one or more configured NTP time servers to detect unacceptable time drift or IT operational errors. Configured time thresholds allow ADSS Server operators to be alerted to time issues and ultimately all trust services can also be stopped automatically.
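The time-drift check described above, as an added example (not Ascertia's code): it parses a 48-byte NTPv3/v4 server reply, rejects replies that are not usable as a time source (kiss-of-death stratum 0, unsynchronised leap indicator, wrong mode, origin timestamp that does not echo the client's own request), computes the clock offset with the standard four-timestamp formula, and maps it to an action. The two-threshold alert/stop policy and the reply packet are assumptions and constructed sample data.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER = "!BBbb11I"              # LI/VN/Mode, stratum, poll, precision, then 11 x 32-bit words

def to_ntp(unix):
    """Split a Unix float timestamp into the 64-bit NTP (seconds, fraction) pair."""
    sec = int(unix) + NTP_EPOCH_OFFSET
    return sec, int((unix - int(unix)) * 2**32)

def to_unix(sec, frac):
    return sec - NTP_EPOCH_OFFSET + frac / 2**32

def clock_offset(reply, t1, t4):
    """Local clock offset against the server in seconds (positive = local clock is behind),
    from the server reply plus the client's own send time t1 and receive time t4."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(HEADER, reply[:48])
    li, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if stratum == 0 or li == 3:          # kiss-of-death, or server clock not synchronised
        raise ValueError("server not usable as a time source")
    origin = to_unix(f[9], f[10])
    if abs(origin - t1) > 1e-6:          # origin must echo our transmit time: drops stray replies
        raise ValueError("origin timestamp mismatch")
    t2, t3 = to_unix(f[11], f[12]), to_unix(f[13], f[14])   # server receive / transmit
    return ((t2 - t1) + (t3 - t4)) / 2

def drift_action(offset, alert_s, stop_s):
    """Map an offset to the operator action under an assumed two-threshold policy."""
    if abs(offset) >= stop_s:
        return "stop"       # drift large enough that trust services should halt
    if abs(offset) >= alert_s:
        return "alert"
    return "ok"

def constructed_reply(t1, t2, t3, stratum=2, li=0):
    """Build a synthetic server reply for offline use (constructed data, not a real server)."""
    first = (li << 6) | (4 << 3) | 4     # LI, version 4, mode 4 (server)
    return struct.pack(HEADER, first, stratum, 6, -20, 0, 0, 0,
                       *to_ntp(t3), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))
```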