
OCSP Monitor - User Manual


Contents

1. [Screenshot: OCSP Monitor Home screen, showing the OCSP Monitor Service Status ("OCSP Monitor Service is stopped"), the Live Report, History Viewer, Show Last Warning Report and Show Last Daily Summary Report buttons, and the options Create Test Scenario, Create Test Case, Edit Scenarios and Test Cases, Email/SMS Contacts and Settings.] IMPORTANT: Changes to OCSP Monitor can only be applied when the service is stopped. Version 2.2.0.1, Commercial in Confidence, Page 5 of 42. 3.1.1 Trust Anchor: The OCSP Monitor Trust Anchor list stores trusted certificates. The list is used to store self-signed Root CA certificates, which are the final trust points for the certificates used by OCSP Monitor in its test scenarios. When OCSP Monitor receives an OCSP response, it will attempt to verify it by building a certificate chain from the OCSP responder's certificate to a Root CA certificate in the Trust Anchor list. If a chain can be successfully built, then the OCSP responder is authenticated and trusted. If not, the OCSP response cannot be trusted. The intermediate CA certificates can be retrieved by OCSP Monitor from th
2. Now set the scenario Start Time and Stop Time; also specify the time interval at which to run the test scenario, e.g. run scenario every 5 minutes. If the scenario is not to be run at weekends, click on the Do not run at week ends checkbox. If the results of this scenario are to be included in the end of day summary report, click the Include in Daily Summary Report checkbox. [Screenshot: Create Test Scenario wizard, Scheduler section, with the fields Run Scenario after every, Do not run at week ends, Start Time, Stop Time and Include in End of Day Summary Report.] 3.3.4 Warning & Summary Reports: Warning reports are only generated when the actual results of a test case do not match the expected results that we configured. Summary reports, on the other hand, are optional and can be configured to be sent at the test scenario stop time. These summary reports are sent regardless of what results were actually achieved. In this section of the wizard you can define the format of the Warning reports and Summary reports and to whom they should be sent. In the Warning Reports tab, enter the Warning Report email Subject, Initial email body text, SMS body text and number of previous warning reports to be sent with this alert
3. [Screenshot: Create Test Scenario wizard, Summary Reports tab, with Send Summary Report at Scenario Stop Time, Subject, Initial email body text and Recipients List.] The Summary Report will be sent once the scenario has stopped and the time interval mentioned in the Scheduler > Run scenario after every field has elapsed, e.g. with a time interval of 5 mins and a scenario stop time of 11:53 PM, the scenario summary report will be sent at 11:53 PM + 5 mins, i.e. 11:58 PM. 3.3.5 Trust Anchor: All test scenarios by default use the OCSP Monitor's default Trust Anchor list, which is configured centrally in the main OCSP Monitor Settings section as described earlier. However, in addition to this, each Test Scenario can refine the default Trust Anchor to specify exactly which Trust Anchor(s) are to be selected for this scenario. Simply select a certificate from the Default Trust Anchor List and then move it to the Scenario's Trust Anchor list by using the >> button. It will then be shown in the right-hand box. [Screenshot: Edit Test Scenario, Trust Anchors section.]
4. [Screenshot: OCSP Monitor Home screen.] The following is a screenshot of the OCSP Monitor History viewer: [Screenshot: OCSP Monitor History, listing Transaction ID, Test Scenario, Test Case, Target Cert Alias and Request Date Time for each transaction; total number of transactions 406, total number of failed transactions 167.]
5. [Screenshot: Scenario Reports Location settings, showing the reports folder with its creation, modified and access dates.] Ensure that the Apply button is clicked once the default folder for the scenario reports has been specified. 3.1.4 Email/SMS Server: Clicking on the Email/SMS Server option in the left pane enables the email/SMS server settings. Configure the Email tab by specifying the Email format (either Plain Text or HTML), Sender Name, Sender Email, Outgoing Mail Server (SMTP) and its port. If the SMTP server requires authentication, then provide the username/password for the email account. [Screenshot: Settings, Email/SMS Server, Email tab.] Click the Test button to verify the email server settings are working. Configure the SMS tab by specifying the SMS Server Address, User Name
6. [Screenshot: OCSP Monitor Home screen.] The Create Test Scenario wizard will start up. 3.3.1 General: Enter a Scenario Name, e.g. OCSP Test Scenario 1, in the General section of the wizard and click the right arrow button. [Screenshot: Create Test Scenario wizard, General section, with Scenario Name "OCSP Test Scenario 1".] 3.3.2 OCSP Responder: Configure the OCSP responder settings by entering the Host, which is the OCSP responder address (e.g. http://ocsp.globaltrustfinder.com), Port (e.g. 80), connection Timeout (e.g. 30 secs) and OCSP Freshness Threshold limit (e.g. 0 mins). Click on the right a
7. by OCSP Monitor are sent by email or SMS to identified support staff or business managers. OCSP Monitor allows administrators to create a Test Scenario, which specifies: the OCSP responder being tested; the schedule for executing the test scenario; and the settings for warning and summary reports, i.e. the format of these reports and to whom these should be sent. Within a Test Scenario an administrator can create one or more Test Cases. For each Test Case the administrator can define: the target certificate to be checked by the OCSP responder; the expected response from the OCSP responder for this test case, i.e. good, revoked, unknown etc.; and the OCSP request configuration: whether to add nonce and service locator extensions, whether requests should be signed and if so with which key/certificate, and how to process the OCSP responses received. Before using OCSP Monitor to assess a particular OCSP service, the administrator needs to perform some basic configurations: set up the trust anchors which will be used to verify the OCSP response signature and certificate chain; configure proxy settings, specify default locations for scenario reports, and configure email server settings and daily report scheduler settings; configure email contacts that are to receive reports from OCSP Monitor. This manual describes how to perform these tasks. OCSP Monitor also records all transactions within its database and provides a
8. generated. 4.3 Live Report: The status of the test cases currently running and their respective results can be viewed by clicking on the Live Report button. [Screenshot: OCSP Monitor Home screen.] [Screenshot: Live Report, listing each running test scenario with its test cases, e.g. Check Revocation Status1 and Check Revocation Status2.] Note: Please re-launch Live Report when changes are made in any Test Scenario or Test Case. This will show the active test scenarios and their respective test cases current
9. results; Recipients, to whom the daily report will be sent; Generation Time, which should be after the stop time of all test scenarios. [Screenshot: Settings, Daily Report Scheduler, with Subject, Generation Time, Initial Message and Recipients.] 3.2 Email/SMS Contacts: To manage email/SMS contacts and specify who will receive OCSP Monitor reports, go to the OCSP Monitor Home screen and click the Email/SMS Contacts option in the right pane. [Screenshot: OCSP Monitor Home screen.] The following screen will be displayed:
10. sophisticated history viewer for viewing these past transactions. A live status viewer provides live summary information on the tests configured and currently in progress, and also provides details of the test case results. 3 Configuring OCSP Monitor: This section describes the initial configuration actions an administrator needs to make before creating and running test scenarios; it is recommended that the list below is followed in order. 1. Set up the default trust anchor list so that OCSP responses can be verified and trusted (note: the trust anchor selection can be defined on a per test scenario). 2. Set up any proxy details that are needed to communicate with the OCSP responder(s). 3. Define the location where reports are to be saved. 4. Define the email server and optional SMS server details so that OCSP Monitor can send reports to recipients via these. 5. Set a schedule for the daily email reports and to whom these should be sent. 6. Create email and SMS contacts for those people that need to receive email and/or SMS reports from OCSP Monitor. SMS is only used for warning reports because these are of urgent nature and are limited in size. Email is used for all report types, including end of scenario and end of day reports. 3.1 Settings: Launch OCSP Monitor and click the Settings option in the right pane. [Screenshot: Ascertia OCSP Monitor.]
11. [Screenshot: OCSP Monitor Home screen.] Double click on an existing Test Scenario and edit the details as required. To remove a Test Scenario, right click on a selected scenario and click on the Remove option. [Screenshot: OCSP Monitor Summary, showing OCSP Test Scenario 1 with its test case and recipient email addresses.] Ensure that the OCSP Monitor service is restarted after editing these details so that the changed data is picked up by the running service. Double click on an existing Test Case and edit the details as required. To remove a Test Case, right click on a selected Test Case and click on the Remove option. [Screenshot: Ascertia OCSP Monitor.]
12. [Screenshot, continued: OCSP Monitor History, with request timestamps, results, a "Delete records older than ... days" option and a Transaction ID search box.] The failed transactions are shown highlighted in yellow. The transactions are shown in pages and these pages can be navigated using the forward and back buttons. The current screen can be refreshed by clicking on the refresh button. A particular transaction can be searched for by entering the Transaction ID and pressing the Go button. A filter can also be applied to all records by clicking on the configure filter button. [Screenshot: filter dialog, with Transaction Status, Test Case Name and Request Date criteria.] Searching can be performed by applying a filter using different combinations of Transaction Status, Test Scenario Name, Test Case Name, Target Cert Alias and Request Date. If the Test Scenario Name is selected, then make sure that the correct scenario name is given in order to match it against the records in the database. It will result in a blank report in the History Viewer if an incorrect scenario name is given. Once a correct scenario name is given, it will further filter the records based upon the other selected search criteria. When applying a filter
13. Ascertia Limited, 40 Occam Road, Surrey Research Park, Guildford, Surrey GU2 7YG. Tel: 44 1483 685500, Fax: 44 1483 573704, www.ascertia.com. OCSP Monitor User Manual. Document Version: 2.2.0.1. Document Issued: January 2010. Copyright Ascertia Ltd 2010. This document contains commercial in confidence material. It must not be disclosed to any third party without the written authority of Ascertia Limited. Contents: 1 Introduction; 1.1 Scope; 1.2 Intended Readership; 1.3 Conventions; 1.4 Technical Support; 2 [illegible]; 3 Configuring OCSP Monitor; 3.1 Settings; 3.2 Email/SMS Contacts; 3.3 Create Test Scenario; 3.4 Create Test Case; 3.5 Edit Scenarios and Test Cases; 4 Using OCSP Monitor
14. [Screenshot: OCSP Monitor Home screen.] 4.5 Show End of Day Report: The last end of day summary report can be viewed by clicking the option Show End of Day Report on the OCSP Monitor Home page. [Screenshot: OCSP Monitor Home screen.] 4.6 History Viewer: The History Viewer enables old OCSP request and response transaction details to be viewed, and can be accessed by clicking on the History Viewer button on the OCSP Monitor Home page. [Screenshot: Ascertia OCSP Monitor.]
15. OCSP Monitor will retrieve the records from the database matching any character given in the text fields of the filter criteria. Test Scenario Name: Enter the scenario name. Transaction Status: Can be set to either PASS or FAIL. Test Case Name: Enter the test case name. Target Cert Alias: Enter the target certificate alias. Request Time: Enter the date from which all records, starting from the selected date till the present, are to be displayed. A filter can be applied by clicking the Apply button and it can be cancelled by clicking on the Cancel button. A filter can be removed from the records by clicking on the show all button. To view an actual OCSP request/response transaction, select a transaction and then click on the OCSP viewer button; this will show the following: [Screenshot: Ascertia OCSP Viewer v1.0, OCSP Request & Response Viewer, listing the OCSP response fields (Response Status, Response Type, Version, Responder Id, Produced At, Single Responses, Signature, Certificate Serial Number, Revocation Status, This Update, Next Update) and their values.]
16. Password, API Id and the Phone Number. The phone number is only required for testing purposes. Use the test button to check the configuration and a test SMS will be sent to that phone. [Screenshot: Settings, Email/SMS Server, SMS tab, with User Name, Password, API Id and Phone Number fields.] SMS Server Address: Enter the server address, e.g. http://api.clickatell.com. Ascertia has tested the service provided by www.clickatel.com. User Name: Enter the username of the account created at the Clickatell website. Password: Enter the password of the account created. API Id: This specifies the application being used on the Clickatell website, e.g. XML, HTTP. Phone Number: Optionally enter the phone number which will receive the test warning messages. The SMS Service only works with the Clickatell account. 3.1.5 Daily Report Scheduler: Clicking on the Daily Report Scheduler option in the left pane enables scheduling of the Daily Summary report for all test scenarios which have been selected for inclusion in this report. The following details need to be specified: Subject of the email; Initial Message, i.e. the email body text before including the
17. [Screenshot: example warning report in HTML format; the visible table row is for the test case "Testing of Good Cert every 5 mins should not fail", with received response Good, expected response Good and result Pass.] The example warning report in the text format: [Example report: "One of your configured test cases has failed, details are as follows." Scenario Warning Report: Scenario Start Time 00:55:35; Scenario Stop Time 23:55:35; Time Interval 5 mins. Current Warning Report: Warning Report Created At 2008-10-07 16:36:52; Serial No 1; Test Case Name "Error condition test case should always fail"; Transaction ID 42; Received Response Good; Expected Response Unknown. The report also carries Scenario Name, OCSP Responder and Result fields.] The example warning report in the SMS format: 4.2.2 Example Summary Report: The following is an example Summary Report. Such reports are only sent at the Test Scenario stop time if this option has been enabled. The performance statistics are expected to be of significant value in monitoring service level agreements and also during capacity planning exercises. A sample summary report in HTML format is shown here: [Screenshot: sample summary report, headed "OCSP Monitor: Automated OCSP Responder Monitoring and Reporting".]
18. [Screenshot, continued: OCSP Viewer field details.] This viewer allows both the OCSP request and response message to be shown by pressing the relevant button from the viewer's toolbar. The transaction can also be exported and saved as a file and later imported for viewing. The details of each field within the request or response message can be viewed in detail by selecting the field from the top part of the viewer; the bottom part of the viewer then expands on that field.
19. and the email/SMS Recipients who should receive the warning reports. [Screenshot: Create Test Scenario wizard, Warning Reports tab, with Subject, Initial email body text, SMS body text and Recipients List (Display Name, Channel).] The Warning Report can be configured to be received as either an email or SMS or both from the Channel option in the Recipient List. In the Summary Reports tab, configure the summary report details. This is an optional report, only sent at the test scenario stop time. This report provides details of all the test cases that ran between the scenario's start and stop time, together with the performance statistics and details of any failures. Enter the Summary Report settings by selecting the option to Send Summary Report at Scenario Stop Time and then specifying the email Subject, Initial email body text and the email Recipients who should receive summary reports. Click the right arrow button to proceed with the wizard. [Screenshot: Create Test Scenario wizard.]
20. creating the Test Scenario. Performance statistics are shown as in the Test Scenario summary report. The number of failures is shown and highlighted in yellow for easy viewing. The sample daily summary report in the HTML format: [Sample report, headed "OCSP Monitor: Automated OCSP Responder Monitoring and Reporting. Following is end of day summary report". Scenario Summary Report for OCSP Test Scenario 1: Scenario Start Time 09:00:00; Scenario Stop Time 16:00:00; Number of times scenario was run 438; Time Interval 1 mins; Summary Report Created At Wednesday July 12 2006 17:00:00; Minimum Response Time 4.58 sec; Average Response Time 4.58 sec; Maximum Response Time 26.22 sec; Total Test Cases Failed 46; Total Test Cases Passed 0. Scenario Summary Report for OCSP Test Scenario 2: Scenario Start Time 09:00:00; Scenario Stop Time 16:00:00; Number of times scenario was run 21; Time Interval 1 mins; Summary Report Created At Wednesday July 12 2006 17:00:00; Minimum Response Time 4.57 sec; Average Response Time 4.57 sec; Maximum Response Time 21.62 sec; Total Test Cases Failed 18. Each scenario is followed by a table of Test Case Name and Number of Failures.] If no scenario is selected to be included in the Daily Summary Report, then an empty daily report will be
21. d in the Trust Anchor by clicking this link. Export Trust Anchor: All the certificates in the Trust Anchor can be exported as a single file with a pss extension by clicking this link. 3.1.2 Proxy Settings: If a proxy server is being used, the proxy settings can be set by selecting the Proxy option from the left pane and then providing the proxy Address and Port. Other configuration data, such as authentication details, can be defined. Click the Apply button once the proxy settings have been configured. [Screenshot: Settings, Proxy, with Use Proxy, Address, Port, Bypass proxy for local addresses and Authentication (Username, Password).] 3.1.3 Scenario Reports Location: The Scenario Reports Location can be specified on the physical drive where the scenario reports are to be saved. [Screenshot: Settings, Scenario Reports Location, with the option to specify the default folder for scenario reports.]
22. d on what the responder is expected to return for this test case. A test case must be associated with any existing test scenario so that whenever this test scenario is run, the test case will be executed. Enter a Test Case Name and select check revocation for individual certificates or a PKCS#7 certificate chain. The browser can be used to identify the certificates or the certificate chain. When importing individual certificates, ensure the correct issuer certificate is selected for the target certificate, i.e. the target certificate is the actual certificate whose status is being checked, and the issuer certificate is the CA certificate which issued the target certificate. Both of these certificates are needed to generate the CertID which is placed in the OCSP request message. To configure the format of the OCSP request to be sent to the OCSP responder, the following checkboxes can be checked. Add Nonce: this extension helps prevent replay attacks; the OCSP responder must return the same nonce value in the OCSP response message in order for the OCSP response to be trusted. Add Service Locator: this extension allows OCSP relaying from one OCSP responder to some other authoritative OCSP responder. The Service Locator extension takes the value from the AIA extension of the certificate. Verify OCSP Signature: if this is not selected OCSP Monit
23. [Screenshot: Trust Anchors section, with the options to use OCSP Monitor's default Trust Anchor list or to configure the Test Scenario's own Trust Anchor list, and the Default Trust Anchor List and Scenario Trust Anchor List boxes.] Click the save button to complete the wizard. 3.3.6 Configuring OCSP Responder Clock Tolerance: The OCSP response tolerance can be configured in the OCSPMonitorScenarioManagement.xml file. This file is present in the following location: [Operating System Drive]:\Program Files\Ascertia\OCSP Monitor\XML. The tolerance is checked by comparing the ProducedAt, ThisUpdate and NextUpdate of the OCSP response with a threshold value configured for each Scenario. If the threshold is exceeded, the response is not trusted and a warning report is generated. The relevant tags are shown below: <FriendlyName>OCSP Test Scenario 1</FriendlyName> <UseCentralTrustAnchor>1</UseCentralTrustAnchor> <OCSPConfiguration> <Address>http://ocsp.globaltrustfinder.com</Address> <Port>80</Port> <Path></Path> <Timeout>30</Timeout> <DigestAuthentication Enabled="0"> <UserName></UserName> <Password></Password> </DigestAuthentication> <OcspResponseTolerance> <ThisUpdate>120</ThisUpdate> <NextUpdate>120</Nex
24. e OCSP response message itself, or alternatively they can also be added to the OCSP Monitor Trust Anchor list. It does not matter which way OCSP Monitor obtains the intermediate certificates, as long as a successful chain of certificates can be built to a Root CA in the Trust Anchor list. OCSP Monitor uses two cryptographic toolkits for resilience: CML (Certificate Management Library), which is the primary mechanism for certificate path building, and a fallback mechanism which uses Microsoft CAPI (Cryptographic Application Programming Interface). The reason for this is that CML follows PKI standards very closely and may reject some certificates which are not encoded precisely to these standards. Microsoft CAPI is more tolerant of other certificate profiles. When Microsoft CAPI is used for certificate path building, there is an additional requirement from Microsoft CAPI to install the complete certificate chain, including the Root CA, in the Microsoft Windows keystore so that the path building process can be initiated. Note: the final trust point (a Root CA) must be defined in the OCSP Monitor Trust Anchor list irrespective of whether CML or Microsoft CAPI is used during path building. If OCSP Monitor fails to trust the OCSP responder, then the OCSP responder certificate chain should be added to the Windows keystore, for example by using Internet Explorer. Ensure that the certificates are added to the system account, as this is the profile that OCSP M
25. esponder retrieves this and uses it for its responses. Time 12:15 PM: CA issues CRL2, but for some reason the OCSP responder fails to receive this and continues to use CRL1. Time 12:16 PM: OCSP responder receives a request to validate a certificate. Now the OCSP response will have a thisUpdate showing 12:00 PM, since it is still using CRL1, but a producedAt time showing 12:16, i.e. this is the time at which the responder produced this response. The difference between these two times is 16 mins. So this allows OCSP Monitor to detect that the OCSP responder is using a stale CRL as its back-end revocation information provider, since the producedAt time is beyond the defined threshold. The difference between the thisUpdate and the producedAt time values should be less than or equal to the configured Threshold value for the scenario in order for OCSP Monitor to accept the response as fresh. The 0 threshold configured for a scenario means that the OCSP freshness will not be checked for this scenario. If the OCSP responder requires digest Authentication, then give a Username and Password for the relevant network proxy. Click the Test Connection button to verify that the OCSP responder settings are valid. 3.3.3 Scheduler
26. gs for OCSP Monitor applicable to all test scenarios.
[Screenshot: Email SMS Contacts screen listing contact Name, Phone and Email Address, with the options Add a contact, Remove a contact and Edit an email contact.]
Click the Add an email contact option. Enter the Name, Phone Number and Email Address of the recipients who are to receive OCSP Monitor reports and click the Add button.
[Screenshot: Email SMS Contacts screen with a contact entered.]
The Phone number is an optional field, required only when using SMS messages. Name & Email Address are compulsory fields.
3.3 Create Test Scenario
To create a test scenario and set its reporting schedule, go to the OCSP Monitor Home screen and click the Create Test Scenario option.
[Screenshot: OCSP Monitor Home screen.]
27. [Table of contents fragment, partly illegible: 4.1 Importing the Commercial License File; 4.2 Example Reports; 4.4 Show Last Warning Report.]
1 Introduction
1.1 Scope
This manual describes how to operate the OCSP Monitor application on Windows operating systems.
1.2 Intended Readership
This guide is intended for administrators/operators who are responsible for monitoring an OCSP service within an organization or on behalf of an organization.
1.3 Conventions
The following typographical conventions are used in this guide to help locate and identify information:
• Bold text identifies menu names, menu options, items you can click on the screen, file names, folder names, and keyboard keys.
• Courier font identifies code and text that appears on the command line.
• Bold courier identifies commands that you are required to type in.
1.4 Technical support
If Technical Support is required, Ascertia has a dedicated support team providing debugging assistance, integration assistance and general customer support services. Ascertia Sup
28. ly running. The statuses of the test scenarios are presented using green and red dots. Green dots represent successful transactions and red dots represent failed transactions. Clicking on the dots will provide summary details of that transaction, e.g. Transaction ID, Target Certificate, Result.
[Screenshot: Test Case Transaction Info pop-up showing Transaction Id, Target Certificate, Request Time, Response Time and Result, with a View OCSP Request Response button.]
The OCSP Request and Response window can be opened by clicking the View OCSP Request Response button. Live Report will show the transactions for the current day only (i.e. 24 hours); when the next day starts, the previous day's details are cleared. The column frequency, i.e. the time scale setting in the Live Report, is automatically set to the minimum frequency of any active test scenario configured in OCSP Monitor, i.e. 2 minutes is the minimum frequency shown in the image above. The OCSP Monitor Live Report retrieves and displays the information of the transactions from the database every 10 seconds. Information about the Test Scenario and the Test Case can be retrieved in the form of a pop-up by clicking on the respective option within the Live Report window. When clicked on the test
29. onitor uses when validating OCSP responses. To add certificates to the OCSP Monitor Trust Anchor list, you import them from a file or from Internet Explorer.
[Screenshot: Settings, Trust Anchors screen listing certificates with Issued To, Issued By and Expiration Date columns.]
The six options at the bottom of this screen are explored:
• Add certificate from file: A certificate file can be added to the Trust Anchor by clicking this link.
• Add certificate from Internet Explorer: A certificate can be copied from Internet Explorer (CAPI) stores and added to the OCSP Monitor Trust Anchor list by clicking this link.
• Add certificate chain: A complete certificate chain can be added to the Trust Anchor by clicking this link.
• Remove certificate from Trust Anchor: A defined certificate can be deleted from the Trust Anchor list.
• Import Trust Anchor: A file with a pss extension containing one or many certificates can be importe
30. or will automatically trust the OCSP response without any verification. If it is selected, OCSP Monitor will need to verify the signature on the OCSP response message and also build and validate the certificate chain for the OCSP responder certificate.
• Sign OCSP request: this allows signing of OCSP request messages. If this is enabled, then select the signer key using the Browse button. Keys in PFX and PKCS#12 format (pfx extension) can be used for signing purposes.
Click the save button to save the test case settings.
[Screenshot: Create Test Case screen, Test Case Settings, with the Test Case Status, Expected Result, Add Nonce, Add Service Locator, Test Case Name, Verify OCSP Signature and Sign OCSP Request fields.]
3.5 Edit Scenarios and Test Cases
To review and edit existing Test Scenarios and Test Case settings, click on the Edit Scenarios and Test Cases option.
[Screenshot: OCSP Monitor Home screen.]
31. port can be accessed in the following ways:
Support Website: https www ascertia com personalized support aspx
Support Email: support@ascertia.com
Support MSN Messenger: support@ascertia.com
Skype: ascertia support
In addition to the free support service described above, Ascertia provides formal support agreements with all product sales. Please contact sales@ascertia.com for more details. A Product Support Questionnaire should be completed to provide Ascertia Support with further information about your system environment. When requesting help it is always important to confirm:
• The operating system and any applied service packs
• The logs, DB and XML folders from the location <Operating System Drive> Program Files Ascertia OCSP Monitor
• Any screenshots displaying error messages
• Steps on how to reproduce any errors
2 Overview
OCSP Monitor is a product that runs as a service on a Windows server or desktop system to continually monitor the status of one or more OCSP responders. Various types of tests can be set up, ranging from simple availability checks to complex full policy checking with positive and negative test checking. The OCSP responders being monitored must be compliant with the RFC 2560 specification. The management and configuration of OCSP Monitor is handled via a user-friendly GUI. The warning or summary reports produced
32. rrow button to proceed.
[Screenshot: Create Test Scenario, OCSP Responder tab, with Host, Timeout (Sec), OCSP Freshness Threshold (mins) and Authentication fields.]
Connection Timeout is the time that OCSP Monitor tries to connect with the OCSP responder. If this Timeout is reached and the OCSP responder cannot be contacted, then OCSP Monitor will close the connection.
OCSP Freshness Threshold: OCSP Monitor checks the freshness of an OCSP response by comparing the difference between the thisUpdate time and ProducedAt time with the value configured in the OCSP Freshness Threshold field for this scenario. If the OCSP response was produced using revocation info (e.g. a CRL) at a time which is in excess of this threshold setting, then it implies that it is using stale information, i.e. it is using a CRL which is now stale. To illustrate how this works, imagine the following scenario: a CA issues CRLs with a lifetime of 1 hour, but a new CRL is actually issued every 15 mins (these are often referred to as over-issued CRLs). So a CRL is issued every 15 mins, with each having a lifetime of 1 hour. Also assume that the threshold is configured as 15 mins in OCSP Monitor. Now the following situation can arise:
Time 12:00PM: CA issues CRL1. OCSP r
33. scenario, a pop-up appears providing the details of the scenario configured, e.g. Responder address, Port no., Start/Stop time, Frequency. Similarly, when clicked on the test case, a pop-up appears providing the test case configured, e.g. Test Certificate, Expected Result.
[Screenshot: Test Scenario Info pop-up showing Test Scenario Name, Responder, Port, Timeout, Start Time, Stop Time, Do not run at weekends, Frequency and Summary.]
[Screenshot: Test Case Info pop-up showing Test Case Name, Expected Result, Test Certificate, Nonce Applied, OCSP Request Signer, Service Locator and Verify OCSP Signature.]
4.4 Show Last Warning Report
The last warning report can be viewed by clicking on the option Show Last Warning Report on the OCSP Monitor Home page.
[Screenshot: OCSP Monitor Home screen.]
34. tUpdate ProducedAt 120 ProducedAt lt OcspResponseTolerance gt OCSPFreshnessThreshold 0 OCSPFreshnessThreshold OCSPConfiguration
By default the tolerance is configured to 120 seconds for each scenario.
3.4 Create Test Case
To configure test cases and assign them to a test scenario, go to the OCSP Monitor Home screen and click the Create Test Case option in the right pane.
[Screenshot: OCSP Monitor Home screen.]
In the screen below, first enable the test case by setting the Test Case Status to Active; only the active test cases within a test scenario are executed. Inactive test cases are ignored at the time of running the test scenario. Set the Expected Result as Good, Revoked or Unknown etc. base
35. test scenario
Scenario Summary Report
Scenario Name: GTF every 5 mins must always pass
Scenario Start Time: 00:05:35
Scenario Stop Time: 23:55:35
Number of times scenario was run: 95
Time Interval: 5 mins
OCSP Responder: http://ocsp.globaltrustfinder.com:80
Summary Report Created At: Sunday July 09 2006 00:05:35
Minimum Response Time: 1.18 sec
Average Response Time: 1.73 sec
Maximum Response Time: 2.28 sec
Total Test Cases Failed: 3
Total Test Cases Passed: 91
The sample summary report in text format:
The test scenario summary report follows
Scenario Summary Report
Scenario Name: OCSP Test Scenario1
Scenario Start Time: 00:05:55
Scenario Stop Time: 23:50:55
Number of times scenario was run: 05
Time Interval: 5 mins
OCSP Responder: http://ocsp.globaltrustfinder.com:80
Summary Report Created At: Saturday October 07 2008 23:55:55
Minimum Response Time: 0.01 sec
Average Response Time: 1.75 sec
Maximum Response Time: 13.61 sec
Total Test Cases Failed: 73
Total Test Cases Passed: 117
Check Revocation Status1: 35
Check Revocation Status: 38
4.2.3 Daily Summary Report
The following is an example Daily Summary Report. This report is only sent at the scheduled end of day and only for those Test Scenarios that have been selected for inclusion in this report (set when
36. [Screenshot residue: OCSP Monitor Summary tree showing OCSP Test Scenario 1 and Check Revocation Status.]
4 Using OCSP Monitor
4.1 Importing the Commercial License File
After purchasing OCSP Monitor, a commercial license file with an EKF file extension will be provided. This allows OCSP Monitor to be used beyond the trial period. This file needs to be saved at the following location: Operating System Drive Program Files Ascertia OCSP Monitor License
Note: This assumes that OCSP Monitor has been installed on the C drive within the Program Files folder.
4.2 Example Reports
4.2.1 Example Warning Report
The following is an example Warning Report. Such warning reports are only sent when the response from the OCSP responder does not match the specified expected result. As shown below, the failed Test Cases are highlighted in yellow.
The sample warning report in the HTML format:
OCSP Monitor: Automated OCSP Responder Monitoring and Reporting
Please check your test cases, one of these has failed for some reason.
Scenario Failure Report
Scenario Name: GTF every 5 mins must always pass
Scenario Start Time: 00:05:35
Scenario Stop Time: 23:55:35
Time Interval: 5 mins
OCSP Responder: http://ocsp.globaltrustfinder.com:80
Warning Report Created At: 2006-07-08 16:36:52
Serial No | Test Case Name | Transaction ID | Received
