This article describes how to set up access control and billing in Nexus OCSP Responder. Access control and billing can be derived either from TLS client authentication or from the signature on the requests.

...

Specify access control

Access control is performed in two steps, authentication and authorization:

  1. For authentication, the requestor must either sign the OCSP request with a certificate that Nexus OCSP Responder trusts or authenticate in the TLS session.

    a. To require OCSP requests to be signed, specify the following in the Nexus OCSP Responder configuration file:

      Code Block
      responder.<r#>.incoming.signature.required=true
    b. To require client authentication during the TLS handshake, configure the responder to use HTTPS and add the following:

      Code Block
      responder.<r#>.ssl.clientauth=true
  2. For authorization of requests to Nexus OCSP Responder, configure either a name matching filter (a) or trust store verification (b).

    a. To use a name matching filter, specify the following in the Nexus OCSP Responder configuration file:

      Code Block
      responder.<r#>.incoming.authorization=bynamematch

      followed by the required table of rules.

    b. For trust store verification, use:

      Code Block
      responder.<r#>.incoming.authorization=byauthentication

      Replace <r#> with the responder sequence number.

Note

If TLS client authentication is required and the requestor certificate (or its issuer certificate) is revoked, access is denied. The client certificate must chain to a certificate in the responder's trust store.

For more information, see the section Specify limitations on incoming requests in OCSP responder.

...

Specify billing

To perform billing, Nexus OCSP Responder requires the following:

  1. Either sign the client request (a) or use TLS client authentication (b), so that the requestor can be identified for billing:

    a. To require signed client requests, specify the following in the Nexus OCSP Responder configuration file:

      Code Block
      responder.<r#>.incoming.signature.required=true
    b. Or, as an alternative, configure Nexus OCSP Responder to require TLS client authentication:

      Code Block
      responder.<r#>.ssl.clientauth=true
  2. Enable billing by specifying the following in the Nexus OCSP Responder configuration file:

    Code Block
    responder.<r#>.billing.enabled=true

    Replace <r#> with the responder sequence number.

    For the syntax of the available configuration parameters, see the OCSP responder section, heading "Specify billing information".
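The access control and billing procedures above share one precondition: a requestor identity established by a request signature or by TLS client authentication. The following script is an added example, not part of Nexus OCSP Responder and not its own configuration validation. It assumes the configuration file is in Java properties style (key=value lines, as the snippets in this article are) and that every responder key carries the responder.<r#>. prefix; it groups the keys by responder number and reports the combinations this article advises against: billing or authorization configured without any authentication requirement, an unknown authorization mode, and percert/perrequest/countunknown set while billing is not enabled. The sample configuration and the finding texts are constructed for this example.

```python
"""Lint a Nexus OCSP Responder configuration for the access-control and
billing invariants described in this article (added example; the rules
are the article's, not an official list)."""
import re
from collections import defaultdict

# Constructed sample configuration with three responders (not from a real
# deployment): responder 1 is consistent, responders 2 and 3 are not.
SAMPLE_CONFIG = """
# responder 1: signed requests, trust-store authorization, billing on
responder.1.incoming.signature.required=true
responder.1.incoming.authorization=byauthentication
responder.1.billing.enabled=true
responder.1.billing.percert=true

# responder 2: billing and authorization configured, but nothing
# authenticates the requestor
responder.2.incoming.signature.required=false
responder.2.ssl.clientauth=false
responder.2.incoming.authorization=bynamematch
responder.2.billing.enabled=true

# responder 3: per-certificate counting without billing switched on
responder.3.ssl.clientauth=true
responder.3.billing.percert=true
responder.3.billing.countunknown=true
"""

_KEY_RE = re.compile(r"^responder\.(\d+)\.(.+)$")
_AUTHZ_MODES = {"bynamematch", "byauthentication"}  # the two modes named above
_BILLING_DETAIL_KEYS = ("billing.perrequest", "billing.percert", "billing.countunknown")


def parse_properties(text):
    """Parse Java-properties style key=value (or key:value) lines into a dict.
    Lines starting with '#' or '!' are comments; line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_true(value):
    return value is not None and value.strip().lower() == "true"


def group_by_responder(props):
    """Split 'responder.<r#>.<subkey>' entries into {r#: {subkey: value}}."""
    per = defaultdict(dict)
    for key, value in props.items():
        m = _KEY_RE.match(key)
        if m:
            per[int(m.group(1))][m.group(2)] = value
    return dict(per)


def lint(text):
    """Return a list of (responder number, finding) tuples, ordered by responder."""
    findings = []
    for rnum, cfg in sorted(group_by_responder(parse_properties(text)).items()):
        # Authentication: either a required request signature or TLS client auth.
        authenticated = (is_true(cfg.get("incoming.signature.required"))
                         or is_true(cfg.get("ssl.clientauth")))
        authz = cfg.get("incoming.authorization")
        billing = is_true(cfg.get("billing.enabled"))

        if billing and not authenticated:
            findings.append((rnum, "billing.enabled=true but neither incoming.signature.required "
                                   "nor ssl.clientauth is true: no requestor identity to bill"))
        if authz is not None and not authenticated:
            findings.append((rnum, f"incoming.authorization={authz} but no authentication "
                                   "is required: there is no verified identity to authorize"))
        if authz is not None and authz not in _AUTHZ_MODES:
            findings.append((rnum, f"unknown incoming.authorization value '{authz}'"))
        for key in _BILLING_DETAIL_KEYS:
            if is_true(cfg.get(key)) and not billing:
                findings.append((rnum, f"{key}=true without billing.enabled=true"))
        if is_true(cfg.get("billing.countunknown")) and not is_true(cfg.get("billing.percert")):
            findings.append((rnum, "billing.countunknown=true only affects percert logging, "
                                   "but billing.percert is not true"))
    return findings


if __name__ == "__main__":
    for rnum, msg in lint(SAMPLE_CONFIG):
        print(f"responder.{rnum}: {msg}")
```

Run it against an exported configuration file instead of SAMPLE_CONFIG to check that every responder that bills also requires an authenticated requestor; a responder that passes the linter still needs its rule table (for bynamematch) or trust store (for byauthentication) reviewed separately, since neither is visible in these keys.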

...

Examples of log files for billing

Nexus OCSP Responder writes billing messages to the log file, classified as "billing". Every such message contains the following:

  • The URL to which the client has connected (that is, which OCSP responder is acting).

  • The IP address of the requesting client.

  • If available, the requestor name: either the name from the certificate that signed the OCSP request, or the name from the TLS client certificate.

An OCSP request may include one or more single requests, each one asking for information about a certificate.

To count the number of OCSP requests, specify the following in the Nexus OCSP Responder configuration file:

    Code Block
    responder.<r#>.billing.perrequest=true

  The number of single certificate requests included in the client request is then added to the log message. Replace <r#> with the responder sequence number.

To count every requested certificate, specify:

    Code Block
    responder.<r#>.billing.percert=true

  The issuer and the serial number of every included certificate request are then added to the log message. Replace <r#> with the responder sequence number.

By default, certificates that get the response "unknown" are excluded from percert logging. To also log such certificates, specify:

    Code Block
    responder.<r#>.billing.countunknown=true

  Replace <r#> with the responder sequence number.

External tools can be used to summarize the logs.
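As an example of such an external tool, the following Python script summarizes billing log lines per responder URL and billed party. It is an added example, not a tool shipped with Nexus OCSP Responder. This article only lists the fields a billing message carries (responder URL, client IP, requestor name when available, and with perrequest and percert enabled the request count and each issuer/serial); the exact line layout the script parses, a timestamp, the word BILLING and key=value fields with repeated cert= entries, is an assumption made for this example, so parse_billing_line() must be adapted to the format your installation writes. The sample log lines are constructed.

```python
"""Summarize Nexus OCSP Responder billing log lines (added example; the
line layout below is assumed, not the product's documented format)."""
import shlex
from collections import defaultdict

# Constructed sample log (assumed layout). Line 3 has no requestor name,
# line 4 is not a billing message and must be skipped.
SAMPLE_LOG = "\n".join([
    '2024-03-05T10:15:02Z BILLING url=http://ocsp.example.com/r1 ip=203.0.113.10 '
    'requestor="CN=VA Client,O=Example" requests=2 '
    'cert="CN=Example Issuer CA/1A2B" cert="CN=Example Issuer CA/1A2C"',
    '2024-03-05T10:15:09Z BILLING url=http://ocsp.example.com/r1 ip=203.0.113.10 '
    'requestor="CN=VA Client,O=Example" requests=1 cert="CN=Example Issuer CA/1A2D"',
    '2024-03-05T10:16:30Z BILLING url=http://ocsp.example.com/r1 ip=198.51.100.7 '
    'requests=1 cert="CN=Example Issuer CA/00FF"',
    '2024-03-05T10:17:00Z INFO responder 1 started',
    '2024-03-05T10:18:41Z BILLING url=http://ocsp.example.com/r2 ip=203.0.113.11 '
    'requestor="CN=Other Client,O=Example" requests=3 '
    'cert="CN=Other CA/10" cert="CN=Other CA/11" cert="CN=Other CA/12"',
])


def parse_billing_line(line):
    """Return a record dict for a billing line, or None for any other line.
    shlex keeps quoted values (names with spaces and commas) as one token."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[1] != "BILLING":
        return None
    rec = {"timestamp": tokens[0], "certs": []}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if not sep:
            continue
        if key == "cert":
            # percert entries: "<issuer name>/<serial in hex>"
            issuer, _, serial = value.rpartition("/")
            rec["certs"].append((issuer, serial.upper()))
        elif key == "requests":
            # perrequest entry: number of single requests in this OCSP request
            rec["requests"] = int(value)
        else:
            rec[key] = value
    return rec


def summarize(log_text):
    """Aggregate per (responder URL, billed party). The billed party is the
    requestor name when the message carries one, otherwise the client IP,
    which is all that remains when no signature or TLS client cert was given."""
    totals = defaultdict(lambda: {"messages": 0, "single_requests": 0, "certs": 0})
    for line in log_text.splitlines():
        rec = parse_billing_line(line)
        if rec is None:
            continue
        party = rec.get("requestor") or "ip:" + rec.get("ip", "?")
        t = totals[(rec.get("url", "?"), party)]
        t["messages"] += 1                       # one log message per OCSP request
        t["single_requests"] += rec.get("requests", 0)  # only known with perrequest
        t["certs"] += len(rec["certs"])          # only known with percert
    return dict(totals)


def certs_by_issuer(log_text):
    """Count percert entries per issuer, e.g. to bill each CA separately."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_billing_line(line)
        if rec:
            for issuer, _serial in rec["certs"]:
                counts[issuer] += 1
    return dict(counts)


if __name__ == "__main__":
    for (url, party), t in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{url:32} {party:30} messages={t['messages']} "
              f"single_requests={t['single_requests']} certs={t['certs']}")
    for issuer, n in sorted(certs_by_issuer(SAMPLE_LOG).items()):
        print(f"{issuer}: {n} certificate requests")
```

Entries billed to an IP address rather than a name indicate requests that arrived without a signature or TLS client certificate; if billing is meant to be based on authenticated identity, their presence is a sign that signature.required or ssl.clientauth is not enforced on that responder.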