Versions Compared

Old Version 5

changes.mady.by.user Ylva Andersson

Saved on

compared with

New Version Current

changes.mady.by.user Ylva Andersson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Timestamp Server 2.3.0: Removed information about Apache Derby, added info regarding the Authenticode feature and added a new parameter to audit filter (audittimestampclientip). Updates also for OCSPValidationFilter.
Info

This article includes updates for Nexus Timestamp Server 2.3.0.

This article describes all filters that can be used in a timestamp service in Nexus Timestamp Server. A filter can be in either filters.properties (for global timestamp service settings) or service.properties (defined for each timestamp service), but a good rule is that any filter with its own defined parameters should be in the service.properties because of bigger flexibility when using more than one timestamp service.

Except where otherwise noted, the filters are defined in or under the package "com.nexussafe.nano.filters".

AuditFilter

This is a pre-processing filter.

These parameters define the audit log.

Parameter

Description

Possible values

Default value

logger.name

A unique name used for this logger.

String

${service}

handler.type

Optional. A logging handler type.

timerolling

-

handler.pattern

Optional. A log file name pattern. Can be used to introduce per timestamp service audit logging.

String

-

audittimestamprequest

Optional. Set to true if the timestamp request shall be logged.

true/false

false

audittimestampresponse

Optional. Set to true if the timestamp response shall be logged.

true/false

false

audittimestampclientip

Optional. Set to true if the client IP address shall be logged.

true/false

false

Example: AuditFilter

Code Block
[filter.AuditManager]
class=com.nexussafe.nano.filters.AuditFilter
#logger.name=${service}
handler.type=timerolling
handler.pattern=${var}/logs/%ty-%<tm-%<td/${service}.audit.log
audittimestamprequest=true
audittimestampresponse=true
audittimestampclientip=true

ClockFilter

This is a pre-processing filter.

This filter injects the clock into the context.

Parameter

Description

Possible values

Default value

clock.type

The type of clock to inject.

virtual, real

real

clock.time

Applicable only if clock.type=virtual. The number of milliseconds past since the epoch (seconds since midnight 1 jan 1970).

Number

-

Example: ClockFilter

Code Block
[filter.RealClock]
class=com.nexussafe.nano.filters.ClockFilter

TransactionMonitorFilter

This is a pre-processing filter.

This filter injects the transaction identification into the context.

This filter takes no extra parameters.

Example:TransactionMonitorFIlter

Code Block
[filter.TransactionMonitor]
class=com.nexussafe.nano.filters.TransactionMonitorFilter

timestamp.AccuracyFilter

This filter is optional.

Implements the type Accuracy as it is specified in the RFC3161 protocol, section 2.4.2.

The AccuracyFilter must be placed after the GeneralizedTimeFilter in the filter chain.

Parameter

Description

Possible values

Default value

seconds

Number of seconds.

Number

0

milliseconds

Number of milliseconds between 1-999.

Number

0

Example:timestamp.AccuracyFilter

Code Block
[filter.Accuracy]
class=com.nexussafe.nano.filters.timestamp.AccuracyFilter
seconds=10
millis=45

timestamp.TimestampRespFilter

This filter is mandatory.

Creates the Timestamp response from a signed timestamp token.

This filter takes no extra parameters.

Example:timestamp.TimestampRespFilter

Code Block
[filter.TimestampResponse]
class=com.nexussafe.nano.filters.timestamp.TimestampRespFilter

timestamp.GeneralizedTimeFilter

This filter is mandatory.

Add Generalized time to timestamp token as it is specified the RFC3161 protocol, section 2.4.2.

This filter takes no extra parameters.

Example:timestamp.GeneralizedTimeFilter

Code Block
[filter.GeneralizedTime]
class=com.nexussafe.nano.filters.timestamp.GeneralizedTimeFilter

timestamp.MessageImprintFilter

This filter is mandatory.

Checks the MessageImprint from the timestamp request. 

Parameter

Description

Possible values

Default value

digestalgorithm

The digest algorithm used to hash the message.

SHA-1, SHA-256, SHA-512

SHA-256

Example: timestamp.MessageImprintFilter

Code Block
[filter.MessageImprint]
digestalgorithm=SHA-256
class=com.nexussafe.nano.filters.timestamp.MessageImprintFilter

timestamp.NonceFilter

This filter is mandatory.

Copies the nonce, if exists in the timestamp request, to the timestamp response as it is specified the RFC3161 protocol, section 2.4.2.

This filter takes no extra parameters.

Example: timestamp.NonceFilter

Code Block
[filter.Nonce]
class=com.nexussafe.nano.filters.timestamp.NonceFilter

timestamp.OrderingFilter

This filter is optional.

Add ordering to the timestamp response as it is specified the RFC3161 protocol, section 2.4.2.

Parameter

Description

Possible values

Default value

ordering

Ordering as defined in RFC3161.

true/false

false

Example: timestamp.OrderingFilter

Code Block
[filter.Ordering]
class=com.nexussafe.nano.filters.timestamp.OrderingFilter
ordering=true

timestamp.SerialnumberFilter

This filter is mandatory.

Adds a generated serial number in the Timestamp response as it is specified the RFC3161 protocol, section 2.4.2.

This filter takes no extra parameters.

Example: timestamp.SerialnumberFilter

Code Block
[filter.Serialnumber]
class=com.nexussafe.nano.filters.timestamp.SerialnumberFilter

timestamp.timestamp.SetTSANameFilter

This filter is optional.

Add GeneralName to timestamp token as it is specified the RFC3161 protocol, section 2.4.2. This filter uses the Global Service Settings.

Parameter

Description

Possible values

Default value

usesubject

Used to decide if the Subject shall be used for GeneralName in the Timestamp. Only one of this and the following parameters shall be set at the same time or non of them.

true/false

false

usesubjectaltname

Used to define the SubjectAltName to use for GeneralName in the Timestamp

0=OtherName,

1=Rfc822Name,

2=DnsName,

3=X400Address,

4=DirectoryName,

5=EdiPartyName,

6=Uri,

7=IpAddress,

8=RegisteredId

-1, means that SubjectAltName is not used.

tsaname

Used to define a static name as GeneralName in the Timestamp.

true/false

-

Example: timestamp.SetTSANameFilter

Code Block
[filter.SetTSAName]
class=com.nexussafe.nano.filters.timestamp.SetTSANameFilter
usesubject=true
#usesubjectaltname=-1
#tsaname=http://timestamping.nexusgroup.com/

timestamp.StorageFilter

This filter is optional and disabled by default.

Sets where to store the timestamp information. The information can be stored in a database per timestamp service or in the same database as other timestamp services.

Excerpt
nametimestamp.StorageFilter

Parameter

Description

Possible values

Default value

storage 

Set this parameter if information shall be stored in the same database as other timestamp services. A value of "system" corresponds to use the same database as other timestamp services else this parameter shall not be set.

String

-

storage.database.jdbcDriver

The JDBC driver class.

String

-

storage.database.jdbcUrl

The JDBC URL or path to a file.

String

-

storage.database.jdbcUser

The user accessing the database.

String

-

storage.database.jdbcPassword

The users password.

String

-

Example: timestamp.StorageFilter - Same database as other services

Code Block
[filter.StoreTimestampResponse]
class=com.nexussafe.nano.filters.timestamp.StorageFilter
storage=system

Example: timestamp.StorageFilter - Own database for this service

Code Block
# PostgreSQL settings
[filter.StoreTimestampResponse]
class=com.nexussafe.nano.filters.timestamp.StorageFilter
storage.database.jdbcDriver=org.postgresql.Driver
storage.database.jdbcUrl=jdbc:postgresql://localhost:5432/timestamp
storage.database.jdbcUser=postgres
storage.database.jdbcPassword=postgres

It is important to check the order of the filters. See an example when using an external database here: Filter chains used in Nexus Timestamp Server, section "Order of filters".

timestamp.TimestampTokenFilter/AcTimestampTokenFilter

This filter is mandatory.

Handles the signing of a timestamp token. This filter is responsible for signing the timestamp token. It needs a keystore with the TSA signing key. This filter uses the Global Service Settings.

Parameter

Description

Possible values

Default value

digest

The digest algorithm used to hash the signature.

SHA-1, SHA-256, SHA-512

SHA-256

certIDHashAlgorithm

The hash algorithm used in the signer certificate to generate the identifier value. Uses ESSCertID according to  RFC3161 as default. If specified, it will use ESSCertIDv2 according to RFC 5816.

SHA-1, SHA-256, SHA-512 and more (ESSCertIDv2).

SHA-1 (ESSCertID)

Example: timestamp.TimestampTokenFilter

Corresponds to timestamp request

Code Block
[filter.TimestampToken]
class=com.nexussafe.nano.filters.timestamp.TimestampTokenFilter
digest=SHA-256
certIDHashAlgorithm=SHA-256

Example: timestamp.AcTimestampTokenFilter

Corresponds to authenticode timestamp request

Code Block
[filter.AcTimestampToken]
class=com.nexussafe.nano.filters.timestamp.AcTimestampTokenFilter
digest=SHA-256
certIDHashAlgorithm=SHA-1

timestamp.TSAPolicyFilter

This filter is mandatory.

Verifies the policy, as it is specified the RFC3161 protocol, section 2.4.2. Used when creating the Timestamp response.

Parameter

Description

Possible values

Default value

policy

Specifies the policy used to create a timestamp response.

String

-

Example: timestamp.TSAPolicyFilter

Code Block
[filter.TSAPolicy]
class=com.nexussafe.nano.filters.timestamp.TSAPolicyFilter
policy=1.2.3.4.5.6.7

timestamp.TSTInfoFilter

This filter is mandatory.

Create the timestamp token.

This filter takes no extra parameters.

Example: timestamp.TSTInfoFilter

Code Block
[filter.TSTInfo]
class=com.nexussafe.nano.filters.timestamp.TSTInfoFilter

ntp.NTPFilter

This filter is optional.

Verifies local time against NTP servers and denies timestamps if local clock is out of sync. An NTP time is considered valid if the server replies within a specified time and if the the time passes the accuracy test (if enabled). The NTP filter will also forward its valid time results (see ntpMinValid) to the timestamp.AccuracyFilter.

Parameter

Description

Possible values

Default value

ntpUrl.<N>

The NTP servers' URLs to compare against.

String

-

ntpMinValid

The minimum required NTP servers that has to pass in order for the timestamp to be considered valid. If set to 0, all NTP servers have to pass.

Number

0

ntpUpdateFreq

Specifies the time, in seconds, how frequently the NTP server times should be updated. If set to 0, the NTP server times are updated on demand (not recommended).

Number

30

ntpUpdateLog

Specifies which NTP server update status that should be logged during each update.

Mask (passed, failed, none)

passed | failed

ntpAccuracy

The accuracy, in milliseconds, to compare the NTP times against during each update. If set to 0 this accuracy check is disabled.

Number

1000

ntpTimeout 

Specifies the time out, in milliseconds, of an NTP request. If a server times out, it will be marked as failed during that sequence update (invalid).

Number

500

Example: ntp.NTPFilter

Code Block
[filter.NTPTimeManager]
class=com.nexussafe.nano.filters.ntp.NTPFilter
ntpUrl.0=10.75.28.15
ntpUrl.1=10.75.28.16
ntpMinValid=2
ntpUpdateFreq=30
ntpUpdateLog=passed|failed
ntpAccuracy=1000
ntpTimeout=500

validation.CertificateVerificationFilter

This filter is optional.

Verifies a certificate towards a trusted store specified in the service.properties file. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.

Parameter

Description

Possible values

Default value

truststore

Path to the trusted store to verify towards.

Path

-

addissuers

The issuers found in the store should be added to the context so that they are available for filters executing after the certificate verification filter.

true/false

false

checktime

If set to false, disables the control of the certificate's validity time.

true/false

true

Example: validation.CertificateVerificationFilter

Code Block
[filter.CertificateVerifier]
class=com.nexussafe.nano.filters.validation.CertificateVerificationFilter
truststore=${ServiceDir}/certs
addissuers=true
checktime=true

validation.CrlValidationFilter

This filter is optional.

Validates a certificate using CRLs. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp ServerISO 8601 is a format for the representation of dates and times and intervals.

Parameter

Description

Possible values

Default value

validator.cache 

Name of the shared cache (defined in timestamp.properties).

Path

-

validator.cache.directory

Where downloaded CRLs are stored.

Path

-

validator.cache.truststore 

Where trusted CRL issuers are stored.

Path

-

validator.cache.maxAge

Defines the maximum age in seconds. A value of -1 corresponds to unlimited.

Number

-1

validator.cache.provider.<N>.type

Type of CRL provider.

pull

pull

validator.cache.provider.<N>.period

The time the thread should wait until it tries to fetch a new CRL.

ISO 8601 time expression, period.

PT1H

validator.cache.provider.<N>.margin

Specifies how long before "nextUpdate" to issue a new fetch.

ISO 8601 time expression, period.

PT3S

validator.cache.provider.<N>.fetcher.<M>.url

URL to fetch CRL from, <M> is the sequence number of possible URLs for this thread.

URL, no URL encoding needed.

-

Example: validation.CrlValidationFilter

Code Block
[filter.CrlValidator]
class=com.nexussafe.nano.filters.validation.CrlValidationFilter
validator.cache.directory=${ServiceDir}/crls
validator.cache.truststore=${ServiceDir}/certs
validator.cache.provider.1.type=pull
validator.cache.provider.1.period=PT30M
validator.cache.provider.1.margin=PT2S

validation.SimpleOcspValidationFilter

This filter is optional.

Validates a certificate using OCSP. Similar to “validation.OCSPValidationFilter” but simpler in the sense that it provides no configuration options for validation. It will use the default values for each “ocsp“-parameter listed under “validation.OCSPValidationFilter”, except for “propagateResponse” which is forced to “true”.

This filter expects a user certificate to be sent through the chain. This requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.

Parameter

Description

Possible values

Default value

signer.password

The password for the key.

String

-

signer.store

Path to p12 or jks. If a password is needed to decrypt a PKCS#12 file, it is passed after the filename, separated by a colon.

Path

-

signer.store.pin

The PKCS#12 file password.

String

-

signer.alias

The name of the key in the store. If there is only one key in the store, it can be omitted.

String

-

truststore

Directory with trusted root certificates, or name of service wide or server wide shared trust store.

Path, String

-

responder.< N>.url

Responder url for responder N in a list of responders.

URL

-

Example: validation.SimpleOcspValidationFilter

Code Block
[filter.SimpleOcspValidation]
class=com.nexussafe.nano.filters.validation.SimpleOcspValidationFilter
truststore=default store
signer.password=1234
signer.store=${ServiceDir}/keys/OCSP.p12
signer.store.pin=1234
ocsp.responder.1.url=http://localhost:8080/basic

validation.OCSPValidationFilter

This filter is optional.

Validates a certificate using OCSP. This filter expects a user certificate to be sent through the chain. Requires that you have TLSconnector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.

Parameter

Description

Possible values

Default value

ocsp.signRequest

Specifies if requests to the OCSP server should be signed.

true/false

true

ocsp.allowTrustedSigners

If true, enables “direct trust”, where an OCSP responder certificate is trusted if it is present in the trust store.

true/false

false

ocsp.allowCriticalExtensions

Specifies if OCSP responses with critical extensions should be accepted.

true/false

false

ocsp.compareNonce

Specifies whether to compare the nonce from the OCSP request in the OCSP response or not.

true/false

true

ocsp.responder.< N>.url

Responder URL for responder N in a list of responders. If URL has scheme https, the ocsp.ssl parameters need to be configured.

URL

-

propagateResponse

Enables returning of the OCSP response to the application.

true/false

false

ocsp.allowIndirectDelegation

Allows the responder certificate to be a delegate of a certificate in the trust store

true/false

false

ocsp.allowResponderRevocationCheck

If a responder is not in the trust store, or does not have the extension ocsp-nocheck in its responder certificate, enable this to allow checking the responder’s certificate for revocation.

true/false

false

ocsp.responsemaxage

Specifies the maximum interval in seconds that the “thisUpdate” attribute might differ from the system time. If set to-1 nocheck is performed.

Number, -1

-1

ocsp.producedatskew

Specifies the maximum interval in seconds that the “producedAt” attribute timestamp is allowed to differ from system time. If set to -1 no check is performed.

Number, -1

-1

ocsp.nextupdateskew

Specifies the maximum interval in seconds that the “nextUpdate” attribute might differ from the system time.

Number

120

ocsp.dontCheckResponderRevocation

Do not check the responder’s certificate for revocation, assume it is ok.

true/false

false

ocsp.useNonce 

Use nonce in the OCSP revocation request.

true/false

true

ocsp.signer.alias

The name of the key in the store; if there is only one key in the store, it can be left blank.

String

-

ocsp.signer.password 

The password for thekey.

String

-

ocsp.signer.store

Path to p12 or jks. If a password is needed to decrypt a PKCS#12 file, it is passed after the filename separated by a colon.

Path

-

ocsp.signer.store.pin

The PKCS#12 file password.

String

-

ocsp.truststore

Name of service wide or server wide shared trust store.

String

-

ocsp.doPost

If false, attempt to use HTTP GET. Uses POST anyway if the OCSP request is longer than 255 bytes.

true/false

true

ocsp.useAIA

Determines whether to use authority access information (AIA) for validation if it is defined in the certificate. Otherwise uses only the OCSP validation list.

true/false

true

ocsp.AIAFirst

Determines whether the request should be validated towards the AIA before the OCSP validation list.

true/false

true

checkResponderExpiration

Determines whether to check if the signer certificate of the OCSP response from the responder has expired.

true/false

true

ocsp.ssl.trust

Directory with trusted root certificates for the TLS handshake.

Path

-

ocsp.ssl.keys

Path to PKCS#12 file which holds the client key and certificate chain for the TLS handshake.

Path

-

ocsp.ssl.pin

The PKCS#12 file password.

String

-

ocsp.verifyHostname

Toggle hostname verification in the TLS handshake.

true/false

true

ocsp.socketTimeout

Determines the socket timeout value (seconds) for the connections.

Number

10

ocsp.connectTimeout

Determines the timeout (seconds) until a new connection is fully established.

Number

10

ocsp.validateAfterInactivity

Defines period of inactivity (seconds) after which persistent connections must be re-validated prior to being leased to the consumer.

Number

10

ocsp.timeToLive

Defines the total span of time (seconds) connections can be kept alive or execute requests.

Number

60

ocsp.maxTotalConnections

Defines the maximum number of connections that can be open simultaneously.

Number

30

ocsp.maxTotalConnectionsPerRoute

Defines the maximum number of connections per route in the connection pool.

Number

15

Example: validation.OCSPValidationFilter

Code Block
[filter.OcspValidator]
class=com.nexussafe.nano.filters.validation.OcspValidationFilter
ocsp.truststore=default store
ocsp.compareNonce=true
ocsp.signRequest=true
ocsp.signer.password=1234
ocsp.signer.store=${ServiceDir}/keys/OCSP.p12
ocsp.signer.store.pin=1234
ocsp.responder.1.url=http://localhost:8080/basic

validation.RevocationValidationFilter

This filter is optional.

Validates certificates against revocation using OCSP, CRLs or a combination. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.

Parameter

Description

Possible values

Default value

validator.type

The validator type to use. first and roundrobin takes a list of validators to delegate to.

first, roundrobin, ocsp, crl

-

validator.validator.<N>.type

If validator.type=first. Will try the validators in this list in order until a definite answer is received. If validator.type=roundrobin. Will query the validators in a round robin fashion.

ocsp, crl

-

validator.validator.<N>.<param>

See the CrlValidationFilter or the ocsp parameter for the OcspValidationFilter (depending on type) for a specification of <param>s.

-

-

Example: validation.RevocationValidationFilter

Code Block
[filter.RevocationValidation]
class=com.nexussafe.nano.filters.validation.RevocationValidationFilter
validator.type=first
validator.validator.1.type=ocsp
validator.validator.1.signer.store=${ServiceDir}/keys/OCSP.p12
validator.validator.1.signer.store.pin=1234
validator.validator.1.signer.password=1234
validator.validator.1.responder.1.url=http://my.responder.com/...
validator.validator.1.truststore=default store
validator.validator.2.type=crl
validator.validator.2.cache.directory=${ServiceDir}/crls
validator.validator.2.cache.truststore=default store
validator.validator.2.cache.provider.1.type=pull
validator.validator.2.cache.provider.1.fetcher.1.url=ldap://...