- Created by Ann Base on Jan 30, 2020
Nexus OCSP Responder can work in an environment that includes a built-in system monitor – a supervisor. This article describes how to specify a Nexus OCSP Responder agent that sends signals to and receives signals from the supervisor. This is done in the "System management" section of the Nexus OCSP Responder configuration file.
In the OCSP configuration file, specify the agent as follows:
agent.supervisor.host=<host>
agent.supervisor.port=<port>
agent.supervisor.connect=[true|false]
See this table for a description of constants and values:

| Constants and Values | Description |
|---|---|
| <host> | Replace <host> with the name of the supervisor host. Default: localhost |
| <port> | Replace <port> with the number of the port the agent should listen to. Default: 9099 |
| true \| false | Enter true to connect, or false not to connect, Nexus OCSP Responder to the supervisor. Default: false |
Locally, the agent listens to all log messages. You can separate different logging items into different output units.
In the OCSP configuration file, specify a type for each logging item as follows:
agent.log.<#>.type=[file|stderr|syslog]
See this table for a description of constants and values:

| Constants and Values | Description |
|---|---|
| <#> | Replace <#> with the log sequence number. |
| file \| stderr \| syslog | Enter file to let all logging items be written to a file; you then have to add further specifications, see below. Enter stderr to let all logging items be written to stderr; if Nexus OCSP Responder is started in a terminal window, the logging items are displayed in this window, but if it is started as a Windows service anything written to stderr is lost. Enter syslog to let all logging items be written to syslog; it is possible for Windows to log to syslog on a remote UNIX host, provided remote syslog logging is enabled on the syslog host. |
For each agent log with ...type=file, specify the following:

agent.log.<#>.prefix=<directory>/<filename>
agent.log.<#>.period=<time expr>

See this table for a description of constants and values:

| Constants and Values | Description |
|---|---|
| <#> | Replace <#> with the log sequence number. |
| <directory> | Replace <directory> with the directory path to the log file. |
| <filename> | Replace <filename> with the name of the log file. This name is concatenated with a timestamp and gets the extension log, so the timestamp shows when the log file was created. Example: audit-010405-175936.log |
| <time expr> | Replace <time expr> with a time period expression (short form), specified according to ISO 8601 Representation of dates and times (see also section “Specify OCSP Client Request” in the Back end client section). After this amount of time, the logger creates a new file. Default: P1D |

Example:

agent.log.1.prefix=log/oper
agent.log.1.period=P1W

This creates the file <installdir>/log/oper-YYMMDD-HHMMSS.log, and a new file is created each week.
For each agent log with ...type=syslog, specify the following:

agent.log.<#>.host=<host>
agent.log.<#>.port=<port>
agent.log.<#>.facility=<facility>

See this table for a description of constants and values:

| Constants and Values | Description |
|---|---|
| <#> | Replace <#> with the log sequence number. |
| <host> | Replace <host> with the name of the syslog host. Default: localhost |
| <port> | Replace <port> with the port to use on the syslog host. Default: 514 |
| <facility> | Replace <facility> with the syslog facility to be used for the Nexus OCSP Responder logging. Default: local7 |
You can apply filters to the logging items to further fine tune the output.
To set up a filter for any log type, specify as follows in the OCSP configuration file:
agent.log.<#>.filter=<log msg properties>
See this table for a description of constants and values:

| Constants and Values | Description |
|---|---|
| <#> | Replace <#> with the log sequence number. |
| <log msg properties> | Replace <log msg properties> with the properties (that is, class and severity) that specify a filter for the log messages, as described in Log messages and log filters. Use the operators & (And), \| (Or) and ! (Not) to combine the conditions. |
Examples:

agent.log.1.filter=class=oper & severity>3

To filter out all requests that concern non-issued certificates, create a filter like this:

agent.log.2.type=file
agent.log.2.prefix=log/ocsp-warnings
agent.log.2.filter=class=oper & severity=3

This writes only the warnings (severity 3) generated for the oper class of messages to this log. Any log scraper with search capabilities can then parse that log for the message NON-ISSUED CERTIFICATE DETECTED and alert accordingly.
The parsing can also be done on all log files without any filter.
The Nexus OCSP Responder supports three different audit logs, see Log messages and log filters. To filter out and split the different audit logs into different log files, specify as follows in the OCSP configuration file:

agent.log.3.type=file
agent.log.3.prefix=log/audit-pkiStateAltered
agent.log.3.filter=class=audit.pkiStateAltered
agent.log.4.type=file
agent.log.4.prefix=log/audit-incoming-outgoing
agent.log.4.filter=class=audit.ocspQuery | class="audit".ocspResponse

If you only specify "audit" inside the class parameter, the filter matches all audit log classes (that is, audit.pkiStateAltered, audit.ocspQuery and audit.ocspResponse).
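The following evaluator, added here as an illustration and not part of Nexus OCSP Responder, shows how the filter expressions above select messages. It assumes the semantics this article describes (class matches exactly or by dotted prefix, severity compares numerically) plus one assumption the article does not state: & binds tighter than |. The log records are constructed samples.

```python
import re

# Constructed sample records carrying the properties the filters refer to;
# not real Nexus OCSP Responder output.
SAMPLE_RECORDS = [
    {"class": "oper", "severity": 3, "message": "NON-ISSUED CERTIFICATE DETECTED"},
    {"class": "oper", "severity": 5, "message": "responder started"},
    {"class": "audit.pkiStateAltered", "severity": 4, "message": "CRL updated"},
    {"class": "audit.ocspQuery", "severity": 5, "message": "query received"},
    {"class": "audit.ocspResponse", "severity": 5, "message": "response sent"},
]

# One condition: optional '!' (Not), property, operator, value.
_COND = re.compile(r"^(!?)\s*(\w+)\s*(=|>|<)\s*([\w.]+)$")


def match_condition(cond, record):
    """Evaluate one condition such as class=oper, severity>3 or !class=audit.
    Assumption (from the article): class=audit also covers audit.pkiStateAltered
    etc., i.e. a class value matches on equality or dotted prefix. Quotes, as in
    class="audit".ocspResponse, are ignored."""
    m = _COND.match(cond.replace('"', "").strip())
    if not m:
        raise ValueError("bad filter condition: %r" % cond)
    negate, prop, op, value = m.groups()
    actual = record.get(prop)
    if prop == "severity":
        actual, value = int(actual), int(value)
        result = {"=": actual == value, ">": actual > value, "<": actual < value}[op]
    else:
        actual = str(actual)
        result = actual == value or actual.startswith(value + ".")
    return (not result) if negate else result


def matches_filter(expr, record):
    """Evaluate a whole filter expression. Assumption: & binds tighter than |,
    so 'a | b & c' reads as 'a | (b & c)'."""
    return any(all(match_condition(c, record) for c in alt.split("&"))
               for alt in expr.split("|"))


def apply_filter(expr, records=SAMPLE_RECORDS):
    """Return the messages an agent configured with this filter would write."""
    return [r["message"] for r in records if matches_filter(expr, r)]
```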
You can configure which fields should be displayed by a logger agent. In the OCSP configuration file, specify as follows:

agent.log.<#>.format.fields={<field>} {<field>} ... {<field>}

See this table for a description of constants and values:

| Constants and Values | Description |
|---|---|
| <#> | Replace <#> with the log sequence number. |
| <field> | Replace <field> with the name of a log message field, for example date. |
You can also manipulate how a field behaves when used by the logger agent, for example its offset and length. To do this:
- Specify integers on defined positions, separated by commas after a colon inside the curly brackets, such as {field:width,offset,length:novalue}, where:
  - field: [string] the field name, for example date
  - width: [integer] minimum width, default 1 or the specified length
  - offset: [integer] offset from the start, or offset from the end if negative, default 0
  - length: [integer] maximum length, default unlimited (0)
  - novalue: [string] replacement string if no value exists for the provided field (default is ' - ')
- To insert a line break after a field, use the keyword %s.
Example:
agent.log.1.format.fields={date} {class} {transactionId:5,,28:{thread}} {message} %s
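As an added illustration (not Nexus OCSP Responder code), the formatter below applies a format.fields value such as the example above to a constructed log record, following the width, offset, length and novalue rules listed above. It assumes, beyond what the article states, that a novalue written as {thread} substitutes that other field's value, and that width pads with spaces on the right.

```python
import re

# Constructed sample record; a real record carries more fields than shown here.
SAMPLE_RECORD = {
    "date": "2020/01/30:12:00:00.000",
    "class": "oper",
    "severity": "3",
    "transactionId": "0123456789abcdef0123456789abcdef01234567",
    "thread": "worker-1",
    "message": "NON-ISSUED CERTIFICATE DETECTED",
}

# {field}, {field:width,offset,length} or {field:width,offset,length:novalue},
# where novalue may itself be a {field} reference.
_SPEC = re.compile(r"\{(\w+)(?::([^:{}]*))?(?::(\{\w+\}|[^{}]*))?\}")


def render_field(record, name, numbers, novalue):
    """Render one field specifier according to the rules in the article:
    width = minimum width (assumption: padded with spaces on the right),
    offset = start index, counted from the end if negative,
    length = maximum length, 0 meaning unlimited,
    novalue = text used when the field is absent (default ' - ')."""
    width, offset, length = 1, 0, 0
    if numbers:
        vals = [int(p.strip()) if p.strip() else None for p in numbers.split(",")]
        vals += [None, None, None]
        width = vals[0] if vals[0] is not None else width
        offset = vals[1] if vals[1] is not None else offset
        length = vals[2] if vals[2] is not None else length
    value = record.get(name)
    if value is None:
        if novalue is not None and novalue.startswith("{"):
            # Assumption: {other} as novalue falls back to another field.
            value = record.get(novalue[1:-1], " - ")
        else:
            value = novalue if novalue is not None else " - "
    value = str(value)[offset:]
    if length:
        value = value[:length]
    return value.ljust(width)


def format_record(fields_spec, record=SAMPLE_RECORD):
    """Apply an agent.log.<#>.format.fields value to a record; %s becomes a line break."""
    out = _SPEC.sub(lambda m: render_field(record, m.group(1), m.group(2), m.group(3)), fields_spec)
    return out.replace("%s", "\n")
```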
Set the loggerdef parameter to define default global configurations for all agent loggers configured in your system. This is useful if you want to specify filters or a field format that should apply globally across all agents. If a logger agent specifies the same parameter with another setting, the global setting is overridden for that agent.
Example:
;; Global settings
agent.log.loggerdef.encoding=ISO-8859-1
agent.log.loggerdef.format.date=[yyyy/MM/dd:HH:mm:ss.SSS]
agent.log.loggerdef.filedate=yyMMdd
agent.log.loggerdef.offset=T0H
agent.log.loggerdef.period=P1D
agent.log.loggerdef.format.fields={date} {class} {transactionid:5,,28} {message}
agent.log.loggerdef.filter=!class=audit

;; Ocsp log (no audit log)
agent.log.1.type=file
agent.log.1.prefix=log/ocsp

;; Audit log for crl/cil updates
agent.log.2.type=file
agent.log.2.prefix=log/audit
agent.log.2.filter.class=audit.pkiStateAltered

;; Audit log for query and responses
agent.log.3.type=file
agent.log.3.prefix=log/audit-incoming-outgoing
agent.log.3.filter=class=audit.ocspQuery | class="audit".ocspResponse
agent.log.3.format.fields={date} {class} {severity} {transactionid} {message} %s