Access control and billing

This article describes how to set up access control and billing in Nexus OCSP Responder. Access control and billing can be derived either from TLS client authentication or from the signature on the requests.

Access control is performed in two steps, authentication and authorization:

For authentication, the requestor must provide a signature by a trusted certificate or an authenticated TLS session to the Nexus OCSP Responder.
1. To require OCSP requests to be signed, specify as follows in the Nexus OCSP Responder configuration file:
  responder.<r#>.incoming.signature.required=true
2. To require client authentication during the TLS handshake, configure the responder to use HTTPS and add the following specification:
responder.<r#>.ssl.clientauth=true
To authorize requests to the Nexus OCSP Responder, configure a name matching filter (a) or trust store verification (b).
1. To use a name matching filter, specify as follows in the Nexus OCSP Responder configuration file:
  responder.<r#>.incoming.authorization=bynamematch
  followed by the required table of rules.
2. For trust store verification, use:
  Replace <r#> with the responder sequence number.

If client authentication is required and the requestor certificate (or the issuer) is revoked, access will be denied. The client certificate must chain to the trust store.

For more information, see Specify limitations on incoming requests in OCSP responder section.

To perform billing, Nexus OCSP Responder requires the following to be fulfilled:

Sign the client request (a) or use TLS client authentication (b):
1. To sign the client request, specify as follows in the Nexus OCSP Responder configuration file:
2. Or, as an alternative, configure the Nexus OCSP Responder to require TLS client authentication:
Enable billing, specify as follows in the Nexus OCSP Responder configuration file:
Replace <r#> with the responder sequence number.

For the syntax of available configuration parameters, see OCSP responder section, heading "Specify billing information".

Nexus OCSP Responder writes messages to the log file, classified as "billing". Every message will contain the following:

The URL to which the client has connected (that is, which OCSP responder is acting).
The IP address of the requesting client.
If available, the requestor name from the client certificate. Either the name from the certificate that signed the OCSP request, or the name from the TLS client certificate.

An OCSP request may include one or more single requests, each one asking for information about a certificate.

To count the number of OCSP requests, specify the following in the Nexus OCSP Responder configuration file:

Specify in the configuration file:
1. The number of certificate requests included in the client request, will be added to the log message.
2. Replace <r#> with the responder sequence number.

To count every requested certificate, specify:

Specify in the configuration file:
1. The issuer and the serial number for every included certificate request will be added to the log message.
2. Replace <r#> with the responder sequence number.

By default, certificates that get the response "unknown" are excluded from percert logging. To also log such certificates, specify:

Specify in the configuration file:
1. Replace <r#> with the responder sequence number.

External tools can be used to summarize the logs