OCSP Audit Events
OCSP audit events are configured in the log.instance.SignedAudit.events property.
When the PKI server starts, the OCSP subsystem generates a signing info event that records which key is used for OCSP signing.
The OCSP_SIGNING_INFO event identifies the key used to sign OCSP responses; its SKI attribute is the subject key identifier of that key.
[AuditEvent=OCSP_SIGNING_INFO][SubjectID=$System$][Outcome=Success][SKI=B4:D3:3D:4A:94:D7:A8:AD:65:E2:2B:F1:C5:49:EF:7B:2B:D5:62:93] OCSP signing info
An OCSP_ADD_CA_REQUEST event is generated when an attempt is made to add a CA to the OCSP Responder.
An OCSP_ADD_CA_REQUEST_PROCESSED event is generated when that add CA request has been processed by the OCSP Responder.
For example, in the OCSP Web UI click '''Add Certificate Authority''', enter the CA certificate, then click '''Add'''. The server generates the following logs:
[AuditEvent=OCSP_ADD_CA_REQUEST][SubjectID=ocspadmin][Outcome=Success][CA=MIID...S6I=] request to add a CA for OCSP Responder
[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED][SubjectID=ocspadmin][Outcome=Success][CASubjectDN=CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE] Add CA for OCSP Responder
An OCSP_REMOVE_CA_REQUEST event is generated when an attempt is made to remove a CA from the OCSP Responder.
An OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS event is generated when a remove CA request to the OCSP Responder is processed successfully.
An OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE event is generated when a remove CA request to the OCSP Responder is processed and fails.
For example, in the OCSP Web UI click '''List Certificate Authorities''', click '''Remove CA''', then click '''OK'''. The server generates the following logs:
[AuditEvent=OCSP_REMOVE_CA_REQUEST][SubjectID=ocspadmin][Outcome=Success][CASubjectDN=CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE] request to remove a CA from OCSP Responder
[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS][SubjectID=ocspadmin][Outcome=Success][CASubjectDN=CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE] Remove CA for OCSP Responder is successful
In PKI 10.5 the OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS and OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE events were merged into a single OCSP_REMOVE_CA_REQUEST_PROCESSED event, whose Outcome attribute carries the result.
Since version 10.5 an OCSP_GENERATION event is generated for each OCSP response produced by the OCSP subsystem.
For example, use the OCSPClient to submit an OCSP request:
$ OCSPClient \
    -d ~/.dogtag/pki-tomcat/ca/alias \
    -h $HOSTNAME \
    -p 8080 \
    -t /ocsp/ee/ocsp \
    -c ca_signing \
    --serial 1
CertID.serialNumber=1
CertStatus=Good
Once the OCSP response has been generated, the server logs:
[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Success] OCSP response generation
If OCSP response generation fails, the server logs Outcome=Failure together with the reason:
[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureReason=<reason>] OCSP response generation
For example, if the CA has not published its CRL to the responder, the following log is generated (the responder cannot state a status without CRL data):
[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureReason=Missing CRL data] OCSP response generation
See also OCSP_GENERATION in CA Audit Events.
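The records above all share one layout: a run of bracketed Name=value attributes followed by a free-text message. The script below is an added example, not part of this wiki or of the PKI code base. It parses records in that layout and applies the three checks an operator would most want from the events on this page: a change in the OCSP signing key's SKI between OCSP_SIGNING_INFO records, successfully processed CA removals (who removed which CA), and OCSP_GENERATION failures grouped by FailureReason. The sample log is constructed from the lines shown on this page plus a second OCSP_SIGNING_INFO record with a made-up SKI, added only to exercise the key-change check. The function names, and the choice to ignore anything before the first [AuditEvent= so that a server-side timestamp or thread prefix does not matter, are the example's own assumptions.

```python
import re
from collections import Counter

# Attributes are a run of [Name=value] groups from the start of the record;
# the free-text message follows the last group. A value runs to the next ']',
# so a DN such as CN=...,OU=...,O=... (which contains '=' and ',') stays intact.
ATTR_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")

# Constructed sample modelled on the records documented on this page; the
# last line (a second OCSP_SIGNING_INFO with a different SKI) is invented
# purely to trigger the signing-key-change check.
SAMPLE_LOG = """\
[AuditEvent=OCSP_SIGNING_INFO][SubjectID=$System$][Outcome=Success][SKI=B4:D3:3D:4A:94:D7:A8:AD:65:E2:2B:F1:C5:49:EF:7B:2B:D5:62:93] OCSP signing info
[AuditEvent=OCSP_ADD_CA_REQUEST][SubjectID=ocspadmin][Outcome=Success][CA=MIID...S6I=] request to add a CA for OCSP Responder
[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED][SubjectID=ocspadmin][Outcome=Success][CASubjectDN=CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE] Add CA for OCSP Responder
[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Success] OCSP response generation
[AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureReason=Missing CRL data] OCSP response generation
[AuditEvent=OCSP_REMOVE_CA_REQUEST][SubjectID=ocspadmin][Outcome=Success][CASubjectDN=CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE] request to remove a CA from OCSP Responder
[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED][SubjectID=ocspadmin][Outcome=Success][CASubjectDN=CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE] Remove CA for OCSP Responder
[AuditEvent=OCSP_SIGNING_INFO][SubjectID=$System$][Outcome=Success][SKI=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33] OCSP signing info
"""


def parse_event(line):
    """Parse one audit record into a dict of attributes plus 'Message'.

    Anything before the first '[AuditEvent=' (assumed to be a timestamp or
    thread prefix, if present) is ignored. Returns None for non-audit lines.
    """
    start = line.find("[AuditEvent=")
    if start < 0:
        return None
    record = line[start:]
    attrs = {}
    pos = 0
    for m in ATTR_RE.finditer(record):
        if m.start() != pos:  # attribute groups must be contiguous
            break
        attrs[m.group(1)] = m.group(2)
        pos = m.end()
    attrs["Message"] = record[pos:].strip()
    return attrs


def parse_log(text):
    """Parse a whole log, skipping lines that are not audit records."""
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev is not None]


def review(events):
    """Return the findings an operator should look at.

    signing_key_changes: (old SKI, new SKI) pairs; expected after a key
        rollover, otherwise worth a question.
    ca_removals: (SubjectID, CASubjectDN) of successfully processed removals;
        this responder no longer answers for a removed CA.
    generation_failures: OCSP_GENERATION failures counted by FailureReason.
    """
    findings = {
        "signing_key_changes": [],
        "ca_removals": [],
        "generation_failures": Counter(),
    }
    last_ski = None
    for ev in events:
        name = ev.get("AuditEvent", "")
        outcome = ev.get("Outcome")
        if name == "OCSP_SIGNING_INFO":
            ski = ev.get("SKI")
            if last_ski is not None and ski != last_ski:
                findings["signing_key_changes"].append((last_ski, ski))
            last_ski = ski
        elif name.startswith("OCSP_REMOVE_CA_REQUEST_PROCESSED"):
            # Covers the pre-10.5 _SUCCESS/_FAILURE names and the merged
            # 10.5 OCSP_REMOVE_CA_REQUEST_PROCESSED event alike.
            if outcome == "Success":
                findings["ca_removals"].append((ev.get("SubjectID"), ev.get("CASubjectDN")))
        elif name == "OCSP_GENERATION" and outcome == "Failure":
            findings["generation_failures"][ev.get("FailureReason", "<unspecified>")] += 1
    return findings


if __name__ == "__main__":
    for key, value in review(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A steady stream of OCSP_GENERATION failures with Missing CRL data means the responder is not answering at all, which is an availability problem for every relying party that checks revocation against it; a CA removal or a signing-key change that nobody scheduled is the kind of record the signed audit log exists to surface.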