Features & Benefits
CRL Monitor can poll for CRLs from HTTP/S and LDAP/S locations based on configured validation policies on a per-CA basis. It has been implemented fully in Java EE for multi-platform support, performance and high availability. The following highlights just some of its main features.
You can select which members of the operations and management teams receive which error reports and summary reports either by email or SMS. CRL Monitor provides a wide range of CRL-related events which can be monitored.
Ascertia CRL Monitor provides an automated test service that enables an administrator to easily detect CRL publishing failures or irregularities. It is a must-have product for any organisation providing PKI services. With CRL Monitor, you can identify issues and fix unexpected conditions before your users report them to you!
CRL Monitor maintains logs on all CRL operations completed so that detailed reports can be produced for specific dates. CRL Monitor also provides CRL retrieval statistics in tabular and graphical formats. The contents of any retrieved CRL can be easily viewed in tabular form, sorted and searched.
CRL Monitor runs continuously and can operate in a high availability configuration using multiple CRL Monitor instances. When used like this, if the current master CRL Monitor instance fails, the next available slave instance automatically assumes control and continues to retrieve and check the defined CRLs, ensuring that CRL monitoring is not affected by a single point of failure.
It is often necessary to keep an archive of all the CRLs that have been issued, either for historical digital signature verification or to resolve disputes that may arise in future.
CRL Monitor not only keeps an archived copy of each CRL it retrieves but also provides management and searching capability over the entire CRL dataset. This simply and easily allows administrators to determine within which CRL a particular certificate was first identified as revoked.
All production CRLs can be checked to verify their integrity and availability, i.e. that there is no file corruption either through a publishing failure or an operational/network issue or even an attack on the core trust services.
CRL Monitor can be configured to generate alerts when a wide variety of events occur, including:
Reports can be created from the CRL Monitor log viewer to provide evidence of SLA performance.
CRL Monitor provides immediate real-time feedback on CRL issues as they arise. Where PKI services are used it is often assumed that they are functioning correctly and will continue to do so – this is often not the case. Use CRL Monitor to check for expected and unexpected behaviors.
CRL Monitor tests the status of a CRL publishing service by downloading and checking the CRLs at predefined intervals. It can check that CRLs are updated as expected before their expiry date, giving service providers valuable hours in which to act to avoid trust issues. This is the only fully effective way to ensure a PKI is operating as it should. Multiple CAs can be monitored using specific CRL polling and validation policy settings.
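The download-and-check step described above can be sketched as follows. This is an added example, not Ascertia's code: it uses the Python `cryptography` package, and the `check_crl` function, its status names, the 6-hour warning window and the throwaway test CA are all assumptions constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc

def _next_update(crl):
    # cryptography >= 42 exposes timezone-aware *_utc properties; older versions are naive UTC.
    if hasattr(crl, "next_update_utc"):
        return crl.next_update_utc
    nu = crl.next_update
    return nu.replace(tzinfo=UTC) if nu else None

def check_crl(der, issuer_key, now, warn_before=dt.timedelta(hours=6)):
    """Classify one downloaded CRL (hypothetical status names)."""
    try:
        crl = x509.load_der_x509_crl(der)
    except ValueError:
        return "CORRUPT"            # truncated or damaged download
    if not crl.is_signature_valid(issuer_key):
        return "BAD_SIGNATURE"      # bytes changed after the CA signed them
    nxt = _next_update(crl)
    if nxt is None:
        return "NO_NEXT_UPDATE"     # nextUpdate is OPTIONAL in the ASN.1; freshness unknown
    if now >= nxt:
        return "EXPIRED"            # relying parties will already reject this CRL
    if nxt - now <= warn_before:
        return "NOT_RENEWED"        # a successor CRL should have been published by now
    return "OK"

def make_sample_crl(this_update, next_update):
    """Constructed test data: a throwaway CA key and an empty CRL signed by it."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(name).last_update(this_update).next_update(next_update)
           .sign(private_key=key, algorithm=hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.DER), key.public_key()

if __name__ == "__main__":
    t0 = dt.datetime(2024, 1, 1, tzinfo=UTC)
    der, pub = make_sample_crl(t0, t0 + dt.timedelta(days=7))
    for hours in (24, 164, 200):    # hours after thisUpdate
        now = t0 + dt.timedelta(hours=hours)
        print(now.isoformat(), check_crl(der, pub, now))
```

The `NOT_RENEWED` state is the one that buys the "valuable hours" mentioned above: the CRL is still valid, but the CA has not replaced it within the expected window.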
CRL Monitor allows valid CRLs that it has downloaded to be re-published in a location where other systems and users can access them. This may be at a central location or a remote location. Used locally this enables remote systems to minimise network bandwidth and ensure maximum availability.
For high availability PKI environments, CRL Monitor can be configured to check multiple CRL distribution points (LDAP or HTTP) for each CA, allowing it to ensure all alternate back-up locations are also operating as expected.
CRL Monitor is a standard J2EE application and is supported on Windows, Linux (RHEL, CentOS, SUSE) and Solaris (x86 and SPARC). Other UNIX flavours can also be supported upon request.
All CRL Monitor configurations and transaction logs are stored within a DBMS; however, because of our use of Hibernate® technology, it is DBMS independent. We support SQL Server, Oracle, MySQL and PostgreSQL.
CRL Monitor relies completely on open PKI standards so it can work with any CA and indirect CRL issuer. We have taken away all the complexities of interoperability!
ADSS Server is feature rich to minimise time for operators. Features ranging from the simple installation wizard to auto-integrity checking and auto-archiving help to ensure the system runs without daily operator involvement. Further, the detailed transaction logs and request/response viewers reduce support desk time in resolving operational issues.
ADSS Server operators are authenticated using certificates over mutually authenticated TLS/SSL sessions. The operator’s private key and certificates can be on a hardware token for strong multi-factor authentication. ADSS Server performs full certificate validation, including revocation checking, before allowing operators to log in to the console.
A role-based access control system is provided with fine granularity. New operator roles can be defined and assigned read, write, edit and delete capability for each low-level module. Unavailable modules are hidden from view.
Dual control is where an operator’s actions are queued for a Security Officer role-holder to review and then approve or reject the action. ADSS Server implements dual control in a flexible and practical way, i.e. the dual control feature can be applied either to the complete system or selectively to the functionality which is most security sensitive (e.g. key generation, policy change etc.).
Cryptographic tamper-resistant logs are provided for service transactions (request/responses), all operator activity and system generated events. Advanced searching and filtering of log records (e.g. on date range) is possible to easily locate specific records.
All ADSS Server configurations and settings in the database are also cryptographically protected to prevent record modification, deletion or re-ordering.
Automated system integrity checking is available which can verify the entire system records for authenticity at pre-defined intervals or whenever required. A detailed report is produced of any errors.
Support for strong cryptographic algorithms is provided, including the SHA-2 family (SHA-256, SHA-384, SHA-512) and ECDSA and RSA key lengths up to 4096-bit.
The DB log records can be trimmed automatically to avoid space issues. The created Archive Log files are digitally signed for long-term preservation before being stored at the specified disk location(s). The archived files can later be imported, verified and inspected.
ADSS Server comes with an optional NTP monitor which can check system time against one or more configured NTP time servers to detect machine time shifts. Multiple clock drift threshold settings allow operator alerting and ultimately stopping all trust services.