Forum Discussion
bigipjr28_13978
Nimbostratus
NimbostratusOCSP health monitor
Hey Guys,
Sort of in a time crunch. I am looking for a way to create a health monitor the would monitor OCSP request instead of http/https. I've seen/read somewhere on the forums that is could be by an external script ? but not sure how that would be done.
I have a pool of OCSP validators which work for http health monitor but that's not what our sec team is looking to get monitored.
Any help is appreciated.
Thanks
Try 'openssl ocsp' (man ocsp). This is a full-fledged OCSP validator and responder. Once you get it working from the command line, adapt the commands for use as an external monitor. Keep in mind that external monitors are expensive (they fork new processes) and should be used sparingly.
bigipjr28_13978Thanks again. As of now to two ocsp nodes are on the gtm as a server object. With a wideip name that has the pool of nodes on the gtm. Would this work on the gtm ? I upload the the certs that are being used against the argurments as well as the external monitor. Here is what my external script looks like on the GTM: !/bin/bash cmd for ocsp responder openssl ocsp -url http://ocsp.staging.com -VAfile prodsigner.pem -issuer cetmanager.pem -cert good.pem Response verify OK exit 0 Thanks again- Assuming they operate in a fashion similar to bigip external monitors, _any_ output indicates the monitor succeeded. Silence indicates failure. I suspect you'll need a "| grep 'Response verify OK'" to accomplish this.
- bigipjr28_13978
great thanks for your reply..In order to implement this I am going to have to use an external monitor. Would anyone one know how to use add or mimick the recieve string in a script is looking for an HTTP 1.1 200 OK as a response ?
- bigipjr28_13978The setup for the ocsp nodes is that we have them as server objects on the GTM devices. I have imported certificates to run again the openssl ocsp command but the command still fails ? Is it possible to use the certificates on the GTMS ?. Do you have to use the full path to where there certificates resides /config/filestore/files_d/
- bigipjr28_13978The health monitor I should add *
Jer-OCirrus
bigipjr28, did you ever get a reply to your last question?