Forum Discussion
bigipjr28_13978
Oct 14, 2014 | Nimbostratus
OCSP health monitor
Hey Guys,
Sort of in a time crunch. I am looking for a way to create a health monitor that would monitor OCSP requests instead of http/https. I've seen/read somewhere on the forums that it could b...
Ian_Mahuron_383
Oct 15, 2014 | Historic F5 Account
Try 'openssl ocsp' (man ocsp). This is a full-fledged OCSP validator and responder. Once you get it working from the command line, adapt the commands for use as an external monitor. Keep in mind that external monitors are expensive (they fork new processes) and should be used sparingly.
- bigipjr28_13978 | Nov 05, 2014 | Nimbostratus
  Thanks again. As of now the two ocsp nodes are on the gtm as a server object. With a wideip name that has the pool of nodes on the gtm. Would this work on the gtm? I uploaded the certs that are being used against the arguments as well as the external monitor. Here is what my external script looks like on the GTM:

      #!/bin/bash
      # cmd for ocsp responder
      openssl ocsp -url http://ocsp.staging.com -VAfile prodsigner.pem -issuer cetmanager.pem -cert good.pem
      # Response verify OK
      exit 0

  Thanks again
- Ian_Mahuron_383 | Nov 05, 2014 | Historic F5 Account
  Assuming they operate in a fashion similar to bigip external monitors, _any_ output indicates the monitor succeeded. Silence indicates failure. I suspect you'll need a "| grep 'Response verify OK'" to accomplish this.
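
An added example, not part of the thread and not F5 or OpenSSL project code: an external-monitor script that follows the output-means-up convention described above and stays silent unless the OCSP response both verifies and reports the certificate as good. It assumes the framework passes the node address and port as `$1` and `$2`; `CERT_DIR` is a hypothetical path and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the monitor framework passes
# the node address as $1 and the port as $2, and treats any output as "up" and
# silence as "down". CERT_DIR is a hypothetical path; file names are the thread's.
CERT_DIR="${CERT_DIR:-/config/monitors/ocsp}"

# Constructed samples of `openssl ocsp` output, for offline checking.
SAMPLE_GOOD='Response verify OK
good.pem: good
	This Update: Oct 14 00:00:00 2014 GMT'
SAMPLE_REVOKED='Response verify OK
good.pem: revoked'
SAMPLE_BADSIG='Response Verify Failure
good.pem: good'

# ocsp_response_ok TEXT CERT_NAME
# Succeeds only if the response signature verified AND the certificate status
# is "good". Whole-line fixed-string matches avoid being fooled by substrings,
# and the decision does not rest on the exit status of openssl alone.
ocsp_response_ok() {
    printf '%s\n' "$1" | grep -Fxq 'Response verify OK' || return 1
    printf '%s\n' "$1" | grep -Fxq "$2: good" || return 1
}

# run_ocsp_query URL: print stdout and stderr together so the verify line is
# captured whichever stream it is written to.
run_ocsp_query() {
    openssl ocsp -url "$1" -timeout 5 \
        -VAfile "$CERT_DIR/prodsigner.pem" \
        -issuer "$CERT_DIR/cetmanager.pem" \
        -cert "$CERT_DIR/good.pem" 2>&1
}

# Monitor entry point: runs only when the framework supplies address and port.
if [ "$#" -ge 2 ]; then
    node=${1#::ffff:}   # strip an IPv4-mapped IPv6 prefix if present
    out=$(run_ocsp_query "http://$node:$2") || true
    if ocsp_response_ok "$out" "$CERT_DIR/good.pem"; then
        echo "UP"       # the only output; every failure path stays silent
    fi
    exit 0
fi
```

The certificate name passed to `ocsp_response_ok` must match the `-cert` argument exactly, because that is the label openssl prints in front of the status.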