Forum Discussion
OCSP health monitor
Hey Guys,
Sort of in a time crunch. I am looking for a way to create a health monitor the would monitor OCSP request instead of http/https. I've seen/read somewhere on the forums that is could be by an external script ? but not sure how that would be done.
I have a pool of OCSP validators which work for http health monitor but that's not what our sec team is looking to get monitored.
Any help is appreciated.
Thanks
- Jer-OCirrus
bigipjr28, did you ever get a reply to your last question?
- bigipjr28_13978NimbostratusThe health monitor I should add *
- bigipjr28_13978NimbostratusThe setup for the ocsp nodes is that we have them as server objects on the GTM devices. I have imported certificates to run again the openssl ocsp command but the command still fails ? Is it possible to use the certificates on the GTMS ?. Do you have to use the full path to where there certificates resides /config/filestore/files_d/
- bigipjr28_13978Nimbostratus
great thanks for your reply..In order to implement this I am going to have to use an external monitor. Would anyone one know how to use add or mimick the recieve string in a script is looking for an HTTP 1.1 200 OK as a response ?
- Ian_Mahuron_383Historic F5 Account
Try 'openssl ocsp' (man ocsp). This is a full-fledged OCSP validator and responder. Once you get it working from the command line, adapt the commands for use as an external monitor. Keep in mind that external monitors are expensive (they fork new processes) and should be used sparingly.
- Ian_Mahuron_383Historic F5 AccountAssuming they operate in a fashion similar to bigip external monitors, _any_ output indicates the monitor succeeded. Silence indicates failure. I suspect you'll need a "| grep 'Response verify OK'" to accomplish this.
- bigipjr28_13978NimbostratusThanks again. As of now to two ocsp nodes are on the gtm as a server object. With a wideip name that has the pool of nodes on the gtm. Would this work on the gtm ? I upload the the certs that are being used against the argurments as well as the external monitor. Here is what my external script looks like on the GTM: !/bin/bash cmd for ocsp responder openssl ocsp -url http://ocsp.staging.com -VAfile prodsigner.pem -issuer cetmanager.pem -cert good.pem Response verify OK exit 0 Thanks again
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com