Forum Discussion

bigipjr28_13978's avatar
bigipjr28_13978
Icon for Nimbostratus rankNimbostratus
Oct 14, 2014

OCSP health monitor

Hey Guys,

 

Sort of in a time crunch. I am looking for a way to create a health monitor the would monitor OCSP request instead of http/https. I've seen/read somewhere on the forums that is could be by an external script ? but not sure how that would be done.

 

I have a pool of OCSP validators which work for http health monitor but that's not what our sec team is looking to get monitored.

 

Any help is appreciated.

 

Thanks

 

  • bigipjr28, did you ever get a reply to your last question?

     

  • The setup for the ocsp nodes is that we have them as server objects on the GTM devices. I have imported certificates to run again the openssl ocsp command but the command still fails ? Is it possible to use the certificates on the GTMS ?. Do you have to use the full path to where there certificates resides /config/filestore/files_d/
  • great thanks for your reply..In order to implement this I am going to have to use an external monitor. Would anyone one know how to use add or mimick the recieve string in a script is looking for an HTTP 1.1 200 OK as a response ?

     

  • Ian_Mahuron_383's avatar
    Ian_Mahuron_383
    Historic F5 Account

    Try 'openssl ocsp' (man ocsp). This is a full-fledged OCSP validator and responder. Once you get it working from the command line, adapt the commands for use as an external monitor. Keep in mind that external monitors are expensive (they fork new processes) and should be used sparingly.

     

    • Ian_Mahuron_383's avatar
      Ian_Mahuron_383
      Historic F5 Account
      Assuming they operate in a fashion similar to bigip external monitors, _any_ output indicates the monitor succeeded. Silence indicates failure. I suspect you'll need a "| grep 'Response verify OK'" to accomplish this.
    • bigipjr28_13978's avatar
      bigipjr28_13978
      Icon for Nimbostratus rankNimbostratus
      Thanks again. As of now to two ocsp nodes are on the gtm as a server object. With a wideip name that has the pool of nodes on the gtm. Would this work on the gtm ? I upload the the certs that are being used against the argurments as well as the external monitor. Here is what my external script looks like on the GTM: !/bin/bash cmd for ocsp responder openssl ocsp -url http://ocsp.staging.com -VAfile prodsigner.pem -issuer cetmanager.pem -cert good.pem Response verify OK exit 0 Thanks again