Sending the revocation status check results to a file

Ops Center Installation and Configuration Guide

Version
11.0.x
Audience
anonymous
Part Number
MK-99OPS001-23
To write the revocation status of a server certificate to a file, register a cron job that queries the OCSP responder and writes the check results to a file, as follows.
  1. Log in to the management server as the root user.
    If you log in as an ordinary user, use the sudo command to complete the following procedure as the root user.
  2. Modify the crontab file. Run the following command.
    For details on the command, see the crontab documentation.
    crontab -u root -e
  3. Add a command to the crontab file for each product for which you want to check revocation status.
    The command you set differs depending on how the server certificate of the product is referenced.
    If you check by downloading the certificate file from the URL of the Hitachi Ops Center product:

    Specify the time to download, the command to download the server certificate, and the command to query the OCSP responder in the following format.

    * * * * * command-to-download-the-server-certificate;command-to-query-the-OCSP-responder
    • Command syntax for downloading the server certificate:
      installation-directory-of-Common-Services/openssl/bin/openssl s_client -connect host-name-or-ip-address-of-product-URL:port-number-of-product-URL [-sigalgs Signature-Algorithm-list] < /dev/null 2> path-of-the-standard-error-output-file | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > path-of-download-destination-of-server-certificate
      

      For products that use both RSA and ECDSA server certificates, add the download command twice, once with the RSA list and once with the ECDSA list. The -sigalgs option restricts the signature algorithms the client offers, so the server presents the certificate of that type. Specify the following signature algorithm lists for the -sigalgs option:

      For RSA: RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512

      For ECDSA: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512

    • Command syntax for querying the OCSP responder:
      installation-directory-of-Common-Services/openssl/bin/openssl ocsp -no_nonce -issuer issuer-certificate -cert path-of-server-certificate -url OCSP-Responder-URI [ -proxy [http[s]://][userinfo-of-proxy@]host-name-or-IP-address-of-proxy[:port-number-of-proxy] [/path-of-proxy] ] [-CAfile root-certificate-of-the-OCSP-responder-server] -text -out path-of-the-file-to-which-the-results-are-output 2>> path-of-the-standard-error-output-file
    If you check by referencing the certificate file set for the Hitachi Ops Center product:

    Specify the execution time and the command to query the OCSP responder in the following format.

    * * * * * command-to-query-the-OCSP-responder
    • Command syntax for querying the OCSP responder:
      installation-directory-of-Common-Services/openssl/bin/openssl ocsp -no_nonce -issuer issuer-certificate -cert path-of-server-certificate -url OCSP-Responder-URI [ -proxy [http[s]://][userinfo-of-proxy@]host-name-or-IP-address-of-proxy[:port-number-of-proxy] [/path-of-proxy] ] [-CAfile root-certificate-of-the-OCSP-responder-server] -text -out path-of-the-file-to-which-the-results-are-output 2> path-of-the-standard-error-output-file
    Note:
    • Replace "* * * * *" with the time at which each command runs, in crontab format. For example, to run a command every day at 4:00 a.m., specify "0 4 * * *". For details, see the crontab documentation.
    • Use a different path-of-the-file-to-which-the-results-are-output and a different path-of-the-standard-error-output-file for each crontab entry, so that one product's results do not overwrite another's. Within an entry that downloads the certificate, the download command creates the standard-error-output file (2>) and the query command appends to it (2>>), so errors from both commands are kept.
    • For issuer-certificate, specify the PEM-format certificate of the CA that signed the server certificate: the intermediate CA certificate when the chain has one, otherwise the root certificate. If you keep the root and intermediate certificates in one combined PEM file, the intermediate certificate must come first, because openssl ocsp reads only the first certificate from each -issuer file. Keep -issuer before -cert as shown, because each -cert is paired with the -issuer option that precedes it.
    • To reach the OCSP responder through a proxy, specify the -proxy option.
    • If Response Verify Failure is written to path-of-the-standard-error-output-file, the responder's signature could not be verified against the default trust store. Specify the root certificate that issued the OCSP responder's signing certificate with the -CAfile option.
    • For details on the openssl command, see the openssl documentation.
  4. Add a command for each product, specifying each command as described in step 3.

    Example settings:

    10 4 * * * command-for-product-1
    20 4 * * * command-for-product-2
    30 4 * * * command-for-product-3
  5. After you finish specifying the commands, save the crontab file.
  6. Run the following command to enable crond.service.
    systemctl enable crond.service
  7. Restart the service to apply the crond settings. Run the following command.
    systemctl restart crond
  • At the specified time, the OCSP response is written to path-of-the-file-to-which-the-results-are-output. Check the value of the Cert Status line in that file.
    • good: The server certificate is not revoked. (OCSP reports revocation only; it does not check the certificate's validity period.)
    • revoked: The server certificate has been revoked.
    • unknown: The responder has no status for this certificate. This usually means the request was built with the wrong issuer-certificate or sent to a responder that does not serve this CA; re-check both values.
  • If the output file does not contain a Cert Status line, the query itself failed. Check path-of-the-standard-error-output-file for the error.
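As an added example that is not part of the Ops Center guide, the following POSIX shell wrapper performs the download and query of step 3 for several products from a single crontab entry and interprets the Cert Status line as described above, turning it into an exit status that cron mail or a monitor can act on. The installation directory, work directory, host names, ports, issuer file, CA file and OCSP responder URL are placeholders and must be replaced with the values for your environment.

```shell
#!/bin/sh
# Added example (not from the Ops Center guide): a cron-friendly wrapper that
# downloads each product's server certificate, queries the OCSP responder and
# reports the Cert Status line. All paths, hosts and URLs are placeholders.

OPENSSL="${OPENSSL:-/opt/opscenter/CommonService/openssl/bin/openssl}"  # assumed install path
WORKDIR="${WORKDIR:-/var/tmp/ocsp-check}"                             # assumed output directory

# Print the value of the "Cert Status:" line (good, revoked or unknown) from an
# "openssl ocsp -text" result file. Prints nothing when the line is absent,
# which is the guide's signal that the query itself failed.
cert_status() {
    sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# Map a status word to an exit code: 0 good, 1 revoked, 2 unknown,
# 3 no Cert Status line (look in the stderr file for the cause).
classify_status() {
    case "$1" in
        good)    return 0 ;;
        revoked) return 1 ;;
        unknown) return 2 ;;
        *)       return 3 ;;
    esac
}

# check_product NAME HOST PORT SIGALGS ISSUER_PEM OCSP_URL [CAFILE]
# SIGALGS is "-" (let the server choose) or one of the guide's RSA/ECDSA lists,
# so a product with both certificate types is checked once per family.
check_product() {
    name=$1 host=$2 port=$3 issuer=$5 ocsp_url=$6 cafile=${7:-}
    case "$4" in -) sigalgs="" ;; *) sigalgs=$4 ;; esac
    mkdir -p "$WORKDIR"
    crt="$WORKDIR/$name.crt" out="$WORKDIR/$name.ocsp.txt" err="$WORKDIR/$name.err"

    # Download: the guide's s_client | sed pipeline, one file set per entry.
    "$OPENSSL" s_client -connect "$host:$port" ${sigalgs:+-sigalgs "$sigalgs"} </dev/null 2>"$err" \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >"$crt"
    if ! grep -q 'BEGIN CERTIFICATE' "$crt"; then
        echo "$name: no certificate downloaded, see $err" >&2
        return 3
    fi

    # Query: -issuer must precede -cert (openssl pairs each -cert with the issuer
    # given before it). stderr is appended so the download's errors survive.
    # A non-zero exit (e.g. Response Verify Failure) is diagnosed from the files.
    "$OPENSSL" ocsp -no_nonce -issuer "$issuer" -cert "$crt" -url "$ocsp_url" \
        ${cafile:+-CAfile "$cafile"} -text -out "$out" 2>>"$err" || true

    status=$(cert_status "$out")
    echo "$name: Cert Status=${status:-MISSING} (result: $out, errors: $err)"
    classify_status "$status"
}

# Hypothetical product list, one entry per certificate family. The exit status
# of main is the worst result seen, so a non-zero status means "look at it".
main() {
    rsa_algs='RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512'
    ecdsa_algs='ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512'
    worst=0
    for spec in \
        "product-1-rsa   ops1.example.com 443  $rsa_algs   /etc/pki/ops/issuer.pem http://ocsp.example.com" \
        "product-1-ecdsa ops1.example.com 443  $ecdsa_algs /etc/pki/ops/issuer.pem http://ocsp.example.com" \
        "product-2       ops2.example.com 8443 -           /etc/pki/ops/issuer.pem http://ocsp.example.com"
    do
        # shellcheck disable=SC2086
        set -- $spec
        rc=0; check_product "$@" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Register the script once per schedule, for example `0 4 * * * /usr/local/sbin/ocsp-check.sh run` (a hypothetical path), instead of one crontab line per product; the per-product result and standard-error files still land in WORKDIR as the guide describes, and the exit status is 0 only when every checked certificate is good.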