OCSP Repeater

Response expiry period

Number of seconds for the client application to cache an OCSP response for a particular certificate. Default value: 0 (no cache).

  • RESPONSE_EXPIRY_PERIOD = 0

Storing limited data into the database to minimize the database size

If your database grows too quickly because a large number of OCSP Repeater transactions are being logged, the volume of log data can be reduced by removing some columns from the transaction logs. The following property controls which columns are logged:

  • TRANSACTION_LOG_COLUMNS = RelyingPartyId,CertificationAuthorityId,Request,Response,RelyingPartyIp,RelyingPartySigningCert,RelyingPartySTlsCert,ErrorCode

If you remove a column from this property, that column's value is no longer stored as part of transaction logging. The columns that consume the most storage are "Request" and "Response"; for very high volumes these should be removed.

Usual logging for an OCSP Repeater

  • TRANSACTION_LOG_COLUMNS = Request,Response,RelyingPartyIp,ErrorCode

Minimal logging for an OCSP Repeater

  • TRANSACTION_LOG_COLUMNS = RelyingPartyId,RelyingPartyIp,ErrorCode

Parameters Mapping with Transactions Log Viewer

  • RelyingPartyId: Shown as the Signer's Subject Name; this parameter records the Subject DN of the OCSP response signing certificate in the case of a signed OCSP request.
  • CertificationAuthorityId: Shown as the Signer's CA; this parameter records the user-friendly name of the issuer CA of the OCSP response signing certificate in the case of a signed OCSP request.
  • Request: Shown as the Request; this parameter records the OCSP request.
  • Response: Shown as the Response; this parameter records the OCSP response.
  • RelyingPartyIp: Shown as the IP Address; this parameter records the IP address of the requester.
  • RelyingPartySigningCert: Shown as the Signing Cert; this parameter stores the OCSP request signing certificate in the case of a signed OCSP request.
  • RelyingPartySslCert: Shown as the TLS Cert; this parameter stores the TLS client certificate in the case of an OCSP request over a TLS channel.
  • ErrorCode: Shown as the Error Code; this parameter records the error message in the case of any failure.

Transaction logs settings

Transactions can be stored either directly or delayed for better performance. The following properties are used for logging:

  • TRANSACTION_LOG_MODE = LAZY
    Decides whether transactions are held in memory before being written to the database (LAZY logging) or written to the database immediately (EAGER logging). Possible values: LAZY, EAGER.
    With LAZY logging, transaction logs are kept in memory for up to the number of seconds configured in TRANSACTION_LOG_LAZY_INTERVAL or until the number of transactions configured in TRANSACTION_LOG_LAZY_RECORD_COUNT is reached, whichever happens first.
  • TRANSACTION_LOG_LAZY_INTERVAL = 2
    When LAZY logging is configured, transactions are kept in memory for up to this many seconds, unless TRANSACTION_LOG_LAZY_RECORD_COUNT is reached before then.
  • TRANSACTION_LOG_LAZY_RECORD_COUNT = 400
    When LAZY logging is configured, transactions are kept in memory until this number of transactions is reached, unless TRANSACTION_LOG_LAZY_INTERVAL elapses before then.
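The column stripping and the LAZY/EAGER flush rules described above, as an added Python model that is not part of the product or of this page: each record is projected onto TRANSACTION_LOG_COLUMNS before storage, and in LAZY mode records sit in memory until TRANSACTION_LOG_LAZY_RECORD_COUNT is reached or TRANSACTION_LOG_LAZY_INTERVAL seconds have passed, whichever comes first. It assumes the interval is measured from the first record of a batch and that a timer would call flush_if_due; the class name, the injectable clock and the sample record are hypothetical.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence

@dataclass
class TransactionLog:
    """Model of the OCSP Repeater transaction-log settings (added example, not product code)."""
    columns: Sequence[str] = ("RelyingPartyId", "RelyingPartyIp", "ErrorCode")  # TRANSACTION_LOG_COLUMNS
    mode: str = "LAZY"                     # TRANSACTION_LOG_MODE: LAZY or EAGER
    lazy_interval: float = 2.0             # TRANSACTION_LOG_LAZY_INTERVAL, in seconds
    lazy_record_count: int = 400           # TRANSACTION_LOG_LAZY_RECORD_COUNT
    clock: Callable[[], float] = time.monotonic  # injectable so the interval rule can be exercised
    buffer: List[Dict[str, object]] = field(default_factory=list)    # records held only in memory
    database: List[Dict[str, object]] = field(default_factory=list)  # stand-in for the DB table
    first_buffered_at: Optional[float] = None
    flushes: int = 0

    def __post_init__(self) -> None:
        if self.mode not in ("LAZY", "EAGER"):
            raise ValueError("TRANSACTION_LOG_MODE must be LAZY or EAGER")

    def log(self, record: Dict[str, object]) -> None:
        # Keep only the configured columns; dropping Request/Response is what limits table growth.
        row = {k: v for k, v in record.items() if k in self.columns}
        if self.mode == "EAGER":
            self.database.append(row)      # written immediately, nothing held in memory
            return
        if not self.buffer:
            self.first_buffered_at = self.clock()  # assumption: interval counted from first record of batch
        self.buffer.append(row)
        self.flush_if_due()

    def flush_if_due(self) -> bool:
        """Write the batch when either limit is hit, whichever comes first.
        A real service would also call this from a timer; here the caller drives it."""
        if not self.buffer:
            return False
        age = self.clock() - self.first_buffered_at
        if len(self.buffer) >= self.lazy_record_count or age >= self.lazy_interval:
            self.database.extend(self.buffer)
            self.buffer.clear()
            self.first_buffered_at = None
            self.flushes += 1
            return True
        return False

    def at_risk(self) -> int:
        """Records that exist only in memory and would be lost if the service stopped abruptly."""
        return len(self.buffer)
```

at_risk() makes the trade-off of LAZY mode visible: up to TRANSACTION_LOG_LAZY_RECORD_COUNT audit records can be unwritten at any moment, which matters when transaction logs are relied on as evidence.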

See also

Signing Service
Verification Service
Certification Service
OCSP Service
OCSP Repeater
TSA Settings
XKMS Service
SCVP Service
LTANS Service
Decryption Service
OCSP Monitor
GoSign Service
RA Service
CRL Monitor
RAS Service
SAM Service
CSP Service
NPKD Service
SPOC Service