Systems - Ocsp
Basics
Purpose: Online Certificate Status Protocol Server, OcspResponder
Physical Location: Xen (Sun4)
Logical location
  Network       IP               Hostname
  IP Internet   213.154.225.236  crl.cacert.org
  IP Intranet   172.16.3.104     crl-medium.intra.cacert.org
  IP Admin      172.16.50.104    crl.intra.cacert.org
  IP Internet   213.154.225.237  ocsp.cacert.org
  IP Intranet   172.16.3.103     ocsp-medium.intra.cacert.org
  IP Admin      172.16.50.103    ocsp.intra.cacert.org
Applicable Documentation: This is it
Administration
  System Admin                    E-mail
  Critical System Administrators
Services
Listening services
  System  Protocol  Port      Remarks
          SSH       TCP/22    only from two hosts on internal admin network; remote system maintenance
  crl     HTTP      TCP/80    webserver for CRL retrieval
  crl     HTTPS     TCP/443   webserver for CRL retrieval in SSL mode
  crl     RSYNC     TCP/873   rsync daemon for efficient CRL retrieval
  ocsp    OCSP      TCP/80    OCSP responder (redirected by firewall to TCP/2560)
  ocsp    OCSP      TCP/2560  OCSP responder
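A configuration-drift check for the Listening services table above, added here as an example and not taken from the CAcert system configuration: it compares the TCP ports the table documents with the listeners reported by `ss -ltnH`. It runs on a constructed sample of that output (including a loopback-only listener on port 25 standing in for postfix, which the table does not list) so it works offline.

```shell
#!/bin/sh
# Documented listening TCP ports from the table above.
EXPECTED_PORTS="22 80 443 873 2560"

# Constructed sample of `ss -ltnH` output (State Recv-Q Send-Q Local Peer);
# not a capture from the real host. Port 25 stands in for postfix bound to
# loopback, which the Listening services table does not document.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 5 0.0.0.0:873 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2560 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# listening_ports OUTPUT: unique local ports from LISTEN lines, ascending.
# The port is whatever follows the last ':' so IPv6 "[::]:22" works too.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' \
        | sort -n | uniq
}

# undocumented_ports OUTPUT: listeners the table does not document.
undocumented_ports() {
    for p in $(listening_ports "$1"); do
        case " $EXPECTED_PORTS " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# missing_ports OUTPUT: documented ports with no listener.
missing_ports() {
    have=$(listening_ports "$1")
    for p in $EXPECTED_PORTS; do
        printf '%s\n' "$have" | grep -qx "$p" || echo "$p"
    done
}

# check_listeners OUTPUT: print any drift; exit 0 only when there is none.
check_listeners() {
    extra=$(undocumented_ports "$1")
    gone=$(missing_ports "$1")
    [ -n "$extra" ] && echo "undocumented listener(s): $(echo $extra)"
    [ -n "$gone" ] && echo "documented port(s) not listening: $(echo $gone)"
    [ -z "$extra" ] && [ -z "$gone" ]
}
# On the host itself: check_listeners "$(ss -ltnH)"
```

Run against the sample it reports port 25 as undocumented and exits non-zero; a listener that the table documents but that is not bound shows up as missing.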
Running services
  Service   Started from
  apache2   autostart conf
  ocspd     autostart conf
  rsyncd    autostart conf
  sshd      autostart conf
  postfix   autostart conf
Connected Systems
Outbound network connections
  Protocol   Port             Remarks
  DNS        UDP/53 + TCP/53  DNS lookups to resolver on admin network only
  SYSLOG     UDP/514          only to admin syslog server
  boxbackup  TCP/2201         only to backup.intern.cacert.org; for on-line backups
Security
Board motion m20110501.2
- New critical systems
- That the systems Backup, CRL, Hopper, Logger (critical) are critical systems.
Non-distribution packages and modifications
- openca-ocspd-1.9.0 with local modifications
- boxbackup client v0.11rc8
Local configuration is maintained in http://svn.cacert.org/CAcert/SystemAdministration/ocsp/
Risk assessments on critical packages
Tasks
Critical Configuration items
Changes
Planned
System Future
Document Stuff
The SystemAdministration team is responsible for the OCSP Responders. See the OCSP Procedure for running a responder.