= Systems - Ocsp =

= Basics =

== Purpose ==

Online Certificate Status Protocol Server, [[OcspResponder]]


== Physical Location ==

Xen (Sun4)


== Logical location ==

 || IP Internet || 213.154.225.236 || crl.cacert.org ||
 || IP Intranet || 172.16.3.104    || crl-medium.intra.cacert.org ||
 || IP Admin    || 172.16.50.104   || crl.intra.cacert.org ||

 || IP Internet || 213.154.225.237 || ocsp.cacert.org ||
 || IP Intranet || 172.16.3.103    || ocsp-medium.intra.cacert.org ||
 || IP Admin    || 172.16.50.103   || ocsp.intra.cacert.org ||

== Applicable Documentation ==

This is it :-)

== Administration ==

 || System Admin || E-mail ||
 || Critical System Administrators || critical-admin@cacert.org ||
 ||                                || ocsp-admin@cacert.org ||

= Services =

== Listening services ==
 || System || Protocol || Port  || Remarks ||
 ||        || SSH   || TCP/22   || only from two hosts on internal admin network; remote system maintenance ||
 || crl    || HTTP  || TCP/80   || webserver for CRL retrieval ||
 || crl    || HTTPS || TCP/443  || webserver for CRL retrieval in SSL mode ||
 || crl    || RSYNC || TCP/873  || rsync daemon for efficient CRL retrieval ||
 || ocsp   || OCSP  || TCP/80   || OCSP responder (redirected by firewall to TCP/2560) ||
 || ocsp   || OCSP  || TCP/2560 || OCSP responder ||

== Running services ==

 || Service  || Started from   ||
 || apache2  || autostart conf ||
 || ocspd    || autostart conf ||
 || rsyncd   || autostart conf ||
 || sshd     || autostart conf ||
 || postfix  || autostart conf ||

== Connected Systems ==

=== Outbound network connections ===

  || Protocol  || Port            || Remarks ||
  || DNS       || UDP/53 + TCP/53 || DNS lookups to resolver on admin network only ||
  || SYSLOG    || UDP/514         || only to admin syslog server ||
  || boxbackup || TCP/2201        || only to backup.intern.cacert.org; for on-line backups ||

= Security =

 * Board motion [[https://community.cacert.org/board/motions.php?motion=m20110501.2|m20110501.2]]
  . New critical systems
  . That the systems Backup, CRL, Hopper, Logger (critical) are critical systems.

== Non-distribution packages and modifications ==

 * openca-ocspd-1.9.0 with local modifications
 * boxbackup client v0.11rc8
 * local configuration maintained in http://svn.cacert.org/CAcert/SystemAdministration/ocsp/
 
== Risk assessments on critical packages ==

= Tasks =

= Critical Configuration items =

= Changes =

== Planned ==

=== System Future ===

=== Document Stuff ===

The SystemAdministration team is responsible for the OCSP responders. The [[SystemAdministration/Procedures/OcspResponder|OCSP Procedure]] describes how to run a responder.
