Audit and Account Logging

There are three types of logs that can be generated by the OCSP responder:

  • OCSP service logs

  • OCSP transaction log

  • OCSP audit log

OCSP service logs

The OCSP service logs through Log4j to the JBoss server.log. The JBoss server log is located in JBOSS_HOME/server/default/log/server.log, and the logging is configured in JBOSS_HOME/server/default/conf/jboss-log4j.xml.

OCSP transaction log

The OCSP transaction log can be used to log various information about OCSP requests. Transaction logging writes one summary line per OCSP request/response pair, which can be used for charging clients if you are running a commercial OCSP service.
To turn on transaction logging, copy ocsp.properties.sample to ocsp.properties and change:

#ocsp.trx-log = false

to

ocsp.trx-log = true

then uncomment the other lines below that start with ocsp.trx-log. Change the ocsp.trx-log-log-date line if you want to change how the time recorded in the log is formatted. The value must use the same format as Java's DateFormat; information on valid configurations can be found here.

ocsp.trx-log-log-date = yyyy-MM-dd:HH:mm:ss

ocsp.trx-log-pattern is the pattern used together with ocsp.audit-order to replace the placeholder constants in the log order with their values during logging. For most purposes you will not need to change this string.

Use ocsp.trx-log-order to specify what information should be logged and in what order. You can also configure which separator characters appear between the values. If you want your log to contain all of the available values, you only have to uncomment the line.

Available values for the transaction log are:

Transaction Log Value  Description
---------------------  -----------
LOG_ID                 An integer identifier that starts at 1 and is incremented for every received request.
SESSION_ID             A random 32-byte string generated when the OCSP responder is started.
STATUS                 The status of the OCSP request: SUCCESSFUL = 0, MALFORMED_REQUEST = 1, INTERNAL_ERROR = 2, TRY_LATER = 3, SIG_REQUIRED = 5, UNAUTHORIZED = 6.
CLIENT_IP              IP address of the client making the request.
REQ_NAME               The BC normalized Distinguished Name of the client making the request.
REQ_NAME_RAW           The unnormalized Distinguished Name of the client making the request.
SIGN_ISSUER_NAME_DN    The BC normalized issuer Distinguished Name of the certificate used to sign the request.
SIGN_SUBJECT_NAME      The BC normalized Subject Distinguished Name of the certificate used to sign the request.
SIGN_SERIAL_NO         Certificate serial number of the certificate used to sign the request.
NUM_CERT_ID            The number of certificates to check revocation status for.
ISSUER_NAME_DN         The BC normalized issuer Distinguished Name of the requested certificate.
ISSUER_NAME_DN_RAW     The unnormalized issuer Distinguished Name of the requested certificate.
ISSUER_NAME_HASH       SHA1 hash of the issuer DN.
ISSUER_KEY             The public key of the issuer of a requested certificate.
DIGEST_ALGOR           Algorithm used by the requested certificate to hash the issuer key and issuer name.
SERIAL_NO              Serial number of a requested certificate.
CERT_STATUS            The requested certificate's revocation status: 0 = good, 1 = revoked, 2 = unknown.
REV_REASON             The requested certificate's revocation reason, or -1 if not revoked. Set to 6 (certificateHold) when the certificate is unknown, even if the status returned is good.
REPLY_TIME             The time measured between when the request is received by the responder and when the response is sent. This time includes the time it takes to read the request bytes.
PROCESS_TIME           The time measured between when the request has been read by the responder and when the response is sent. This time starts after the request bytes have been read.
CERT_PROFILE_ID        The integer identifier of the certificate profile that was used to issue the requested certificate.
FORWARDED_FOR          The HTTP X-Forwarded-For header value.

OCSP audit log

The OCSP audit log records entire requests and responses. This is useful when requests and responses are signed, because the stored bytes can be used to verify them afterwards. Audit logging is configured in the same way as transaction logging.
Valid values for audit logging are:

Audit Log Value  Description
---------------  -----------
LOG_ID           An integer identifier that starts at 1 and is incremented for every received request.
SESSION_ID       A random 32-byte string generated when the OCSP responder is started.
OCSPREQUEST      The (hex encoded) byte[] OCSP request that came with the HTTP request.
OCSPRESPONSE     The (hex encoded) byte[] OCSP response that was included in the HTTP response.

Note that LOG_ID has the same value in both the transaction log and the audit log for any given request, so the two logs can be cross-referenced: you can retrieve a summary from the transaction log and verify it against the full request and response stored in the audit log.
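An added example (not part of EJBCA or this page) of the cross-referencing just described: it parses Log4j lines from both logs, joins them on (SESSION_ID, LOG_ID) rather than LOG_ID alone because LOG_ID starts at 1 while SESSION_ID changes with every responder start, and flags non-successful requests, revoked serials, and transaction entries whose audit counterpart is missing or not DER-shaped. The semicolon-separated field orders and the sample lines are constructed assumptions, not the shipped defaults.

```python
import re

# Log4j line prefix produced by the ConversionPattern "%d %-5p [%c] %m%n" used below.
LOG4J_LINE = re.compile(r"^(\S+ \S+) (\S+)\s+\[([^\]]+)\] (.*)$")
# Assumed semicolon-separated field orders built from the names in the tables above;
# the shipped default ocsp.trx-log-order / ocsp.audit-log-order are not on this page.
TRX_FIELDS = ["SESSION_ID", "LOG_ID", "STATUS", "CLIENT_IP", "SERIAL_NO",
              "CERT_STATUS", "REV_REASON", "PROCESS_TIME"]
AUDIT_FIELDS = ["SESSION_ID", "LOG_ID", "OCSPREQUEST", "OCSPRESPONSE"]

def parse_log(lines, fields):
    """Map (SESSION_ID, LOG_ID) -> record; LOG_ID alone restarts at 1 on every responder start."""
    records = {}
    for line in lines:
        m = LOG4J_LINE.match(line)
        if not m:
            continue  # not a Log4j line, e.g. a stack-trace continuation
        values = m.group(4).split(";")
        if len(values) != len(fields):
            continue  # field count does not match the configured order
        rec = dict(zip(fields, values))
        records[(rec["SESSION_ID"], rec["LOG_ID"])] = rec
    return records

def cross_reference(trx_lines, audit_lines):
    """Join the two logs on (SESSION_ID, LOG_ID) and return (key, finding) pairs."""
    trx, audit = parse_log(trx_lines, TRX_FIELDS), parse_log(audit_lines, AUDIT_FIELDS)
    findings = []
    for key, rec in trx.items():
        if rec["STATUS"] != "0":  # anything but SUCCESSFUL
            findings.append((key, "request status " + rec["STATUS"]))
        elif rec["CERT_STATUS"] == "1":  # 1 = revoked
            findings.append((key, "revoked serial %s reason %s" % (rec["SERIAL_NO"], rec["REV_REASON"])))
        entry = audit.get(key)
        if entry is None:
            findings.append((key, "no audit entry"))
            continue
        blob = entry["OCSPRESPONSE"]
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", blob) or blob[:2] != "30":  # DER SEQUENCE tag
            findings.append((key, "audit response is not DER"))
    return findings

# Constructed sample lines; the hex blobs are stand-in DER, not real OCSP messages.
T = "2024-03-01 10:00:00,%03d DEBUG [org.cesecore.certificates.ocsp.logging.%s] %s"
TRX_SAMPLE = [T % (1, "TransactionLogger", "abc123;1;0;192.0.2.10;1A2B;0;-1;3"),
              T % (120, "TransactionLogger", "abc123;2;0;192.0.2.11;1A2C;1;1;4"),
              T % (400, "TransactionLogger", "abc123;3;1;192.0.2.12;;;-1;1")]
AUDIT_SAMPLE = [T % (1, "AuditLogger", "abc123;1;3003020101;30030a0100"),
                T % (120, "AuditLogger", "abc123;2;3003020101;30030a0100")]
```

Calling cross_reference(TRX_SAMPLE, AUDIT_SAMPLE) reports the revoked serial on LOG_ID 2 and, for LOG_ID 3, both the malformed-request status and the missing audit entry.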

Configuring output files for OCSP logging

For JBoss you can configure JBOSS_HOME/server/default/conf/jboss-log4j.xml to put the transaction and audit logs in separate files.

<appender name="OCSPTRANSACTION" class="org.jboss.logging.appender.RollingFileAppender">
  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
  <param name="File" value="${jboss.server.log.dir}/transactions.log"/>
  <param name="Append" value="false"/>
  <param name="MaxFileSize" value="500KB"/>
  <param name="MaxBackupIndex" value="1"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
  </layout>
</appender>

<appender name="OCSPAUDIT" class="org.jboss.logging.appender.RollingFileAppender">
  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
  <param name="File" value="${jboss.server.log.dir}/audit.log"/>
  <param name="Append" value="false"/>
  <param name="MaxFileSize" value="500KB"/>
  <param name="MaxBackupIndex" value="1"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
  </layout>
</appender>

<category name="org.cesecore.certificates.ocsp.logging.TransactionLogger">
  <priority value="DEBUG"/>
  <appender-ref ref="OCSPTRANSACTION"/>
</category>

<category name="org.cesecore.certificates.ocsp.logging.AuditLogger">
  <priority value="DEBUG"/>
  <appender-ref ref="OCSPAUDIT"/>
</category>

For other application servers you can configure conf/log4j-appserver.xml. This configuration file will then be built into ejbca.ear.

If you are using JBoss EAP 6 you need to set the property 'org.jboss.as.logging.per-deployment=true' when you use an application-specific log4j configuration. This can be configured in standalone.xml or using the JBoss CLI.

<periodic-rotating-file-handler name="OCSPTRANSACTION" autoflush="true">
  <formatter>
    <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
  </formatter>
  <file relative-to="jboss.server.log.dir" path="transactions.log"/>
  <suffix value=".yyyy-MM-dd"/>
  <append value="true"/>
</periodic-rotating-file-handler>
<periodic-rotating-file-handler name="OCSPAUDIT" autoflush="true">
  <formatter>
    <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
  </formatter>
  <file relative-to="jboss.server.log.dir" path="audit.log"/>
  <suffix value=".yyyy-MM-dd"/>
  <append value="true"/>
</periodic-rotating-file-handler>
<logger category="org.cesecore.certificates.ocsp.logging.TransactionLogger" use-parent-handlers="false">
  <level name="DEBUG"/>
  <handlers>
    <handler name="OCSPTRANSACTION"/>
  </handlers>
</logger>
<logger category="org.cesecore.certificates.ocsp.logging.AuditLogger" use-parent-handlers="false">
  <level name="DEBUG"/>
  <handlers>
    <handler name="OCSPAUDIT"/>
  </handlers>
</logger>

Safer Log4j Logging

The default behavior when logging fails, such as when the destination disk is full or disconnected, is to continue responding as normal. If you prefer the responder not to send OCSP responses when logging fails, you can use the following configuration:

  1. From your EJBCA folder, run:

    ant jbosslog4jsafer

  2. On JBoss 7 / EAP 6, build and deploy a new ejbca.ear that includes jbosslog4jsafer.jar with:

    ant ejbca.ear
    ant deployear

  3. Set 'ocsp.log-safer = true' in ocsp.properties (and enable ocsp.trx-log and ocsp.audit-log of course).

  4. Modify your JBoss logging to use the SaferDailyRollingFileAppender and ProbableErrorHandler. For example:

    <appender name="OCSPTRANSACTION" class="org.cesecore.util.log.SaferDailyRollingFileAppender">
      <errorHandler class="org.cesecore.util.log.ProbableErrorHandler" />
      <param name="File" value="${jboss.server.log.dir}/transactions.log" />
      <param name="Append" value="true" />
      <!-- Rollover at midnight each day -->
      <param name="DatePattern" value="'.'yyyy-MM-dd" />
      <layout class="org.apache.log4j.PatternLayout">
        <!-- The default pattern: Date Priority [Category] Message\n -->
        <param name="ConversionPattern" value="%d %-5p [%c] %m%n" />
      </layout>
    </appender>
    <appender name="OCSPAUDIT" class="org.cesecore.util.log.SaferDailyRollingFileAppender">
      <errorHandler class="org.cesecore.util.log.ProbableErrorHandler" />
      <param name="File" value="${jboss.server.log.dir}/audit.log" />
      <param name="Append" value="true" />
      <!-- Rollover at midnight each day -->
      <param name="DatePattern" value="'.'yyyy-MM-dd" />
      <layout class="org.apache.log4j.PatternLayout">
        <!-- The default pattern: Date Priority [Category] Message\n -->
        <param name="ConversionPattern" value="%d %-5p [%c] %m%n" />
      </layout>
    </appender>
    <logger name="org.cesecore.certificates.ocsp.logging.TransactionLogger">
      <level value="DEBUG" />
      <appender-ref ref="OCSPTRANSACTION" />
    </logger>
    <logger name="org.cesecore.certificates.ocsp.logging.AuditLogger">
      <level value="DEBUG" />
      <appender-ref ref="OCSPAUDIT" />
    </logger>

    If you use category instead of logger, Log4j will output warnings on startup.

  5. Start JBoss and you are ready.