Blog, August 6, 2020. Tags: OCSP, PKI, PowerShell, PSPKI

PowerShell PKI (PSPKI) 3.7 enhancements – OCSP Server Management

by Vadims Podāns

Today I’m starting a series of blog posts in which I will explore the new features we have added to the PowerShell PKI (PSPKI) module, version 3.7. The first post is dedicated to Online Responders.

The biggest part of this release is the Microsoft OCSP Server (Online Responder) management feature. In this post, I will show the general Online Responder server management features using PowerShell and the PSPKI module.


Getting started

All Online Responder management starts with connecting to the OCSP server using the Connect-OnlineResponder command, which accepts only one parameter: the OCSP host name. If the command is executed locally on the Online Responder, this parameter is not required:

PS C:\> $ocsp = Connect-OnlineResponder -ComputerName hq-s-adcsws2
PS C:\> $ocsp

ComputerName              IsRunning    ArrayMembers
------------              ---------    ------------
hq-s-adcsws2.sysadmins.lv True         {hq-s-adcsws1.sysadmins.lv, hq-s...


PS C:\>

Unfortunately, there is no Online Responder autodiscovery functionality (like the one we have for Enterprise CAs), so you must know the address of at least one Online Responder. However, we can discover the other Online Responders implicitly through the array member list.

Managing server properties

Microsoft designed the OCSP server for high availability and scalability and introduced the term Online Responder Array: a pool of OCSP servers that automatically share and replicate revocation configurations within the array. At any time, one Online Responder holds the Array Controller role; it holds the master configuration and replicates it to all array members.

Every revocation configuration setting is replicated and must be set on the array controller; the other array members fetch the new settings automatically. If you make such changes on an array member that is not the array controller, they will be overridden by the array controller. The server-specific settings described in this blog post *are not* replicated to array members and must be configured individually on each Online Responder.

We can explore the properties of this particular OCSP server:

PS C:\> $ocsp | fl *

ComputerName           : hq-s-adcsws2.sysadmins.lv
IsRunning              : True
IsArrayController      : False
ArrayController        : SysadminsLV.PKI.Management.CertificateServices.OcspResponder
ArrayMembers           : {hq-s-adcsws1.sysadmins.lv, hq-s-adcsws2.sysadmins.lv, hq-s-pkix.sysadmins.lv, pkix.sysadmins.
                         lv}
MaxNumOfRequestEntries : 1
MaxNumOfCacheEntries   : 5000
NumOfThreads           : 50
MaxRequestSize         : 0
RequestFlags           : None
AuditFilter            : RequestReceive
LogLevel               : Minimal
TraceDebugEnabled      : False



PS C:\>

We see several properties: the service status, whether the connected server is the array controller, array controller information, the array members and some server-specific settings. These settings are not replicated between array members and must be configured on each server separately. In this example, we see that the connected server is not the array controller. We can get access to the array controller via the corresponding property:

PS C:\> $ocsp.ArrayController

ComputerName              IsRunning    ArrayMembers
------------              ---------    ------------
hq-s-adcsws1.sysadmins.lv True         {hq-s-adcsws1.sysadmins.lv, hq-s...


PS C:\> $ocsp.ArrayController | fl *


ComputerName           : hq-s-adcsws1.sysadmins.lv
IsRunning              : True
IsArrayController      : True
ArrayController        : SysadminsLV.PKI.Management.CertificateServices.OcspResponder
ArrayMembers           : {hq-s-adcsws1.sysadmins.lv, hq-s-adcsws2.sysadmins.lv, hq-s-pkix.sysadmins.lv, pkix.sysadmins.
                         lv}
MaxNumOfRequestEntries : 1
MaxNumOfCacheEntries   : 5000
NumOfThreads           : 50
MaxRequestSize         : 0
RequestFlags           : None
AuditFilter            : RequestReceive
LogLevel               : Minimal
TraceDebugEnabled      : False



PS C:\>

Property descriptions are provided on the API documentation page for the OcspResponder class. All properties below the ArrayMembers property are writable. We can assign new values either by writing to the properties directly or by using the Set-OnlineResponderProperty command, whose parameters define which properties can be set. For example, we can allow 5 OCSP request entries in a single OCSP request and limit the request size to 2kb (2048 bytes) to avoid service abuse:

PS C:\> $ocsp | Set-OnlineResponderProperty -MaxRequestEntryCount 5 -MaxRequestSize 2kb | fl *


ComputerName           : hq-s-adcsws2.sysadmins.lv
IsRunning              : True
IsArrayController      : False
ArrayController        : SysadminsLV.PKI.Management.CertificateServices.OcspResponder
ArrayMembers           : {hq-s-adcsws1.sysadmins.lv, hq-s-adcsws2.sysadmins.lv, hq-s-pkix.sysadmins.lv, pkix.sysadmins.
                         lv}
MaxNumOfRequestEntries : 5
MaxNumOfCacheEntries   : 5000
NumOfThreads           : 50
MaxRequestSize         : 2048
RequestFlags           : None
AuditFilter            : RequestReceive
LogLevel               : Minimal
TraceDebugEnabled      : False



PS C:\>

Using the ArrayMembers property, we can get the list of all array members:

PS C:\> $ocsp.ArrayMembers

ComputerName              IsRunning
------------              ---------
hq-s-adcsws1.sysadmins.lv      True
hq-s-adcsws2.sysadmins.lv      True
hq-s-pkix.sysadmins.lv        False
pkix.sysadmins.lv             False


PS C:\>

We see all computer names and their service status. In this case, two array members are offline. We can connect to any Online Responder using this list.
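The two points above (the array can be walked from any one known responder, and the server-specific limits are not replicated) combine naturally into a posture check. The following function is an added example, not code from the original post or from the PSPKI project: it connects to one seed host, walks ArrayMembers, reads the MaxNumOfRequestEntries and MaxRequestSize values from every running member, reports drift from the limits used in this post (5 entries, 2kb) and, with -Enforce, pushes them through Set-OnlineResponderProperty. It assumes only the cmdlets and property names shown in the transcripts above; the host names and desired values are constructed for illustration.

```powershell
# Added example (not from the original post or the PSPKI project).
# Assumes PSPKI 3.7 and the Connect-OnlineResponder / Set-OnlineResponderProperty
# cmdlets and OcspResponder property names shown in the post's transcripts.
Import-Module PSPKI

function Get-OcspArrayPosture {
    param(
        [Parameter(Mandatory)][string]$SeedHost,   # any one responder whose name you know
        [int]$MaxRequestEntries = 5,               # per-request entry limit used in the post
        [int]$MaxRequestSize    = 2kb,             # request size limit used in the post (2048 bytes)
        [switch]$Enforce                           # apply the limits where a member differs
    )
    $seed       = Connect-OnlineResponder -ComputerName $SeedHost
    $controller = $seed.ArrayController.ComputerName

    # Server-specific settings are not replicated, so each member has to be
    # connected to and read individually; offline members are reported, not skipped silently.
    foreach ($member in $seed.ArrayMembers) {
        $row = [ordered]@{
            ComputerName      = $member.ComputerName
            IsRunning         = $member.IsRunning
            IsController      = ($member.ComputerName -eq $controller)
            MaxRequestEntries = $null
            MaxRequestSize    = $null
            Drift             = $null
            Action            = 'None'
        }
        if (-not $member.IsRunning) {
            $row.Action = 'Skipped (offline)'
            [pscustomobject]$row
            continue
        }
        try {
            $r = Connect-OnlineResponder -ComputerName $member.ComputerName
            $row.MaxRequestEntries = $r.MaxNumOfRequestEntries
            $row.MaxRequestSize    = $r.MaxRequestSize
            # Any value other than the desired one (including the 0 seen before a limit is set)
            # counts as drift.
            $row.Drift = ($r.MaxNumOfRequestEntries -ne $MaxRequestEntries) -or
                         ($r.MaxRequestSize -ne $MaxRequestSize)
            if ($row.Drift -and $Enforce) {
                $r | Set-OnlineResponderProperty -MaxRequestEntryCount $MaxRequestEntries `
                                                 -MaxRequestSize $MaxRequestSize | Out-Null
                $row.Action = 'Updated'
            } elseif ($row.Drift) {
                $row.Action = 'Drift detected (re-run with -Enforce)'
            }
        } catch {
            $row.Action = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

# Audit first, then enforce once the report looks right (host name is constructed).
Get-OcspArrayPosture -SeedHost 'hq-s-adcsws2' | Format-Table -AutoSize
Get-OcspArrayPosture -SeedHost 'hq-s-adcsws2' -Enforce | Format-Table -AutoSize
```

Running the audit without -Enforce first matters because members that are offline at audit time keep whatever limits they had; re-run the check after they come back so the whole array ends up with the same request limits.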

Adding new array member

We can add an existing Online Responder to an Online Responder array as a member using the Add-OnlineResponderArrayMember command. Both the existing array controller and the new array member must be up and running.

When we add a new array member, it is removed from its existing array, demoted from the array controller role (if necessary) and added as a member of the destination array. Add-OnlineResponderArrayMember must be executed against the destination array’s controller. All revocation configurations from the array controller are replicated to the new array member.

For demonstration purposes, I’ve removed the “hq-s-adcsws2” server from the array into its own array without any revocation configuration:

PS C:\> $NewMember = Connect-OnlineResponder hq-s-adcsws2
PS C:\> $NewMember

ComputerName              IsRunning    ArrayMembers
------------              ---------    ------------
hq-s-adcsws2.sysadmins.lv True         {hq-s-adcsws2.sysadmins.lv}


PS C:\> Connect-OnlineResponder hq-s-adcsws1 | Add-OnlineResponderArrayMember -ArrayMember $NewMember

ComputerName              IsRunning    ArrayMembers
------------              ---------    ------------
hq-s-adcsws1.sysadmins.lv True         {hq-s-adcsws1.sysadmins.lv, hq-s...


PS C:\> $NewMember | fl *


ComputerName           : hq-s-adcsws2.sysadmins.lv
IsRunning              : True
IsArrayController      : False
ArrayController        : SysadminsLV.PKI.Management.CertificateServices.OcspResponder
ArrayMembers           : {hq-s-adcsws1.sysadmins.lv, hq-s-pkix.sysadmins.lv, pkix.sysadmins.lv, hq-s-adcsws2.sysadmins.
                         lv}
MaxNumOfRequestEntries : 5
MaxNumOfCacheEntries   : 5000
NumOfThreads           : 50
MaxRequestSize         : 2048
RequestFlags           : None
AuditFilter            : RequestReceive
LogLevel               : Minimal
TraceDebugEnabled      : False



PS C:\>

In the first line, I’ve connected to the new member, which is in a different array. We can see that the server is the only member of its array. In the next line, I connect to the destination array’s controller and call the Add-OnlineResponderArrayMember command, specifying the new member as a parameter. After the command executes, we check the new array member for changes: they are in place, it is now a part of the new array and has received the revocation configurations replicated from the array controller.

Removing array members

Using a similar technique, we can remove array members from an Online Responder array with the Remove-OnlineResponderArrayMember command. We may want to do this in two cases:

  • Remove discontinued and/or decommissioned online responders
  • Split existing array into multiple separate arrays

The Remove-OnlineResponderArrayMember command can remove only array members, not the array controller.

Extra work is done when the array member being removed is up and running:

  • it is placed in its own array
  • it is promoted to array controller of that array
  • all of its revocation configurations are deleted

The array member to be removed is not required to be online. If it is dead, we just remove its reference from the existing array.

PS C:\> Connect-OnlineResponder hq-s-adcsws1 | Remove-OnlineResponderArrayMember -ComputerName "hq-s-adcsws2.sysadmins.lv"

ComputerName              IsRunning    ArrayMembers
------------              ---------    ------------
hq-s-adcsws1.sysadmins.lv True         {hq-s-adcsws1.sysadmins.lv, hq-s...


PS C:\> (Connect-OnlineResponder hq-s-adcsws1).ArrayMembers

ComputerName              IsRunning
------------              ---------
hq-s-adcsws1.sysadmins.lv      True
hq-s-pkix.sysadmins.lv        False
pkix.sysadmins.lv             False


PS C:\> (Connect-OnlineResponder hq-s-adcsws2).ArrayMembers

ComputerName              IsRunning
------------              ---------
hq-s-adcsws2.sysadmins.lv      True


PS C:\>

As you can see, we removed “hq-s-adcsws2” from the array where “hq-s-adcsws1” is the array controller. By the end of the command execution we have two Online Responder arrays, with “hq-s-adcsws1” and “hq-s-adcsws2” as their respective array controllers.

Designating array controller role

And the last piece for today: promoting an array member to array controller. The rules are simple: the existing array controller is demoted from its role and the new array controller is promoted. We try to contact every Online Responder in the array to update this information. Let’s say we start from the following initial setup:

PS C:\> (Connect-OnlineResponder hq-s-adcsws1).ArrayController.ComputerName
hq-s-adcsws1.sysadmins.lv
PS C:\> (Connect-OnlineResponder hq-s-adcsws2).ArrayController.ComputerName
hq-s-adcsws1.sysadmins.lv
PS C:\>

We have two running Online Responders in the same array, with “hq-s-adcsws1” as the array controller. We plan to decommission this server and promote “hq-s-adcsws2” to array controller. This is done using the Set-OnlineResponderProperty command:

PS C:\> Connect-OnlineResponder hq-s-adcsws2 | Set-OnlineResponderProperty -MakeArrayController

ComputerName              IsRunning    ArrayMembers
------------              ---------    ------------
hq-s-adcsws2.sysadmins.lv True         {hq-s-adcsws1.sysadmins.lv, hq-s...


PS C:\> (Connect-OnlineResponder hq-s-adcsws1).ArrayController.ComputerName
hq-s-adcsws2.sysadmins.lv
PS C:\> (Connect-OnlineResponder hq-s-adcsws2).ArrayController.ComputerName
hq-s-adcsws2.sysadmins.lv
PS C:\>

We connect to the array member being promoted, call Set-OnlineResponderProperty with the -MakeArrayController switch, and we now have a new array controller.

In the next blog post, I will show how we can manage Online Responder revocation configurations.
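The decommissioning scenario above (promote a new controller, then retire the old one) is where the rules from the previous two sections meet: Remove-OnlineResponderArrayMember cannot remove the controller, so the role has to move first, and the post notes only that every responder is "tried". The following function is an added example, not code from the original post or from the PSPKI project: it promotes the new controller, then connects to every running member and checks that each one reports the new controller before optionally removing the old host from the array. It assumes the cmdlets and properties shown in the transcripts; host names are constructed.

```powershell
# Added example (not from the original post or the PSPKI project).
# Assumes PSPKI 3.7 cmdlets shown in the post: Connect-OnlineResponder,
# Set-OnlineResponderProperty -MakeArrayController, Remove-OnlineResponderArrayMember.
Import-Module PSPKI

function Move-OcspArrayController {
    param(
        [Parameter(Mandatory)][string]$OldController,
        [Parameter(Mandatory)][string]$NewController,
        [switch]$RemoveOld   # remove the old controller from the array after a verified promotion
    )
    $old = Connect-OnlineResponder -ComputerName $OldController
    if (-not $old.IsArrayController) {
        throw "$OldController is not the array controller (controller is $($old.ArrayController.ComputerName))."
    }
    $new = Connect-OnlineResponder -ComputerName $NewController
    if (-not $new.IsRunning) {
        throw "$NewController is not running; the promotion target must be up."
    }
    if ($old.ArrayMembers.ComputerName -notcontains $new.ComputerName) {
        throw "$NewController is not a member of the array controlled by $OldController."
    }

    # Promotion is executed against the member being promoted, as in the post.
    $new | Set-OnlineResponderProperty -MakeArrayController | Out-Null

    # Verify from each running member that it now points at the new controller;
    # members that are offline cannot be checked and are reported as a warning.
    $members  = (Connect-OnlineResponder -ComputerName $NewController).ArrayMembers
    $disagree = foreach ($m in $members | Where-Object IsRunning) {
        $seen = (Connect-OnlineResponder -ComputerName $m.ComputerName).ArrayController.ComputerName
        if ($seen -ne $new.ComputerName) { "$($m.ComputerName) still reports $seen" }
    }
    if ($disagree) {
        throw "Promotion is not consistent across the array:`n$($disagree -join "`n")"
    }
    $offline = $members | Where-Object { -not $_.IsRunning } | ForEach-Object ComputerName
    if ($offline) {
        Write-Warning "Could not verify offline members: $($offline -join ', ')"
    }

    if ($RemoveOld) {
        # Removal runs against the (new) controller and may only target a member, which is
        # why the role transfer has to succeed first. Per the post, a running member that is
        # removed ends up as controller of its own array with its revocation configurations deleted.
        Connect-OnlineResponder -ComputerName $NewController |
            Remove-OnlineResponderArrayMember -ComputerName $old.ComputerName | Out-Null
    }
    Connect-OnlineResponder -ComputerName $NewController
}

# Host names are constructed for illustration.
Move-OcspArrayController -OldController 'hq-s-adcsws1' -NewController 'hq-s-adcsws2' -RemoveOld
```

The verification step is deliberately strict: if any running member still reports the old controller, the function stops before -RemoveOld takes effect, so you never end up with members that have lost their controller and are therefore not receiving replicated revocation configurations.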

Stay tuned!


Vadims Podāns

PKI Software Architect


Comments

  • Thanks for this very useful series of blogs on the PSPKI tool and OCSP. I have just one issue:
    After adding a new array member, there’s an error in the OCSP console: “Revocation information is missing on Array member(s)”.
    When selecting the new array member in the console, the info is missing.

    The same thing happens if I reverse the roles (Array manager).

    The issue doesn’t occur when adding the new member using the console.

  • Hello,

    When installing the OCSP from PowerShell, the server is not added to ArrayMembers and is not an Array Controller.
    Using the script, I cannot add it as ArrayController since this modification must be done from an existing ArrayController.

    Is there a chance to add the server as ArrayController?

    Thank you.
