topic ACS 5.4 - OCSP Debug in Network Access Control

ACS 5.4 - OCSP Debug

Josef Fuehrer — Mon, 11 Mar 2019 03:12:15 GMT

Hi everyone,

I'm currently having issues testing OCSP servers for certificate validation on ACS 5.4. Server team claims everything is fine on their side, but all attempts result in the following error:

12562 OCSP server response is invalid

I've already tried to disable NONCE extension support and signature validation, which hasn't really had any effect.

Does anyone know how to debug OCSP processing or look into the problem more precisely another way?

Thanks in advance!

Regards,

Josef

ACS 5.4 - OCSP Debug

Tarik Admani — Fri, 15 Mar 2013 20:28:24 GMT

Josef,

Did you try clearing the cache and trying again?

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/net_resources.html#wp1133154

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS 5.4 - OCSP Debug

Josef Fuehrer — Mon, 18 Mar 2013 10:17:47 GMT

Hi Tarik,

thanks for your reply.

Unfortunately we haven't had a successful attempt so far, meaning that the cache is empty. Nonetheless, I've tried to clear it, but to no avail.

The exact log message sequence is as follows:

12568 Lookup user certificate status in OCSP cache

12569 User certificate status was not found in OCSP cache

12550 Sent an OCSP request to the primary OCSP server for the CA

12562 OCSP server response is invalid

12552 Conversation with OCSP server ended with failure

12572 OCSP response not cached

12556 OCSP status of user certificate is unknown

12571 ACS will continue to CRL verification if it is configured for specific CA

Do you know which application debug log contains OCSP related information:

(config-acs)# debug-log ?

Set debug level for the specified component.

( all

mgmt

mgmt-aac

mgmt-acsview

mgmt-audit

mgmt-bl

mgmt-bus

mgmt-changepassword

mgmt-cli

mgmt-common

mgmt-dbal

mgmt-distmgmt

mgmt-gui

mgmt-import-export

mgmt-license

mgmt-notification

mgmt-performancemonitoring

mgmt-pi

mgmt-replication

mgmt-rest

mgmt-ssl-support

mgmt-system

mgmt-validation

runtime

runtime-acslogs

runtime-admin

runtime-authenticators

runtime-authorization

runtime-configmanager

runtime-confignotificationflow

runtime-crypto

runtime-dataaccess

runtime-dbpassword

runtime-eap

runtime-eventhandler

runtime-idstores

runtime-logging

runtime-loggingnotificationflow

runtime-messagebus

runtime-messagecatalog

runtime-radius

runtime-ruleengine

runtime-statemanager

runtime-statistics

runtime-tacacs

runtime-xmlconfig

)

Regards,

Josef

ACS 5.4 - OCSP Debug

Tarik Admani — Mon, 18 Mar 2013 14:45:51 GMT

My assumption would be runtime-crypto, however you can enable the runtime (all), and try to reproduce the issue. If that doesn't work then go for mgmt.

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS 5.4 - OCSP Debug

Josef Fuehrer — Mon, 18 Mar 2013 15:53:30 GMT

Hi Tarik,

Your assumption was perfectly right. Setting the logging level for runtime-crypto to debug did the trick.

Following this, I've got one more question. The debug output contains a reference to another log file named 'customer log' containing more detailed information:

Crypto,18/03/2013,16:10:22:650,ERROR,3050167184,NIL-CONTEXT,Crypto::Result=0, Crypto.OcspClient::performRequest - Failed to get response from OCSP server,OcspClient.cpp:236

Crypto,18/03/2013,16:10:22:651,WARN ,3050167184,NIL-CONTEXT,Crypto::Result=0, CryptoLib.CSSL.OCSP Callback - report detailed error to customer log,SSL.cpp:888

Do you know which file this exactly is and where it is to be found?

Thanks a lot,

Josef

ACS 5.4 - OCSP Debug

Tarik Admani — Mon, 18 Mar 2013 18:46:43 GMT

Josef,

I do not know where this is located or if this exists, however I havent worked with this integration yet (too much ISE). You may want to pull a support bundle and see if the file is present.

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS 5.4 - OCSP Debug

Sergey Emantayev — Tue, 19 Mar 2013 09:38:41 GMT

Hi,

The "customer log" files are acsLocalStore.log*. Basically they contain the same info as ACS View has.

You can use the openSSL ocsp utility to test your server. See 'man ocsp' for details.

Thanks,

Sergey Emantayev

ACS 5.4 - OCSP Debug

Josef Fuehrer — Wed, 20 Mar 2013 00:55:29 GMT

Hi Sergey,

thanks for the hint with the OpenSSL utility.

Apparently there seems to be an issue with our OCSP responders:

30545:error:27070072:OCSP routines:OCSP_sendreq_bio:server response error:ocsp_ht.c:147:Code=405,Reason=Method Not Allowed

After some research I've come across a Microsoft Technet dealing with problems when using POST method for HTTP requests, which pretty much hits the nail on the head.

I'm already in contact with the guys responsible for the OCSP servers and will keep you in the loop.

Best regards,

Josef

I have right now the same

eni-co24192 — Fri, 31 Mar 2017 10:33:04 GMT

I have right now the same problem

Did you find out what was the cause of the issue ?

Hi,

Josef Fuehrer — Fri, 31 Mar 2017 12:31:30 GMT

Hi,

In my case it turned out that the OCSP responder URL was incorrect. In fact I was missing the /ocsp suffix.

ACS logs can be somewhat ambiguous, so best try to query the OSCP responder with openssl and look for any hints in the response:
openssl ocsp -issuer "path to issuing ca certificate" -cert "path to certificate you want to verify" -url "OSCP responder URL"

Cheers,
Josef