cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2142
Views
5
Helpful
9
Replies
Highlighted
Beginner

ACS 5.4 - OCSP Debug

Hi everyone,

I'm currently having issues testing OCSP servers for certificate validation on ACS 5.4. Server team claims everything is fine on their side, but all attempts result in the following error:

12562  OCSP server response is invalid

I've already tried to disable NONCE extension support and signature validation, which hasn't really had any effect.

Does anyone know how to debug OCSP processing or look into the problem more precisely another way?

Thanks in advance!

Regards,

Josef

Everyone's tags (4)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Highlighted
Advocate

ACS 5.4 - OCSP Debug

My assumption would be runtime-crypto, however you can enable the runtime (all), and try to reproduce the issue. If that doesn't work then go for mgmt.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*

View solution in original post

Highlighted

ACS 5.4 - OCSP Debug

Hi,

The "customer log" files are acsLocalStore.log*. Basically they contain the same info as ACS View has.

You can use the openSSL ocsp utility to test your server. See 'man ocsp' for details.

Thanks,

Sergey Emantayev

View solution in original post

9 REPLIES 9
Highlighted
Advocate

ACS 5.4 - OCSP Debug

Josef,

Did you try clearing the cache and trying again?

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/net_resources.html#wp1133154

Thanks,

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*
Highlighted
Beginner

ACS 5.4 - OCSP Debug

Hi Tarik,

thanks for your reply.

Unfortunately we haven't had a successful attempt so far, meaning that the cache is empty. Nonetheless, I've tried to clear it, but to no avail.

The exact log message sequence is as follows:

12568  Lookup user certificate status in OCSP cache

12569  User certificate status was not found in OCSP cache

12550  Sent an OCSP request to the primary OCSP server for the CA

12562  OCSP server response is invalid

12552  Conversation with OCSP server ended with failure

12572  OCSP response not cached

12556  OCSP status of user certificate is unknown

12571  ACS will continue to CRL verification if it is configured for specific CA

Do you know which application debug log contains OCSP related information:

(config-acs)# debug-log ?

    Set debug level for the specified component.

                 ( all

                   mgmt

                   mgmt-aac

                   mgmt-acsview

                   mgmt-audit

                   mgmt-bl

                   mgmt-bus

                   mgmt-changepassword

                   mgmt-cli

                   mgmt-common

                   mgmt-dbal

                   mgmt-distmgmt

                   mgmt-gui

                   mgmt-import-export

                   mgmt-license

                   mgmt-notification

                   mgmt-performancemonitoring

                   mgmt-pi

                   mgmt-replication

                   mgmt-rest

                   mgmt-ssl-support

                   mgmt-system

                   mgmt-validation

                   runtime

                   runtime-acslogs

                   runtime-admin

                   runtime-authenticators

                   runtime-authorization

                   runtime-configmanager

                   runtime-confignotificationflow

                   runtime-crypto

                   runtime-dataaccess

                   runtime-dbpassword

                   runtime-eap

                   runtime-eventhandler

                   runtime-idstores

                   runtime-logging

                   runtime-loggingnotificationflow

                   runtime-messagebus

                   runtime-messagecatalog

                   runtime-radius

                   runtime-ruleengine

                   runtime-statemanager

                   runtime-statistics

                   runtime-tacacs

                   runtime-xmlconfig

                   )

Regards,

Josef

Highlighted
Advocate

ACS 5.4 - OCSP Debug

My assumption would be runtime-crypto, however you can enable the runtime (all), and try to reproduce the issue. If that doesn't work then go for mgmt.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*

View solution in original post

Highlighted
Beginner

ACS 5.4 - OCSP Debug

Hi Tarik,

Your assumption was perfectly right. Setting the logging level for runtime-crypto to debug did the trick.

Following this, I've got one more question. The debug output contains a reference to another log file named 'customer log' containing more detailed information:

Crypto,18/03/2013,16:10:22:650,ERROR,3050167184,NIL-CONTEXT,Crypto::Result=0, Crypto.OcspClient::performRequest - Failed to get response from OCSP server,OcspClient.cpp:236

Crypto,18/03/2013,16:10:22:651,WARN ,3050167184,NIL-CONTEXT,Crypto::Result=0, CryptoLib.CSSL.OCSP Callback - report detailed error to customer log,SSL.cpp:888

Do you know which file this exactly is and where it is to be found?

Thanks a lot,

Josef

Highlighted
Advocate

ACS 5.4 - OCSP Debug

Josef,

I do not know where this is located or if this exists, however I havent worked with this integration yet (too much ISE). You may want to pull a support bundle and see if the file is present.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*
Highlighted

ACS 5.4 - OCSP Debug

Hi,

The "customer log" files are acsLocalStore.log*. Basically they contain the same info as ACS View has.

You can use the openSSL ocsp utility to test your server. See 'man ocsp' for details.

Thanks,

Sergey Emantayev

View solution in original post

Highlighted
Beginner

ACS 5.4 - OCSP Debug

Hi Sergey,

thanks for the hint with the OpenSSL utility.

Apparently there seems to be an issue with our OCSP responders:

30545:error:27070072:OCSP routines:OCSP_sendreq_bio:server response error:ocsp_ht.c:147:Code=405,Reason=Method Not Allowed

After some research I've come across a Microsoft Technet dealing with problems when using POST method for HTTP requests, which pretty much hits the nail on the head.

I'm already in contact with the guys responsible for the OCSP servers and will keep you in the loop.

Best regards,

Josef

Highlighted
Beginner

I have right now the same

I have right now the same problem

Did you find out what was the cause of the issue ?

Highlighted
Beginner

Hi,

Hi,

In my case it turned out that the OCSP responder URL was incorrect. In fact I was missing the /ocsp suffix.

ACS logs can be somewhat ambiguous, so best try to query the OSCP responder with openssl and look for any hints in the response:
openssl ocsp -issuer "path to issuing ca certificate" -cert "path to certificate you want to verify" -url "OSCP responder URL"

Cheers,
Josef