 
 

Validation Authority - Server Validator

Key Benefits


• Ensures mission-critical web applications do not rely on invalid digital certificates.

• High-performance, high-availability solution with support for multiple digital certificate validation mechanisms and high-scale deployments.

• Open standards based – easy to integrate, easy to evolve – and commercially integrated with numerous partner applications.

• Ideal solution for custom or commercial web applications.

 

The Server Validator (SV) product is a multi-platform client solution for enabling digital certificate validation in the most commonly used web-based application server environments.

SV utilizes native interfaces in leading web application servers to add digital certificate validation functionality as part of that product’s PKI based client authentication. SV provides the capability to query a VA Server (or any standards based digital certificate validation responder) or utilize a Certificate Revocation List (CRL) to determine the status of a digital certificate presented by a client. Clients with revoked or expired certificates are denied access to the application. SV offers additional advanced features for high performance, availability, and ease of administration.

The Tumbleweed Server Validator (SV) leverages native web and application server interfaces so it can be installed as a “plug-in”, ensuring the server does not accept revoked or expired certificates when performing client authentication as part of establishing a secure channel with a client.

SV enables digital certificate validation via standard protocol queries to a VA Server (or other OCSP or SCVP standards-based responder) or via CRL lookups. The reliability and performance of CRL lookups can be greatly improved by using the VA Server and the Tumbleweed VACRL protocol to distribute CA- or VA-manufactured CRLs and delta CRLs to SV-enabled application servers.

SV is CA neutral and can support CRL data from multiple CA or VA sources. SV can support complex trust models and supports RFC 3280 certificate policy controls for path processing and policy enforcement. SV will perform end-to-end (complete) certificate validation if one or more intermediate CAs are used, and the validation policy requires end-to-end (complete) certificate chain validation.

SV can communicate securely with a VA Server by utilizing SSL/TLS. SV supports different trust models and can support validation of the VA Server certificate. SV can also digitally sign requests to the VA server for deployments that require a high degree of audit and non-repudiation. SV offers support for cryptographic hardware via the standard PKCS #11 interface, including FIPS 140-2 Level 3 and 4, which can be used to accelerate digital signing and SSL/TLS operations.

SV provides support for two separate, configurable validation caches. One is an in-memory repository of all certificate validation requests, regardless of the validation mechanism used. The other is a disk-resident CRL repository. Caching parameters, including the time-to-live of response and the total size of the cache, are flexible to meet the requirements of a specific deployment. Caching can be used to improve performance and increase reliability in environments where the underlying network is not always available. SV also offers a robust fail-over mechanism for querying multiple VA Servers.

SV can be automatically configured using parameters obtained from the VA Server if the web or application server supports auto-configuration. This integration between the SV and the VA Server greatly facilitates the operation of SV in a large-scale application deployment.

           
