  CyProtect AG - Tumbleweed Validation Authority Server

Tumbleweed Validation Authority Server

Validation Authority - Valicert Validation Authority Server

The Tumbleweed Valicert Validation Authority Server (VA Server) product is a sophisticated digital certificate status responder. The VA Server maintains a store of digital certificate revocation data by obtaining the issuing CA's Certificate Revocation List (CRL), a cumulative list of revoked certificates.

The VA Server is CA neutral, supports multiple CAs, several different trust models, and CA specific validation policies. To validate a digital certificate, a client application can query the VA Server rather than having to perform the cumbersome task of obtaining and processing the entire CRL every time it encounters a digital certificate. Client applications can query the VA Server utilizing various open standard protocols including the Online Certificate Status Protocol (OCSP) or the Simple Certificate Validation Protocol (SCVP), allowing clients to delegate the entire certificate validation operation including path construction and intermediate CA validation to the VA Server.


Key Benefits

• Part of a comprehensive solution that allows organizations to leverage their PKI to safeguard all their mission-critical secure applications against invalid digital certificates.

• High-performance, high-availability solution with support for multiple digital validation mechanisms and high scale deployments.

• Open standards based – easy to integrate, easy to evolve – and commercially integrated with numerous partner applications.

• Numerous advanced features including replication, caching, cryptographic hardware support, robust administration, and reliable monitoring.

The Tumbleweed Valicert Validation Authority Server (VA Server) provides a number of advanced features, making it the ideal solution for customers who need a high-performance and high-availability solution proven in a wide range of application environments.

VA Mirroring provides support for backup, load balancing and failover by replicating the same certificate revocation data across a cluster (more than one) of VA Servers. Mirroring enables revocation data from a source VA to be replicated via a secure push- or pull-based synchronization mechanism to one or more destination VAs. Replicated revocation data can consist of pre-computed OCSP responses, CA-generated full CRLs or delta CRLs representing the changes between two full CA-signed CRLs, VA-manufactured delta CRLs representing the needs of the destination, or VA-generated CRLs based on instant local revocation (either by the VA administrator or by a CMP message).

In addition to replication, the VA offers caching. Large-scale, robust Internet service architectures have traditionally relied on network based caches to reduce traffic, improve user wait times as well as provide additional levels of security and robustness. The VA extended this concept to digital certificate validation by introducing a distributed VA Responder-Repeater caching architecture.

A Repeater is a VA Server that maintains a cache that is either loaded with pre-computed OCSP responses or built up dynamically by proxying client requests to a Responder. Repeaters also support VA-to-VA mirroring and can cache revocation data in CRL form. Repeaters support the VACRL protocol, providing support for non-OCSP clients or clients that want to maintain their own revocation data caches for backup. This functionality is highly useful in low-bandwidth environments or environments where real-time network access is not possible at all times.

Since a Repeater does not need to perform cryptographic operations (the cached responses are digitally signed by the Responder), it does not require additional cryptographic hardware support, offering a cost-effective way for organizations to scale their digital certificate validation infrastructure for performance and availability. Repeaters do not contain any sensitive key material and can easily reside in a different administrative domain than the Responder Server, allowing the Responder to be secured using a firewall or air gap.

Additionally, the VA product line includes the Tumbleweed Valicert VA Repeater Appliance and Repeater Servlet. The VA Repeater Appliance is a hardware-software appliance solution, leveraging Tumbleweed’s secure, hardened Linux-based platform. The VA Repeater Appliance can be installed in less than thirty minutes, offering organizations the lowest total cost of ownership and an ideal solution for distributed computing environments. The Repeater Servlet provides a light-weight solution for deploying a high-scale, high-reliability digital certificate infrastructure, leveraging the platform independence of Java. The Repeater Servlet is an ideal solution for distributed hosted computing environments.

The VA Server can be operated with a high degree of security through features such as SSL-based communications with clients, digitally signed client requests/responses, digitally signed XML logs and CRL archives, as well as SSL-based server administration. To enhance the performance of these features, the VA supports software, PKCS #11 or CAPI token-based hardware signing and encryption products, including FIPS 140-2 Level 3 and Level 4 compliant hardware signing modules, from all leading vendors.

Interested in Tumbleweed solutions? Please contact us.

Copyright © 2000 - 2008 - CyProtect AG. - All rights reserved.
Contact: info@cyprotect.com - CyProtect AG, Schatzbogen 58, 81829 Munich, Germany
Tel. +49 89 420447-0 Fax. +49 89 420447-79
