Running as container
OCSPd is also packaged as a container image and can be run on Docker or on any CRI-compliant Kubernetes runtime.
Database considerations
OCSPd uses an embedded database to store its application configuration. The database is created automatically when OCSPd is started for the first time and lives in the /ocspd/database directory, which must be persisted; if that directory is lost, the next start creates an empty database and the configuration has to be redone:
- On Docker, this can be done through a Docker volume or a bind mount.
- On Kubernetes, this can be done through a persistent volume claim.
Docker example
The bare minimum to start an OCSPd instance is to pass at least the following environment variables:
- a valid license through the LICENSE variable
- an application secret through the APPLICATION_SECRET variable
To do so, run the following command:
docker run -p 9000:9000 -e LICENSE="$(cat ./ocspd.lic)" -e APPLICATION_SECRET=QA3BgXqapXaEzLbX -v ./database:/ocspd/database:rw registry.evertrust.io/ocspd:3.1.3
Replace the APPLICATION_SECRET value with a random secret of your own; the value shown is the documentation's example, not a secret. If your license file spans several lines, either convert its newlines to '\n' before passing it through LICENSE or mount the file and point LICENSE_PATH at it (see the configuration section). Older Docker versions reject relative host paths in -v; use an absolute path such as $(pwd)/database if ./database is refused.
The OCSPd server will be available at http://localhost:9000. To configure the instance, please refer to the configuration section.
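The command above puts the license into the environment and copies the secret from the documentation. The script below is an added example, not part of the OCSPd documentation or product: it converts a multi-line license file into the single-line '\n' form the LICENSE variable expects, generates a fresh APPLICATION_SECRET, refuses relative bind-mount sources, and prints the resulting docker run command for review instead of executing it. It mounts the license read-only and references it through LICENSE_PATH so the license text does not appear in `docker inspect`. The file names (./ocspd.lic, ./database) and the in-container path /ocspd/license are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the OCSPd documentation. Prepares the inputs for
# the `docker run` shown above without executing anything against Docker.
# Assumptions: the license file is ./ocspd.lic, the database lives in
# ./database, and /ocspd/license is a free path inside the container.

# Join the lines of a license file with a literal backslash-n, which is the
# form the LICENSE environment variable expects for multi-line licenses.
license_env_value() {
  awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }' "$1"
}

# 32 random bytes rendered as 64 hex characters; never reuse the secret
# printed in the documentation.
generate_secret() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Bind-mount sources must be absolute host paths (older Docker versions
# reject relative ones).
require_absolute() {
  case "$1" in
    /*) return 0 ;;
    *)  echo "not an absolute path: $1" >&2; return 1 ;;
  esac
}

# Print the docker run command for review. The license is mounted read-only
# and referenced through LICENSE_PATH, so its content is not visible in
# `docker inspect`; the database directory is mounted read-write.
build_run_command() {
  local license_file="$1" db_dir="$2" secret="$3"
  local image="${4:-registry.evertrust.io/ocspd:3.1.3}"
  require_absolute "$license_file" || return 1
  require_absolute "$db_dir" || return 1
  printf 'docker run -p 9000:9000 \\\n'
  printf '  -e LICENSE_PATH=/ocspd/license/ocspd.lic \\\n'
  printf '  -e APPLICATION_SECRET=%s \\\n' "$secret"
  printf '  -v %s:/ocspd/license/ocspd.lic:ro \\\n' "$license_file"
  printf '  -v %s:/ocspd/database:rw \\\n' "$db_dir"
  printf '  %s\n' "$image"
}

# Stand-alone usage: print the command for the files in the current directory.
if [ "${1:-}" = "--print" ]; then
  build_run_command "$PWD/ocspd.lic" "$PWD/database" "$(generate_secret)"
fi
```

Run it with `--print` from the directory holding ocspd.lic and database/, check the printed command, then paste it; license_env_value is there for the cases (compose files, CI variables) where the license really has to travel through LICENSE rather than LICENSE_PATH.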
Configuration
The Docker image is configured through environment variables. The following variables are available. Several of them carry secrets (APPLICATION_SECRET, HTTPS_KEYSTORE_PASSWORD, SMTP_PASSWORD, RADIUS_SECRET, LDAP_BIND_PASSWORD): keep them out of shell history and image layers, and on Kubernetes source them from a Secret rather than writing them into the pod spec.
General configuration
Variable | Description | Default |
---|---|---|
LICENSE | A valid OCSPd license string, base64-encoded. Can be used instead of LICENSE_PATH. | |
LICENSE_PATH | Path where an OCSPd license file is mounted inside the container. Can be used if the license is not passed directly through LICENSE. | |
APPLICATION_SECRET | Application secret used by OCSPd | |
Your license usually contains newline characters, which you must replace with '\n' when setting it through the LICENSE environment variable. Mounting the license file and pointing LICENSE_PATH at it avoids the conversion.
Configuring HTTPS
In production, it is strongly recommended that all requests go through a layer of encryption. Configuring TLS on OCSPd lets your reverse proxy fetch OCSPd data over TLS instead of in clear text on the internal network. (OCSP clients themselves commonly query responders over plain HTTP, since OCSP responses are signed; the TLS endpoint protects the hop between the proxy and OCSPd.)
If all settings are left empty, OCSPd generates a self-signed certificate at startup and still exposes its HTTPS endpoint on the HTTPS port. A self-signed certificate lets the proxy authenticate OCSPd only if the proxy is configured to trust that specific certificate, so for production supply a keystore holding a certificate issued by your PKI.
Variable | Description | Default |
---|---|---|
HTTP_PORT | Port of the HTTP server | |
HTTPS_PORT | Port of the HTTPS server | |
HTTPS_KEYSTORE_PATH | Location of the keystore containing the server certificate | |
HTTPS_KEYSTORE_PASSWORD | Password for the given keystore, if required by the keystore type | |
HTTPS_KEYSTORE_TYPE | Format of the keystore. Can be either … | |
HTTPS_KEYSTORE_ALGORITHM | The key store algorithm | Platform default algorithm |
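To get off the self-signed certificate, the keystore variables above need a keystore file built from a key and certificate from your PKI. The script below is an added example, not part of the OCSPd documentation or product: it packages a PEM key and certificate as a PKCS#12 keystore with openssl, verifies that the keystore opens with the chosen password (the check OCSPd will effectively perform at startup), and prints the matching variables. It assumes that PKCS12 is one of the accepted HTTPS_KEYSTORE_TYPE values and that the keystore is mounted at /ocspd/tls/keystore.p12 inside the container; both are assumptions, not facts from this page.

```shell
#!/usr/bin/env bash
# Added example, not part of the OCSPd documentation. Builds a PKCS#12
# keystore for HTTPS_KEYSTORE_PATH and prints the matching variables.
# Assumptions: PKCS12 is an accepted HTTPS_KEYSTORE_TYPE value and the
# keystore is mounted at /ocspd/tls/keystore.p12 inside the container.

# Package a PEM private key and server certificate as PKCS#12.
# $1 = private key, $2 = certificate, $3 = output .p12, $4 = password
build_keystore() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
    -passout "pass:$4" -name ocspd >/dev/null 2>&1
}

# Check that the keystore opens with the given password and contains a
# certificate; a wrong password or a damaged file makes this fail.
# $1 = keystore, $2 = password
verify_keystore() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# Print the container variables. The password is printed here only for
# illustration; on Kubernetes it belongs in a Secret.
# $1 = keystore password
keystore_env() {
  printf 'HTTPS_KEYSTORE_PATH=/ocspd/tls/keystore.p12\n'
  printf 'HTTPS_KEYSTORE_TYPE=PKCS12\n'
  printf 'HTTPS_KEYSTORE_PASSWORD=%s\n' "$1"
}

# Stand-alone demo with a throwaway self-signed certificate, only to
# exercise the functions; in production use a certificate from your PKI.
demo() {
  local dir
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=ocspd.example.internal" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  build_keystore "$dir/key.pem" "$dir/cert.pem" "$dir/keystore.p12" "change-me" \
    && verify_keystore "$dir/keystore.p12" "change-me" \
    && keystore_env "change-me"
  printf 'keystore written to %s/keystore.p12\n' "$dir"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Mount the resulting file read-only at the path given in HTTPS_KEYSTORE_PATH (for example with `-v /srv/ocspd/keystore.p12:/ocspd/tls/keystore.p12:ro`) and restart the container; if the password in HTTPS_KEYSTORE_PASSWORD does not match, verify_keystore fails in the same way OCSPd will.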
Mailer configuration
Variable | Description | Default |
---|---|---|
SMTP_HOST | SMTP host | |
SMTP_PORT | SMTP port | |
SMTP_SSL | Whether SSL should be used | |
SMTP_TLS | Whether TLS should be used | |
SMTP_USER | SMTP user | |
SMTP_PASSWORD | SMTP password | |
Radius configuration
Variable | Description | Default |
---|---|---|
RADIUS_HOST | Radius host | |
RADIUS_SECRET | Radius shared secret | |
RADIUS_PORT | Radius port | |
RADIUS_PROTOCOL | Radius protocol, … | |
LDAP configuration
Variable | Description | Default |
---|---|---|
LDAP_HOST | LDAP host | |
LDAP_PORT | LDAP port | |
LDAP_SSL | Whether SSL (LDAPS) should be used for the LDAP connection | |
LDAP_BIND_DN | Bind DN used to authenticate to LDAP | |
LDAP_BIND_PASSWORD | Bind password used to authenticate to LDAP | |
LDAP_BASE_DN | LDAP base DN | |
LDAP_USERNAME_ATTRIBUTE | LDAP username attribute | |
Without LDAP_SSL the bind password and user lookups travel in clear text to the directory; use a dedicated, read-only bind account with the least privilege needed to search under LDAP_BASE_DN.