F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP Local Traffic Manager: Implementations
  3. Configuring Remote CRLDP Authentication
Manual Chapter : Configuring Remote CRLDP Authentication

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP APM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP Analytics

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP Link Controller

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP LTM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP PEM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP AFM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP DNS

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP ASM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Manual Chapter

Configuring Remote CRLDP Authentication

Overview of remote authentication for application traffic

As an administrator in a large computing environment, you can set up the BIG-IP® system to use this server to authenticate any network traffic passing through the BIG-IP system. This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers typically use one of these protocols:
  • Lightweight Directory Access Protocol (LDAP)
  • Remote Authentication Dial-in User Service (RADIUS)
  • TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
  • Online Status Certificate Protocol (OCSP)
  • Certificate Revocation List Distribution Point (CRLDP)
To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP configuration object and an LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object. For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.

Task summary for configuring remote CRLDP authentication

To configure remote authentication with CRLDP, you must create a configuration object and a profile that correspond to the authentication server you are using to store your user accounts. You must also create a third type of object. This object is referred to as a server object.

Creating a CRLDP configuration object for authenticating application traffic remotely

The CRLDP authentication module verifies the revocation status of an SSL certificate, as part of authenticating that certificate. A
CRLDP configuration object
 specifies information that the BIG-IP system needs to perform the remote authentication.
  1. On the Main tab of the navigation pane, click
    Local Traffic
    Profiles
    .
  2. From the Authentication menu, choose
    Configurations
    .
  3. Click
    Create
    .
  4. In the
    Name
     field, type a unique name for the configuration object, such as
    my_crldp_config
    .
  5. From the
    Type
     list, select
    CRLDP
    .
  6. In the
    Connection Timeout
     field, retain or change the time limit, in seconds, for the connection to the Certificate Revocation List Distribution Points (CRLDP) server.
  7. In the
    Update Interval
     field, retain or change the interval, in seconds, for the system to use when receiving updates from the CRLDP server.
    If you use the default value of
    0
     (zero), the CRLDP server updates the system according to the expiration time specified for the CRL.
  8. For the
    Use Issuer
     setting, retain the default value (cleared) or select the box.
    When cleared (disabled), the BIG-IP system extracts the CRL distribution point from the incoming client certificate. When selected (enabled), the BIG-IP system extracts the CRL distribution point from the signing certificate.
  9. For the
    CRLDP Servers
     setting, select a CRLDP server name in the
    Available
     list, and using the Move button, move the name to the
    Selected
     list.
  10. Click
    Finished
    .
You now have a CRLDP configuration object that a CRLDP profile can reference.

Creating a custom CRLDP profile

The next task in configuring CRLDP-based remote authentication on the BIG-IP system is to create a custom CRLDP profile.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Authentication
    Profiles
    .
    The Profiles list screen opens.
  2. Click
    Create
    .
    The New Authentication Profile screen opens.
  3. In the
    Name
     field, type a unique name for the profile.
  4. Select
    CRLDP
     from the
    Type
     list.
  5. Select
    ssl_crldp
     in the
    Parent Profile
     list.
  6. Select the
    Custom
     check box.
  7. Select a CRLDP configuration object from the
    Configuration
     list.
  8. Click
    Finished
    .

Modifying a virtual server for CRLDP authentication

The final task in the process of implementing CRLDP authentication is to assign the custom CRLDP profile to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of a virtual server.
  3. From the
    Configuration
     list, select
    Advanced
    .
  4. For the
    Authentication Profiles
     setting, in the
    Available
     field, select a custom CRLDP profile, and using the
    Move
     button, move the custom CRLDP profile to the
    Selected
     field.
  5. Click
    Update
     to save the changes.
The virtual server is assigned the custom CRLDP profile.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information