Manual Chapter : Configuring Remote SSL OCSP Authentication

Applies To: BIG-IP AAM, BIG-IP APM, BIG-IP Analytics, BIG-IP Link Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP AFM, BIG-IP DNS, BIG-IP ASM (versions 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0)

Overview of remote authentication for application traffic

As an administrator in a large computing environment, you can set up the BIG-IP® system to use a remote authentication server to authenticate any network traffic passing through the BIG-IP system. This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers typically use one of these protocols:
  • Lightweight Directory Access Protocol (LDAP)
  • Remote Authentication Dial-in User Service (RADIUS)
  • TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
  • Online Certificate Status Protocol (OCSP)
  • Certificate Revocation List Distribution Point (CRLDP)
To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP configuration object and an LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object. For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.

Task summary for configuring remote SSL OCSP authentication

To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts.
When implementing an SSL OCSP authentication module, you must also create a third type of object. This object is referred to as an OCSP responder.

Creating an SSL OCSP responder object for authenticating application traffic remotely

An SSL Online Certificate Status Protocol (OCSP) responder object is an object that includes a URL for an external SSL OCSP responder. You must create a separate SSL OCSP responder object for each external SSL OCSP responder.
  1. On the Main tab of the navigation pane, click Local Traffic > Profiles.
  2. From the Authentication menu, select OCSP Responders.
  3. Click Create.
  4. In the Name field, type a unique name for the responder object, such as my_ocsp_responder.
  5. In the URL field, type the URL that you want the BIG-IP system to use to contact the OCSP service on the responder.
  6. In the Certificate Authority File field, type the name of the file containing trusted Certificate Authority (CA) certificates that the BIG-IP system uses to verify the signature on the OCSP response.

Creating an SSL OCSP configuration object for authenticating application traffic remotely

The BIG-IP system configuration must include at least one SSL OCSP responder object. An SSL OCSP authentication module checks the revocation status of an SSL certificate during remote authentication, as part of authenticating that certificate.
  1. On the Main tab of the navigation pane, click Local Traffic > Profiles.
  2. From the Authentication menu, choose Configurations.
  3. Click Create.
  4. In the Name field, type a unique name for the configuration object, such as my_ocsp_config.
  5. From the Type list, select SSL OCSP.
  6. For the Responders setting, select a responder server name from the Available list, and using the Move button, move the name to the Selected list.
  7. Click Finished.
You now have an SSL OCSP configuration object that an SSL OCSP profile can reference.

Creating a custom SSL OCSP profile

The next task in configuring SSL OCSP-based remote authentication on the BIG-IP system is to create a custom SSL OCSP profile.
  1. On the Main tab, click Local Traffic > Profiles > Authentication > Profiles.
     The Profiles list screen opens.
  2. Click Create.
     The New Authentication Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select SSL OCSP from the Type list.
  5. Select the Custom check box.
  6. Select an SSL OCSP configuration object from the Configuration list.
  7. Select ssl_ocsp in the Parent Profile list.
  8. Click Finished.
The custom SSL OCSP profile appears in the Profiles:Authentication:Profiles list.

Modifying a virtual server for SSL OCSP authentication

The final task in the process of implementing SSL OCSP authentication is to assign the custom SSL OCSP profile to a virtual server that is configured to process HTTP traffic (that is, a virtual server to which an HTTP profile is assigned).
  1. On the Main tab, click Local Traffic > Virtual Servers.
     The Virtual Server List screen opens.
  2. Click the name of a virtual server.
  3. From the Configuration list, select Advanced.
  4. For the Authentication Profiles setting, in the Available field, select a custom SSL OCSP profile, and using the Move button, move the custom SSL OCSP profile to the Selected field.
  5. Click Update to save the changes.
The virtual server is assigned the custom SSL OCSP profile.
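The same four objects (responder, configuration, profile, virtual server assignment) can be created from the tmsh command line. The session below is an added example and not part of this manual chapter; the object names, the virtual server name, the responder URL and the CA file name are placeholders, and the property names follow the tmsh `ltm auth` command family as documented for these releases (confirm them with `help ltm auth ocsp-responder` inside tmsh on your system).

```tmsh
# Added example: tmsh equivalent of the GUI tasks in this chapter.
# Commands are typed inside an interactive tmsh session (run "tmsh" from bash first).
# All names, the URL and the CA file are placeholders; substitute your own.

# 1. Responder object: the URL the BIG-IP system contacts for OCSP, and the
#    trusted CA certificate file used to verify the signature on each response.
#    Create one responder object per external OCSP responder.
create ltm auth ocsp-responder my_ocsp_responder url http://ocsp.example.com/ ca-file ocsp-signing-ca.crt

# 2. SSL OCSP configuration object that references the responder object(s).
create ltm auth ssl-ocsp my_ocsp_config responders add { my_ocsp_responder }

# 3. Custom SSL OCSP profile, derived from the default ssl_ocsp parent profile.
create ltm auth profile my_ocsp_profile type ssl-ocsp configuration my_ocsp_config defaults-from ssl_ocsp

# 4. Assign the profile to a virtual server that already has an HTTP profile.
modify ltm virtual my_http_virtual auth add { my_ocsp_profile }

# Verify the result: the custom profile is listed under the virtual server's auth setting,
# and the responder object shows the URL and CA file you entered.
list ltm virtual my_http_virtual auth
list ltm auth ocsp-responder my_ocsp_responder

# Persist the running configuration.
save sys config
```

If `list ltm auth ocsp-responder` shows an empty or wrong `ca-file`, responses from the responder cannot be signature-checked and the authentication module will not trust them, so fix that before relying on the profile.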