Manual Chapter :
Configuring Remote SSL OCSP Authentication
Applies To:
BIG-IP AAM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP APM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP Analytics
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP Link Controller
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP LTM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP PEM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP AFM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP DNS
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP ASM
- 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Overview of remote authentication for application traffic
As an administrator in a large computing environment, you can set up the BIG-IP® system to use a remote authentication server to authenticate any network traffic passing through the BIG-IP system. This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers typically use one of these protocols:
- Lightweight Directory Access Protocol (LDAP)
- Remote Authentication Dial-in User Service (RADIUS)
- TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
- Online Certificate Status Protocol (OCSP)
- Certificate Revocation List Distribution Point (CRLDP)
To configure remote authentication for this type of traffic, you must create a configuration object and a
profile that correspond to the type of authentication server you are using to store your user
accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP
configuration object and an LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP
authentication module, you must also create a third type of object. For RADIUS and CRLDP
authentication, this object is referred to as a server object. For SSL OCSP authentication, this
object is referred to as an OCSP responder.
Task summary for configuring remote SSL OCSP authentication
To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts. When implementing an SSL OCSP authentication module, you must also create a third type of object. This object is referred to as an OCSP responder.
Creating an SSL OCSP responder object for authenticating application traffic remotely
An SSL Online Certificate Status Protocol (OCSP) responder object is an object that includes a URL for an external SSL OCSP responder. You must create a separate SSL OCSP responder object for each external SSL OCSP responder.
- On the Main tab of the navigation pane, click.
- From the Authentication menu, select OCSP Responders.
- Click Create.
- In the Name field, type a unique name for the responder object, such as my_ocsp_responder.
- In the URL field, type the URL that you want the BIG-IP system to use to contact the OCSP service on the responder.
- In the Certificate Authority File field, type the name of the file containing trusted Certificate Authority (CA) certificates that the BIG-IP system uses to verify the signature on the OCSP response.
Creating an SSL OCSP configuration object for authenticating application traffic remotely
The BIG-IP system configuration must include at least one SSL OCSP responder object.
An SSL OCSP authentication module checks the revocation status of an SSL certificate during remote authentication, as part of authenticating that certificate.
- On the Main tab of the navigation pane, click.
- From the Authentication menu, choose Configurations.
- Click Create.
- In the Name field, type a unique name for the configuration object, such as my_ocsp_config.
- From the Type list, select SSL OCSP.
- For the Responders setting, select a responder server name from the Available list, and using the Move button, move the name to the Selected list.
- Click Finished.
You now have an SSL OCSP configuration object that an SSL OCSP profile can reference.
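The responder object's CA file exists so that the BIG-IP system can reject an OCSP response whose signature does not verify under a trusted CA, and the configuration object then relies on the responder's answer for the revocation status. The following is an added example, not F5 code, that reproduces that check offline with the Python `cryptography` library: it constructs a throwaway CA and client certificate, signs a response the way an external responder at the configured URL would, and shows that a response signed by a key outside the CA file yields no usable status.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, as the builders expect

def _cert(cn, issuer_cn, issuer_key, pubkey, is_ca):
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def build_pki(label="Constructed CA"):
    """Constructed test PKI: a CA that also signs OCSP responses, plus one client certificate."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = _cert(label, label, ca_key, ca_key.public_key(), True)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return ca_cert, ca_key, _cert("client", label, ca_key, leaf_key.public_key(), False)

def build_ocsp_response(signer_cert, signer_key, leaf_cert, status="good"):
    """Stand-in for the external responder at the configured URL: a signed DER response."""
    st = {"good": ocsp.OCSPCertStatus.GOOD, "revoked": ocsp.OCSPCertStatus.REVOKED}[status]
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf_cert, issuer=signer_cert, algorithm=hashes.SHA256(), cert_status=st,
        this_update=NOW, next_update=NOW + timedelta(hours=1),
        revocation_time=NOW if st is ocsp.OCSPCertStatus.REVOKED else None,
        revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert)
    return builder.sign(signer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def check_ocsp_response(der, trusted_cas, leaf_cert):
    """The check the CA file enables: use the status only if the response is successful,
    is about this certificate, and its signature verifies under one of the trusted CAs."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "error:" + resp.response_status.name.lower()
    if resp.serial_number != leaf_cert.serial_number:
        return "mismatch"
    for ca in trusted_cas:
        try:
            ca.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   padding.PKCS1v15(), resp.signature_hash_algorithm)
            return resp.certificate_status.name.lower()  # "good", "revoked" or "unknown"
        except InvalidSignature:
            continue
    return "untrusted"  # signed by no CA in the file: the status must not be relied on
```

A production check also compares this_update and next_update against the current time and rejects stale responses; that part is omitted here to keep the example short.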
Creating a custom SSL OCSP profile
The next task in configuring SSL OCSP-based remote authentication on the BIG-IP system is to create a custom SSL OCSP profile.
- On the Main tab, click. The Profiles list screen opens.
- Click Create. The New Authentication Profile screen opens.
- In the Name field, type a unique name for the profile.
- Select SSL OCSP from the Type list.
- Select the Custom check box.
- Select an SSL OCSP configuration object from the Configuration list.
- Select ssl_ocsp in the Parent Profile list.
- Click Finished.
The custom SSL OCSP profile appears in the Profiles:Authentication:Profiles list.
Modifying a virtual server for SSL OCSP authentication
The final task in the process of implementing SSL OCSP authentication is to assign
the custom SSL OCSP profile to a virtual server that is configured to process HTTP
traffic (that is, a virtual server to which an HTTP profile is assigned).
- On the Main tab, click. The Virtual Server List screen opens.
- Click the name of a virtual server.
- From the Configuration list, select Advanced.
- For the Authentication Profiles setting, in the Available field, select a custom SSL OCSP profile, and using the Move button, move the custom SSL OCSP profile to the Selected field.
- Click Update to save the changes.
The virtual server is assigned the custom SSL OCSP profile.