Applies To:
Show VersionsBIG-IP APM
- 13.1.3, 13.1.1, 13.1.0
About OCSP authentication
Access Policy Manager® (APM®) supports authenticating a client using Online Certificate Status Protocol (OCSP). OCSP is a mechanism used to retrieve the revocation status of an X.509 certificate by sending machine or user certificate information to a remote OCSP responder. This responder maintains up-to-date information about the certificate's revocation status. OCSP ensures that APM always obtains real-time revocation status during the certificate verification process.
Overview: Verifying machine certificate revocation status with OCSP
Access Policy Manager® supports using Online Certificate Status Protocol (OCSP) to verify the revocation status of a machine certificate.
You must have already configured the access profile to which you want to add OCSP authentication.
Task summary
Configuring an OCSP responder
Adding OCSP machine certificate verification to an access policy
Overview: Verifying user certificate revocation status with OCSP
Access Policy Manager® supports using Online Certificate Status Protocol (OCSP) to verify the revocation status of a user certificate.
You must have already configured the access profile to which you want to add OCSP authentication.
Task summary
Configuring an OCSP responder
Adding OCSP user certificate verification to an access policy
Configuring a client SSL profile for OCSP
Adding client-side SSL and access profiles to a virtual server
OCSP session variables
When the OCSP Auth access policy item runs, it relies on information stored in session variables. Various access policy items can populate the session variables. This table lists the session variables and access policy items that can populate them.
Session variables for OCSP
Session Variable | Source | Description |
---|---|---|
session.ssl.cert.whole |
Cert Inspection On-Demand Cert Auth Variable Assign |
Provides the client certificate received from the user in PEM format. (Used for verifying the revocation status of a user certificate.) |
session.ssl.cert.certissuer |
Cert Inspection On-Demand Cert Auth Variable Assign |
Provides the issuer certificate of the client certificate in PEM format. (Used for verifying the revocation status of a user certificate.) |
session.check_machinecert.last.cert.cert |
Machine Cert Auth Variable Assign |
Provides the encrypted text of the machine certificate. (Used for verifying the revocation status of a machine certificate.) |
session.check_machinecert.last.cert.issuer.cert |
Machine Cert Auth Variable Assign |
Provides the issuer certificate of the machine certificate. (Used for verifying the revocation status of a machine certificate.) |
OCSP authentication troubleshooting tips
You might run into problems with OCSP authentication in some instances. Follow these tips to try to resolve any issues you might encounter.
OCSP auth and query troubleshooting
Possible error messages | Possible explanations and corrective actions |
---|---|
No AAA server associated with the agent | Make sure that a valid OCSP responder configuration is assigned to the OCSP agent in the access policy. |
User/Issuer certificate not found for the session | The user/issuer certificate session variables are missing. For a user certificate, make sure that either the Client Cert Inspection agent or On-Demand Cert Auth agent is configured in the access policy, or, use a variable assignment agent to create session variables. For a machine certificate, make sure that the Machine Cert Auth agent is configured or use variable assignment to create the session variables. |
Failure to connect to OCSP responder (BIO callback failure) | Make sure that the OCSP responder is up and running and reachable from the BIG-IP® system. |
Error parsing the OCSP response (invalid response) | Indicates that no valid basic response was found in the OCSP response. Check the configuration on the remote OCSP responder. |
Error signing OCSP request | Make sure that the signing certificate and key are valid. |
No valid nonce found in the response | This happens when the nonce setting is enabled on the OCSP responder configuration and the received OCSP response does not contain a valid nonce. Check the remote OCSP responder connection and setting. |
Nonce verification failed | This happens when the nonce received in the response does not match with the nonce sent in the request. Make sure that the connection from BIG-IP system to OCSP responder is secure. |
Failure to verify response | Make sure that the OCSP responder has a valid CA and verify other certificate settings. |
Status times invalid | Make sure that the BIG-IP system and OCSP responder clocks are in sync. |
OCSP response - Cert with serial number 'x' has been revoked | Indicates that the status of the user, or machine, certificate is revoked. |
Failed to add cert to OCSP request | Indicates a failure in creating the OCSP request; either the supplied user/issuer certificates are not valid or the CertID digest configured in the OCSP responder setting is not valid. |
Failed to initialize OCSP Auth Module | This might indicate that the certificate authority file that was imported into the BIG-IP® system is in DER encoding format. Transform the certificate authority file from DER to PEM encoding format and import it again. |