Applies To:
Show VersionsBIG-IP LTM
- 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Configuring Remote SSL OCSP Authentication
Overview of remote authentication for application traffic
As an administrator in a large computing environment, you can set up the BIG-IP system to use this server to authenticate any network traffic passing through the BIG-IP system. This type of traffic passes through a virtual server and through Traffic Management Microkernel (TMM) interfaces. Remote authentication servers typically use one of these protocols:
- Lightweight Directory Access Protocol (LDAP)
- Remote Authentication Dial-in User Service (RADIUS)
- TACACS+ (derived from Terminal Access Controller Access Control System [TACACS])
- Online Status Certificate Protocol (OCSP)
- Certificate Revocation List Distribution Point (CRLDP)
- Kerberos
To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts. For example, if your remote authentication server is an LDAP server, you create an LDAP configuration object and an LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object. For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.
Task Summary
To configure remote authentication for this type of traffic, you must create a configuration object and a profile that correspond to the type of authentication server you are using to store your user accounts.
When implementing an SSL OCSP authentication module, you must also create a third type of object. This object is referred to as an OCSP responder.
Task list
Creating an SSL OSCP responder object for authenticating application traffic remotely
- On the Main tab of the navigation pane, click .
- From the Authentication menu, choose OCSP Responders.
- Click Create.
- In the Namefield, type a unique name for the responder object, such asmy_ocsp_responder.
- In the URL field, type the URL that you want the BIG-IP system to use to contact the Online Certificate Status Protocol (OCSP) service on the responder.
- In the Certificate Authority File field, type the name of the file containing trusted Certificate Authority (CA) certificates that the BIG-IP system uses to verify the signature on the OCSP response.
Creating an SSL OCSP configuration object for authenticating application traffic remotely
- On the Main tab of the navigation pane, click .
- From the Authentication menu, choose Configurations.
- Click Create.
- In the Name field, type a unique name for the configuration object, such asmy_ocsp_config.
- From the Type list, select SSL OCSP.
- For the Responders setting, select a responder server name from the Available list, and using the Move button, move the name to the Selected list.
- Click Finished.