CRLDP Server
Overview
This document describes the API to configure AAA CRLDP servers and their properties in BIG-IQ.
REST Endpoint: /cm/access/working-config/apm/aaa/crldp
Requests
GET /cm/access/working-config/apm/aaa/crldp/<id>
Request Parameters
None
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Type | Description |
---|---|---|
address | string | Specify IP addresses of the CRLDP servers to which APM can connect for AAA services. |
usePool | string | Specify CRLDP servers for APM to use to authenticate users. Use Pool to create a high availability configuration. Use Direct to specify one CRLDP server for APM to authenticate users. |
pool | string | For the pool name, first create the pool and pool members. The LTM pool must be configured with the CRLDP server IPs as its pool members. Then associate the pool in this property. |
allowNullcrl | string | If enabled, a null CRL from the CRLDP server is considered a successful authentication. |
baseDn | string | Specifies a CRLDP base distinguished name for certificates that specify the CRL distribution point in directory name (dirName) format. This is used when the value of the X509v3 attribute crlDistributionPoints is of type dirName. In this case, Access Policy Manager attempts to match the value of the crlDistributionPoints attribute to the Base DN value. Note: If the client certificate includes the distribution point extension in LDAP URI format, the IP address, Base DN, and Reverse DN settings configured on the agent are ignored; they are specific to directory-based CRLDP. All other settings are applicable to both LDAP URI and directory-based CRL DPs. |
cacheExpire | number | Specifies the number of seconds a CRL is cached. The default is 86400 seconds and, when it is used, the entry is deleted from the CRL cache after 24 hours. |
connectionTimeout | number | Specifies the number of seconds of inactivity the system allows before the connection times out. The default is 15 seconds. |
port | number | Specifies a CRLDP service port. The default is 389. |
reverseDn | string | Specifies in which order the system should attempt to match the Base DN value to the value of the X509v3 attribute crlDistributionPoints. Possible values are Enabled and Disabled. When set to Enabled, the system matches the base DN from left to right, or from the beginning of the DN string, to accommodate dirName strings in certificates such as c=us,st=wa,l=sea,ou=f5,cn=xxx. |
updateInterval | number | Specifies the validity (in seconds) of the CRL file. To force the retrieval of a CRL file before the current CRL becomes obsolete, set this value to less than the CRL expiration time. If the value is zero (default), the CRLDP action uses the expiration time specified by the CA’s CRL publishing parameters (the Next update parameter). |
useIssuer | string | If enabled, the system extracts the CRL distribution point from the certificate of the client certificate issuer. |
verifySig | string | Specifies, when checked (enabled), that the signature on the received CRL is verified. By default, the check box is enabled. |
name | string | The name of the object |
partition | string | The BIG-IP partition where the object should be placed |
subPath | string | The BIG-IP folder where the object should be placed |
lsoDeviceReference | reference | Reference to the device |
id | string | Id of the device. |
name | string | Device name. Typically it is device’s hostname. |
kind | string | Kind of the device. |
machineId | string | Machine ID of the device. |
link | string | URI link of the reference. |
isLsoShared | boolean | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | Reference to the device group. |
name | string | Name of the resource |
kind | string | The kind of the resource. |
link | string | URI link of the reference. |
id | string | An ID of an application |
lastUpdateMicros | number | The last updated time in microseconds. |
kind | string | The kind of an application. |
selfLink | string | The selfLink of an application. |
Error Response
HTTP/1.1 400 Bad Request
This response status is related to error conditions. A detailed error message displays in the response.
HTTP/1.1 401 Unauthorized
This response happens when access is denied due to invalid credentials (no permission).
Permissions
Role | Allow |
---|---|
Application_Editor | Yes |
Service_Catalog_Viewer | Yes |
Service_Catalog_Editor | Yes |
Trust_Discovery_Import | Yes |
Access_View | Yes |
Access_Edit | Yes |
Access_Manager | Yes |
Application_Manager | Yes |
Application_Viewer | Yes |
Trust_Discovery_Import | Yes |
Access_Deploy | Yes |
Access_Policy_Editor | Yes |
POST /cm/access/working-config/apm/aaa/crldp
Request Parameters
Name | Type | Required | Description |
---|---|---|---|
address | string | False | Specify IP addresses of the CRLDP servers to which APM can connect for AAA services. |
usePool | string | True | Specify CRLDP servers for APM to use to authenticate users. Use Pool to create a high availability configuration. Use Direct to specify one CRLDP server for APM to authenticate users. |
pool | string | False | For the pool name, first create the pool and pool members. The LTM pool must be configured with the CRLDP server IPs as its pool members. Then associate the pool in this property. |
allowNullcrl | string | False | If enabled, a null CRL from the CRLDP server is considered a successful authentication. |
baseDn | string | True | Specifies a CRLDP base distinguished name for certificates that specify the CRL distribution point in directory name (dirName) format. This is used when the value of the X509v3 attribute crlDistributionPoints is of type dirName. In this case, Access Policy Manager attempts to match the value of the crlDistributionPoints attribute to the Base DN value. Note: If the client certificate includes the distribution point extension in LDAP URI format, the IP address, Base DN, and Reverse DN settings configured on the agent are ignored; they are specific to directory-based CRLDP. All other settings are applicable to both LDAP URI and directory-based CRL DPs. |
cacheExpire | number | True | Specifies the number of seconds a CRL is cached. The default is 86400 seconds and, when it is used, the entry is deleted from the CRL cache after 24 hours. |
connectionTimeout | number | True | Specifies the number of seconds of inactivity the system allows before the connection times out. The default is 15 seconds. |
port | number | False | Specifies a CRLDP service port. The default is 389. |
reverseDn | string | False | Specifies in which order the system should attempt to match the Base DN value to the value of the X509v3 attribute crlDistributionPoints. Possible values are Enabled and Disabled. When set to Enabled, the system matches the base DN from left to right, or from the beginning of the DN string, to accommodate dirName strings in certificates such as c=us,st=wa,l=sea,ou=f5,cn=xxx. |
updateInterval | number | True | Specifies the validity (in seconds) of the CRL file. To force the retrieval of a CRL file before the current CRL becomes obsolete, set this value to less than the CRL expiration time. If the value is zero (default), the CRLDP action uses the expiration time specified by the CA’s CRL publishing parameters (the Next update parameter). |
useIssuer | string | False | If enabled, the system extracts the CRL distribution point from the certificate of the client certificate issuer. |
verifySig | string | False | Specifies, when checked (enabled), that the signature on the received CRL is verified. By default, the check box is enabled. |
name | string | True | The name of the object |
partition | string | True | The BIG-IP partition where the object should be placed |
subPath | string | False | The BIG-IP folder where the object should be placed |
lsoDeviceReference | reference | False | Reference to the device |
id | string | False | Id of the device. |
link | string | False | URI link of the reference. |
isLsoShared | boolean | True | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | False | Reference to the device group. |
link | string | False | URI link of the reference. |
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Type | Description |
---|---|---|
address | string | Specify IP addresses of the CRLDP servers to which APM can connect for AAA services. |
usePool | string | Specify CRLDP servers for APM to use to authenticate users. Use Pool to create a high availability configuration. Use Direct to specify one CRLDP server for APM to authenticate users. |
pool | string | For the pool name, first create the pool and pool members. The LTM pool must be configured with the CRLDP server IPs as its pool members. Then associate the pool in this property. |
allowNullcrl | string | If enabled, a null CRL from the CRLDP server is considered a successful authentication. |
baseDn | string | Specifies a CRLDP base distinguished name for certificates that specify the CRL distribution point in directory name (dirName) format. This is used when the value of the X509v3 attribute crlDistributionPoints is of type dirName. In this case, Access Policy Manager attempts to match the value of the crlDistributionPoints attribute to the Base DN value. Note: If the client certificate includes the distribution point extension in LDAP URI format, the IP address, Base DN, and Reverse DN settings configured on the agent are ignored; they are specific to directory-based CRLDP. All other settings are applicable to both LDAP URI and directory-based CRL DPs. |
cacheExpire | number | Specifies the number of seconds a CRL is cached. The default is 86400 seconds and, when it is used, the entry is deleted from the CRL cache after 24 hours. |
connectionTimeout | number | Specifies the number of seconds of inactivity the system allows before the connection times out. The default is 15 seconds. |
port | number | Specifies a CRLDP service port. The default is 389. |
reverseDn | string | Specifies in which order the system should attempt to match the Base DN value to the value of the X509v3 attribute crlDistributionPoints. Possible values are Enabled and Disabled. When set to Enabled, the system matches the base DN from left to right, or from the beginning of the DN string, to accommodate dirName strings in certificates such as c=us,st=wa,l=sea,ou=f5,cn=xxx. |
updateInterval | number | Specifies the validity (in seconds) of the CRL file. To force the retrieval of a CRL file before the current CRL becomes obsolete, set this value to less than the CRL expiration time. If the value is zero (default), the CRLDP action uses the expiration time specified by the CA’s CRL publishing parameters (the Next update parameter). |
useIssuer | string | If enabled, the system extracts the CRL distribution point from the certificate of the client certificate issuer. |
verifySig | string | Specifies, when checked (enabled), that the signature on the received CRL is verified. By default, the check box is enabled. |
name | string | The name of the object |
partition | string | The BIG-IP partition where the object should be placed |
subPath | string | The BIG-IP folder where the object should be placed |
lsoDeviceReference | reference | Reference to the device |
id | string | Id of the device. |
name | string | Device name. Typically it is device’s hostname. |
kind | string | Kind of the device. |
machineId | string | Machine ID of the device. |
link | string | URI link of the reference. |
isLsoShared | boolean | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | Reference to the device group. |
name | string | Name of the resource |
kind | string | The kind of the resource. |
link | string | URI link of the reference. |
id | string | An ID of an application |
lastUpdateMicros | number | The last updated time in microseconds. |
kind | string | The kind of an application. |
selfLink | string | The selfLink of an application. |
Error Response
HTTP/1.1 400 Bad Request
This response status is related to error conditions. A detailed error message displays in the response.
HTTP/1.1 401 Unauthorized
This response happens when access is denied due to invalid credentials (no permission).
Permissions
Role | Allow |
---|---|
Application_Editor | No |
Service_Catalog_Viewer | No |
Service_Catalog_Editor | No |
Trust_Discovery_Import | Yes |
Access_View | No |
Access_Edit | Yes |
Access_Manager | Yes |
Application_Manager | No |
Application_Viewer | No |
Trust_Discovery_Import | No |
Access_Deploy | No |
Access_Policy_Editor | No |
PUT /cm/access/working-config/apm/aaa/crldp/<id>
Request Parameters
Name | Type | Required | Description |
---|---|---|---|
address | string | False | Specify IP addresses of the CRLDP servers to which APM can connect for AAA services. |
usePool | string | True | Specify CRLDP servers for APM to use to authenticate users. Use Pool to create a high availability configuration. Use Direct to specify one CRLDP server for APM to authenticate users. |
pool | string | False | For the pool name, first create the pool and pool members. The LTM pool must be configured with the CRLDP server IPs as its pool members. Then associate the pool in this property. |
allowNullcrl | string | False | If enabled, a null CRL from the CRLDP server is considered a successful authentication. |
baseDn | string | False | Specifies a CRLDP base distinguished name for certificates that specify the CRL distribution point in directory name (dirName) format. This is used when the value of the X509v3 attribute crlDistributionPoints is of type dirName. In this case, Access Policy Manager attempts to match the value of the crlDistributionPoints attribute to the Base DN value. Note: If the client certificate includes the distribution point extension in LDAP URI format, the IP address, Base DN, and Reverse DN settings configured on the agent are ignored; they are specific to directory-based CRLDP. All other settings are applicable to both LDAP URI and directory-based CRL DPs. |
cacheExpire | number | False | Specifies the number of seconds a CRL is cached. The default is 86400 seconds and, when it is used, the entry is deleted from the CRL cache after 24 hours. |
connectionTimeout | number | False | Specifies the number of seconds of inactivity the system allows before the connection times out. The default is 15 seconds. |
port | number | False | Specifies a CRLDP service port. The default is 389. |
reverseDn | string | False | Specifies in which order the system should attempt to match the Base DN value to the value of the X509v3 attribute crlDistributionPoints. Possible values are Enabled and Disabled. When set to Enabled, the system matches the base DN from left to right, or from the beginning of the DN string, to accommodate dirName strings in certificates such as c=us,st=wa,l=sea,ou=f5,cn=xxx. |
updateInterval | number | False | Specifies the validity (in seconds) of the CRL file. To force the retrieval of a CRL file before the current CRL becomes obsolete, set this value to less than the CRL expiration time. If the value is zero (default), the CRLDP action uses the expiration time specified by the CA’s CRL publishing parameters (the Next update parameter). |
useIssuer | string | False | If enabled, the system extracts the CRL distribution point from the certificate of the client certificate issuer. |
verifySig | string | False | Specifies, when checked (enabled), that the signature on the received CRL is verified. By default, the check box is enabled. |
name | string | False | The name of the object |
partition | string | False | The BIG-IP partition where the object should be placed |
subPath | string | False | The BIG-IP folder where the object should be placed |
lsoDeviceReference | reference | False | Reference to the device |
id | string | False | Id of the device. |
name | string | False | Device name. Typically it is device’s hostname. |
kind | string | False | Kind of the device. |
machineId | string | False | Machine ID of the device. |
link | string | False | URI link of the reference. |
isLsoShared | boolean | False | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | False | Reference to the device group. |
name | string | False | Name of the resource |
kind | string | False | The kind of the resource. |
link | string | False | URI link of the reference. |
id | string | False | An ID of an application |
lastUpdateMicros | number | False | The last updated time in microseconds. |
kind | string | False | The kind of an application. |
selfLink | string | False | The selfLink of an application. |
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Type | Description |
---|---|---|
address | string | Specify IP addresses of the CRLDP servers to which APM can connect for AAA services. |
usePool | string | Specify CRLDP servers for APM to use to authenticate users. Use Pool to create a high availability configuration. Use Direct to specify one CRLDP server for APM to authenticate users. |
pool | string | For the pool name, first create the pool and pool members. The LTM pool must be configured with the CRLDP server IPs as its pool members. Then associate the pool in this property. |
allowNullcrl | string | If enabled, a null CRL from the CRLDP server is considered a successful authentication. |
baseDn | string | Specifies a CRLDP base distinguished name for certificates that specify the CRL distribution point in directory name (dirName) format. This is used when the value of the X509v3 attribute crlDistributionPoints is of type dirName. In this case, Access Policy Manager attempts to match the value of the crlDistributionPoints attribute to the Base DN value. Note: If the client certificate includes the distribution point extension in LDAP URI format, the IP address, Base DN, and Reverse DN settings configured on the agent are ignored; they are specific to directory-based CRLDP. All other settings are applicable to both LDAP URI and directory-based CRL DPs. |
cacheExpire | number | Specifies the number of seconds a CRL is cached. The default is 86400 seconds and, when it is used, the entry is deleted from the CRL cache after 24 hours. |
connectionTimeout | number | Specifies the number of seconds of inactivity the system allows before the connection times out. The default is 15 seconds. |
port | number | Specifies a CRLDP service port. The default is 389. |
reverseDn | string | Specifies in which order the system should attempt to match the Base DN value to the value of the X509v3 attribute crlDistributionPoints. Possible values are Enabled and Disabled. When set to Enabled, the system matches the base DN from left to right, or from the beginning of the DN string, to accommodate dirName strings in certificates such as c=us,st=wa,l=sea,ou=f5,cn=xxx. |
updateInterval | number | Specifies the validity (in seconds) of the CRL file. To force the retrieval of a CRL file before the current CRL becomes obsolete, set this value to less than the CRL expiration time. If the value is zero (default), the CRLDP action uses the expiration time specified by the CA’s CRL publishing parameters (the Next update parameter). |
useIssuer | string | If enabled, the system extracts the CRL distribution point from the certificate of the client certificate issuer. |
verifySig | string | Specifies, when checked (enabled), that the signature on the received CRL is verified. By default, the check box is enabled. |
name | string | The name of the object |
partition | string | The BIG-IP partition where the object should be placed |
subPath | string | The BIG-IP folder where the object should be placed |
lsoDeviceReference | reference | Reference to the device |
id | string | Id of the device. |
name | string | Device name. Typically it is device’s hostname. |
kind | string | Kind of the device. |
machineId | string | Machine ID of the device. |
link | string | URI link of the reference. |
isLsoShared | boolean | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | Reference to the device group. |
name | string | Name of the resource |
kind | string | The kind of the resource. |
link | string | URI link of the reference. |
id | string | An ID of an application |
lastUpdateMicros | number | The last updated time in microseconds. |
kind | string | The kind of an application. |
selfLink | string | The selfLink of an application. |
Error Response
HTTP/1.1 400 Bad Request
This response status is related to error conditions. A detailed error message displays in the response.
HTTP/1.1 401 Unauthorized
This response happens when access is denied due to invalid credentials (no permission).
Permissions
Role | Allow |
---|---|
Application_Editor | No |
Service_Catalog_Viewer | No |
Service_Catalog_Editor | No |
Trust_Discovery_Import | Yes |
Access_View | No |
Access_Edit | Yes |
Access_Manager | Yes |
Application_Manager | No |
Application_Viewer | No |
Trust_Discovery_Import | No |
Access_Deploy | No |
Access_Policy_Editor | No |
PATCH /cm/access/working-config/apm/aaa/crldp/<id>
Request Parameters
Name | Type | Required | Description |
---|---|---|---|
address | string | False | Specify IP addresses of the CRLDP servers to which APM can connect for AAA services. |
usePool | string | True | For the pool name, first create the pool and pool members. The LTM pool must be configured with the CRLDP server IPs as its pool members. Then associate the pool in this property. |
allowNullcrl | string | False | If enabled, a null CRL from the CRLDP server is considered a successful authentication. |
baseDn | string | False | Specifies a CRLDP base distinguished name for certificates that specify the CRL distribution point in directory name (dirName) format. This is used when the value of the X509v3 attribute crlDistributionPoints is of type dirName. In this case, Access Policy Manager attempts to match the value of the crlDistributionPoints attribute to the Base DN value. Note: If the client certificate includes the distribution point extension in LDAP URI format, the IP address, Base DN, and Reverse DN settings configured on the agent are ignored; they are specific to directory-based CRLDP. All other settings are applicable to both LDAP URI and directory-based CRL DPs. |
cacheExpire | number | False | Specifies the number of seconds a CRL is cached. The default is 86400 seconds and, when it is used, the entry is deleted from the CRL cache after 24 hours. |
connectionTimeout | number | False | Specifies the number of seconds of inactivity the system allows before the connection times out. The default is 15 seconds. |
port | number | False | Specifies a CRLDP service port. The default is 389. |
reverseDn | string | False | Specifies in which order the system should attempt to match the Base DN value to the value of the X509v3 attribute crlDistributionPoints. Possible values are Enabled and Disabled. When set to Enabled, the system matches the base DN from left to right, or from the beginning of the DN string, to accommodate dirName strings in certificates such as c=us,st=wa,l=sea,ou=f5,cn=xxx. |
updateInterval | number | False | Specifies the validity (in seconds) of the CRL file. To force the retrieval of a CRL file before the current CRL becomes obsolete, set this value to less than the CRL expiration time. If the value is zero (default), the CRLDP action uses the expiration time specified by the CA’s CRL publishing parameters (the Next update parameter). |
useIssuer | string | False | If enabled, the system extracts the CRL distribution point from the certificate of the client certificate issuer. |
verifySig | string | False | Specifies, when checked (enabled), that the signature on the received CRL is verified. By default, the check box is enabled. |
isLsoShared | boolean | False | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Type | Description |
---|---|---|
address | string | Specify IP addresses of the CRLDP servers to which APM can connect for AAA services. |
usePool | string | Specify CRLDP servers for APM to use to authenticate users. Use Pool to create a high availability configuration. Use Direct to specify one CRLDP server for APM to authenticate users. |
pool | string | For the pool name, first create the pool and pool members. The LTM pool must be configured with the CRLDP server IPs as its pool members. Then associate the pool in this property. |
allowNullcrl | string | If enabled, a null CRL from the CRLDP server is considered a successful authentication. |
baseDn | string | Specifies a CRLDP base distinguished name for certificates that specify the CRL distribution point in directory name (dirName) format. This is used when the value of the X509v3 attribute crlDistributionPoints is of type dirName. In this case, Access Policy Manager attempts to match the value of the crlDistributionPoints attribute to the Base DN value. Note: If the client certificate includes the distribution point extension in LDAP URI format, the IP address, Base DN, and Reverse DN settings configured on the agent are ignored; they are specific to directory-based CRLDP. All other settings are applicable to both LDAP URI and directory-based CRL DPs. |
cacheExpire | number | Specifies the number of seconds a CRL is cached. The default is 86400 seconds and, when it is used, the entry is deleted from the CRL cache after 24 hours. |
connectionTimeout | number | Specifies the number of seconds of inactivity the system allows before the connection times out. The default is 15 seconds. |
port | number | Specifies a CRLDP service port. The default is 389. |
reverseDn | string | Specifies in which order the system should attempt to match the Base DN value to the value of the X509v3 attribute crlDistributionPoints. Possible values are Enabled and Disabled. When set to Enabled, the system matches the base DN from left to right, or from the beginning of the DN string, to accommodate dirName strings in certificates such as c=us,st=wa,l=sea,ou=f5,cn=xxx. |
updateInterval | number | Specifies the validity (in seconds) of the CRL file. To force the retrieval of a CRL file before the current CRL becomes obsolete, set this value to less than the CRL expiration time. If the value is zero (default), the CRLDP action uses the expiration time specified by the CA’s CRL publishing parameters (the Next update parameter). |
useIssuer | string | If enabled, the system extracts the CRL distribution point from the certificate of the client certificate issuer. |
verifySig | string | Specifies, when checked (enabled), that the signature on the received CRL is verified. By default, the check box is enabled. |
name | string | The name of the object |
partition | string | The BIG-IP partition where the object should be placed |
subPath | string | The BIG-IP folder where the object should be placed |
lsoDeviceReference | reference | Reference to the device |
id | string | Id of the device. |
name | string | Device name. Typically it is device’s hostname. |
kind | string | Kind of the device. |
machineId | string | Machine ID of the device. |
link | string | URI link of the reference. |
isLsoShared | boolean | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | Reference to the device group. |
name | string | Name of the resource |
kind | string | The kind of the resource. |
link | string | URI link of the reference. |
id | string | An ID of an application |
lastUpdateMicros | number | The last updated time in microseconds. |
kind | string | The kind of an application. |
selfLink | string | The selfLink of an application. |
Error Response
HTTP/1.1 400 Bad Request
This response status is related to error conditions. A detailed error message displays in the response.
HTTP/1.1 401 Unauthorized
This response happens when access is denied due to invalid credentials (no permission).
Permissions
Role | Allow |
---|---|
Application_Editor | No |
Service_Catalog_Viewer | No |
Service_Catalog_Editor | No |
Trust_Discovery_Import | Yes |
Access_View | No |
Access_Edit | Yes |
Access_Manager | Yes |
Application_Manager | No |
Application_Viewer | No |
Trust_Discovery_Import | No |
Access_Deploy | No |
Access_Policy_Editor | No |
DELETE /cm/access/working-config/apm/aaa/crldp/<id>
Request Parameters
None
Query Parameters
None
Response
HTTP/1.1 200 OK
Name | Type | Description |
---|---|---|
address | string | Specify IP addresses of the CRLDP servers to which APM can connect for AAA services. |
usePool | string | Specify CRLDP servers for APM to use to authenticate users. Use Pool to create a high availability configuration. Use Direct to specify one CRLDP server for APM to authenticate users. |
pool | string | For the pool name, first create the pool and pool members. The LTM pool must be configured with the CRLDP server IPs as its pool members. Then associate the pool in this property. |
allowNullcrl | string | If enabled, a null CRL from the CRLDP server is considered a successful authentication. |
baseDn | string | Specifies a CRLDP base distinguished name for certificates that specify the CRL distribution point in directory name (dirName) format. This is used when the value of the X509v3 attribute crlDistributionPoints is of type dirName. In this case, Access Policy Manager attempts to match the value of the crlDistributionPoints attribute to the Base DN value. Note: If the client certificate includes the distribution point extension in LDAP URI format, the IP address, Base DN, and Reverse DN settings configured on the agent are ignored; they are specific to directory-based CRLDP. All other settings are applicable to both LDAP URI and directory-based CRL DPs. |
cacheExpire | number | Specifies the number of seconds a CRL is cached. The default is 86400 seconds and, when it is used, the entry is deleted from the CRL cache after 24 hours. |
connectionTimeout | number | Specifies the number of seconds of inactivity the system allows before the connection times out. The default is 15 seconds. |
port | number | Specifies a CRLDP service port. The default is 389. |
reverseDn | string | Specifies in which order the system should attempt to match the Base DN value to the value of the X509v3 attribute crlDistributionPoints. Possible values are Enabled and Disabled. When set to Enabled, the system matches the base DN from left to right, or from the beginning of the DN string, to accommodate dirName strings in certificates such as c=us,st=wa,l=sea,ou=f5,cn=xxx. |
updateInterval | number | Specifies the validity (in seconds) of the CRL file. To force the retrieval of a CRL file before the current CRL becomes obsolete, set this value to less than the CRL expiration time. If the value is zero (default), the CRLDP action uses the expiration time specified by the CA’s CRL publishing parameters (the Next update parameter). |
useIssuer | string | If enabled, the system extracts the CRL distribution point from the certificate of the client certificate issuer. |
verifySig | string | Specifies, when checked (enabled), that the signature on the received CRL is verified. By default, the check box is enabled. |
name | string | The name of the object. |
partition | string | The BIG-IP partition where the object should be placed. |
subPath | string | The BIG-IP folder where the object should be placed. |
lsoDeviceReference | reference | Reference to the device. Contains the nested fields listed below. |
lsoDeviceReference.id | string | ID of the device. |
lsoDeviceReference.name | string | Device name. Typically it is the device's hostname. |
lsoDeviceReference.kind | string | Kind of the device. |
lsoDeviceReference.machineId | string | Machine ID of the device. |
lsoDeviceReference.link | string | URI link of the reference. |
isLsoShared | boolean | Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations. |
deviceGroupReference | reference | Reference to the device group. Contains the nested fields listed below. |
deviceGroupReference.name | string | Name of the resource. |
deviceGroupReference.kind | string | The kind of the resource. |
deviceGroupReference.link | string | URI link of the reference. |
id | string | An ID of an application. |
lastUpdateMicros | number | The last updated time in microseconds. |
kind | string | The kind of an application. |
selfLink | string | The selfLink of an application. |
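The baseDn and reverseDn rows above describe how Access Policy Manager compares the configured Base DN with a dirName-format crlDistributionPoints value. The following is an added illustration of that comparison in Python, not BIG-IQ or APM code. It assumes that reverseDn=Enabled means the Base DN must match the beginning of the certificate's DN string (root-first strings such as c=us,st=wa,...) and that reverseDn=Disabled means it must match the end (leaf-first DNs such as cn=xxx,...,c=us); the second half of that is an inference from the table, since the page only spells out the Enabled case. Comparison is done one RDN at a time, so a partial RDN is never treated as a match.

```python
import re

# Added example (not BIG-IQ/APM code): models the Base DN vs. dirName matching
# described for the baseDn and reverseDn properties. Assumption: Enabled means
# "Base DN is a prefix of the dirName string", Disabled means "Base DN is a
# suffix of the dirName string".

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not escaped with '\'


def normalize_dn(dn: str) -> list:
    """Split a DN string into a list of (attribute, value) RDNs for comparison.

    Attribute types and values are compared case-insensitively (CN == cn,
    matching the caseIgnore behaviour of the common DN attributes) and
    whitespace around each RDN is ignored.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dirname_matches_base_dn(dirname: str, base_dn: str, reverse_dn: str) -> bool:
    """Return True if the certificate's crlDistributionPoints dirName value
    matches the configured Base DN under the given reverseDn setting.

    Matching is RDN by RDN, so a Base DN of "c=us,st=w" does not match
    "c=us,st=wa,...": partial RDN values are not prefixes.
    """
    cert = normalize_dn(dirname)
    base = normalize_dn(base_dn)
    if not base or len(base) > len(cert):
        return False
    if reverse_dn.strip().lower() in ("enabled", "true"):
        # Enabled: match from the beginning of the DN string (left to right).
        return cert[: len(base)] == base
    # Disabled (assumed): match from the end of the DN string.
    return cert[-len(base):] == base


if __name__ == "__main__":
    cert_dn = "c=us,st=wa,l=sea,ou=f5,cn=xxx"   # root-first dirName, as in the table
    print(dirname_matches_base_dn(cert_dn, "c=us,st=wa", "Enabled"))   # True
    print(dirname_matches_base_dn(cert_dn, "c=us,st=wa", "Disabled"))  # False
```

If the matcher returns False for certificates you expect to pass, check the order in which the issuing CA writes the dirName before changing the Base DN: the reverseDn setting exists precisely because CAs differ on this.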
Error Response¶
HTTP/1.1 400 Bad Request
This response status is related to error conditions. A detailed error message is included in the response.
HTTP/1.1 401 Unauthorized
This response is returned when access is denied due to invalid credentials (no permission).
Permissions¶
Role | Allow |
---|---|
Application_Editor | No |
Service_Catalog_Viewer | No |
Service_Catalog_Editor | No |
Trust_Discovery_Import | Yes |
Access_View | No |
Access_Edit | Yes |
Access_Manager | Yes |
Application_Manager | No |
Application_Viewer | No |
Trust_Discovery_Import | No |
Access_Deploy | No |
Access_Policy_Editor | No |
Examples¶
Get AAA CRLDP Server¶
GET /cm/access/working-config/apm/aaa/crldp/<id>
Response¶
HTTP/1.1 200 OK
{
"address": "1.1.1.18",
"usePool": "enabled",
"pool": "true",
"allowNullcrl": "false",
"baseDn": "CN=lxxx,DC=f5,DC=com",
"cacheExpire": 86400,
"connectionTimeout": 15,
"port": 389,
"reverseDn": "c=us,st=wa,l=sea,ou=f5,cn=xxx.",
"updateInterval": 0,
"useIssuer": "false",
"verifySig": "true",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"name": "bigip.foo.com",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"name": "resourceName",
"kind": "shared:resolver:device-groups:devicegroupstate",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
"generation": 1,
"lastUpdateMicros": 1518743088884807,
"kind": "cm:access:working-config:apm:aaa:active-directory:activedirectorystate",
"selfLink": "cm:access:working-config:apm:aaa:active-directory:activedirectorystate"
}
Create New AAA CRLDP Server¶
POST /cm/access/working-config/apm/aaa/crldp
{
"address": "1.1.1.18",
"usePool": "enabled",
"pool": "true",
"allowNullcrl": "false",
"baseDn": "CN=lxxx,DC=f5,DC=com",
"cacheExpire": 86400,
"connectionTimeout": 15,
"port": 389,
"reverseDn": "c=us,st=wa,l=sea,ou=f5,cn=xxx.",
"updateInterval": 0,
"useIssuer": "false",
"verifySig": "true",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
}
}
Response¶
HTTP/1.1 200 OK
{
"address": "1.1.1.18",
"usePool": "enabled",
"pool": "true",
"allowNullcrl": "false",
"baseDn": "CN=lxxx,DC=f5,DC=com",
"cacheExpire": 86400,
"connectionTimeout": 15,
"port": 389,
"reverseDn": "c=us,st=wa,l=sea,ou=f5,cn=xxx.",
"updateInterval": 0,
"useIssuer": "false",
"verifySig": "true",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"name": "bigip.foo.com",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"name": "resourceName",
"kind": "shared:resolver:device-groups:devicegroupstate",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
"generation": 1,
"lastUpdateMicros": 1518743088884807,
"kind": "cm:access:working-config:apm:aaa:active-directory:activedirectorystate",
"selfLink": "cm:access:working-config:apm:aaa:active-directory:activedirectorystate"
}
Edit AAA CRLDP Server¶
PUT /cm/access/working-config/apm/aaa/crldp/<id>
{
"address": "1.1.1.18",
"usePool": "enabled",
"pool": "true",
"allowNullcrl": "false",
"baseDn": "CN=lxxx,DC=f5,DC=com",
"cacheExpire": 86400,
"connectionTimeout": 15,
"port": 389,
"reverseDn": "c=us,st=wa,l=sea,ou=f5,cn=xxx.",
"updateInterval": 0,
"useIssuer": "false",
"verifySig": "true",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"name": "bigip.foo.com",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"name": "resourceName",
"kind": "shared:resolver:device-groups:devicegroupstate",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
"generation": 1,
"lastUpdateMicros": 1518743088884807,
"kind": "cm:access:working-config:apm:aaa:active-directory:activedirectorystate",
"selfLink": "cm:access:working-config:apm:aaa:active-directory:activedirectorystate"
}
Response¶
HTTP/1.1 200 OK
{
"address": "1.1.1.18",
"usePool": "enabled",
"pool": "true",
"allowNullcrl": "false",
"baseDn": "CN=lxxx,DC=f5,DC=com",
"cacheExpire": 86400,
"connectionTimeout": 15,
"port": 389,
"reverseDn": "c=us,st=wa,l=sea,ou=f5,cn=xxx.",
"updateInterval": 0,
"useIssuer": "false",
"verifySig": "true",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"name": "bigip.foo.com",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"name": "resourceName",
"kind": "shared:resolver:device-groups:devicegroupstate",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
"generation": 1,
"lastUpdateMicros": 1518743088884807,
"kind": "cm:access:working-config:apm:aaa:active-directory:activedirectorystate",
"selfLink": "cm:access:working-config:apm:aaa:active-directory:activedirectorystate"
}
Edit AAA CRLDP Server¶
PATCH /cm/access/working-config/apm/aaa/crldp/<id>
{
"address": "1.1.1.18",
"usePool": "enabled",
"pool": "true",
"allowNullcrl": "false",
"baseDn": "CN=lxxx,DC=f5,DC=com",
"cacheExpire": 86400,
"connectionTimeout": 15,
"port": 389,
"reverseDn": "c=us,st=wa,l=sea,ou=f5,cn=xxx.",
"updateInterval": 0,
"useIssuer": "false",
"verifySig": "true",
"isLsoShared": false
}
Response¶
HTTP/1.1 200 OK
{
"address": "1.1.1.18",
"usePool": "enabled",
"pool": "true",
"allowNullcrl": "false",
"baseDn": "CN=lxxx,DC=f5,DC=com",
"cacheExpire": 86400,
"connectionTimeout": 15,
"port": 389,
"reverseDn": "c=us,st=wa,l=sea,ou=f5,cn=xxx.",
"updateInterval": 0,
"useIssuer": "false",
"verifySig": "true",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"name": "bigip.foo.com",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"name": "resourceName",
"kind": "shared:resolver:device-groups:devicegroupstate",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
"generation": 1,
"lastUpdateMicros": 1518743088884807,
"kind": "cm:access:working-config:apm:aaa:active-directory:activedirectorystate",
"selfLink": "cm:access:working-config:apm:aaa:active-directory:activedirectorystate"
}
Delete AAA CRLDP Server¶
DELETE /cm/access/working-config/apm/aaa/crldp/<id>
Response¶
HTTP/1.1 200 OK
{
"address": "1.1.1.18",
"usePool": "enabled",
"pool": "true",
"allowNullcrl": "false",
"baseDn": "CN=lxxx,DC=f5,DC=com",
"cacheExpire": 86400,
"connectionTimeout": 15,
"port": 389,
"reverseDn": "c=us,st=wa,l=sea,ou=f5,cn=xxx.",
"updateInterval": 0,
"useIssuer": "false",
"verifySig": "true",
"name": "foo",
"partition": "Common",
"subPath": "/folder",
"lsoDeviceReference": {
"id": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"name": "bigip.foo.com",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"machineId": "866cfd8a-4d03-48e9-ba94-bb21a4bc2346",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"isLsoShared": false,
"deviceGroupReference": {
"name": "resourceName",
"kind": "shared:resolver:device-groups:devicegroupstate",
"link": "https://localhost/mgmt/shared/foo/bar/866cfd8a-4d03-48e9-ba94-bb21a4bc2346"
},
"id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
"generation": 1,
"lastUpdateMicros": 1518743088884807,
"kind": "cm:access:working-config:apm:aaa:active-directory:activedirectorystate",
"selfLink": "cm:access:working-config:apm:aaa:active-directory:activedirectorystate"
}
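The property table and the GET/PATCH examples above give everything needed to review a CRLDP object for settings that weaken revocation checking (allowNullcrl, verifySig, updateInterval, usePool) and to build the PATCH body that corrects them. The following is an added example in Python and is not BIG-IQ code: the severity labels and the set of checks are this example's own, the sample object is constructed from the values in the GET response on this page, and the flag-parsing helper exists because the API carries most booleans as the strings "true"/"false" or "enabled"/"disabled" while isLsoShared is a real boolean.

```python
import json

# Added example (not BIG-IQ code): audit a CRLDP server object as returned by
# GET /cm/access/working-config/apm/aaa/crldp/<id> and build the minimal body
# for PATCH /cm/access/working-config/apm/aaa/crldp/<id> that corrects the
# revocation-checking settings. Severity labels and checks are this example's own.

# Constructed sample: the values of the GET response shown on this page, reduced
# to the CRLDP properties the checks look at.
SAMPLE_CRLDP = json.loads("""
{
  "address": "1.1.1.18",
  "usePool": "enabled",
  "pool": "true",
  "allowNullcrl": "false",
  "baseDn": "CN=lxxx,DC=f5,DC=com",
  "cacheExpire": 86400,
  "connectionTimeout": 15,
  "port": 389,
  "updateInterval": 0,
  "useIssuer": "false",
  "verifySig": "true",
  "isLsoShared": false
}
""")

TRUE_WORDS = {"true", "enabled", "yes", "1"}
FALSE_WORDS = {"false", "disabled", "no", "0"}


def as_bool(value) -> bool:
    """Normalise the API's string-typed flags ("true", "enabled", ...) to bool."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in TRUE_WORDS:
        return True
    if text in FALSE_WORDS:
        return False
    raise ValueError(f"unrecognised flag value: {value!r}")


def audit_crldp(cfg: dict) -> list:
    """Return (severity, property, message) tuples for settings that weaken
    CRL-based revocation checking."""
    findings = []
    if as_bool(cfg.get("allowNullcrl", "false")):
        findings.append(("high", "allowNullcrl",
                         "a null CRL counts as a successful check, so a certificate is "
                         "accepted even when no revocation data was obtained"))
    if not as_bool(cfg.get("verifySig", "true")):
        findings.append(("high", "verifySig",
                         "the signature on the received CRL is not verified, so an altered "
                         "or substituted CRL would be accepted"))
    if int(cfg.get("updateInterval", 0)) == 0:
        findings.append(("info", "updateInterval",
                         "0 means the CRL is refreshed only when the CA's Next update time "
                         "passes; a value below the CRL validity forces earlier retrieval"))
    # usePool is documented as Pool/Direct but appears as "enabled" in the examples.
    if str(cfg.get("usePool", "")).strip().lower() not in ("pool", "enabled", "true"):
        findings.append(("low", "usePool",
                         "a single (Direct) CRLDP server; an outage of that server stalls "
                         "revocation checks for every policy using this object"))
    return findings


def remediation_patch(cfg: dict) -> dict:
    """Build the PATCH body that fixes the high-severity findings.

    Only the changed properties are sent, in the API's string-boolean form.
    isLsoShared is never included: the property table warns against changing it
    on PUT/PATCH.
    """
    patch = {}
    if as_bool(cfg.get("allowNullcrl", "false")):
        patch["allowNullcrl"] = "false"
    if not as_bool(cfg.get("verifySig", "true")):
        patch["verifySig"] = "true"
    return patch


if __name__ == "__main__":
    weak = dict(SAMPLE_CRLDP, allowNullcrl="true", verifySig="false")
    for sev, prop, msg in audit_crldp(weak):
        print(f"[{sev}] {prop}: {msg}")
    print("PATCH body:", json.dumps(remediation_patch(weak)))
```

Run against the object on this page the audit reports only the informational updateInterval note, because the example already has allowNullcrl "false" and verifySig "true"; the PATCH body is empty in that case, so nothing is sent.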