Management::CertificateValidatorOCSP
Methods
Method | Description | Introduced |
create | Creates the specified OCSP certificate validators, using a proxy server pool or a DNS resolver. If a proxy server pool is specified, the OCSP requests will be sent to a proxy server that in turn sends the requests to the OCSP responder. Otherwise, a DNS resolver must be specified for the system to make external HTTP requests. | BIG-IP_v13.0.0 |
delete_all_ocsp_certificate_validators | Deletes all OCSP certificate validators. | BIG-IP_v13.0.0 |
delete_ocsp_certificate_validator | Deletes a set of OCSP certificate validators. | BIG-IP_v13.0.0 |
get_all_statistics | Gets the statistics for all the OCSP certificate validators. | BIG-IP_v13.0.0 |
get_cache_error_timeout | Gets the cache error timeouts for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_cache_timeout | Gets the cache timeouts for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_clock_skew | Gets the maximum time skew between the OCSP responder and the system's clocks for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_concurrent_connections_limit | Gets the maximum number of concurrent connections per OCSP responder. | BIG-IP_v13.0.0 |
get_description | Gets the descriptions for a set of OCSP certificate validators. | BIG-IP_v13.0.0 |
get_dns_resolver | Gets the DNS resolver for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_list | Gets a list of OCSP certificate validators. | BIG-IP_v13.0.0 |
get_proxy_server_pool | Gets the proxy server pools that the OCSP request will be forwarded to for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_responder_url | Gets the responder URL for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_route_domain | Gets the route domains corresponding to the connections made to the OCSP responders using DNS resolvers for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_sign_hash | Gets the hash algorithm used to sign the OCSP request for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_signer_certificate | Gets the signer certificates that are used to sign the OCSP request for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_signer_key | Gets the signer private keys that are used to sign the OCSP request for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_statistics | Gets the statistics for a list of OCSP certificate validators. | BIG-IP_v13.0.0 |
get_status_age | Gets the status age, in seconds, for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_strict_responder_certificate_checking_state | Gets the strict responder certificate checking states for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_timeout | Gets the timeout of the connection made to the OCSP responder for fetching the OCSP response. | BIG-IP_v13.0.0 |
get_trusted_responder | Gets the trusted responder certificates for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
get_version | Gets the version information for this interface. | BIG-IP_v13.0.0 |
reset_statistics | Resets the statistics for a list of OCSP certificate validators. | BIG-IP_v13.0.0 |
set_cache_error_timeout | Sets the cache error timeouts for the specified OCSP certificate validators. If the OCSP response indicates an error, the response will be cached for the duration specified in cache error timeout. | BIG-IP_v13.0.0 |
set_cache_timeout | Sets the cache timeouts, in seconds, for the specified OCSP certificate validators. The lifetime of a cached OCSP response is the lower of the validity of the response and the configured cache timeout. | BIG-IP_v13.0.0 |
set_clock_skew | Sets the maximum time skew between the OCSP responder and the system's clocks for the specified OCSP certificate validators. Clock skew is the tolerable absolute difference in the clocks between the responder and the system. | BIG-IP_v13.0.0 |
set_concurrent_connections_limit | Sets the maximum number of concurrent connections per OCSP responder. The OCSP responder is identified from the AIA extension of the certificate, or the user-defined URL. If an OCSP responder has multiple concurrent connection limit values associated with it from different OCSP certificate validators, the lowest value will be taken into account. | BIG-IP_v13.0.0 |
set_description | Sets the description for a set of OCSP certificate validators. This is an arbitrary field which can be used for any purpose. | BIG-IP_v13.0.0 |
set_dns_resolver | Sets the DNS resolver for the specified OCSP certificate validators. The resolver is used to resolve the domain names in the OCSP responders' URLs so that the system can communicate with the OCSP responders. If a DNS resolver is not set for an OCSP certificate validator, then a pool of proxy servers must be set using set_proxy_server_pool; in that case these proxy servers will communicate with the OCSP responder on behalf of the system. | BIG-IP_v13.0.0 |
set_proxy_server_pool | Sets the proxy server pool that the OCSP request will be forwarded to for the specified OCSP certificate validators so that these proxies can communicate with the OCSP responders on behalf of the system. A pool of proxy servers can be created using LocalLB::Pool. It is a pool of IP addresses of the proxies that can forward the OCSP requests from the system to the OCSP responders. If a pool is not set for an OCSP certificate validator, then a DNS resolver must be set using set_dns_resolver; in that case the system will communicate with the OCSP responder directly. | BIG-IP_v13.0.0 |
set_responder_url | Sets the responder URL for the specified OCSP certificate validators. The OCSP responder's URL may be obtained from the certificate's AIA extension(s); however, if it is explicitly set using set_responder_url, the one listed in the AIA extension will be ignored. | BIG-IP_v13.0.0 |
set_route_domain | Sets the route domains corresponding to the connections made to the OCSP responders using DNS resolvers for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
set_sign_hash | Sets the hash algorithm used to sign the OCSP request for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
set_signer_certificate | Sets the signer certificates that are used to sign the OCSP request for the specified OCSP certificate validators. This method needs to be used with set_signer_key within one transaction; otherwise it will result in a missing signer certificate error. Therefore set_signer_certificate_key_passphrase is the recommended alternative method, which can set the signer certificate, key, and passphrase simultaneously. | BIG-IP_v13.0.0 |
set_signer_certificate_key_passphrase | Sets the signer certificates, signer keys that are used to sign the OCSP request, and the passphrases that are used to decrypt the protected signer keys, for the specified OCSP certificate validators. | BIG-IP_v13.0.0 |
set_signer_key | Sets the signer private keys that are used to sign the OCSP request for the specified OCSP certificate validators. This method needs to be used with set_signer_certificate within one transaction; otherwise it will result in a missing signer certificate error. Therefore set_signer_certificate_key_passphrase is the recommended alternative method, which can set the signer certificate, key, and passphrase simultaneously. | BIG-IP_v13.0.0 |
set_signer_key_passphrase | Sets the passphrases used to decrypt the protected signer keys of the specified OCSP certificate validators. set_signer_certificate_key_passphrase is the recommended alternative method, which can set the signer certificate, key, and passphrase simultaneously. | BIG-IP_v13.0.0 |
set_status_age | Sets the status age, in seconds, for the specified OCSP certificate validators. This specifies the maximum allowed lag time for the 'thisUpdate' time in the OCSP response that the system accepts. If this maximum is exceeded, the response is dropped. If this value is set to '0', this validation is skipped. The default value is 86400 seconds. | BIG-IP_v13.0.0 |
set_strict_responder_certificate_checking_state | Sets the strict responder certificate checking states for the specified OCSP certificate validators. If enabled, the system explicitly checks that the response signer's certificate is authorized for OCSP response signing, by checking for the OCSP signing extension in the signer's certificate. | BIG-IP_v13.0.0 |
set_timeout | Sets the timeout of the connection made to the OCSP responder for fetching the OCSP response. | BIG-IP_v13.0.0 |
set_trusted_responder | Sets the trusted responder certificates for the specified OCSP certificate validators. A trusted responder certificate of an OCSP certificate validator is the OCSP responder's certificate that we trust. This can help reduce and hence speed up the OCSP process: if it is set, the system will skip verifying the OCSP responder's certificate if it is identical to the configured one; otherwise it will need to verify whether the responder's certificate is signed by the issuer of the certificate that is monitored by this OCSP certificate validator. | BIG-IP_v13.0.0 |
Structures
Structure | Description |
CertificateValidatorOCSPStatisticEntry | A struct that describes statistics for a specified OCSP certificate validator. |
CertificateValidatorOCSPStatistics | A struct that describes OCSP certificate validator statistics and timestamp. |
Enumerations
Enumeration | Description |
OCSPSignHash | Specifies the hash algorithm used for signing the OCSP request. |
Aliases
Alias | Type | Description |
CertificateValidatorOCSPStatisticEntrySequence | CertificateValidatorOCSPStatisticEntry [] | A sequence of OCSP certificate validator statistics. |
OCSPSignHashSequence | OCSPSignHash [] | A sequence of OCSP sign hash specifications. |