Management::OCSPResponder¶
Introduced : BIG-IP_v9.0
The OCSPResponder interface enables you to manage OCSP responder
configuration.
Methods¶
| Method | Description | Introduced |
| create | Creates the specified OCSP responders. | BIG-IP_v9.0 |
| delete_all_responders | Deletes all OCSP responders. | BIG-IP_v9.0 |
| delete_responder | Deletes the specified OCSP responders. | BIG-IP_v9.0 |
| get_allow_additional_certificate_state | Gets the states that that indicate whether to allow the addition of certificates to the OCSP request. This option should normally only be used for testing purposes. | BIG-IP_v9.0 |
| get_ca_file | Certificate files are officially managed as certificate file objects via the get_ca_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Gets the names of the trusted CA certificate files used by the responders to verify the signature on the OCSP response. | BIG-IP_v9.0 |
| get_ca_file_v2 | Gets the names of the certificate file objects holding the trusted CA certificates used by the responders to verify the signature on the OCSP response. Certificate file objects are managed by the Management::KeyCertificate interface. | BIG-IP_v11.0.0 |
| get_ca_path | Gets the paths of the trusted CA certificates used by the responders to verify the signature on the OCSP response. | BIG-IP_v9.0 |
| get_certificate_check_state | Gets the states that indicate whether to perform any additional checks on the OCSP response signers certificate. If false, do not make any checks to see if the signers certificate is authorized to provide the necessary status information: as a result this option should only be used for testing purposes. | BIG-IP_v9.0 |
| get_certificate_id_digest_method | Gets the digest algorithm for hashing the certificate information used to create the certificate ID that is sent to the responder. | BIG-IP_v9.0 |
| get_certificate_verification_state | Gets the states that indicate whether to check the certificates in the OCSP responses. | BIG-IP_v9.0 |
| get_chain_state | Gets the states that indicate whether to use certificates in the response as additional untrusted CA certificates. | BIG-IP_v9.0 |
| get_description | Gets the descriptions for a set of OCSP responders. | BIG-IP_v11.0.0 |
| get_explicit_state | Gets the states that indicate whether to explicitly trust the OCSP response signers certificate as authorized for OCSP response signing. Specifying this option causes a response to be untrusted if the signers certificate does not contain the “OCSPSigning” extension. | BIG-IP_v9.0 |
| get_ignore_aia_state | Gets the states that if true, then always use the URL specified in the configuration file, and ignore any URL contained in the client certificates&apos authorityInfoAccess OCSP field. If this option is not set (the default) AND the client certificate has a valid AIA OCSP field set, then first attempt to connect to the responder in the client&aposs AIA OCSP field, and fall back to the URL in the responder definition if that server is not available. See RFC2560 for more detail of the authorityInfoAccess x509 extension and its intended usage. | BIG-IP_v9.0 |
| get_intern_state | Gets the states that that indicate whether to ignore certificates contained in the OCSP response when searching for the signers certificate. With this option the signers certificate must be specified with either the -verify_certs or -VAfile options. | BIG-IP_v9.0 |
| get_list | Gets a list of all OCSP responders. | BIG-IP_v9.0 |
| get_nonce_state | Gets the state that indicates whether to send a nonce in the OCSP request. | BIG-IP_v9.4.7 |
| get_other_certificate_file | Certificate files are officially managed as certificate file objects via the get_other_certificate_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Gets the files containing additional certificates to search when attempting to locate the OCSP response signing certificate. Some responders omit the actual signer&aposs certificates from the response: this option can be used to supply the necessary certificates in such cases. | BIG-IP_v9.0 |
| get_other_certificate_file_v2 | Gets the names of the certificate file objects containing additional certificates to search when attempting to locate the OCSP response signing certificate. Some responders omit the actual signer&aposs certificates from the response: this option can be used to supply the necessary certificates in such cases. Certificate file objects are managed by the Management::KeyCertificate interface. | BIG-IP_v11.0.0 |
| get_signature_verification_state | Gets the states that indicate whether to check the signature on the OCSP response. Since this option tolerates invalid signatures on OCSP responses it will normally only be used for testing purposes. | BIG-IP_v9.0 |
| get_signing_information | Certificate and key files are officially managed as file objects via the get_signing_information_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Gets the signing information necessary to sign the OCSP requests. | BIG-IP_v9.0 |
| get_signing_information_v2 | Gets the signing information necessary to sign the OCSP requests. Certificate and certificate key file objects are managed by the Management::KeyCertificate interface. | BIG-IP_v11.0.0 |
| get_status_age | Gets the status ages (sec) for the OCSP response. If the notAfter time is omitted from a response then this means that new status information is immediately available. In this case the age of the notBefore field is checked to see it is not older than age seconds old. By default this additional check is not performed when -status_age is not specified. | BIG-IP_v9.0 |
| get_trust_other_certificate_state | Gets the states indicating whether to be explicitly trust the other certificates specified via set_other_certificate_file and no additional checks will be performed on them. This is useful when the complete responder certificate chain is not available or trusting a root CA is not appropriate. | BIG-IP_v9.0 |
| get_url | Gets the URL or hostnames of the responders. | BIG-IP_v9.0 |
| get_va_file | Certificate files are officially managed as certificate file objects via the get_va_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Gets the names of the files containing explicitly trusted responder certificates. | BIG-IP_v9.0 |
| get_va_file_v2 | Gets the names of the certificate file objects containing explicitly trusted responder certificates. Certificate file objects are managed by the Management::KeyCertificate interface. | BIG-IP_v11.0.0 |
| get_validity_period | Gets the range of times, in seconds, which will be tolerated in an OCSP response. Each certificate status response includes a notBefore time and an optional notAfter time. The current time should fall between these two values, but the interval between the two times may be only a few seconds. In practice the OCSP responder and clients clocks may not be precisely synchronized and so such a check may fail. To avoid this the -validity_period option can be used to specify an acceptable error range in seconds, the default value is 300 seconds. | BIG-IP_v9.0 |
| get_verification_state | Gets the states that indicate whether to attempt to verify the OCSP response signature or the nonce values. This option will normally only be used for debugging since it disables all verification of the responders certificate. | BIG-IP_v9.0 |
| get_version | Gets the version information for this interface. | BIG-IP_v9.0 |
| set_allow_additional_certificate_state | Sets the states that indicate whether to allow the addition of certificates to the OCSP request. This option should normally only be used for testing purposes. | BIG-IP_v9.0 |
| set_ca_file | Certificate files are officially managed as certificate file objects via the set_ca_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Sets the names of the trusted CA certificate files used by the responders to verify the signature on the OCSP response. | BIG-IP_v9.0 |
| set_ca_file_v2 | Sets the names of the certificate file objects holding the trusted CA certificates used by the responders to verify the signature on the OCSP response. Certificate file objects are managed by the Management::KeyCertificate interface. | BIG-IP_v11.0.0 |
| set_ca_path | Sets the paths of the trusted CA certificates used by the responders to verify the signature on the OCSP response. | BIG-IP_v9.0 |
| set_certificate_check_state | Sets the states that indicate whether to perform any additional checks on the OCSP response signers certificate. If false, do not make any checks to see if the signers certificate is authorized to provide the necessary status information: as a result this option should only be used for testing purposes. | BIG-IP_v9.0 |
| set_certificate_id_digest_method | Sets the digest algorithm for hashing the certificate information used to create the certificate ID that is sent to the responder. | BIG-IP_v9.0 |
| set_certificate_verification_state | Sets the states that indicate whether to check the certificates in the OCSP responses. | BIG-IP_v9.0 |
| set_chain_state | Sets the states that indicate whether to use certificates in the response as additional untrusted CA certificates. | BIG-IP_v9.0 |
| set_description | Sets the description for a set of OCSP responders. This is an arbitrary field which can be used for any purpose. | BIG-IP_v11.0.0 |
| set_explicit_state | Sets the states that indicate whether to explicitly trust the OCSP response signers certificate as authorized for OCSP response signing. Specifying this option causes a response to be untrusted if the signers certificate does not contain the “OCSPSigning” extension. | BIG-IP_v9.0 |
| set_ignore_aia_state | Sets the states that if true, then always use the URL specified in the configuration file, and ignore any URL contained in the client certificates&apos authorityInfoAccess OCSP field. If this option is not set (the default) AND the client certificate has a valid AIA OCSP field set, then first attempt to connect to the responder in the client&aposs AIA OCSP field, and fall back to the URL in the responder definition if that server is not available. See RFC2560 for more detail of the authorityInfoAccess x509 extension and its intended usage. | BIG-IP_v9.0 |
| set_intern_state | Sets the states that indicate whether to ignore certificates contained in the OCSP response when searching for the signers certificate. With this option the signers certificate must be specified with either the -verify_certs or -VAfile options. | BIG-IP_v9.0 |
| set_nonce_state | Sets the state that indicates whether to send a nonce in the OCSP request. | BIG-IP_v9.4.7 |
| set_other_certificate_file | Certificate files are officially managed as certificate file objects via the set_other_certificate_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Sets the files containing additional certificates to search when attempting to locate the OCSP response signing certificate. Some responders omit the actual signer&aposs certificates from the response: this option can be used to supply the necessary certificates in such cases. | BIG-IP_v9.0 |
| set_other_certificate_file_v2 | Sets the names of the certificate file objects containing additional certificates to search when attempting to locate the OCSP response signing certificate. Some responders omit the actual signer&aposs certificates from the response: this option can be used to supply the necessary certificates in such cases. Certificate file objects are managed by the Management::KeyCertificate interface. | BIG-IP_v11.0.0 |
| set_signature_verification_state | Sets the states that indicate whether to check the signature on the OCSP response. Since this option tolerates invalid signatures on OCSP responses it will normally only be used for testing purposes. | BIG-IP_v9.0 |
| set_signing_information | Certificate and key files are officially managed as certificate and certificate key file objects via the set_signing_information_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Sets the signing information necessary to sign the OCSP requests. | BIG-IP_v9.0 |
| set_signing_information_v2 | Sets the signing information necessary to sign the OCSP requests. Certificate and certificate key file objects are managed by the Management::KeyCertificate interface. | BIG-IP_v11.0.0 |
| set_status_age | Sets the status ages (sec) for the OCSP response. If the notAfter time is omitted from a response then this means that new status information is immediately available. In this case the age of the notBefore field is checked to see it is not older than age seconds old. By default this additional check is not performed when -status_age is not specified. | BIG-IP_v9.0 |
| set_trust_other_certificate_state | Sets the states indicating whether to be explicitly trust the other certificates specified via set_other_certificate_file and no additional checks will be performed on them. This is useful when the complete responder certificate chain is not available or trusting a root CA is not appropriate. | BIG-IP_v9.0 |
| set_url | Sets the URLs of the responders. | BIG-IP_v9.0 |
| set_va_file | Certificate files are officially managed as certificate file objects via the set_va_file_v2 method and Management::KeyCertificate interface. Thus this method has been deprecated. Sets the names of the files containing explicitly trusted responder certificates. This functionality is equivalent to having the other certificates specified via set_other_certificate_file, and setting the state via set_trust_other_certificate_state. | BIG-IP_v9.0 |
| set_va_file_v2 | Sets the name of the certificate file objects containing explicitly trusted responder certificates. This functionality is equivalent to having the other certificates specified via set_other_certificate_file, and setting the state via set_trust_other_certificate_state. Certificate file objects are managed by the Management::KeyCertificate interface. | BIG-IP_v11.0.0 |
| set_validity_period | Sets the range of times, in seconds, which will be tolerated in an OCSP response. Each certificate status response includes a notBefore time and an optional notAfter time. The current time should fall between these two values, but the interval between the two times may be only a few seconds. In practice the OCSP responder and clients clocks may not be precisely synchronized and so such a check may fail. To avoid this the -validity_period option can be used to specify an acceptable error range in seconds, the default value is 300 seconds. | BIG-IP_v9.0 |
| set_verification_state | Sets the states that indicate whether to attempt to verify the OCSP response signature or the nonce values. This option will normally only be used for debugging since it disables all verification of the responders certificate. | BIG-IP_v9.0 |
Structures¶
Structure
Description
A struct that describes an OCSP responder.
A struct that describes information necessary to sign the OCSP request. The files are specified by their file object names. See the CertificateFile and CertificateKeyFile interfaces.
Aliases¶
| Alias | Type | Description |
| ResponderDefinitionSequence | ResponderDefinition [] | A sequence of OCSP responders. |
| SignInformationSequence | SignInformation [] | A sequence of signing information. |
See Also¶
iControl ::
Warning
The links to the sample code below are remnants of the old DevCentral wiki and will result in a 404 error. For best results, please copy the link text and search the codeshare directly on DevCentral.
Sample Code¶
The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.