apm aaa crldp

apm aaa crldp(1)					BIG-IP TMSH Manual					  apm aaa crldp(1)

NAME
       crldp - Configure a Certificate Revocation List Distribution Point (CRLDP) server object for implementing a CRLDP
       authentication module.

MODULE
       apm aaa

SYNTAX
       Configure the crldp component within the aaa module using the syntax shown in the following sections.

   CREATE/MODIFY
	create crldp [name]
	modify crldp [name]
	  options:
	    address [ip addr]
	    allow-nullcrl [true | false]
	    app-service [[string] | none]
	    base-dn [[string] | none]
	    cache-expire [[integer] | none]
	    connection-timeout [[integer] | none]
	    description [[string] | none]
	    location-specific [true | false]
	    pool [name]
	    port [[integer] | none]
	    reverse-dn [true | false]
	    use-issuer [true | false]
	    use-pool [enabled | disabled]
	    verify-sig [true | false]

	edit crldp [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list crldp
	list crldp [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    app-service
	    non-default-properties
	    one-line
	    partition

   DELETE
	delete crldp [name]

DESCRIPTION
       Configure a CRLDP authentication server, and then assign the server to the CRLDP auth agent in your access policy.

EXAMPLES
       create crldp aaa-ldap-2027 { address 172.27.32.60 allow-nullcrl false base-dn DC=net,DC=aina,DC=test cache-expire 1000
       connection-timeout 15 description none partition Common pool aaa-ldap-2027-pool port ldap reverse-dn true use-issuer false
       use-pool disabled verify-sig true }
	    Creates a CRLDP server named aaa-ldap-2027.

       delete crldp my_crldp_server
	    Deletes the CRLDP server named my_crldp_server.
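       The following is an added example, not part of the original manual page, showing a CRLDP server object that uses a
       pool of two distribution-point servers (use-pool enabled) so that standard pool monitoring provides failover, with the
       fail-closed settings allow-nullcrl false and verify-sig true. The object name, pool name, member addresses and base DN
       are hypothetical. The commands are written with their full module path so they can be entered from the root of the
       tmsh configuration tree rather than from within the apm aaa module as in the examples above.

```tmsh
# Added example; object names, addresses and the base DN are hypothetical.

# Pool of two CRL distribution-point servers (LDAP on port 389) with a TCP monitor.
# With use-pool enabled on the crldp object, standard pool behavior handles failover.
create ltm pool crldp-pool-example members add { 10.0.0.11:389 10.0.0.12:389 } monitor tcp

# CRLDP server object. address is required even when use-pool is enabled.
# allow-nullcrl false: a missing CRL is not treated as a successful check.
# verify-sig true: a CRL whose signature does not verify is rejected.
# base-dn / reverse-dn: used only for crlDistributionPoints values of type dirName.
create apm aaa crldp crldp-example {
    address 10.0.0.11
    port 389
    use-pool enabled
    pool crldp-pool-example
    base-dn "DC=example,DC=com"
    reverse-dn false
    use-issuer false
    allow-nullcrl false
    verify-sig true
    cache-expire 600
    connection-timeout 15
}

# Show the resulting object including defaults that were not set explicitly.
list apm aaa crldp crldp-example all-properties
```

       After creating the object, assign it to the CRLDP auth agent in the access policy; that assignment is made in the
       policy itself and is not shown here.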

OPTIONS
       address
	    Specifies the IP address of the server. This option is required.

       allow-nullcrl
	    Specifies whether to consider a null CRL from the CRLDP server a successful authentication. The default is false.
	    Leave this at false unless you accept that a certificate for which no CRL is returned is treated as not revoked,
	    which turns a failed revocation lookup into a pass.

       app-service
	    Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
	    strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
	    object. Only the application service can modify or delete the object.

       base-dn
	    Specifies the LDAP base directory name for certificates that specify the CRL distribution point in directory name
	    (dirName) format. Used when the value of the X509v3 attribute crlDistributionPoints is of type dirName. In this case,
	    the BIG-IP system attempts to match the value of the crlDistributionPoints attribute to the Base DN value. An example
	    of a Base DN value is cn=lxxx,dc=f5,dc=com.

       cache-expire
	    Specifies (in seconds) an update interval for CRL distribution points. The update interval for distribution points
	    ensures that CRL status is checked at regular intervals, regardless of the CRL timeout value. This helps prevent CRL
	    information from becoming outdated before the Access Policy Manager checks the status of a certificate.

       connection-timeout
	    Specifies the number of seconds of inactivity the system allows before the connection times out. The default is 15.

       description
	    Specifies a unique description for the server. The default is none.

       partition
	    Displays the partition within which the component resides.

       location-specific
	    Specifies whether or not this object contains one or more attributes with values that are specific to the location
	    where the BIG-IP device resides. The location-specific attribute is either true or false. When using policy sync, mark
	    an object as location-specific to prevent errors that can occur when policies reference objects, such as
	    authentication servers, that are specific to a certain location.

       pool
	    Specifies the name of the pool with which the server is associated.

       port
	    Specifies the CRLDP service port. The default is 389.

       reverse-dn
	    Specifies in which order the system is to attempt to match the Base DN value to the value of the X509v3 attribute
	    crlDistributionPoints. Possible values are true and false. When set to true, the system matches the base DN from
	    left to right, that is, from the beginning of the DN string, to accommodate dirName strings in certificates such as
	    C=US,ST=WA,L=SEA,OU=F5,CN=xxx. The default value is false.

       use-issuer
	    Specifies whether the CRL distribution point is extracted from the certificate of the client certificate issuer. The
	    default is false.

       use-pool
	    Enables or disables high availability between CRLDP servers. When enabled, Access Policy Manager sends CRLDP
	    authentication requests for the associated CRLDP auth agent to the virtual server, and standard pool behavior is used
	    to implement high availability for CRLDP. The pool option specifies the pool that is used.

       verify-sig
	    Specifies whether the signature on the received CRL is verified. The default is true. Disabling this allows an
	    unsigned or altered CRL to be accepted, so it should remain true.

SEE ALSO
COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2011-2013, 2016. All rights reserved.

BIG-IP							    2016-03-14						  apm aaa crldp(1)