ltm auth ocsp-responderΒΆ

ltm auth ocsp-responder(1)				BIG-IP TMSH Manual				ltm auth ocsp-responder(1)

NAME
       ocsp-responder - Configures Online Certificate System Protocol (OCSP) responder objects.

MODULE
       ltm auth

SYNTAX
       Configure the ocsp-responder component within the ltm auth module using the syntax shown in the following sections.

   CREATE/MODIFY
	create ocsp-responder [name]
	modify ocsp-responder [name]
	  options:
	    allow-certs [disabled | enabled]
	    app-service [[string] | none]
	    ca-file [ [file name] | none]
	    ca-path [ [file name] | none]
	    cert-id-digest [md5 | sha1]
	    chain [disabled | enabled]
	    check-certs [disabled | enabled]
	    description [string]
	    explicit [disabled | enabled]
	    ignore-aia [disabled | enabled]
	    intern [disabled | enabled]
	    nonce [disabled | enabled]
	    sign-digest [md5 | sha1]
	    sign-key [ [key] | none)
	    sign-key-pass-phrase [ [pass phrase] | none]
	    sign-other [ [list of certs] | none]
	    signer [ [certificate] | none]
	    status-age [integer]
	    trust-other [disabled | enabled]
	    url [none | [url] ]
	    va-file [ [file name] | none]
	    validity-period [integer]
	    verify [disabled | enabled]
	    verify-cert [disabled | enabled]
	    verify-other [ [file name] | none]
	    verify-sig [disabled | enabled]

	edit ocsp-responder [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list ocsp-responder
	list ocsp-responder [ [ [name] | [glob] | [regex] ] ... ]
	show running-config ocsp-responder
	show running-config ocsp-responder [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    partition

   DELETE
	delete ocsp-responder [name]

DESCRIPTION
       To implement the SSL OCSP authentication module, you must create the following objects: one or more OCSP responder objects,
       an SSL OCSP configuration object, and an SSL OCSP profile.

       To implement an SSL OCSP authentication module and create an OCSP responder object:

       1. Use the ocsp-responder component in the ltm auth module to configure an OCSP responder object.
       2. Use the ssl-ocsp component in the ltm auth module to configure an SSL OCSP configuration object to which you add the
       OCSP responder object that you created in  Step 1.
       3. Use the profile component in the ltm auth module to create an authentication profile in which you specify the following
       options:
	    a. For the configuration option, specify the SSL OCSP configuration object that you created in Step 2.
	    b. For the defaults-from option, specify a parent profile (either the default OCSP Responder profile named ssl_ocsp or
	    another custom profile that you created).

OPTIONS
       allow-certs
	    Enables or disables the addition of certificates to an OCSP request. The default value is enabled.

       app-service
	    Specifies the name of the application service to which the OCSP responder object belongs. The default value is none.
	    Note: If the strict-updates option is enabled on the application service that owns the object, you cannot modify or
	    delete the OCSP responder object. Only the application service can modify or delete the OCSP responder object.

       ca-file
	    Specifies the name of the file containing trusted CA certificates used to verify the signature on the OCSP response.
	    The default value is none.

       ca-path
	    Specifies the name of the path containing trusted CA certificates used to verify the signature on the OCSP response.
	    The default value is none.

       cert-id-digest
	    Specifies a specific algorithm identifier, either sha1 or md5. The default value is sha1. The options are:

	    sha1 is newer and provides more security with a 160-bit hash length.
	    md5 is older and has only a 128-bit hash length.

	    The cert ID is part of the OCSP protocol. The OCSP client (in this case, the BIG-IP system) calculates the cert ID
	    using a hash of the Issuer and serial number for the certificate that it is trying to verify.

       chain
	    Specifies whether the system constructs a chain from certificates in the OCSP response. The default value is enabled.

       check-certs
	    Enables or disables verification of an OCSP response certificate. Use this option for debugging purposes only. The
	    default value is enabled.

       description
	    User defined description.

       explicit
	    Specifies that the Local Traffic Manager explicitly trusts that the OCSP response signer's certificate is authorized
	    for OCSP response signing. If the signer's certificate does not contain the OCSP signing extension, specification of
	    this option causes a response to be untrusted. The default value is enabled.

       glob Displays the items that match the glob expression. See help glob for a description of glob expression syntax.

       ignore-aia
	    Specifies whether the system ignores the URL contained in the certificate's AIA fields, and always uses the URL
	    specified by the responder instead. The default value is disabled.

       intern
	    Specifies whether the system ignores certificates contained in an OCSP response when searching for the signer's
	    certificate. To use this option, the signer's certificate must be specified with either the verify-other or va-file
	    option. The default value is enabled.

       name Specifies a unique name for the component. This option is required for the commands create, delete, and modify.

       nonce
	    Specifies whether the system verifies an OCSP response signature or the nonce values. The default value is enabled.

       partition
	    Displays the administrative partition within which the component resides.

       regex
	    Displays the items that match the regular expression. The regular expression must be preceded by an at sign (@[regular
	    expression]) to indicate that the identifier is a regular expression. See help regex for a description of regular
	    expression syntax.

       sign-digest
	    Specifies the algorithm for signing the request, using the signing certificate and key. This parameter has no meaning,
	    if request signing is not in effect (that is, both the request signing certificate and request signing key parameters
	    are empty). This parameter is required only when request signing is in effect. The default value is sha1.

       sign-key
	    Specifies the key that the system uses to sign an OCSP request. The default value is none.

       sign-key-pass-phrase
	    Specifies the passphrase that the system uses to encrypt the sign key. The default value is none.

       sign-other
	    Adds a list of additional certificates to an OCSP request. The default value is none.

       signer
	    Specifies a certificate used to sign an OCSP request. If the certificate is specified, but the key is not specified,
	    then the private key is read from the same file as the certificate. If neither the certificate nor the key is
	    specified, then the request is not signed. If the certificate is not specified and the key is specified, then the
	    configuration is considered to be invalid. The default value is none.

       status-age
	    Specifies the age of the status of the OCSP responder. The default value is 0 (zero).

       trust-other
	    Instructs the BIG-IP local traffic management system to trust the certificates specified with the verify-other option.
	    The default is value disabled.

       url  Specifies the URL used to contact the OCSP service on the responder. This option is required. The default value is
	    none.

       va-file
	    Specifies the name of the file containing explicitly trusted responder certificates. This parameter is needed in the
	    event that the responder is not covered by the certificates already loaded into the responder's CA store. The default
	    value is none.

       validity period
	    Specifies the number of seconds used to specify an acceptable error range. Use this option when the OCSP responder
	    clock and a client clock are not synchronized, which can cause a certificate status check to fail. This value must be
	    a positive number. The default value is 300 seconds.

       verify
	    Enables or disables verification of an OCSP response signature or the nonce values. Used for debugging purposes only.
	    The default value is enabled.

       verify-cert
	    Specifies that the system makes additional checks to see if the signer's certificate is authorized to provide the
	    necessary status information. Use this option for testing purposes only. The default value is enabled.

       verify-other
	    Specifies the name of the file used to search for an OCSP response signing certificate when the certificate has been
	    omitted from the response. The default value is none.

       verify-sig
	    Specifies that the system checks the signature on the OCSP response. Use this option for testing purposes only. The
	    default value is enabled.

SEE ALSO
       create, delete, edit, glob,   list, ltm auth profile, ltm auth ssl-ocsp, ltm virtual, modify, regex, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2010, 2012. All rights reserved.

BIG-IP							    2012-10-19					ltm auth ocsp-responder(1)