apm aaa crldp

apm aaa crldp(1)	      BIG-IP TMSH Manual	      apm aaa crldp(1)



NAME
       crldp - Configure a Certificate Revocation List Distribution Point
       (CRLDP) server object for implementing a CRLDP authentication module.

MODULE
       apm aaa

SYNTAX
       Configure the crldp component within the aaa module using the syntax
       shown in the following sections.

   CREATE/MODIFY
	create crldp [name]
	modify crldp [name]
	  options:
	    address [ip addr]
	    allow-nullcrl [true | false]
	    app-service [[string] | none]
	    base-dn [[string] | none]
	    cache-expire [[integer] | none]
	    connection-timeout [[integer] | none]
	    description [[string] | none]
	    location-specific [true | false]
	    pool [name]
	    port [[integer] | none]
	    reverse-dn [true | false]
	    use-issuer [true | false]
	    use-pool [enabled | disabled]
	    verify-sig [true | false]

	edit crldp [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list crldp
	list crldp [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    app-service
	    non-default-properties
	    one-line
	    partition

   DELETE
	delete crldp [name]

DESCRIPTION
       Configure a CRLDP authentication server, and then assign the server to
       the CRLDP auth agent in your access policy.

EXAMPLES
       create crldp aaa-ldap-2027 { address 172.27.32.60 allow-nullcrl false
       base-dn DC=net,DC=aina,DC=test cache-expire 1000 connection-timeout 15
       description none partition Common pool aaa-ldap-2027-pool port ldap
       reverse-dn true use-issuer false use-pool disabled verify-sig true }
	    Creates a CRLDP server named aaa-ldap-2027.

       delete crldp my_crldp_server
	    Deletes the CRLDP server named my_crldp_server.

OPTIONS
       address
	    Specifies the IP address of the server. This option is required.

       allow-nullcrl
	    Specifies whether to consider a null CRL from the CRLDP server a
	    successful authentication. The default is false.

       app-service
	    Specifies the name of the application service to which the object
	    belongs. The default value is none. Note: If the strict-updates
	    option is enabled on the application service that owns the object,
	    you cannot modify or delete the object. Only the application
	    service can modify or delete the object.

       base-dn
	    Specifies the LDAP base directory name for certificates that
	    specify the CRL distribution point in directory name (dirName)
	    format. Used when the value of the X509v3 attribute
	    crlDistributionPoints is of type dirName. In this case, the BIG-IP
	    system attempts to match the value of the crlDistributionPoints
	    attribute to the Base DN value. An example of a Base DN value is
	    cn=lxxx,dc=f5,dc=com.

       cache-expire
	    Specifies (in seconds) an update interval for CRL distribution
	    points. The update interval for distribution points ensures that
	    CRL status is checked at regular intervals, regardless of the CRL
	    timeout value. This helps prevent CRL information from becoming
	    outdated before the Access Policy Manager checks the status of a
	    certificate.

       connection-timeout
	    Specifies the number of seconds of inactivity the system allows
	    before the connection times out. The default is 15.

       description
	    Specifies a unique description for the server. The default is
	    none.

       partition
	    Displays the partition within which the component resides.

       location-specific
	    Specifies whether or not this object contains one or more
	    attributes with values that are specific to the location where the
	    BIG-IP device resides. The location-specific attribute is either
	    true or false. When using policy sync, mark an object as location-
	    specific to prevent errors that can occur when policies reference
	    objects, such as authentication servers, that are specific to a
	    certain location.

       pool Specifies the name of the pool with which the server is
	    associated.

       port Specifies the CRLDP service port. The default is 389.

       reverse-dn
	    Specifies in which order the system is to attempt to match the
	    Base DN value to the value of the X509v3 attribute
	    crlDistributionPoints. Possible values are true and false.
	    When set to true, the system matches the base DN from left to
	    right, or from the beginning of the DN string, to accommodate
	    dirName strings in certificates such as
	    C=US,ST=WA,L=SEA,OU=F5,CN=xxx. The default value is false.
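The base-dn and reverse-dn matching described above, as an added Python illustration that is not F5's code: it assumes BIG-IP compares the Base DN against the certificate's dirName one RDN at a time and case-insensitively (from the end of the DN when reverse-dn is false, from the beginning when it is true); `parse_dn` and `base_dn_matches` are names chosen here.

```python
# Added illustration of the base-dn / reverse-dn matching described above.
# Not F5's code: it assumes BIG-IP compares the configured Base DN with the
# certificate's dirName one RDN at a time, case-insensitively, from the end
# of the DN when reverse-dn is false and from the beginning when it is true.
# Escaped commas inside RDN values are not handled.

def parse_dn(dn):
    """Split a DN string into (attribute, value) pairs; attribute types are
    lower-cased and whitespace trimmed so 'DC=net' and 'dc=net' compare equal."""
    rdns = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def base_dn_matches(cert_dirname, base_dn, reverse_dn=False):
    """True if base_dn matches the crlDistributionPoints dirName.

    reverse_dn=False (default): LDAP-style DN such as cn=crl1,cn=lxxx,dc=f5,dc=com;
    the Base DN must equal the trailing RDNs.
    reverse_dn=True: X.500-style DN such as C=US,ST=WA,L=SEA,OU=F5,CN=xxx;
    the Base DN must equal the leading RDNs.
    """
    cert = parse_dn(cert_dirname)
    base = parse_dn(base_dn)
    if not base or len(base) > len(cert):
        return False
    window = cert[:len(base)] if reverse_dn else cert[-len(base):]
    return all(ct == bt and cv.lower() == bv.lower()
               for (ct, cv), (bt, bv) in zip(window, base))


if __name__ == "__main__":
    # Constructed dirName values paired with the Base DN forms this page gives;
    # the X.500-ordered DN only matches once reverse-dn is true.
    checks = [
        ("cn=crl1,cn=lxxx,dc=f5,dc=com", "cn=lxxx,dc=f5,dc=com", False),
        ("C=US,ST=WA,L=SEA,OU=F5,CN=xxx", "C=US,ST=WA,L=SEA,OU=F5", False),
        ("C=US,ST=WA,L=SEA,OU=F5,CN=xxx", "C=US,ST=WA,L=SEA,OU=F5", True),
    ]
    for dirname, base, rev in checks:
        print("%s | base-dn %s | reverse-dn %s -> %s"
              % (dirname, base, rev, base_dn_matches(dirname, base, rev)))
```

A Base DN that never matches means the CRL is never fetched for that distribution point, so checking the DN ordering in the issuing CA's certificates against the reverse-dn setting is worth doing before relying on the agent.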

       use-issuer
	    Specifies whether the CRL distribution point is extracted from the
	    certificate of the client certificate issuer. The default is
	    false.

       use-pool
	    Enables or disables high availability between CRLDP servers. When
	    enabled, Access Policy Manager sends CRLDP authentication requests
	    for the associated CRLDP auth agent to the virtual server, and
	    standard pool behavior is used to implement high availability for
	    CRLDP.

       verify-sig
	    Specifies whether the signature on the received CRL is verified.
	    The default is true.

SEE ALSO
COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2011-2013, 2016. All rights
       reserved.



BIG-IP				  2016-03-14		      apm aaa crldp(1)