apm aaa ocsp

apm aaa ocsp(1) 	      BIG-IP TMSH Manual	       apm aaa ocsp(1)



NAME
       ocsp - Configure Online Certificate Status Protocol (OCSP) responder
       objects.

MODULE
       apm aaa

SYNTAX
       Configure the ocsp component within the aaa module using the syntax
       shown in the following sections.

   CREATE/MODIFY
	create ocsp [name]
	modify ocsp [name]
	  options:
	    allow-certs [true | false]
	    app-service [[string] | none]
	    ca-file ( | none)
	    ca-path ( | none)
	    cert-id-digest (sha1 | md5)
	    chain [true | false]
	    check-certs [true | false]
	    explicit-ocsp [true | false]
	    ignore-aia [true | false]
	    intern [true | false]
	    location-specific [true | false]
	    nonce [true | false]
	    sign-digest (sha1 | md5)
	    sign-key ( | none)
	    sign-key-passphrase ( | none)
	    sign-other ( | none)
	    signer ( | none)
	    status-age 
	    trust-other [true | false]
	    url ( | none)
	    va-file ( | none)
	    validity-period 
	    verify [true | false]
	    verify-cert [true | false]
	    verify-other ( | none)
	    verify-sig [true | false]

	edit ocsp [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list ocsp
	list ocsp [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    app-service
	    non-default-properties
	    one-line
	    partition

   DELETE
	delete ocsp [name]

DESCRIPTION
       To implement the SSL OCSP authentication module, create an OCSP
       responder object and assign it to the OCSP auth agent in your access
       policy.

OPTIONS
       allow-certs
	    Specifies whether the addition of certificates to an OCSP request
	    is enabled. The default is true.

       app-service
	    Specifies the name of the application service to which the object
	    belongs. The default value is none. Note: If the strict-updates
	    option is enabled on the application service that owns the object,
	    you cannot modify or delete the object. Only the application
	    service can modify or delete the object.

       ca-file
	    Specifies the name of the certificate file object containing
	    trusted CA certificates used to verify the signature on the OCSP
	    response. The default is none.

       ca-path
	    Specifies the path to the trusted CA certificates used to verify
	    the signature on the OCSP response. The default is none.

       cert-id-digest
	    The cert ID digest is part of the OCSP protocol. The OCSP client
	    (in this case, the BIG-IP system) calculates the cert ID using a
	    hash of the Issuer and serial number for the certificate that it
	    is trying to verify.  The options are:

	    sha1 Newer algorithm that provides a higher security level with a
		 160 bit hash length. This is the default.

	    md5  Older algorithm with a 128 bit hash length.

       chain
	    Specifies whether the system constructs a chain from certificates
	    in the OCSP response. The default is true.

       check-certs
	    Specifies whether the LTM system makes additional checks to see if
	    the signer's certificate is authorized to provide the necessary
	    status information. Use this option only for testing purposes. The
	    default is true.

       explicit-ocsp
	    Specifies whether the BIG-IP system explicitly trusts that the
	    OCSP response signer's certificate is authorized for OCSP response
	    signing. If the signer's certificate does not contain the OCSP
	    signing extension, setting this option to true causes a response
	    to be untrusted. The default is true.

       ignore-aia
	    Specifies whether to ignore the URL contained in the certificate's
	    AIA fields, and to always use the URL specified by the responder
	    instead. The default is false.

       intern
	    Specifies whether to ignore certificates contained in an OCSP
	    response when searching for the signer's certificate. When you set
	    this option to true, you must also specify the signer's
	    certificate using either the verify-other or va-file option. The
	    default is true.

       location-specific
	    Specifies whether or not this object contains one or more
	    attributes with values that are specific to the location where the
	    BIG-IP device resides. The location-specific attribute is either
	    true or false. When using policy sync, mark an object as location-
	    specific to prevent errors that can occur when policies reference
	    objects, such as authentication servers, that are specific to a
	    certain location.

       [name]
	    Specifies a unique name for the component. This option is
	    required.

       nonce
	    Specifies whether a nonce will be sent in an OCSP request. When
	    set to false, the request is sent without a nonce. The default is
	    true.

       partition
	    Displays the partition within which the OCSP responder object
	    resides.

       sign-digest
	    Specifies the algorithm (md5 or sha1) used to sign a request using
	    a signing certificate and key. The default is sha1. If you use
	    this option, you must also set the sign-key and
	    sign-key-passphrase options.

       sign-key
	    Specifies the key used to sign an OCSP request. If you use this
	    option, you must also set the sign-digest and sign-key-passphrase
	    options. The default is none.

       sign-key-passphrase
	    Specifies the passphrase for the signing key. If you use this
	    option, you must also set the sign-digest and sign-key options.
	    The default is none.

       sign-other
	    Specifies additional certificates to add to an OCSP request. The
	    options are default.crt and ca-bundle.crt. The default is none.

       signer
	    Specifies the certificate used to sign an OCSP request. If the
	    certificate is specified but the key is not specified, then the
	    private key is read from the same file as the certificate. If
	    neither the certificate nor the key is specified, then the request
	    is not signed. If the certificate is not specified and the key is
	    specified, then the configuration is considered to be invalid. The
	    default is none.

       status-age
	    Specifies the amount of time (in seconds) to compare to the
	    notBefore value of a status response. Use this option only when a
	    status response does not include the notAfter field. The default
	    is 0 (zero).

       trust-other
	    Specifies whether the BIG-IP system trusts the certificates
	    specified using the verify-other option. The default is false.

       url  Specifies the URL used to contact the OCSP service on the
	    responder. This option is required. The default is none.

       va-file
	    Specifies the name of the file containing explicitly-trusted
	    responder certificates. Use this option when the responder is not
	    covered by the certificates already loaded into the responder's CA
	    store. The default is none.

       validity-period
	    Specifies an acceptable error range in seconds. Use this option
	    when the OCSP responder clock and a client clock are not
	    synchronized, which could cause a certificate status check to
	    fail. This value must be a positive number. This option is
	    required. The default is 300.

       verify
	    Specifies whether verification of an OCSP response signature or
	    the nonce values is enabled. Use this option only for debugging
	    purposes. The default is true.

       verify-cert
	    Specifies whether the BIG-IP system verifies the certificate in
	    the OCSP response. The default is true.

       verify-other
	    Specifies the name of the file used to search for an OCSP response
	    signing certificate when the certificate has been omitted from the
	    response. The default is none.

       verify-sig
	    Specifies whether the BIG-IP system checks the signature on the
	    OCSP response. Use this option only for testing purposes. The
	    default is true.
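As an added example (not part of the F5 manual), the following Python audit parses the braced output that tmsh prints for `list apm aaa ocsp` and flags the consistency rules and testing-only settings the option descriptions above spell out. The sample output, object names, file names and URL are constructed for the example.

```python
import re

# Options the manual marks "only for testing/debugging purposes" when not true.
TEST_ONLY_FLAGS = ("verify", "verify-sig", "check-certs")

# Constructed sample of `tmsh list apm aaa ocsp` output (non-default properties only).
SAMPLE = """\
apm aaa ocsp /Common/ocsp-prod {
    ca-file /Common/ca-bundle.crt
    url http://ocsp.example.com/
    va-file /Common/responder.crt
}
apm aaa ocsp /Common/ocsp-debug {
    url http://ocsp.example.com/
    verify false
    verify-sig false
    nonce false
    validity-period 0
}
"""

def parse_ocsp_objects(text):
    """Return {object name: {option: value}} from tmsh list-style output."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"apm aaa ocsp (\S+) \{$", line)
        if m:
            current = objects.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and line:
            key, _, value = line.partition(" ")
            current[key] = value
    return objects

def audit_ocsp(cfg):
    """List findings for one responder object using the manual's stated rules."""
    def g(key, default="none"):
        return cfg.get(key, default)
    findings = []
    if g("url") == "none":
        findings.append("url is required")
    for key in TEST_ONLY_FLAGS:  # default for each is true
        if g(key, "true") != "true":
            findings.append(f"{key} {g(key)} is a testing-only setting")
    key_set = g("sign-key") != "none"
    if key_set != (g("sign-key-passphrase") != "none"):
        findings.append("sign-key and sign-key-passphrase must be set together")
    if key_set and g("signer") == "none":
        findings.append("sign-key without signer certificate is invalid")
    if g("intern", "true") == "true" and g("verify-other") == g("va-file") == "none":
        findings.append("intern true requires verify-other or va-file")
    vp = g("validity-period", "300")
    if not vp.isdigit() or int(vp) <= 0:
        findings.append("validity-period must be a positive number")
    if g("nonce", "true") != "true":
        findings.append("nonce false: request sent without a nonce")
    return findings
```

Feed it the real output of `tmsh list apm aaa ocsp all-properties` to audit every responder object in one pass.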

SEE ALSO
COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2011-2012. All rights reserved.



BIG-IP				  2016-01-07		       apm aaa ocsp(1)