apm aaa crldp
apm aaa crldp(1) BIG-IP TMSH Manual apm aaa crldp(1)
NAME
crldp - Configure a Certificate Revocation List Distribution Point
(CRLDP) server object for implementing a CRLDP authentication module.
MODULE
apm aaa
SYNTAX
Configure the crldp component within the aaa module using the syntax
shown in the following sections.
CREATE/MODIFY
create crldp [name]
modify crldp [name]
options:
address [ip addr]
allow-nullcrl [true | false]
app-service [[string] | none]
base-dn [[string] | none]
cache-expire [[integer] | none]
connection-timeout [[integer] | none]
description [[string] | none]
location-specific [true | false]
pool [name]
port [[integer] | none]
reverse-dn [true | false]
use-issuer [true | false]
use-pool [enabled | disabled]
verify-sig [true | false]
edit crldp [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list crldp
list crldp [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
app-service
non-default-properties
one-line
partition
DELETE
delete crldp [name]
DESCRIPTION
Configure a CRLDP authentication server, and then assign the server to
the CRLDP auth agent in your access policy.
EXAMPLES
create crldp aaa-ldap-2027 { address 172.27.32.60 allow-nullcrl false
base-dn DC=net,DC=aina,DC=test cache-expire 1000 connection-timeout 15
description none partition Common pool aaa-ldap-2027-pool port ldap
reverse-dn true use-issuer false use-pool disabled verify-sig true }
Creates a CRLDP server named aaa-ldap-2027.
delete crldp my_crldp_server
Deletes the CRLDP server named my_crldp_server.
OPTIONS
address
Specifies the IP address of the server. This option is required.
allow-nullcrl
Specifies whether to consider a null CRL from the CRLDP server a
successful authentication. The default is false. Setting this to
true fails open: a client certificate is accepted when the
distribution point returns no CRL, so revocation is not enforced for
that request.
app-service
Specifies the name of the application service to which the object
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the object. Only the application
service can modify or delete the object.
base-dn
Specifies the LDAP base directory name for certificates that
specify the CRL distribution point in directory name (dirName)
format. Used when the value of the X509v3 attribute
crlDistributionPoints is of type dirName. In this case, the BIG-IP
system attempts to match the value of the crlDistributionPoints
attribute to the Base DN value. An example of a Base DN value is
cn=lxxx,dc=f5,dc=com.
cache-expire
Specifies (in seconds) an update interval for CRL distribution
points. The update interval for distribution points ensures that
CRL status is checked at regular intervals, regardless of the CRL
timeout value. This helps prevent CRL information from becoming
outdated before the Access Policy Manager checks the status of a
certificate.
connection-timeout
Specifies the number of seconds of inactivity the system allows
before the connection times out. The default is 15.
description
Specifies a unique description for the server. The default is
none.
partition
Displays the partition within which the component resides.
location-specific
Specifies whether or not this object contains one or more
attributes with values that are specific to the location where the
BIG-IP device resides. The location-specific attribute is either
true or false. When using policy sync, mark an object as location-
specific to prevent errors that can occur when policies reference
objects, such as authentication servers, that are specific to a
certain location.
pool Specifies the name of the pool with which the server is
associated.
port Specifies the CRLDP service port. The default is 389.
reverse-dn
Specifies in which order the system is to attempt to match the
Base DN value to the value of the X509v3 attribute
crlDistributionPoints. Possible values are true and false. When set
to true, the system matches the base DN from left to right, that is,
from the beginning of the DN string, to accommodate root-first
dirName strings in certificates such as
C=US,ST=WA,L=SEA,OU=F5,CN=xxx. The default value is false.
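The following is an added illustration of the base-dn and reverse-dn
matching described above; it is not BIG-IP or APM code. It assumes that,
with reverse-dn false, the dirName is in LDAP order (leaf first) and the
base DN must match its end, and that with reverse-dn true the dirName is
in X.500 order (root first) and the base DN must match its start. The DN
normalisation rules (case-insensitive attribute types and values, no
multi-valued RDNs) are assumptions made for the example, and the sample
distribution points are constructed, not taken from a real certificate.

```python
"""Illustration of CRLDP base-dn matching against a certificate's
crlDistributionPoints dirName, with and without reverse-dn.

Added example for this man page; not BIG-IP/APM code. The exact
normalisation and ordering rules below are assumptions for illustration.
"""

import re


def parse_dn(dn):
    """Split a DN string into a list of normalised (attr, value) RDN tuples.

    Splits on unescaped commas, trims whitespace around components, and
    lower-cases attribute types and values so 'DC=F5' and 'dc=f5' compare
    equal (assumption: case-insensitive matching, as for DC and CN in LDAP).
    Escaped commas (\\,) inside a value are kept. Multi-valued RDNs (a+b)
    are not handled; this is an assumption made to keep the example short.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        part = part.strip()
        if not part:
            continue
        if '=' not in part:
            raise ValueError('malformed RDN: %r' % part)
        attr, value = part.split('=', 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def matches_base_dn(dirname, base_dn, reverse_dn=False):
    """Return True if the distribution point dirName matches base_dn.

    reverse_dn False (the default): dirName is taken to be in LDAP order,
    leaf first (CN=crl1,DC=f5,DC=com), so base_dn must match the END of
    the dirName; the comparison runs from the right.
    reverse_dn True: dirName is taken to be in X.500 order, root first
    (C=US,ST=WA,L=SEA,OU=F5,CN=xxx), so base_dn must match the START of
    the dirName; the comparison runs from the left, as documented.
    """
    dn_rdns = parse_dn(dirname)
    base_rdns = parse_dn(base_dn)
    if not base_rdns or len(base_rdns) > len(dn_rdns):
        return False
    if reverse_dn:
        return dn_rdns[:len(base_rdns)] == base_rdns
    return dn_rdns[-len(base_rdns):] == base_rdns


def select_distribution_point(points, base_dn, reverse_dn=False):
    """Pick the first dirName-type distribution point that matches base_dn.

    `points` is a list of (type, value) tuples as an extension parser might
    emit for crlDistributionPoints, e.g. ('URI', 'http://...') or
    ('dirName', 'CN=crl1,DC=f5,DC=com'). Only dirName entries are
    candidates for the base-dn comparison; URI entries are skipped.
    Returns the matching dirName string, or None if nothing matches.
    """
    for kind, value in points:
        if kind.lower() != 'dirname':
            continue
        if matches_base_dn(value, base_dn, reverse_dn):
            return value
    return None


# Constructed sample: what a parser would emit for a client certificate whose
# crlDistributionPoints extension carries one URI and one dirName entry.
SAMPLE_POINTS = [
    ('URI', 'http://crl.example.test/ca.crl'),
    ('dirName', 'CN=crl1,CN=CDP,DC=f5,DC=com'),
]

if __name__ == '__main__':
    # LDAP-order dirName, default reverse-dn: base DN matches the suffix.
    print(select_distribution_point(SAMPLE_POINTS, 'dc=f5,dc=com'))
    # With reverse-dn true the same dirName is read root-first, so the
    # base DN is expected at the start and this sample does not match.
    print(select_distribution_point(SAMPLE_POINTS, 'dc=f5,dc=com',
                                    reverse_dn=True))
```

The practical point is that reverse-dn must agree with the order in which
the issuing CA writes the dirName; if it does not, no distribution point
matches and certificate validation falls through to whatever the agent
does on a missing CRL, which is where allow-nullcrl becomes relevant.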
use-issuer
Specifies whether the CRL distribution point is extracted from the
certificate of the client certificate issuer. The default is
false.
use-pool
Enables or disables high availability between CRLDP servers. When
enabled, Access Policy Manager sends CRLDP authentication requests
for the associated CRLDP auth agent to the virtual server, and
standard pool behavior is used to implement high availability for
CRLDP.
verify-sig
Specifies whether the signature on the received CRL is verified.
The default is true. Leave this enabled: with verification disabled,
anyone able to answer for the CRLDP server can supply a CRL of their
choosing, including one that omits a revoked certificate.
SEE ALSO
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2013, 2016. All rights
reserved.
BIG-IP 2016-03-14 apm aaa crldp(1)