apm aaa crldp
apm aaa crldp(1) BIG-IP TMSH Manual apm aaa crldp(1)
NAME
crldp - Configure a Certificate Revocation List Distribution Point (CRLDP) server object for implementing a
CRLDP authentication module.
MODULE
apm aaa
SYNTAX
Configure the crldp component within the aaa module using the syntax shown in the following sections.
CREATE/MODIFY
create crldp [name]
modify crldp [name]
options:
address [ip addr]
allow-nullcrl [true | false]
app-service [[string] | none]
base-dn [[string] | none]
cache-expire [[integer] | none]
connection-timeout [[integer] | none]
description [[string] | none]
location-specific [true | false]
pool [name]
port [[integer] | none]
reverse-dn [true | false]
use-issuer [true | false]
use-pool [enabled | disabled]
verify-sig [true | false]
edit crldp [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list crldp
list crldp [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
app-service
non-default-properties
one-line
partition
DELETE
delete crldp [name]
DESCRIPTION
Configure a CRLDP authentication server, and then assign the server to the CRLDP auth agent in your access
policy.
EXAMPLES
create crldp aaa-ldap-2027 { address 172.27.32.60 allow-nullcrl false base-dn DC=net,DC=aina,DC=test
cache-expire 1000 connection-timeout 15 description none partition Common pool aaa-ldap-2027-pool port ldap
reverse-dn true use-issuer false use-pool disabled verify-sig true }
Creates a CRLDP server named aaa-ldap-2027.
delete crldp my_crldp_server
Deletes the CRLDP server named my_crldp_server.
OPTIONS
address
Specifies the IP address of the server. This option is required.
allow-nullcrl
Specifies whether to consider a null CRL from the CRLDP server a successful authentication. The default
is false.
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
base-dn
Specifies the LDAP base directory name for certificates that specify the CRL distribution point in
directory name (dirName) format. Used when the value of the X509v3 attribute crlDistributionPoints is of
type dirName. In this case, the BIG-IP system attempts to match the value of the crlDistributionPoints
attribute to the Base DN value. An example of a Base DN value is cn=lxxx,dc=f5,dc=com.
cache-expire
Specifies (in seconds) an update interval for CRL distribution points. The update interval for
distribution points ensures that CRL status is checked at regular intervals, regardless of the CRL
timeout value. This helps prevent CRL information from becoming outdated before the Access Policy Manager
checks the status of a certificate.
connection-timeout
Specifies the number of seconds of inactivity the system allows before the connection times out. The
default is 15.
description
Specifies a unique description for the server. The default is none.
partition
Displays the partition within which the component resides.
location-specific
Specifies whether or not this object contains one or more attributes with values that are specific to the
location where the BIG-IP device resides. The location-specific attribute is either true or false. When
using policy sync, mark an object as location-specific to prevent errors that can occur when policies
reference objects, such as authentication servers, that are specific to a certain location.
pool
Specifies the name of the pool with which the server is associated.
port
Specifies the CRLDP service port. The default is 389.
reverse-dn
Specifies the order in which the system attempts to match the Base DN value to the value of the X509v3
attribute crlDistributionPoints. Possible values are true and false. When set to true, the system matches
the base DN from left to right, that is, from the beginning of the DN string, to accommodate dirName
strings in certificates such as C=US,ST=WA,L=SEA,OU=F5,CN=xxx. The default value is false.
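The following is an added illustration, not BIG-IP or F5 code, of how the base-dn and reverse-dn options
described above interact: it models the Base DN as matching the trailing RDNs of a dirName distribution
point by default, and the leading RDNs when reverse-dn is true. The exact matching rules inside Access
Policy Manager are an assumption here; the sample DN strings are the ones quoted in this page.

```python
# Added illustration (not BIG-IP code): a simplified model of how the crldp
# reverse-dn option changes Base DN matching against a certificate's dirName
# crlDistributionPoints value. Assumed semantics, read from the man page text:
#   reverse-dn false (default): Base DN must match the END of the DN string
#                               (the conventional LDAP suffix, e.g. dc=f5,dc=com)
#   reverse-dn true:            Base DN must match the BEGINNING of the DN string
#                               (for dirName values such as C=US,ST=WA,L=SEA,...)
from typing import List


def parse_dn(dn: str) -> List[str]:
    """Split a DN string into normalised RDN components (lower-cased, trimmed).
    Escaped commas are not handled; the sample values below do not use them."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def base_dn_matches(crl_dp_dirname: str, base_dn: str, reverse_dn: bool = False) -> bool:
    """Return True if base_dn matches the dirName CRL distribution point.

    reverse_dn=False: Base DN must equal the trailing RDNs (suffix match).
    reverse_dn=True:  Base DN must equal the leading RDNs (prefix match).
    """
    dp = parse_dn(crl_dp_dirname)
    base = parse_dn(base_dn)
    if not base or len(base) > len(dp):
        return False
    if reverse_dn:
        return dp[: len(base)] == base
    return dp[-len(base):] == base


def check_samples() -> dict:
    """Run the two dirName styles quoted in the man page through both settings."""
    conventional = "cn=lxxx,dc=f5,dc=com"              # base at the end of the string
    reversed_style = "C=US,ST=WA,L=SEA,OU=F5,CN=xxx"   # base at the beginning
    return {
        "conventional_default": base_dn_matches(conventional, "dc=f5,dc=com"),
        "conventional_reverse": base_dn_matches(conventional, "dc=f5,dc=com", reverse_dn=True),
        "reversed_default": base_dn_matches(reversed_style, "C=US,ST=WA"),
        "reversed_reverse": base_dn_matches(reversed_style, "C=US,ST=WA", reverse_dn=True),
    }


if __name__ == "__main__":
    for name, result in check_samples().items():
        print(f"{name}: {result}")
```

The output shows why a certificate whose dirName begins with the country and state RDNs fails to match under
the default setting and needs reverse-dn true.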
use-issuer
Specifies whether the CRL distribution point is extracted from the certificate of the client certificate
issuer. The default is false.
use-pool
Enables or disables high availability between CRLDP servers. When enabled, Access Policy Manager sends
CRLDP authentication requests for the associated CRLDP auth agent to the virtual server, and standard
pool behavior is used to implement high availability for CRLDP.
verify-sig
Specifies whether the signature on the received CRL is verified. The default is true.
SEE ALSO
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2013, 2016. All rights reserved.
BIG-IP 2016-03-14 apm aaa crldp(1)